0xcon 2022 returns to an in-person event after 2 years of online virtual events due to Covid. For those unaware, 0xcon started in 2017 and is a South African conference that is aimed at building the Gauteng and ZA infosec community. The conference welcomes both new and experienced alike and works hard to keep things open and free to everyone.

How to participate

Event Program


Pulling Passwords out of Configuration Manager: Practical Attacks against Microsoft’s Endpoint Management Software - Christopher Panayi

System Center Configuration Manager, now Microsoft Endpoint Configuration Manager (MECM), is a software management product that has been widely adopted by large organizations to deploy, update, and manage software; it is commonly responsible for the deployment and management of the majority of server and workstation machines in enterprise Windows environments.

This talk will provide an outline of how MECM is used to deploy machines into enterprise environments (typically through network booting, although it supports various Operating System deployment techniques), and will explore attacks that allow Active Directory credentials to be extracted from this process. The common MECM misconfigurations leading to these attacks will be detailed and, in so doing, the talk will aim to show how to identify and exploit these misconfigurations and how to defend against these attacks. Each viable attack will be discussed in depth (mostly by discussing the protocols and architecture in use, but sometimes by diving into relevant code, if necessary) so that the context of how and why the attack works will be understood. These concepts will be illustrated through the demo of PXEThief (https://github.com/MWR-CyberSec/PXEThief), a tool that allows for the extraction of credentials from several of the onsite deployment techniques that MECM supports.

About Christopher

Christopher is the Chief Research Officer at MWR CyberSec, having previously led cyber-defense, red team, and targeted attack simulation (TAS) engagements for several years, as well as having designed and help run the in-house training programme for security consultants at MWR. As part of this work, a major focus area for him had been understanding attack techniques impacting Active Directory (AD); this led to publications such as a discussion of the previous gold standard in AD security, the red forest, and why it did not meet its goal of making environments more secure in many cases (F-Secure Whitepaper - Tending To the Red Forest (English).pdf). His interest in how things work at a deep technical level - and desire to develop an understanding of how to use this information to compromise and secure systems and environments - has led him to his current focus, investigating and understanding Microsoft Endpoint Configuration Manager, how it interacts with AD, and how to abuse its configuration to attack enterprise environments.

2022 Year in Review - Jared Naude

Looking back at events that have taken place for lessons that can be learned is an important ingredient to enable forward insight, especially in the cyber security space. In this talk, I will go through the various security news, events and incidents of note that occurred in 2022 while adding some commentary and analysis from myself. This will primarily focus on the Russia-Ukraine invasion and the various failures that we have seen but will also cover trends in ransomware and malware, disinformation and breaches.

About Jared

Jared is a Cloud Architect that specializes in enterprise cloud architecture and security; he is passionate about helping large organizations with architecting, building, securing and operationalizing cloud environments. Jared’s research interests and policy advocacy work involves cyber security topics that intersect with national security and foreign policy issues such as encryption, privacy, surveillance and disinformation.

Ransomware and Incident response within South Africa - Ivan Burke

This will cover key information items such as first responder actions which aid in better recovery of business processes, common pitfalls and misconceptions about service provider accountability and ability to assist during an active incident response. I will also be covering some resource users can use to test and practice internal incident response processes and scenario building. If there is interest in it, I can extend the talk length to include some case studies of IRs that took place during the year which we were involved in.

About Ivan

Ivan has been a cyber security researcher working for the Council for Scientific and Industrial Research (CSIR), for 14 years. During this time he has worked for the Cyber Defence Research group and assisted on various governmental projects related to cyber defence. In October 2021, Ivan started to work at a private cyber security consulting and research company, called BlueVison ITM (https://bitm.co.za/). Ivan is currently employed as the Head of Research, innovation and Development at BlueVision, where his role is mostly to develop innovative strategies to prevent, detect and eradicate cyber threats within client environments. Over the past year BITM has coordinated numerous national IR processes for SMEs and larger state owned entities. BITM is fully CREST accredited for Incident Response, vulnerability management and penetration testing.

Investigating the Coordinated Inauthentic Behavior of a South African Business during the Covid lockdown - Roelof Temmingh

In the same way that hackers target computers, corporations target people’s minds and wallets. When exploits become marketing campaigns and semantic hackers become world leaders you know it’s time to shift your registers in a major way. CIB is the new buzzword and if you think it’s only the domain of St Petersburg troll farms you’ve missed the plot. Join this talk and see how this shit is happening from Sunnyside to Woodstock, from Melrose House to your treehouse

About Roelof

Roelof is the founder of SensePost, Maltego, and Vortimo. Stone cold badass and all around cool guy.

HaC - Hacking as Code (DevSecOps) - Christo Goosen

A talk on SecureCodeBox + DefectDojo and doing vulnerability scanning as part of the DevSecOps pipeline. Automate OWASP ZAP, WhatWeb, SSLAlyze, NmapScan, etc with kubernetes configs. A deployed Kubernetes setup with a custom resource type scan for running jobs on your internal and external infra. Combine that with DefectDojo and helm/ArgoCD and you have a powerful hacking as code setup.

About Christo

Christo is a DevSecOps lead and is always stuck in between development, infrastructure and security. Love to build, deploy and break systems. Crypto miner, python dev, Devops, etc. Photography & surfing to try and be offline. BSides Cape Town leader.

Pentesting Cloud… How? An introduction into Azure Pentesting - Javan Mnjama

With the growth of cloud computing and the adoption of cloud. Security professionals are slowing being pushed from the traditional approach of pentesting and adapting in finding new techniques for cloud penetration testing. This talk will focus on a brief introduction into performing a penetration assessment against an Azure environment using the cyber attack kill chain from a cloud perspective. An overview will also be presented on the techniques and tooling available for offensive security professionals when reviewing Azure environments.

About Javan

Javan holds a Masters degree from Rhodes University and has had experience in penetration testing for five years where he has strong interest in cloud security. In his spare time, he enjoys going to the gym and making music.

Securing a cloud native open source microservice based core banking system - Ntando Mngomezulu

Open Source in information systems is a fundamental driving force of collaboration, transparency, and accountability. Open-Source software also creates a conduit for rapidly prototyping ideas and deploying them to test their efficacy and evaluating their business case. In the FinTech sector, which is characterized by high paced innovation and stringent demands on privacy and confidentiality, these attributes are highly desirable as a mechanism to improve security of systems as a collaborative effort between security professionals to deliver exactly the type of software which we should strive to take to our markets.

In this talk, we will explore an example of collaboration on open-source software in order to deploy and test a FinTech system, namely FineractCN and its deployment on AWS in conjunction with Keycloak to effectively improve upon the security of a system which is built for the cloud native future we are moving into.

About Ntando

Ntando is a Senior Security Analyst at Synthesis Software Technologies responsible for the establishment and continuous maintenance and testing of client organizations’ infrastructure, network, and web security. Ntando has over 10 years of IT experience within a variety of sectors such as health, broadcasting, streaming, and Fintech.

Dafuq - The Security Outlook for 2023 - Charl van der Walt

A look at what to expect for 2023.

About Charl

Charl is the Head of Security Research at Orange Cyber Defense


We look forward to seeing everyone at our event!