Olaf Hartong
olafhartong.nl
@olafhartong.nl
Security researcher with a camera | @FalconForce.nl | Microsoft MVP | Snow man role model | https://youtube.com/@olafhartong
Reposted by Olaf Hartong
We’re happy to join #WWHF once more. @olafhartong.nl has prepared a talk on some great #EDR (follow up) research he has been working on: “I’m In Your Logs Again; Spoofing and Causing Chaos”. Join him in-person or online on February 13!

Registration: wildwesthackinfest.com
January 19, 2026 at 2:45 PM
Reposted by Olaf Hartong
Microsoft recently published a new feature for Defender for Endpoint (#MDE) called Custom Collection.

@olafhartong.nl explains what Custom Collection is and how it works in his blog: falconforce.nl/microsoft-de...
November 20, 2025 at 1:10 PM
Reposted by Olaf Hartong
@olafhartong.nl presented his research at #KustoCon on using #Kusto and Kusto Graph for something magical. Olaf investigated if it was possible to do the same thing as #BloodHound, but then only using Kusto Graph. He showcased the need for attack path management.

Slides: github.com/olafhartong/...
November 11, 2025 at 2:25 PM
This is getting into unintentional art 😆 props to the hotel ppl following you and making sure you get these rooms.
October 12, 2025 at 1:50 PM
Reposted by Olaf Hartong
Last Friday, at BruCON 0X11, @olafhartong.nl showcased his research on how defensive tooling (#EDR) can provide attackers with opportunities for deception and disruption. Trusting your tooling blindly can be a mistake. You need to make sure you can rely on your security data.
September 29, 2025 at 8:29 AM
Reposted by Olaf Hartong
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-gl...
One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens
While preparing for my Black Hat and DEF CON talks in July of this year, I found the most impactful Entra ID vulnerability that I will probably ever find. One that could have allowed me to compromise ...
dirkjanm.io
September 17, 2025 at 1:20 PM
Reposted by Olaf Hartong
BruCON 0X11 is just a few days away. @olafhartong.nl will present his talk “I’m in your logs now, deceiving your analysts and blinding your EDR” on Friday Sept 26. Olaf will show how defensive tooling (EDRs) can provide attackers with opportunities for deception and disruption.
September 17, 2025 at 11:31 AM
Reposted by Olaf Hartong
COFFing out the Night Soil

aff-wg.org/2025/09/10/c...

A COFF-focused Crystal Palace update:

* internal COFF normalization & section group merging
* Crystal Palace can now export COFF
* I added COFF merging to the spec language too

Linker stuff.
COFFing out the Night Soil
I’m back with another update to the Tradecraft Garden project. Again, this release is focused on the Crystal Palace linker. My priority in this young project is to build the foundation first, then …
aff-wg.org
September 10, 2025 at 9:37 PM
Reposted by Olaf Hartong
Slides from @olafhartong.nl's talk at #bhusa (I’m in your logs now, deceiving your analysts and blinding your EDR) are available now: i.blackhat.com/BH-USA-25/Pr...
A big thank you to all participants who joined our 4-day Advanced Detection Engineering in the Enterprise training at BlackHat. It has been a pleasure to have such an engaging group of professionals. We also had a great time in Las Vegas at the #bhusa and #DEFCON conferences. Until next time!
August 29, 2025 at 8:37 AM
Thank you. Glad you liked the speed talk edition!
August 26, 2025 at 6:13 PM
During my #BHUSA talk I've released many ETW research tools, of which the most notable is BamboozlEDR. This tool allows you to inject events into ETW, allowing you to generate fake alerts and blind EDRs.

github.com/olafhartong/...

Slides available here:
github.com/olafhartong/...
GitHub - olafhartong/BamboozlEDR: A comprehensive ETW (Event Tracing for Windows) event generation tool designed for testing and research purposes.
A comprehensive ETW (Event Tracing for Windows) event generation tool designed for testing and research purposes. - olafhartong/BamboozlEDR
github.com
August 6, 2025 at 8:49 PM
Reposted by Olaf Hartong
It has been 5 years already! Together with 15 Falcons, we celebrated the 5-year anniversary of FalconForce in style. We teamed up in Greece and went on an amazing trip to sunny Santorini. A trip to remember 🇬🇷 ☀️ 🦅
June 6, 2025 at 7:17 AM
Reposted by Olaf Hartong
We are proud to introduce #dAWShund to the world: a framework for putting a leash on naughty AWS permissions. dAWShund helps blue and red teams find resources in #AWS, evaluate their access levels and visualize the relationships between them.

falconforce.nl/dawshund-fra...

#blueteaming #redteaming
April 11, 2025 at 11:55 AM
Reposted by Olaf Hartong
Upcoming new FalconForce Sentry Respond webinar! Register now: events.teams.microsoft.com/event/0447b5...

Join us on Tuesday 1 July 2025, 16:00h CEST, to get actionable insights on how we support #SOCs enhancing their efficiency. Facilitated by FalconForce specialists @olafhartong.nl and Henri.
March 21, 2025 at 2:26 PM
Reposted by Olaf Hartong
I wanted a script I could run on a new Windows box that would install sysmon with @olafhartong.nl's configs, and set logging best practices with Zach Mathis' (Yamato Security) "EnableWindowsLogSettings" configs.

So I made one! Feel free to inspect it and repurpose.

gist.github.com/ecapuano/42f...
A PowerShell script for installing Sysmon and enabling best-practice audit logs.
A PowerShell script for installing Sysmon and enabling best-practice audit logs. - better_event_logging.ps1
gist.github.com
March 1, 2025 at 8:12 PM
Looking forward to it. I’ve reported that issue to Microsoft almost 3y ago, it was closed as not important for immediate fixing. Persisted on the urge with several dev teams they have a kernel patch but still are reluctant to release it 😕 due to uncertainty whether it could cause disruption.
February 26, 2025 at 6:28 AM
I believe the stack covering westeu has longer running issues. Ingestion delays have been significantly higher there for over a year.
This is also the region where they have a huge client pool so I have a gut feeling that region needs some more hardware or restructuring due to the success.
February 26, 2025 at 6:20 AM
Reposted by Olaf Hartong
For the fourth consecutive year, we will be back in Las Vegas to facilitate our Advanced Detection Engineering in the Enterprise training!

Get your ticket before May 25. More information and registration: www.blackhat.com/us-25/traini...

#detectionengineering #training
February 14, 2025 at 11:06 AM
Reposted by Olaf Hartong
We held our first webinar and had a great time presenting our insights in delivering and maintaining high-fidelity bespoke detection content! Did you miss it? Or forgot to make a note? We got you covered with the recording and a PDF with the slides: falconforce.nl/webinar-sent...
January 23, 2025 at 2:36 PM
Thanks man, that means a lot. So are we 😄 We’re building something we think is super useful and hope to release that this year.
January 25, 2025 at 7:00 AM
Now I want that based on my region for in my office. Beautiful
January 24, 2025 at 7:15 PM
It’s amazing to realize that it has been 5 years already! So proud of the team of amazing individuals who I learn from and enjoy working with every day 🥂🎉🥳
We’re off to a great start in 2025! It is a special year for us, since we are celebrating our 5th anniversary. To celebrate this we made ourselves an AI-generated birthday cake that we would like to share with you. #happybirthday @falconforce.nl 🎉
January 24, 2025 at 3:07 PM
Today at 4PM CET / 3PM GMT / 10AM EST / 7AM PST, we'll host a webinar on our Managed Detection Engineering service. There is still time to join!

events.teams.microsoft.com/event/700051...

Looking forward to seeing you there.
Microsoft Virtual Events Powered by Teams
events.teams.microsoft.com
January 22, 2025 at 12:16 PM
Reposted by Olaf Hartong
In our latest blog, we follow Arnau (www.linkedin.com/in/arnauorte...) on his journey to leverage #WinRM plugins for lateral movement. A deep rabbit hole that ultimately led to a custom plugin, #BOF and a solid detection in our #FalconFriday repository 🦅 falconforce.nl/exploring-wi...
January 20, 2025 at 12:01 PM
This also accidentally mitigates several domain fronting opportunities for adversaries that could leverage several Microsoft.com subdomains for a long time.
January 13, 2025 at 6:08 PM