Olaf Hartong
@olafhartong.nl
1.7K followers 210 following 40 posts
Security researcher with a camera | @FalconForce.nl | Microsoft MVP | Snow man role model | https://youtube.com/@olafhartong
Reposted by Olaf Hartong
falconforce.nl
Last Friday, at BruCON 0X11, @olafhartong.nl showcased his research on how defensive tooling (#EDR) can provide attackers with opportunities for deception and disruption. Trusting your tooling blindly can be a mistake. You need to make sure you can rely on your security data.
Reposted by Olaf Hartong
dirkjanm.io
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-gl...
One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens
While preparing for my Black Hat and DEF CON talks in July of this year, I found the most impactful Entra ID vulnerability that I will probably ever find. One that could have allowed me to compromise ...
dirkjanm.io
Reposted by Olaf Hartong
falconforce.nl
BruCON 0X11 is just a few days away. @olafhartong.nl will present his talk “# I’m in your logs now, deceiving your analysts and blinding your EDR” on Friday Sept 26. Olaf will show how defensive tooling (EDRs) can provide attackers with opportunities for deception and disruption.
Reposted by Olaf Hartong
raphaelmudge.bsky.social
COFFing out the Night Soil

aff-wg.org/2025/09/10/c...

A COFF-focused Crystal Palace update:

* internal COFF normalization & section group merging
* Crystal Palace can now export COFF
* I added COFF merging to the spec language too

Linker stuff.
I’m back with another update to the Tradecraft Garden project. Again, this release is focused on the Crystal Palace linker. My priority in this young project is to build the foundation first, then …
aff-wg.org
Reposted by Olaf Hartong
falconforce.nl
Slides from @olafhartong.nl's talk at #bhusa (I’m in your logs now, deceiving your analysts and blinding your EDR) are available now: i.blackhat.com/BH-USA-25/Pr...
falconforce.nl
A big thank you to all participants who joined our 4-day Advanced Detection Engineering in the Enterprise training at BlackHat. It has been a pleasure to have such an engaging group of professionals. We also had a great time in Las Vegas at the #bhusa and #DEFCON conferences. Until next time!
olafhartong.nl
Thank you. Glad you liked the speed talk edition!
Reposted by Olaf Hartong
falconforce.nl
It has been 5 years already! Together with 15 Falcons, we celebrated the 5-year anniversary of FalconForce in style. We teamed up in Greece and went on an amazing trip to sunny Santorini. A trip to remember 🇬🇷 ☀️ 🦅
Reposted by Olaf Hartong
falconforce.nl
We are proud to introduce #dAWShund to the world: a framework for putting a leash on naughty AWS permissions. dAWShund helps blue and red teams find resources in #AWS, evaluate their access levels and visualize the relationships between them.

falconforce.nl/dawshund-fra...

#blueteaming #redteaming
Reposted by Olaf Hartong
falconforce.nl
Upcoming new FalconForce Sentry Respond webinar! Register now: events.teams.microsoft.com/event/0447b5...

Join us on Tuesday 1 July 2025, 16:00h CEST, to get actionable insights on how we support #SOCs in enhancing their efficiency. Facilitated by FalconForce specialists @olafhartong.nl and Henri.
Reposted by Olaf Hartong
eric.zip
I wanted a script I could run on a new Windows box that would install sysmon with @olafhartong.nl's configs, and set logging best practices with Zach Mathis' (Yamato Security) "EnableWindowsLogSettings" configs.

So I made one! Feel free to inspect it and repurpose.

gist.github.com/ecapuano/42f...
A PowerShell script for installing Sysmon and enabling best-practice audit logs. - better_event_logging.ps1
gist.github.com
olafhartong.nl
Looking forward to it. I reported that issue to Microsoft almost 3 years ago; it was closed as not important enough for immediate fixing. I kept pressing the urgency with several dev teams; they have a kernel patch but are still reluctant to release it 😕 due to uncertainty over whether it could cause disruption.
olafhartong.nl
I believe the stack covering westeu has longer running issues. Ingestion delays have been significantly higher there for over a year.
This is also the region where they have a huge client pool so I have a gut feeling that region needs some more hardware or restructuring due to the success.
Reposted by Olaf Hartong
falconforce.nl
For the fourth consecutive year, we will be back in Las Vegas to facilitate our Advanced Detection Engineering in the Enterprise training!

Get your ticket before May 25. More information and registration: www.blackhat.com/us-25/traini...

#detectionengineering #training
Reposted by Olaf Hartong
falconforce.nl
We held our first webinar and had a great time presenting our insights in delivering and maintaining high-fidelity bespoke detection content! Did you miss it? Or forgot to make a note? We got you covered with the recording and a PDF with the slides: falconforce.nl/webinar-sent...
olafhartong.nl
Thanks man, that means a lot. So are we 😄 We’re building something we think is super useful and hope to release that this year.
olafhartong.nl
Now I want that, based on my region, for my office. Beautiful
olafhartong.nl
It’s amazing to realize that it has been 5 years already! So proud of the team of amazing individuals who I learn from and enjoy working with every day 🥂🎉🥳
falconforce.nl
We’re off to a great start in 2025! It is a special year for us, since we are celebrating our 5th anniversary. To celebrate this we made ourselves an AI-generated birthday cake that we would like to share with you. #happybirthday @falconforce.nl 🎉
olafhartong.nl
Today at 4PM CET / 3PM GMT / 10AM EST / 7AM PST, we'll host a webinar on our Managed Detection Engineering service. There is still time to join!

events.teams.microsoft.com/event/700051...

Looking forward to seeing you there.
Microsoft Virtual Events Powered by Teams
events.teams.microsoft.com
Reposted by Olaf Hartong
falconforce.nl
In our latest blog, we follow Arnau (www.linkedin.com/in/arnauorte...) on his journey to leverage #WinRM plugins for lateral movement. A deep rabbit hole that ultimately led to a custom plugin, a #BOF and a solid detection in our #FalconFriday repository 🦅 falconforce.nl/exploring-wi...
olafhartong.nl
This also accidentally mitigates several domain fronting opportunities for adversaries that could leverage several Microsoft.com subdomains for a long time.
Reposted by Olaf Hartong
xpnsec.com
XPN @xpnsec.com · Jan 7
Achievement unlocked, my first blog with SpecterOps 🤗 This post looks at ADFS OAuth2 support, Device Registration, Enterprise PRT, and a brain dump of things that I didn’t want to leave sat on Notion. buff.ly/4j41VQU
ADFS — Living in the Legacy of DRS
It’s no secret that Microsoft have been trying to move customers away from ADFS for a while. Short of slapping a “deprecated” label on it…
buff.ly
olafhartong.nl
Unreliable people!
olafhartong.nl
At least I’m happy to see them use the metric system, the only proper standard.
olafhartong.nl
Obviously, there are way more mature tools like SilkETW, Sealighter and ETWInspector. These tools are amazing. I just needed something fast and with basic CLI output while doing research on providers and certain events. This was just easier than reconfiguring them constantly.