Join us as we kick off BSides Canberra 2025! In this short opening session, we’ll welcome you to Australia’s largest hackercon, share what’s new this year, and celebrate the incredible community that makes it all possible.
We’ll run through highlights of the program, introduce a few key faces behind the scenes, and cover important housekeeping details to help you make the most of the next three days. Whether you're here to learn, share, compete, or connect - thank you for being part of BSides Canberra.
Let’s get things started.
Announcement to be made shortly
We all hear about "hacking into the mainframe" in movies, but mainframes aren't just relics of the past waiting to be broken by people wanting to hack the Gibson. They quietly power the backbone of modern society.
In saying that, watch as an unauthenticated remote code execution into a mainframe unfolds, all without the need to mash the keyboard as random text scrolls past in a black and green terminal screen.
Step away from the keyboard – it’s time to get hands-on. Whether you're a seasoned tinkerer or just curious about what’s inside your badge, the Hardware Village is your space to learn, hack, solder, and explore.
We’ll have soldering stations ready for badge mods and hardware experiments, plus friendly experts on hand to help with troubleshooting or inspiration. Bring your gear or just swing by to see what others are building and tinkering with.
There’s always something to learn, create, or break (safely, of course).
The Locksport village is your gateway into the fascinating world of physical security. Whether you're a total newcomer or a seasoned picker, there's something here for everyone.
Explore a wide variety of locks, pick tools, and hands-on challenges – all under the guidance of experienced instructors ready to share their tips and tricks. Learn how locks work, discover their vulnerabilities, and test your skills on locks ranging from beginner to expert difficulty.
This isn’t just a display – it’s a fully interactive experience. Step into the shoes of a lockpicker, challenge yourself, and maybe even surprise yourself with a hidden knack for tumblers and tension wrenches.
Come for the curiosity, stay for the challenge. You might just unlock a new obsession.
Recently, we have seen an uptick in GNSS jamming and spoofing, which is impacting aviation operations. GNSS is used for aircraft navigation, RNP approaches, and traffic management with ADS-B.
Old navigation aids like VOR, which can be used to cross-reference GNSS, are being decommissioned. To save the cost of running primary radars, they too are being decommissioned, with ADS-B filling the gap. With GNSS jamming and spoofing on the rise, do we need some other tools to help mitigate these risks? Can some of the radio direction-finding tools be of help here?
Welcome to the Speedrun CTF Qualifier—where precision, speed, and nerves of steel collide.
Individual competitors will face two challenges drawn from a mix of web, pwn, reverse engineering, or crypto. You’ll have a maximum of 15 minutes to complete both.
The faster you solve, the higher you climb. Only the top 8 fastest solvers will earn a spot in the live finale.
No second chances. No warm-ups. Just you, the challenge, and the clock. Think you're fast enough?
The BlackBag will be returning for 3 days to BSides Canberra 2025.
Details coming shortly...
Grab a soldering iron, clip in a shield, and choose your playground. Our drop-in Hardware CTF lets attendees build, and then break, two purpose‑built open‑source boards: CompatrIoT, which mirrors everyday smart‑home devices, and CompatriOT, a pocket‑sized PLC rig that behaves like the gear running factory floors. A quick solder‑on gateway earns the first flag; after that, players explore firmware extraction, wireless and NFC tricks, protocol tampering, and control‑logic mischief. Achievements pop straight onto a live scoreboard, mentors keep queues short, and everyone leaves with new skills and a fun experience in the world of Cyber Security. No prior hardware background required, just curiosity and a sense of fun.
Ever wonder why some top-tier security professionals get overlooked for dream positions? In this engaging interactive session, you'll learn how unclear professional branding can make talented professionals practically invisible. Attendees will search for "hidden" cybersecurity professionals by analyzing vague LinkedIn profiles and resumes, learning firsthand why clarity and visibility matter in career positioning!
The cyber domain is intractably chaotic, complex and noisy.
How often, if at all, do we actually consider why the cyber domain is like this?
How often, if ever, do we think about our thinking and grow our conceptual understanding?
As the pace, scope and depth of the cyber domain exponentially increases, it behoves all cyber folk to understand the broader context of the hamster wheel in which we toil.
While Nic considers himself a middling/journeyman cyber operator, during 20+ years in the cyber domain, he has been fortunate to work with and observe cyber 'rock stars'. This talk presents his key observation: good cyber operators look broadly across and outside of their domain for inspiration. The talk also presents a philosophical/intellectual foundation for understanding the cyber domain's nature, and some of the mental models [or monkly koans] he uses to work within the field.
Journey through time and learn to reverse engineer and exploit an n-day protocol vulnerability to achieve Remote Code Execution in a game released over 10,000 days ago. We will first approach the vulnerability using only tools available to hackers in 1997, demonstrating the complete exploitation chain with period-authentic methods. Once the exploit chain is complete, we will teleport back to the future and showcase the same exploit using modern techniques and tooling, highlighting both the evolution and consistent principles of exploitation over time. Participants will learn how to analyse protocols, identify and exploit the bug, write custom shellcode, navigate older and dated tooling, and understand newer techniques and approaches. This technical deep dive provides both historical context and hands-on skills applicable to today's security challenges.
Ever wanted to build your own circuit board but didn’t know where to start? Me too. This talk is a beginner’s journey into the chaotic, confusing, and surprisingly fun world of PCB design — with plenty of mistakes, a bit of magic smoke, and (depending on how my current design turns up) something working at the end.
I'll walk through the tools I used, lessons I learned (sometimes the hard way), and how this went from a random side project to something I now use to create hands-on training tools for students. Whether you're curious about hardware hacking, want to design your own blinky badge, or just like learning by breaking things — this is a talk for you.
Expect real talk, terrible design, and hopefully a bit of inspiration to build something of your own.
Adobe Experience Manager (AEM) is one of the most popular content and digital asset management systems used by enterprises. It’s likely that the home pages of some of the biggest brands you know and love are using AEM under the hood. In this presentation, we will discuss AEM’s internals, its architecture, request routing mechanisms, and internal tooling to assist with security research.
As a part of our research into AEM’s internals, we reported several high and critical risk pre-authentication vulnerabilities to Adobe affecting AEM’s core code, both on-premise and cloud, which we will publicly release in this presentation. AEM’s exposure on the external internet is vast, with over 45,000 sites currently using the technology.
In today’s AI-driven world, autonomous agents powered by advanced language models are handling everything from file processing to SQL queries with each capability opening up new attack vectors. In this talk, we draw on our year-long tracking of production-grade agentic AIs (including OpenAI’s ChatGPT) to reveal three classes of real-world threats and their defenses:
- Sandbox Escapes & Code Execution: We dissect containerized sandboxes—revealing how malformed file uploads or hidden background daemons can break isolation, persist code, or hijack the Jupyter kernel.
- Steganographic Exfiltration & Indirect Prompt Injection: By embedding malicious prompts into innocuous images or Office documents, attackers can coerce multimodal models (e.g., GPT-4o) into leaking credentials or data without user interaction.
- AI-Native MCP SQL Injection: We uncover how malicious prompts directed at Model Context Protocol (MCP) endpoints can silently tamper with or exfiltrate entire database backends—quickly cascading into downstream AI pipelines.
We demonstrate how LLM-powered agents can be compromised using a proof-of-concept AI agent with these vulnerabilities, showing the impact of the exploits and emphasizing the critical need for advanced security measures.
Have you ever blamed cosmic rays for a computer misbehaving? It’s more common than you think! Join us on our practical adventure of measuring bitflips in DNS traffic, resulting in over a year's worth of collected data from bitflips in a very prominent Australian top-level domain.
Bitsquatting is a form of cybersquatting which relies on bit-flip errors that occur during the process of making a DNS request – and has been known about for over 14 years. Practically, this results in machines resolving DNS incorrectly, with a potentially attacker-controlled DNS server.
We explore our data collected for a specific dataset of Australian domains and offer insights into the practical side of exploiting systems in weird ways, including coerced authentication between system-to-system integrations.
Welcome to Cyber House, our multi-award-winning Michelin-star restaurant for careers.
Tonight, we’re not plating foie gras or truffle risotto. We’re serving live résumés, roasted to perfection. On the menu is a curated degustation of CVs, each grilled with care, seasoned with brutal honesty, and finished with actionable feedback.
Unlike traditional restaurants, we don’t believe in rare or undercooked. Every résumé here is served well done, whether it’s polished to perfection or seared with some tough love.
Pull up a seat. Bring your appetite for critique. This is career feedback, chef’s table style.
Security wonks do some of our best work when we're away from the keyboard. Whether we're ruminating on a bug or dreaming up new research opportunities, our brains are almost always running. I've found that having a well-tuned productivity system helps keep my life on track when work gets hectic, and conversely, to be "regular and orderly in my life, so that I may be violent and original in my work" (Gustave Flaubert).
I'll walk you through my productivity management methodology based on David Allen's "Getting Things Done" (2001). We'll cover how to bootstrap a system using a painstaking brain-dump, how to triage and collate your tasks and projects, how to rapidly capture thoughts as soon as they come up, how to set up recurring events to put your life on auto-pilot, how to defer things using someday/maybe lists to hide the stuff you're not ready for yet, and how to use contextual tagging so that tasks come back to you exactly when you can do something about them.
Having a trusted system has helped me to achieve more, manage my stress, and make room for thoughts that are worth having. Whether you're a student, a professional, or just someone with responsibilities, you can be more present, focused, and effective in your personal and professional life.
In June 2025, CyberCX released a report on a highly orchestrated phishing campaign targeting popular WordPress hosting platform WP Engine, dubbed “DarkEngine”, which led to the compromise of at least 2,350 unique WordPress websites worldwide to deliver information stealer and remote access trojan malware through fake CAPTCHA prompts.
ClickFix (and fake CAPTCHA) lures have become increasingly common as initial access vectors against individuals and organizations, with their detonation often leading to the compromise of sensitive credentials and information used to provide a foothold into organizations’ environments. But how do they get there in the first place?
In this presentation, the lead author of this report shares their research and analysis journey of this campaign’s operations and infrastructure as well as providing detection and defence measures that organizations can put in place to reduce the risk of users falling victim to these increasingly common tactics.
Join your conductor, Liam Wilkinson, on this journey of exposed threat actor infrastructure, scripting, and open-source intelligence to trace the tracks of the operations behind “DarkEngine”.
Drowning in the chaos of Threat Actor aliases? Fancy Bear or Forest Blizzard? Wicked Panda or BRONZE ATLAS? And malware families? CageyChameleon or Cabbage RAT? Qakbot or Pinkslipbot?
In this session, we unveil a free tool designed to map across various Threat Actor naming conventions, malware families and public research. We’ll walk through how it works and highlight how it enables seamless searches of threat actors and associated research. It offers swift access to information on Threat Actors and malware families – an invaluable asset for your intelligence analysis, research, and operational tasks.
Careers Panel - come and ask specialists about their careers
The top 8 have qualified - now it’s time to crown a champion live on stage.
In the Speedrun CTF Finale, competitors face off in a round robin format, battling through a gauntlet of challenges in front of a live audience. The fastest solver in each match advances, with the pressure mounting as the field thins.
Round by round, the competition intensifies - until only one winner remains standing.
Everyone thinks iOS is unbreakable. This talk disagrees.
In Unbreaking the iPhone, we’ll dissect the invisible scaffolding behind Apple’s mobile empire, from Secure Enclave architecture to KTRR and PAC. We’ll explore how researchers theorize paths to reverse bootchain security, defeat SEP isolation, and repurpose GPU driver vulnerabilities for kernel access —even on post-checkm8 devices.
This isn’t a jailbreak tutorial, it’s a blueprint for those aiming to reach the highest levels of mobile OS exploitation.
This case study delves into the lessons learned from Red Hat's efforts to detect, mitigate, and prevent data leaks not only on GitHub but also across a myriad of distributed sources. It all began with an internal monitoring solution, which subsequently evolved into a comprehensive architecture designed to tackle leaks at scale. The project has proven instrumental in saving considerable time and effort for our Incident Response analysts, significantly compressing the time frame from data exposure to its successful mitigation. Furthermore, it has given rise to new tools aimed at preventing the initial exposure of sensitive data. Presently, our capability to detect leaks has reached a level where we often outpace the bad guys and are preemptively averting potentially expensive incidents altogether. We invite you to join us for an overview of the architecture and a preview of our open-source releases to learn how you can do it too!
“The stone age didn’t end because we ran out of stones. It ended because we found a better way to build.”
— Paraphrased from Sheikh Yamani
Cybersecurity is having its “better-way” moment. When an analyst at our SOC used ChatGPT to craft a perfectly weaponised phishing lure in under 30 seconds, everyone in the room realised two things: AI has already changed the rules, and our careers will either sink or soar depending on how quickly we adapt.
- AI is expected to automate up to 30 percent of repetitive security tasks by 2027. If your skills fall in that category, you're at risk of being replaced.
- Attackers are already using AI-driven red teams to discover zero-day vulnerabilities while defenders are still writing detection rules.
- Cyber leaders are now expected to understand AI risk, model governance, and digital ethics, not in the future but now.
This talk is your go-to guide for navigating cybersecurity in the age of AI. Discover how automation is reshaping roles, which skills will keep you relevant, and why creativity, psychology, and ethics are your biggest career assets. Whether you're just starting out or looking to stay ahead, you'll gain the tools and insights to not just survive but thrive in the future of cyber.
Think you've seen some wild things in cybersecurity? Wait until you play this.
In this interactive game-meets-roast, we flip the script on typical career advice. Participants work through hilarious (but painfully accurate) prompts about hiring, interviews, burnout, DEF CON trauma, and LinkedIn chaos.
Each round blends sharp humor with real lessons about personal branding, team dynamics, and why most job descriptions are just buzzwords in a trench coat.
You'll leave laughing and rethinking your resume.
This talk will provide you with the researcher's insight into a South-East Asian botnet operator and its correlation with an ongoing campaign of grand-scale espionage conducted via disassociated operational collection infrastructure. The group is a highly organised, long-term state actor operating as a disassociated data and network service technology provider, which maintains and provides access to a large-scale botnet comprised of compromised Small Office/Home Office (SOHO) routers and Virtual Private Servers that route and tunnel victim traffic through layers of network obfuscation and relaying infrastructure. The infrastructure is leveraged to support a variety of malicious activities, including espionage and network attacks, for multiple threat actors. Their operations and the maintenance of their infrastructure demonstrate a sophisticated understanding of network infrastructure, custom malware development, and resilient C2 methodologies.
HackerChix is a relaxed networking event for women attending BSides Canberra. Whether you're new to the community or a returning regular, come along to meet other women in cyber security, share stories, and build connections in a welcoming and inclusive space.
Open to anyone at the conference who identifies as a woman, this is a great chance to take a break from the buzz of the main event and enjoy some low-key conversation with like-minded people. Drinks and light refreshments provided.
No panels, no pressure - just a space to connect.
Ever since Peter Shor published his famous algorithm in 1994 there has been excitement about how a hypothetical quantum computer could break the commonly used encryption methods which we routinely rely upon today. In the last few years there has been a crescendo of announcements about developments in quantum computing, and also many commentators warning darkly of an imminent apocalypse. However, the world still seems to keep going. Cyber security professionals are left wondering what all the fuss is about, what they should be doing, and where this sits amongst all the other vulnerabilities and threats they face.
This talk will aim to explain all, and although the speaker has a PhD in quantum physics, no scientific expertise will be required to follow along. We will discuss:
- What quantum computers are, and what they are not
- The current state of quantum computing technology, what is still needed before Shor’s algorithm becomes a realistic threat, and the likely timelines
- The recent developments in mitigations against this threat, including latest research and practical experiences in implementation of solutions
- What cybersecurity professionals need to worry about, what they should actually do, and when
Along the way, we will expose some common myths, have a look at the truth behind some of the headlines you may have seen, and leave the audience with pragmatic, actionable advice to incorporate into their work.
This is a fast-paced workshop that provides a deep dive into Windows Active Directory (AD), specifically focused on what security professionals need to know. In this workshop, we will cover Active Directory security and deep dive into some of the Kerberos attacks. The workshop can be divided into two parts: the first focuses on an introduction to Active Directory in general, Active Directory accounts and groups, and the Windows Access Control Model. The second part will focus on Kerberos and attacks targeting Kerberos.
This Workshop is not focused on a specific tool, and covers attack techniques used by threat actors in Active Directory and how defenders can detect and defend against those.
Requirements: student laptop (newer CPU and minimum 16 GB RAM suggested), VMware, Wi-Fi. Students will be provided with instructions beforehand to set up the lab and run scripts to configure the environment.
THE SHADOW VAULT
Something wicked this way comes...
The Shadow Council is making plans. For months, their agents have been moving in the shadows, gathering resources, positioning assets, preparing for something massive. Whatever they're scheming, it's bigger than anything we've seen before. Their dark fortress stands impenetrable - or so they believe.
Our network of spies have discovered the location of their war room, where all their schemes are planned and their secrets stored. One night. One chance. The fate of the realm hangs in the balance.
Storm the castle. Breach their defences. Steal their secrets. Escape before dawn.
Gather your party of 4-8 and make a booking ASAP (booking link will be added here closer to the date).
Roll for initiative.
CALLING ALL SERIOUS HACKERS, GAMERS, ENIGMA ENJOYERS, CRYPTIC CONNOISSEURS
ONCE YOUR FIERCE COMPETITORS, NOW BOUND BY THE TREACHEROUS RULE OF THREE
SKATEBOARDING DOG BRING TO YOU A BRAND NEW ERA OF FLAG CAPTURING WITH SPEED, STYLE, AND SKATEBOARDS
ALL YOUR USUAL CTF CATEGORIES (CRYPTO, PWN, REV, WEB) - PLUS WHATEVER WE FELT WAS COOL - DELIVERED TO YOU IN REFRESHING FORMATS
SUITABLE FOR ALL PLAYERS FROM NEW KIDS ON THE BLOCK TO OLD DOGS HERE TO LEARN NEW TRICKS
Email addresses are a common data type which can be highly inconsistent, with various parsers behaving differently depending on their implementation. In some cases, parsers may accept an RFC-compliant email address that can lead to high-impact vulnerabilities in applications, because the developers assumed that the parser would parse an email address according to their expectations. This concept is not restricted to web applications, but also applies to other types of services that rely on parsing email addresses to establish identities.
In this presentation, I will talk about my experience researching Jakarta Mail (previously known as JavaMail, javax.mail) for email parsing issues, presented in a journey-style manner. This research was inspired by one of our recent engagements, where a client utilised a library that has JavaMail as one of its dependencies. While researching mail vulnerabilities, I recalled how Gareth Heyes from PortSwigger published about the use of encoded strings in email addresses and how email parsers may decode and accept them. After reading such an inspiring write-up, I attempted to extend the research Gareth did, against Jakarta Mail this time, and was surprised to find other interesting behaviours that were exhibited.
One of the main highlights of this sharing will be InternetAddress.java, a default class shipped with Jakarta Mail that is used to parse and represent email addresses. It has some inconsistencies that can potentially lead to situations where developers assume that emails are always validated when in fact they are not. As InternetAddress is not typically used directly, I have also looked into how other libraries utilise it, namely Angus Mail and Spring Framework. In addition to the InternetAddress class, I will also be going through my observations from other classes such as MimeMessage (from Jakarta Mail), as well as InternetAddressEditor, MimeMessageHelper, MimeMailMessage and SimpleMailMessage (from Spring Framework).
Throughout this research, I have noted down various interesting primitives which I will be sharing, hoping that it will be useful for other researchers if they ever encounter them in the wild.
C and C++ are awesome / terrible – they let you do whatever you want with pointers, resulting in all the tasty memory corruption vulnerabilities we know and love. Other languages impose a runtime or garbage collection, which tends to disqualify them from systems programming, embedded firmware and performance-critical applications. Rust seems like a magical best-of-both-worlds:
- Guaranteed memory safety and thread safety
- Performance and control equivalent to C and C++
- Suitable for firmware and kernels, with no runtime or garbage collection
How does it do that? In this talk we reinvent Rust's concept of Ownership, which enables it to make these guarantees at compile-time.
Supply chain security is a topic which has risen in profile in recent years through events such as the xz backdoor. In the open source world trust matters a lot. While trust is mostly gained through social interactions, it is also important to be able to trust the tools themselves. This talk will detail how I found several holes in common tools, leading to the potential for attacks against developers' tooling.
Host file-access logs can be a valuable source of information when it comes to detecting the theft of sensitive files or the establishment of persistence by malware. But how can we leverage logs, such as those produced by Santa, for early malware mitigation when monitoring a fleet that makes an enormous amount of benign file accesses every day? Enter the Suspicious File Access Detection pipeline - an internal, ML-backed detection mechanism developed through collaboration between Security and AI software engineers at Google. The pipeline is used by Google's Detection & Response team to score, surface, and investigate clandestine file access behaviours.
I’ll take you through the process of how we created an ML model to score file access logs based on their relative suspicion level. We’ll dig into how we can go beyond prevalence-based anomaly detection and utilize embeddings to identify not just activity that is rare, but activity that is extremely suspicious for a given host. This approach aims to detect behaviourally-agnostic malware activity involving the modification of sensitive files on disk for Google’s corporate fleet.
For the purpose of this talk I’ll demonstrate how we use this pipeline with Santa, a publicly available binary and file access authorization system for macOS. I’ll take you through the process of how Santa can be configured to monitor areas of the macOS filesystem that are modified to establish persistence at runtime, and how the logs are utilized by the SFAD model.
One from the vaults. In 2020, Justin had a serendipitous encounter with a dangling legacy AWS S3 bucket once owned by the Linux Vendor Firmware Service (LVFS). "What if I registered it," he thought. "What's the worst that could happen?" This is the story of how he wedged himself between 100,000 Linux machines and their firmware updates, stumbled upon a bypass in fwupd's PGP-based firmware update signature checking, traced the flaw back to its root cause, and ultimately returned the bucket to its original owner.
Windows COM (Component Object Model) is an essential yet complex part of the OS, responsible for enabling interprocess communication. While well-documented on the surface and studied by many researchers, COM's internal behaviors still hide attack surfaces that are underexplored.
In this talk, I will take you through my personal journey of discovering a pre-authentication COM vulnerability in Windows. Starting from understanding COM internals and how to access their stubs simply, then fuzzing them using harnesses built on kAFL and WTF, I’ll show the steps that led to a successful vulnerability discovery.
I’ll also briefly examine previous COM-related CVEs and research, what patterns they share, and how I used those lessons in my own approach. Finally, I will present the technical root cause of the vulnerability I found (Case-88235, CVE-2025-29841), followed by a demo of how it could be exploited in a pre-auth scenario.
This talk is intended for vulnerability researchers, reverse engineers, and Windows security enthusiasts interested in novel pre-auth attack vectors and practical bug-hunting methodology.
Delve deeper into the dark and mysterious world of Cloud Native security! Exploit a supply chain attack and start your journey deep inside the target infrastructure, utilize your position to hunt and collect the flags, and hopefully learn something new and wryly amusing along the way!
Attendees can play three increasingly treacherous and demanding scenarios to bushwhack their way through the dense jungle of Cloud Native security. Everybody is welcome, from beginner to seasoned veterans, as we venture amongst the low-hanging fruits of insecure configuration and scale the lofty peaks of cluster compromise!
Each attendee will be given access to their own Kubernetes cluster built within our bespoke sandboxed training environment. A laptop with an SSH client is required to participate.
Kerberoasting is a simple yet effective method of escalating privileges within an Active Directory domain. This talk will discuss how existing tools perform the attack in .NET (C#), explore how these tools are detected and show how we can build our own tooling to bypass these detections.
Active Directory is a complex beast, and remains one of the core technologies holding together a large majority of organisations (second only to Excel). The number of resources available for security practitioners to fundamentally secure AD in the wild is severely lacking. With thousands of guides on how to break it, and almost none on how to secure it, it's time to level the playing field!
This talk will first analyse the root causes of AD attacks from an architectural level, breaking down modern attacks to three "roots": Overprivilege, Protocol Abuse, and Persistence. Leveraging these foundational understandings, the talk will then demonstrate how to strengthen AD from the roots using native modern AD security controls, such as Authentication Silos and RPC filtering.
By the end of this talk, you will have the tools to mature your AD environment so that it can fight back against tomorrow's attacks, rather than having to keep up with yesterday's.
API Obfuscation is a common technique employed by malware authors to conceal the capabilities and behaviour of their malware from reverse engineers. Usually, such obfuscation is overcome via decoding obfuscated API names during static analysis or observing the API calls during dynamic execution. But what can a reverse engineer do if even the obfuscated API names are removed from the binary? In this presentation we’ll discuss the analysis of “TCP Listener”, an implant encountered by the ACSC during incident response. In a novel approach this implant receives its obfuscated API references with its command and control payloads, which made analysis difficult – but not impossible. Gathering our clues (strings, constants, function prototypes, and call structure), and armed with our tools (IDA, Yara, and the MSDN documentation), we’ll go on a journey of deductive reasoning (along with a tiny bit of speculative imagination) to reverse engineer this implant and fully understand its functionality.
Despite the widespread availability of secret scanning tools, thousands of sensitive credentials continue to be exposed in popular open source ecosystems. This security blind spot sparked my curiosity and led me to hunt for secrets both in commonly understood risk areas and in some new attack surface, with some surprising results.
By looking into ecosystems that are hard to navigate, I have helped secure over 40 organisations including Microsoft, Adobe, Anthropic, MongoDB, Electronic Arts and more.
This talk will cover my process for investigating these ecosystems, the results found, why this attack surface remains a risk for organisations, and how you can find and remediate these yourself.
Physical keys continue to plague society, weighing down your keyring and mine, and while we always consider our keys to be unique to our door, is that true? In this talk, we'll be reviewing the issue of common keying, where your key is the same as mine, alongside some fun techniques for escalation in a physical lock system, including cross keying and escalation.
As macOS continues to grow in popularity within enterprise environments, cyber threats like the Atomic Stealer malware family have emerged, leveraging stealthy and sophisticated techniques such as Dyld (Dynamic Linker) injection to establish persistence and evade detection. This session focuses specifically on the Atomic Stealer family, dissecting its utilization of Dyld injection to covertly execute malicious payloads by manipulating environment variables, notably DYLD_INSERT_LIBRARIES, within legitimate processes.
The presentation will provide detailed insights derived from original research, including step-by-step demonstrations of Atomic Stealer's operational methodologies, injection techniques, and persistence mechanisms. Attendees will learn about custom detection methods designed to identify the Atomic Stealer and similar threats, incorporating advanced endpoint behavioral analysis, macOS native logging mechanisms, and specially crafted YARA signatures.
Participants will leave equipped with concrete, actionable strategies for detecting, mitigating, and proactively hunting threats associated with the Atomic Stealer malware family.
Endpoint Detection and Response (EDR) is the watchdog running on your endpoint to detect and respond to threats in real-time. However, like other defenses, it is not a foolproof solution. In this talk we present a recent attack on a current EDR product (Palo Alto Cortex XDR) resulting in a bug bounty ($2k) winning CVE-2024-8690.
CALLING ALL SERIOUS HACKERS, GAMERS, ENIGMA ENJOYERS, CRYPTIC CONNOISSEURS
ONCE YOUR FIERCE COMPETITORS, NOW BOUND BY THE TREACHEROUS RULE OF THREE
SKATEBOARDING DOG BRING TO YOU A BRAND NEW ERA OF FLAG CAPTURING WITH SPEED, STYLE, AND SKATEBOARDS
ALL YOUR USUAL CTF CATEGORIES (CRYPTO, PWN, REV, WEB) - PLUS WHATEVER WE FELT WAS COOL - DELIVERED TO YOU IN REFRESHING FORMATS
SUITABLE FOR ALL PLAYERS FROM NEW KIDS ON THE BLOCK TO OLD DOGS HERE TO LEARN NEW TRICKS
This training will demonstrate how to build a custom Command and Control (C2) framework using Python and C#.
With an implant developed, the course will then go on to show common methods of delivering the payload in terms of social engineering.
Step away from the keyboard – it’s time to get hands-on. Whether you're a seasoned tinkerer or just curious about what’s inside your badge, the Hardware Village is your space to learn, hack, solder, and explore.
We’ll have soldering stations ready for badge mods and hardware experiments, plus friendly experts on hand to help with troubleshooting or inspiration. Bring your gear or just swing by to see what others are building and tinkering with.
There’s always something to learn, create, or break (safely, of course).
The Locksport village is your gateway into the fascinating world of physical security. Whether you're a total newcomer or a seasoned picker, there's something here for everyone.
Explore a wide variety of locks, pick tools, and hands-on challenges – all under the guidance of experienced instructors ready to share their tips and tricks. Learn how locks work, discover their vulnerabilities, and test your skills on locks ranging from beginner to expert difficulty.
This isn’t just a display – it’s a fully interactive experience. Step into the shoes of a lockpicker, challenge yourself, and maybe even surprise yourself with a hidden knack for tumblers and tension wrenches.
Come for the curiosity, stay for the challenge. You might just unlock a new obsession.
THE SHADOW VAULT
Something wicked this way comes...
The Shadow Council is making plans. For months, their agents have been moving in the shadows, gathering resources, positioning assets, preparing for something massive. Whatever they're scheming, it's bigger than anything we've seen before. Their dark fortress stands impenetrable - or so they believe.
Our network of spies have discovered the location of their war room, where all their schemes are planned and their secrets stored. One night. One chance. The fate of the realm hangs in the balance.
Storm the castle. Breach their defences. Steal their secrets. Escape before dawn.
Gather your party of 4-8 and make a booking ASAP (booking link will be added here closer to the date).
Roll for initiative.
Announcement to be made shortly
Whitebox assessments are like unlocking the entire game map, and it's totally up to you to decide what’s worth exploring. Understanding how to decompile apps and navigate them will equip you with the skills to uncover vulnerabilities that are often overlooked and collect those coins.
We’ll guide you through picking the right targets, decompiling Java bytecode, identifying critical routes, and running effective scanners. During this talk we’ll demonstrate vulnerabilities we have found with these techniques, and give you all the tools you need to get started on your journey along the rainbow road of Jira and Confluence plugins. Basically, this is our power-up JAR gift to you.
Whether you’re a seasoned security plumber (internal security team, bug bounty hunter, hobbyist) or just starting out, this interactive session will level up your ability to turn bytecode into bounties.
With the introduction of Kernel Patch Protection, Microsoft created a shared responsibility model where security vendors are now limited to only the kernel visibility and extension points that Microsoft provides. This means that Microsoft is responsible for a) providing the necessary kernel telemetry, and b) servicing bugs in existing kernel telemetry.
So I wrote some Windows telemetry unit tests.
This talk will cover various bugs and other code smells in the security-relevant telemetry generated by Windows.
A four-year investigation into cybercriminal financial operations, following the money to examine how threat actors generate, transfer, and launder illicit proceeds. The talk also covers the operational security and threat modelling required to safely perform this research, and the OSINT and blockchain tools and techniques that were used.
Have you ever written software so bad you’ve wondered “at what point does this count as malware?” But what’s the point? Why would you make malware? What can you do with it? In this talk we’ll actually make it, from scratch and then automatically like the cool kids (government) do. Ah, but then we’ll realise that the malware we have could do more. Or it might get caught. So the malware gets worse.
Ever wondered what it's like to investigate a phishing campaign? Do you just grep the IOCs and call it a day? But what if you go further, how deep do you go? If you stop at the first email, what are you actually achieving and does doing that actually help? What if investigating further results in the operators abandoning the entire phishing-as-a-service operation?
In this talk, I'll be speaking about the journey and process I took to investigate a previously unknown phishing-as-a-service group that led to the operators completely shutting down their entire operation within days of publishing the report. I'll be going through some of the opsec failures, source code snippets, as well as other fun facts and examples about how threat actors make the same mistakes we do.
Insomnia by Kong is a popular API client, especially among developers and security testers. Marcio and Justin discovered a critical template injection vulnerability (CVE-2025-1087) in Insomnia, exposing users to remote command execution with just a couple of requests to a malicious HTTP server.
They will walk you through the story of how they stumbled upon the initial "weird behaviour" during a routine API penetration test, examine Insomnia's templating implementation, dive into exotic Nunjucks template injection, dissect their exploitation strategy, and show you how they bypassed several attempted patches by the vendor. They'll close with some thoughts on the disclosure and patching experience, discuss the fragility of quick-fix sanitisation-based mitigations, explore the challenges of bug triage in the real world, and consider how decisions made during software development can lead to trouble down the road.
A malware analysis workshop for beginners where attendees will analyze artifacts left behind by a LummaStealer malware infection in 3 stages:
- Investigate initial infection through browser artifacts
- Go through a pcap to understand how malware communicates with C2, performs exfiltration, plus find an easter egg left by the threat actor
- Uncover some additional details of the sample from sandbox reports and see how it behaves under different circumstances
The workshop will also be run CTF style for those who want to compete and test their skills!
Whether you’re a startup looking to rapidly deploy innovative solutions, an enterprise aiming to optimize operations, or a developer yearning to focus on creative problem-solving, providers like AWS, GCP and Azure have a cloud native service that can work for you. And in addition to helping these boring groups, cloud providers also offer amazing ways for attackers to hide their command and control traffic!
This talk will discuss cloud native services from the three major providers that can be abused to receive callbacks from compromised hosts into your C&C server in the cloud.
With the increasing incidence of critical vulnerabilities on next generation firewalls, vendors and their customers face significant challenges in keeping up with firmware patches, mitigating exploitation risks, and safeguarding their edge devices and organizations.
As an adversary, if you land on a next generation firewall, what could you do next to further compromise the target environment?
This talk addresses that question by examining how attackers can exploit weaknesses and overlooked features in these firewalls for maximum impact. A little-known detail is revisited: Palo Alto’s default master key (often left unchanged) can be leveraged to decrypt stored configuration secrets, exposing credentials and cryptographic keys previously thought to be secure. The speaker demonstrates how a compromised NGFW can be transformed from a security appliance into a valuable platform for credential harvesting, internal reconnaissance, and lateral movement. Beyond extracting sensitive data, an adversary can abuse built-in functionality to move deeper into the environment in ways most defenders have never considered. The speaker also details how the clientless VPN feature can be abused for internal network mapping, and how a threat actor may inject malicious code into VPN login portals to harvest credentials.
The strategies and techniques described in this talk are intended to equip both offensive and defensive security professionals with new approaches for targeting and protecting next generation firewalls. Understanding how perimeter devices can be subverted, and adopting proactive measures to harden and monitor them, is critical to maintaining the integrity of modern network environments.
Join us as we wrap up BSides Canberra 2025 with our closing ceremony! We'll celebrate the standout moments of the conference, recognise the incredible contributions of our community, and hand out awards for Locksport, Best New Speaker, Best Overall Speaker, the BlackBag competition, and our two-day Capture-the-Flag.
We'll also share our transparent financial breakdown - including how your support keeps the conference running - and give a sneak peek at what’s next for BSides Canberra. Come say farewell (for now), cheer on the winners, and help us close out another amazing year.