Original security research focusing on Active Directory attack surfaces, GPO exploitation paths, Linux kernel vulnerabilities, detection engineering, and defense-in-depth hardening frameworks. Blue Team perspective on emerging threat models, backed by DSC configurations, SACL auditing, and SIEM detection rules, alongside offensive analysis such as page cache exploitation.
High school student from Vietnam passionate about offensive security, binary exploitation, and Active Directory attacks. Member of W4LLZ CTF team.
Local privilege escalation to root via rxgk_decrypt_skb: a missing Copy-On-Write (COW) guard in the Linux kernel rxgk module lets an unprivileged user bypass COW protection and write directly into the page cache. This research analyzes the root cause, walks through a 5-step exploit chain from unprivileged user to root shell, compares the bug with the page cache vulnerability family (Copy Fail, Dirty Frag, Fragnesia), and covers the disclosure timeline, mitigation, and a Red Team perspective. Affected distros: Fedora, Arch Linux, openSUSE. A public PoC is available; no in-the-wild exploitation has been recorded yet.
Advanced detection and auditing framework for the ShadowPolicy threat model: GPO Preference Scheduled Task XML injection through modification of SYSVOL state in Windows Server 2022 / Active Directory environments. Covers the complete attack chain from GPO Editor access to SYSTEM-level RCE across the entire domain, four critical logic flaws in the GPO Preference design, alternative execution vectors (ScheduledTasks.xml and Registry.xml), and a full defensive architecture built on PowerShell DSC hardening, SACL auditing, integrity monitoring, and SIEM detection rules (KQL + Sigma).
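As an added illustration of the SACL auditing piece of that defensive architecture (example code written here, not taken from the ShadowPolicy post), the snippet below places an audit ACE on the SYSVOL Policies tree so that any write, delete or ACL change to Group Policy Preference files such as ScheduledTasks.xml or Registry.xml produces a Security event 4663, then pulls the matching events back out. The domain name and SYSVOL path are placeholders, and the script assumes it runs on a domain controller under an account holding SeSecurityPrivilege (needed to read and write a SACL).

```powershell
# Added example, not the original post's code. Audit writes to GPO Preference
# XML files in SYSVOL via a SACL, then query the resulting 4663 events.
# Assumptions: domain name and path are placeholders; run on a DC with
# SeSecurityPrivilege; "Audit File System" must be enabled for 4663 to fire.
$Domain       = 'corp.example'                               # assumed
$PoliciesPath = "\\$Domain\SYSVOL\$Domain\Policies"          # assumed path

# Rights that change file content or its security descriptor. Attackers with
# GPO Editor access write legitimately, so Success audits are what matter.
$Rights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
          [System.Security.AccessControl.FileSystemRights]::AppendData -bor
          [System.Security.AccessControl.FileSystemRights]::Delete -bor
          [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
          [System.Security.AccessControl.FileSystemRights]::TakeOwnership

$AuditRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    $Rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success
)

# Get-Acl only reads the SACL when -Audit is given; Set-Acl writes it back.
$Acl = Get-Acl -Path $PoliciesPath -Audit
$Acl.AddAuditRule($AuditRule)
Set-Acl -Path $PoliciesPath -AclObject $Acl

# Turn on the object-access subcategory on this DC (or push it via GPO).
auditpol /set /subcategory:"File System" /success:enable

# Confirm the SACL entry was applied.
(Get-Acl -Path $PoliciesPath -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# Pull 4663 events whose object path points at a Preferences XML file.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 |
    Where-Object { $_.Message -match 'Preferences\\.*\.xml' } |
    Select-Object TimeCreated,
                  @{ n = 'Subject'; e = { ($_.Message -split "`n" | Select-String 'Account Name:')[0].ToString().Trim() } },
                  @{ n = 'Object';  e = { ($_.Message -split "`n" | Select-String 'Object Name:').ToString().Trim() } }
```

The audit rule is inherited by every GPO folder under Policies, so new GPOs are covered without re-running the script; forward the 4663 events to the SIEM and key the KQL or Sigma rule on the object path containing `\Preferences\` and ending in `.xml`, which is the same signal the query at the end filters on locally.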