Writing
Notes from the field
Research, forensics deep-dives, and incident write-ups.
2026
- HTB Checkpoint Writeup Jun 16 Walking through HTB Checkpoint, a medium difficulty Windows AD box on HackTheBox. Full write-up coming once the box is retired.
- HTB Connected Writeup Jun 8 Walking through HTB Connected, an easy difficulty Linux box running a FreePBX/Asterisk VoIP stack. Full write-up coming once the box is retired.
- @@CyBAAA Part 2: Decoding the GUID and Building the Detection May 27 Part 2: After identifying the @@CyBAAA marshaled principal, the next question was whether the GUID could be recovered from network telemetry alone. This post covers the static decode table, the two-GUID problem in CredWom, the ExtraHop trigger design, and the full remediation path.
- Credential Guard Ate My Username (@@CyBAAA and What It Means) May 20 How a marshalled credential string masquerading as a username in Event 4625 led me deep into the Windows CredMarshalCredentialW API, Task Scheduler internals and Credential Guard.
- Decrypting ADWS Traffic Feb 24 Peeling Back the Layers of .NET Message Security
- HTB Sauna Writeup Feb 14 Walking through HTB Sauna, an easy Windows box covering AS-REP Roasting, AutoLogon credential harvesting, and DCSync abuse in Active Directory.
2025
2024
- Prefetch and Antiforensics on Windows 11 Sep 1 Prefetch Anti-Forensics on Windows 11
- Android malware analysis Jun 11 Analysing an android telegram infostealer
- Using SQLite to query super old iPhone backups May 17 Using SQLite to query iPhone backups
- Preparing for and passing the CISSP Exam Jan 11 Preparing for and passing the CISSP Exam