Blog
Offensive tradecraft, evasion research, and red team engineering.
The Token Game
The keys to the kingdom are kernel objects, not passwords
Access tokens control everything in Windows. Who you are, what you can touch, where you can go. Most operators treat them as an afterthought. That's a mistake.

Trust is a Graph Problem
Active Directory trusts visualised as attack paths
Every AD trust is an edge in an attack graph. Bidirectional trusts double the attack surface. SID filtering is the only real boundary, and most orgs don't enforce it.

Bring Your Own LOLBin
Finding execution primitives that AV vendors haven't signatured yet
The public LOLBAS list has over 200 entries and every AV vendor signatures them. The interesting ones are the signed binaries you find yourself that nobody has reported yet.

Unhook Before You Walk
Restoring ntdll to factory settings in 20 lines of code
EDR hooks ntdll.dll to intercept every syscall you make. A clean copy is sitting on disk, waiting to be mapped over the hooked one. Here's how and when it actually matters.

AMSI is a Screen Door
6 bytes between you and arbitrary code execution
Microsoft built an entire antimalware scanning interface into the runtime. It takes 6 bytes to turn it off. Here's why AMSI was never a real security boundary and why every bypass keeps working.

Your Pipe is Showing
Every potato exploit is just a creative pipe trick
JuicyPotato, PrintSpoofer, GodPotato, SweetPotato. They all do the same thing. Trick a privileged process into connecting to your named pipe, then steal the token. Here's how it actually works.

svchost is a Honeypot
Why your injection target matters more than your loader
Everyone injects into svchost. Defender knows this. Your choice of sacrifice process matters more than your shellcode loader. Here's what to use instead.