handle: azqzazq1
roles:
- Security Researcher
- Red Team Engineer
- Vulnerability Analyst
- System-Level Security Specialist
focus:
- Linux / Windows privilege boundaries
- Offensive security research
- Cloud & container attack surfaces
- Root cause analysis & exploit path engineering
- Coordinated disclosure & CVE research
philosophy:
- systems are layered trust models
- assumptions fail before software does
- observation is not always reality

Research conducted on a Linux system component involving authorization logic and privilege boundary handling.
The issue was identified during advanced Red Team and system-level security research and responsibly disclosed to the vendor.
+ Research Area : Linux Authorization Logic
+ Scope : Privilege Boundary Analysis
+ Disclosure : Coordinated with Vendor
+ CVE Status : Assigned
- Technical Data : Temporarily Withheld

Full technical analysis and root cause breakdown will be published after coordinated disclosure timelines are completed.
World-first technical analysis of IceWarp CVE-2025-14500, including root cause review and exploitation surface mapping.
+ Research Type : Reverse Engineering
+ Focus : Exploitation Surface Mapping
+ Output : Public Technical Analysis
+ Status : Published

A Red Team research technique focused on changing what defensive systems believe they observed.
Instead of disabling telemetry or terminating agents, this research explores runtime syscall observation and controlled data transformation using eBPF.
+ Technique : eBPF Telemetry Redaction
+ Layer : Syscall Observation Layer
+ Surface : Security Telemetry Streams
+ Model : Runtime Data Transformation
+ Principle : Observation ≠ Reality

NORMAL TELEMETRY FLOW
process → syscall → agent → SIEM → analyst

RESEARCHED ATTACK MODEL
process → syscall → eBPF layer → agent → SIEM
                    └─ selective transformation
Security systems do not directly observe reality. They observe interpreted runtime data streams.
A Red Team research technique that bypasses AppArmor mandatory access control using eBPF — without disabling it, without modifying it, and without leaving a single audit log entry.
LID attaches a BPF kprobe to the kernel's file-open path and rewrites the filename in user memory before the LSM framework checks it. AppArmor enforces the wrong path. The process reads the protected file.
+ Technique : eBPF Pre-LSM Pathname Rewriting
+ Layer : Syscall Argument Manipulation
+ Surface : LSM Security Decision Input
+ Target : AppArmor (pathname-based MAC)
+ Audit Trail : Zero — denial never occurs
+ Principle : The gate was never breached. It was misdirected.

LID + SUNNYDAYBPF + SUNNYMAPBPF — COMBINED ATTACK MODEL

          ┌──── LID rewrites path ────┐
          │                           │
process → syscall → LSM check → VFS → success
                        │
     ┌── SunnyDayBPF ───┘                    ┌── SunnyMapBPF
     │                                       │
agent → SIEM → analyst sees nothing          │ agent.maps = 0
                                             │ telemetry = dead
                                             └→ agent reports healthy
LID bypasses the security gate. SunnyDayBPF rewrites what the cameras record. SunnyMapBPF kills the cameras entirely. Combined: ghost access, zero telemetry.
A research artifact demonstrating that eBPF-based security monitors (Falco, Tracee, Tetragon) do not protect their own runtime BPF map state against same-privilege tampering.
Instead of killing the agent or modifying config files, this technique writes directly to the kernel-resident BPF maps that control event generation — suppressing all telemetry silently.
+ Technique : BPF Map State Poisoning
+ Layer : Kernel BPF Subsystem (bpf() syscall)
+ Surface : Security Tool Runtime State
+ Targets : Falco, Tracee, Tetragon
+ Result : 100% telemetry suppression, zero logs, zero crashes
+ Principle : The monitor is running. It just can't see.

SUNNYMAPBPF — CROSS-TOOL TELEMETRY SUPPRESSION
TRACEE: config_map.enabled_policies = 0 → all events dropped
TETRAGON: execve_calls prog_array emptied → tail calls fail silently
FALCO: interesting_syscalls[*] = 0 → every syscall skipped
Common trait: no tool uses bpf_map_freeze() or runtime integrity checks.
The monitor stays alive. The telemetry dies.
The tools watch the kernel. Nothing watches the tools.
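The missing runtime integrity check named above, as an added defensive example (not code from the original page or from Falco, Tracee or Tetragon): snapshot the control maps at agent start-up and diff every later dump against that baseline, so a zeroed policy flag, an emptied prog_array or a cleared syscall filter raises an alert while the agent still reports healthy. The dump layout (loosely modelled on `bpftool map dump -j`), the map names and both snapshots are constructed assumptions.

```python
import json

# Constructed baseline snapshot taken at agent start-up. Assumed layout,
# loosely modelled on `bpftool map dump -j`: per map, a list of entries
# whose key and value are byte arrays. Map names follow the passage above.
BASELINE = {
    "config_map": [{"key": [0], "value": [1, 0, 0, 0]}],            # enabled_policies = 1
    "execve_calls": [{"key": [0], "value": [12]}, {"key": [1], "value": [13]}],
    "interesting_syscalls": [{"key": [59], "value": [1]}, {"key": [257], "value": [1]}],
}
CLEAN = json.dumps(BASELINE)

# Constructed later snapshot showing the three kinds of tampering the text lists.
TAMPERED = json.dumps({
    "config_map": [{"key": [0], "value": [0, 0, 0, 0]}],            # policies zeroed
    "execve_calls": [],                                              # prog_array emptied
    "interesting_syscalls": [{"key": [59], "value": [0]}, {"key": [257], "value": [1]}],
})


def diff_maps(baseline, current):
    """Return findings for control maps whose contents drifted from the
    baseline. Nothing legitimate rewrites these maps after start-up, so
    any drift (zeroed value, removed entry, vanished map) is an alert."""
    findings = []
    for name, base_entries in baseline.items():
        cur_entries = current.get(name)
        if cur_entries is None:
            findings.append(f"{name}: map missing from current dump")
            continue
        base = {tuple(e["key"]): list(e["value"]) for e in base_entries}
        cur = {tuple(e["key"]): list(e["value"]) for e in cur_entries}
        for key in sorted(base.keys() - cur.keys()):
            findings.append(f"{name}: entry {list(key)} removed")
        for key in sorted(base.keys() & cur.keys()):
            if base[key] != cur[key]:
                findings.append(f"{name}: entry {list(key)} changed {base[key]} -> {cur[key]}")
    return findings


def check_dump(dump_json, baseline=BASELINE):
    """Parse one JSON map dump (e.g. a periodic bpftool snapshot) and
    compare it against the start-up baseline."""
    return diff_maps(baseline, json.loads(dump_json))


if __name__ == "__main__":
    for finding in check_dump(TAMPERED):
        print("ALERT", finding)
```

Freezing the maps with bpf_map_freeze() after loading would stop the writes outright; the diff above is the fallback that at least makes them visible.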
First public PoC research and attack surface validation for MCP36.
+ Type : Proof of Concept
+ Focus : Attack Surface Research
+ Status : Published

Kernel-level privilege escalation research tooling and Linux exploit framework.
+ Type : Offensive Tooling
+ Focus : Kernel PrivEsc Research
+ Mode : Modular Framework

A novel NTLM hash cracking algorithm that models human password creation as a structured probabilistic process. No wordlists, no OSINT, no GPU — pure algorithmic pattern decomposition.
+ Algorithm : HPD (Hierarchical Probabilistic Decomposition)
+ Approach : Structure → Components → Variations
+ Hash Type : NTLM (MD4 of UTF-16LE)
+ Core Engine : C (-O3 -march=native -pthread)
+ Orchestrator : Crystal (FFI bindings)
+ Principle : Don't crack the password. Crack the idea.

BENCHMARK: LXPEN v0.4 vs Hashcat v6.2.6 (CPU-only, 20 NTLM hashes)

                 LXPEN          Hashcat (100K+best64)
Cracked:         18/20 (90%)    13/20 (65%)
Time:            0.56s          3.95s
RAM:             4.4 MB         475 MB
Speedup:         7x faster      baseline
RAM efficiency:  108x less      baseline
Wordlist:        NONE           100K file required
HPD decomposes passwords into behavioral layers:
Pattern: [CapName] + [Year] + [Symbol]
Slots: "Michael" "1994" "!"
Candidate: "Michael1994!"
45 patterns × 900+ slot entries = 4.3M candidates
Covers ~90% of human-chosen pattern-based passwords
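The "Structure → Components" step of the decomposition, as an added example written from the password-policy side (not LXPEN's code): a tokenizer that splits a password into the behavioral slots shown above and flags passwords whose whole structure collapses into a few dictionary-like slots, which is exactly what a pattern-based search reaches first. The slot classes, their regexes and the three-slot threshold are my assumptions, not HPD's 45 patterns.

```python
import re

# Ordered slot classes, tried at each position; first match wins.
# Year before Digits so "1994" is classified as a year, not a number.
SLOT_CLASSES = [
    ("Year",    r"(?:19|20)\d{2}"),
    ("Digits",  r"\d+"),
    ("CapName", r"[A-Z][a-z]{2,}"),      # "Michael", "Summer"
    ("Lower",   r"[a-z]{2,}"),
    ("Upper",   r"[A-Z]{2,}"),
    ("Symbol",  r"[^A-Za-z0-9]+"),
    ("Char",    r"."),                   # catch-all: isolated characters
]
COMPILED = [(name, re.compile(rx)) for name, rx in SLOT_CLASSES]


def decompose(password):
    """Split a password into (slot_class, literal) pairs.
    'Michael1994!' -> [('CapName','Michael'), ('Year','1994'), ('Symbol','!')]"""
    slots, i = [], 0
    while i < len(password):
        for name, rx in COMPILED:
            m = rx.match(password, i)
            if m:
                slots.append((name, m.group()))
                i = m.end()
                break
    return slots


def pattern(password):
    """Render the slot sequence in the notation used above, e.g. [CapName]+[Year]+[Symbol]."""
    return "+".join(f"[{name}]" for name, _ in decompose(password))


def is_pattern_weak(password, max_slots=3):
    """Policy heuristic (assumed threshold): a password that decomposes into
    at most max_slots slots, all of them guessable classes, has a structure a
    pattern-based search enumerates early, regardless of its raw length."""
    slots = decompose(password)
    guessable = {"CapName", "Lower", "Upper", "Year", "Digits", "Symbol"}
    return len(slots) <= max_slots and all(n in guessable for n, _ in slots)


if __name__ == "__main__":
    for pw in ("Michael1994!", "Summer2020!!", "xK9#mQ2!vL"):
        print(pw, pattern(pw), "WEAK" if is_pattern_weak(pw) else "ok")
```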
Research offensive security from the system boundary.
Not only how to exploit a bug,
but why the design allowed the bug to become exploitable.
Not only how telemetry is collected,
but why defenders trust what they observe.
github: https://github.com/azqzazq1
blog: https://mileniumsec.com