Olaf Hartong
@olafhartong.nl
Security researcher with a camera | @FalconForce.nl | Microsoft MVP | Snow man role model | https://youtube.com/@olafhartong
Reposted by Olaf Hartong
@olafhartong.nl presented his research at #KustoCon on using #Kusto and Kusto Graph for something magical. Olaf investigated whether it was possible to do the same thing as #BloodHound, but using only Kusto Graph. He showcased the need for attack path management.

Slides: github.com/olafhartong/...
November 11, 2025 at 2:25 PM
Reposted by Olaf Hartong
Last Friday, at BruCON 0X11, @olafhartong.nl showcased his research on how defensive tooling (#EDR) can provide attackers with opportunities for deception and disruption. Trusting your tooling blindly can be a mistake. You need to make sure you can rely on your security data.
September 29, 2025 at 8:29 AM
Reposted by Olaf Hartong
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-gl...
One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens
While preparing for my Black Hat and DEF CON talks in July of this year, I found the most impactful Entra ID vulnerability that I will probably ever find. One that could have allowed me to compromise ...
dirkjanm.io
September 17, 2025 at 1:20 PM
Reposted by Olaf Hartong
BruCON 0X11 is just a few days away. @olafhartong.nl will present his talk “# I’m in your logs now, deceiving your analysts and blinding your EDR” on Friday Sept 26. Olaf will show how defensive tooling (EDRs) can provide attackers with opportunities for deception and disruption.
September 17, 2025 at 11:31 AM
Reposted by Olaf Hartong
COFFing out the Night Soil

aff-wg.org/2025/09/10/c...

A COFF-focused Crystal Palace update:

* internal COFF normalization & section group merging
* Crystal Palace can now export COFF
* I added COFF merging to the spec language too

Linker stuff.
COFFing out the Night Soil
I’m back with another update to the Tradecraft Garden project. Again, this release is focused on the Crystal Palace linker. My priority in this young project is to build the foundation first, then …
aff-wg.org
September 10, 2025 at 9:37 PM
Reposted by Olaf Hartong
Slides from @olafhartong.nl's talk at #bhusa (I’m in your logs now, deceiving your analysts and blinding your EDR) are available now: i.blackhat.com/BH-USA-25/Pr...
A big thank you to all participants who joined our 4-day Advanced Detection Engineering in the Enterprise training at BlackHat. It has been a pleasure to have such an engaging group of professionals. We also had a great time in Las Vegas at the #bhusa and #DEFCON conferences. Until next time!
August 29, 2025 at 8:37 AM
During my #BHUSA talk I released many ETW research tools, of which the most notable is BamboozlEDR. This tool allows you to inject events into ETW, allowing you to generate fake alerts and blind EDRs.

github.com/olafhartong/...

Slides available here:
github.com/olafhartong/...
GitHub - olafhartong/BamboozlEDR: A comprehensive ETW (Event Tracing for Windows) event generation tool designed for testing and research purposes.
A comprehensive ETW (Event Tracing for Windows) event generation tool designed for testing and research purposes. - olafhartong/BamboozlEDR
github.com
August 6, 2025 at 8:49 PM
Reposted by Olaf Hartong
It has been 5 years already! Together with 15 Falcons, we celebrated the 5-year anniversary of FalconForce in style. We teamed up in Greece and went on an amazing trip to sunny Santorini. A trip to remember 🇬🇷 ☀️ 🦅
June 6, 2025 at 7:17 AM
Reposted by Olaf Hartong
We are proud to introduce #dAWShund to the world: a framework for putting a leash on naughty AWS permissions. dAWShund helps blue and red teams find resources in #AWS, evaluate their access levels and visualize the relationships between them.

falconforce.nl/dawshund-fra...

#blueteaming #redteaming
April 11, 2025 at 11:55 AM
Reposted by Olaf Hartong
Upcoming new FalconForce Sentry Respond webinar! Register now: events.teams.microsoft.com/event/0447b5...

Join us on Tuesday 1 July 2025, 16:00h CEST, to get actionable insights on how we support #SOCs in enhancing their efficiency. Facilitated by FalconForce specialists @olafhartong.nl and Henri.
March 21, 2025 at 2:26 PM
Reposted by Olaf Hartong
I wanted a script I could run on a new Windows box that would install sysmon with @olafhartong.nl's configs, and set logging best practices with Zach Mathis' (Yamato Security) "EnableWindowsLogSettings" configs.

So I made one! Feel free to inspect it and repurpose.

gist.github.com/ecapuano/42f...
A PowerShell script for installing Sysmon and enabling best-practice audit logs.
A PowerShell script for installing Sysmon and enabling best-practice audit logs. - better_event_logging.ps1
gist.github.com
March 1, 2025 at 8:12 PM
Reposted by Olaf Hartong
For the fourth consecutive year, we will be back in Las Vegas to facilitate our Advanced Detection Engineering in the Enterprise training!

Get your ticket before May 25. More information and registration: www.blackhat.com/us-25/traini...

#detectionengineering #training
February 14, 2025 at 11:06 AM
Reposted by Olaf Hartong
We held our first webinar and had a great time presenting our insights in delivering and maintaining high-fidelity bespoke detection content! Did you miss it? Or forgot to make a note? We got you covered with the recording and a PDF with the slides: falconforce.nl/webinar-sent...
January 23, 2025 at 2:36 PM
It’s amazing to realize that it has been 5 years already! So proud of the team of amazing individuals who I learn from and enjoy working with every day 🥂🎉🥳
We’re off to a great start in 2025! It is a special year for us, since we are celebrating our 5th anniversary. To celebrate this we made ourselves an AI-generated birthday cake that we would like to share with you. #happybirthday @falconforce.nl 🎉
January 24, 2025 at 3:07 PM
Today at 4PM CET / 3PM GMT / 10AM EST / 7AM PST, we'll host a webinar on our Managed Detection Engineering service. There is still time to join!

events.teams.microsoft.com/event/700051...

Looking forward to seeing you there.
Microsoft Virtual Events Powered by Teams
events.teams.microsoft.com
January 22, 2025 at 12:16 PM
Reposted by Olaf Hartong
In our latest blog, we follow Arnau (www.linkedin.com/in/arnauorte...) on his journey to leverage #WinRM plugins for lateral movement. A deep rabbit hole that ultimately led to a custom plugin, #BOF and a solid detection in our #FalconFriday repository 🦅 falconforce.nl/exploring-wi...
January 20, 2025 at 12:01 PM
Reposted by Olaf Hartong
Achievement unlocked, my first blog with SpecterOps 🤗 This post looks at ADFS OAuth2 support, Device Registration, Enterprise PRT, and a brain dump of things that I didn’t want to leave sat on Notion. buff.ly/4j41VQU
ADFS — Living in the Legacy of DRS
It’s no secret that Microsoft have been trying to move customers away from ADFS for a while. Short of slapping a “deprecated” label on it…
buff.ly
January 7, 2025 at 2:33 PM
Adding to my ETW research toolkit, a tiny program to consume information from a provider with as little overhead as possible.

PockETWatcher, a tool to get the essential information from an ETW provider to the CLI or a JSON file

github.com/olafhartong/...
GitHub - olafhartong/PockETWatcher: a tiny program to consume an ETW trace for research
a tiny program to consume an ETW trace for research - olafhartong/PockETWatcher
github.com
January 4, 2025 at 9:15 PM
While working on some ETW research I whipped up this dirty script to enumerate registered TraceLogging providers and, more importantly, their DACLs, which I mostly needed.

gist.github.com/olafhartong/...
January 3, 2025 at 2:11 PM
FalconHound 1.4.2 is out!

* Added Managed identity authentication for Azure based inputs (KeyVaults, MDE, Sentinel, GraphAPI)
* Added report command line option and actions
* Added HTML output option

Grab it here > github.com/FalconForceT...
Releases · FalconForceTeam/FalconHound
FalconHound is a blue team multi-tool. It allows you to utilize and enhance the power of BloodHound in a more automated fashion. It is designed to be used in conjunction with a SIEM or other log ag...
github.com
December 30, 2024 at 4:09 PM
Reposted by Olaf Hartong
No sleep for us! We will facilitate a 3-day workshop version of our Advanced Detection Engineering in the Enterprise training at #insomnihack in Switzerland. Registration is open! Information and registration: insomnihack.ch/workshops/ad...

#detectionengineering #training #purpleteam
December 20, 2024 at 9:49 AM
Reposted by Olaf Hartong
Upcoming FalconForce Sentry Detect webinar! Register now: events.teams.microsoft.com/event/700051... Join us on Wed 22 January 2025, 16:00h CET, to get actionable insights on how we deliver and maintain high-fidelity bespoke detection content. Facilitated by @olafhartong.nl and Henri (x.com/0xffhh).
December 17, 2024 at 1:10 PM
Detection Engineering is sometimes hard, and may fail. Still, a lot of things can be learned from the process. In this blog I cover a lot. I had a detection; currently it's broken, but MS is on it :D

medium.com/falconforce/...
Detection engineering rabbit holes — parsing ASN.1 packets in KQL
TL;DR: Detection engineering is sometimes hard. Your efforts may seem to have failed, but perseverance can pay off. Or you can still fail…
medium.com
December 16, 2024 at 2:37 PM
Reposted by Olaf Hartong
At this year's #DEATHCon I was fortunate enough to present my workshop on #Kusto graph semantics. Now I release it for free to everybody.

#KQL #Security #Kraph
Workshop: Kusto Graph Semantics Explained
Ho, ho, ho… In Germany on the 6th of December we celebrate “Nikolaus”. Kids put out one shoe the night before in the hopes that, in the morning, it is filled with nuts, mandarin oranges, chocolate...
cloudbrothers.info
December 6, 2024 at 6:49 AM