NTFS Owner Rights for Logging

I recently stumbled across the NTFS Owner Rights security principal. This is an obscure security principal that is used to restrict the rights that the owner of the file has. This can come in handy when hardening endpoints in corporate environments. Frequently, we encounter software that has to ...

Public IP Hijacking over LAN

This is a topic that is not commonly discussed. Most articles about IP hijacking deal with the subject at the ISP level, i.e. hijacking of BGP protocol. However, IP hijacking can be performed on the LAN as well. It is possible to use static routes at the gateway to route a public IP address to ...

Authenticating with NRIC numbers v2

4 years ago, I wrote about why we should not use NRIC numbers for authentication. Unfortunately, this mistake was repeated and it can be exploited today to claim free masks from the government. This video shows the exact process to claim one free mask per NRIC. Unfortunately, there is no 2FA. ...

Intelligence-led Red Teaming

When conducting Red Team attacks, I believe it is important to use an intelligence-led approach when doing scenario planning. This is sometimes also known as threat actor emulation. Such an approach involves doing prior background research on the threat actors targeting that specific industry, ...

Crash Windows Event Logging Service

While writing an event log cleaner, I accidentally stumbled upon a way to crash the Windows Event Logging service. This is interesting because crashing the logging service would mean that further adversary actions will not be logged. Hence, this would come in useful for a red team exercise. I ...

Interesting DLL exports

Found a couple of interesting DLL exports while hunting for LOLBAS. Most of these have not been documented as far as I know. There are potentially a lot more out there, the system was behaving strangely when enumerating the list of exports. Unfortunately, I do not know of a good way to ...

Expanding on Pyramid of Pain

I believe most threat hunters would already be familiar with the Pyramid of Pain. Most hunters aim to detect artefacts and tools, as they are higher up the pyramid. However, there is scarce information available to guide them in doing so. Using my red team knowledge, I would like to expand on ...

OSCE review

I have written an OSCP review and a SANS SEC660 review a few years ago. As time passes, I find these reviews harder and harder to write. Over the years, I have learnt on the job, through my own research and through such courses and CTFs. All this prior knowledge has made it very difficult for ...