Jack Ullrich

@DownWithUpSec You might be interested in drstrace: drmemory.org/page_drstrace.…

AWStrace: Another Windows Strace attempt by me. Using a named pipe and shellcode inside the remote process, send registers back and pretty print the output.

The ZeroAccess Developer and His Windows Kernel-Mode Debugger: r136a1.dev/2025/10/28/zer…

The Azure AD Broker plays a key role in Entra ID sign-in & token handling, but how well do we really understand it? @winternl_t unpacks its on-disk cache, how to decode it, & the security implications. 🔐 ghst.ly/4oTR4v5

Can we eliminate the C2 server entirely and create truly autonomous malware? On the Dreadnode blog, Principal Security Researcher @0xdab0 details how we developed an entirely local, C2-less malware that can autonomously discover and exploit one type of privilege escalation vulnerability. A future where fully autonomous red team assessments are powered by nothing more than a pre-installed local model and a Lua interpreter may be closer than you’d imagine. Read about it here: dreadnode.io/blog/lolmil-li…

Zero-Day used by Stealth Falcon APT group in a spear-phishing campaign: 💥 .URL file exploitation (assigned CVE-2025-33053) 🧰 Custom Mythic implants, LOLBins, and custom payloads 🌍 High-profile targets across the Middle East and Africa research.checkpoint.com/2025/stealth-f…

I'm excited to announce the EMBER2024 dataset, created in collaboration with @mrphilroth, @drhyrum, @EdwardRaffML, @rjzak, and others. The dataset brings an update of 3.2 million malicious and benign files first seen between Sep. 2023 and Dec. 2024. arxiv.org/pdf/2506.05074

Loader Lock Ownership Semantics by @winternl_t winternl.com/loader-lock-ow…

Here is my recent DEF CON talk on Anom, the encrypted phone secretly ran by the FBI. All about the phone, the network, how Anom was structured, who used it, what this means for Signal, Telegram, more youtube.com/watch?v=uFyk5U…

New post detailing a bug found & fixed in donut's reflective loader winternl.com/fixing-a-bug-i…

Why is there a debug directory in release builds? (MSVC) winternl.com/why-is-there-a…

@vxunderground youtube.com/watch?v=CYsiiV…

Today Kaspersky issued a goodbye letter to it's American customers. We are going to miss Kaspersky. Kaspersky was always a solid AV product and the research they conducted was always excellent.

@timmisiak I wonder if @AirbusSecLab has done anything related to this. Qantas Flight 72, involving an A330, likely involved a random bit flip

I just thought of an experiment I want to try... if a program memory starts getting flipped bits at random, what is the expected number/percent of bits flipped before the program crashes?

@TartanLlama awesome work!

I wrote a massive blog post containing many of the things the C++ team at Microsoft worked on last year, please read it for my gratification, thanks devblogs.microsoft.com/cppblog/a-year…

@chompie1337 @FuzzySec nice talk but lol who OK'd these autogenerated captions youtu.be/t7Rx3crobZU?si…

Rootkits, keyloggers, and DKOM (oh my!). The video is finally up for @FuzzySec and I’s BlackHat talk: Close encounters of the advanced persistent kind: Leveraging rootkits for post-exploitation. Check it out ☺️ youtu.be/t7Rx3crobZU?si…

@rainer_grimm Thank you for sharing your story. Your mentorship programs and blog are invaluable resources. Keep going.

My ALS Journey: 2/n As promised, here is what happened in the last three weeks: modernescpp.com/index.php/my-a…. #cpp #cplusplus #als

@Octoberfest73 @filip_dragovic Meet mature and operational BOFs in your area

Tool drop Thursday! Enjoy a mature and operational CobaltStrike BOF of CVE-2023-36874 Windows Error Reporting Local Privilege Escalation. Patch your machines people. github.com/Octoberfest7/C… Thanks to @filip_dragovic for his work. #redteam #cybersecurity #cobaltstrike #malware

The recording of our (CC @m_u00d8) updated talk on next-gen virtualization-based obfuscators from #HITB2023AMS is now online. Recording: youtube.com/watch?v=DRH0oR… Slides: synthesis.to/presentations/…

Been sitting on this for a minute. Much more #AzureAD and #OAuth tradecraft to come. posts.specterops.io/id-tap-that-pa…

Found this LPE by hunting for leaked handles as described by @last0x00 here: aptw.tf/2022/02/10/lea…