If you're attending #BSidesMelb2026 this weekend, there's still a handful of tickets available for my Friday training session "Attacking and Defending Microsoft IIS" https://t.co/qZfRJmIg7F Come and learn how to write and detect web shells, there's something for everyone
If you're attending #BSidesMelb2026 and have an interest in IIS security, I'll be running training the day before https://t.co/iulfaMv5up
Come and learn how to write and detect web shells, there's something for everyone
Success! After hours of debugging, I found that removing runat="server" from the outermost element of the CVE-2025-49704 payload generated by YSoNet fixed it. Every in-the-wild sample I've seen has this field set so I'm pretty confused now. @irsdl any idea why this might be?
Has anyone managed to exploit any of the SharePoint ToolPane CVEs on a freshly installed server? I'm testing out a CVE-2025-49704 payload generated with https://t.co/9aVHTUYOO6 against 16.0.10417.20018 in my lab and whilst the auth bypass works, the payloads fail to deserialise
I’ve recently done a deep dive into how IIS view state machine keys are generated and how they are used to decrypt view state messages. I’ve written up my findings in a new blog post and developed an application to assist with the decryption of view states
https://t.co/JkfFjnpBVj
@BertJanCyber I suspect this will follow the same route as the recent SharePoint vulns: adversaries will start simple with basic subprocess execution, but within a few days we'll have malicious .NET assemblies being reflectively loaded
I've recently been experimenting with using .NET profilers to hook .NET functions under IIS and decided to write up a blog post while it was fresh in my mind https://t.co/VzSHi8b5Q8
12 months ago I presented a 3-hour course on attacking and defending Microsoft IIS servers to a packed room at BSides Canberra; today the 30+ hour version went live on @XintraOrg!
New XINTRA course‼️
Advanced IIS Post Exploitation, Detection & Evasion
Modern APT groups are actively weaponizing ToolShell and fileless IIS tradecraft to compromise Exchange, SharePoint, ASP workloads.
If your detection and response capabilities lag exposure, this course bridges the gap with:
- Memory dump analysis (WinDbg)
- Deserialisation exploits & detections
- ViewState attacks
- .NET Reflection
- Deobfuscation techniques
Syllabus and preview videos here👇
https://t.co/U4TjRX7DXy
@XintraOrg
Not a bad read. I think they may be overanalysing a compiled webshell and it's a shame they didn't get a memory dump, but it's great to see more companies talking about this stuff
https://t.co/0EkBjcdAjn
After a bit more digging it looks like it's referenced in Microsoft.JScript, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
but not Microsoft.JScript, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
The latter of which is used by my IIS
For years I've seen adversaries using the "unsafe" keyword in their JScript eval shells and assumed it was required to eval complex statements (i.e. code), but after trying to work out what it actually does for some training I'm working on I found it does nothing! It's unreferenced
@AlienPacket @DebugPrivilege Sometimes you just don't care, as long as you achieve your objective, does it really matter that the blue team knows how you did it? A lot of the C# malware I look at does very little to hide what it's doing