Luke Brown — Alluvian SecurityDigital Forensics, Incident Response, and Security Researchhttps://alluvian.org/en-us@@CyBAAA Part 2: Decoding the GUID and Building the Detectionhttps://alluvian.org/posts/credential-guard-ate-my-username-part-2/https://alluvian.org/posts/credential-guard-ate-my-username-part-2/Part 2: After identifying the @@CyBAAA marshaled principal, the next question was whether the GUID could be recovered from network telemetry alone. This post covers the static decode table, the two-GUID problem in CredWom, the ExtraHop trigger design, and the full remediation path.Wed, 27 May 2026 00:00:00 GMTCredential Guard Ate My Username (@@CyBAAA and What It Means)https://alluvian.org/posts/credential-guard-ate-my-username/https://alluvian.org/posts/credential-guard-ate-my-username/How a marshalled credential string masquerading as a username in Event 4625 led me deep into the Windows CredMarshalCredentialW API, Task Scheduler internals and Credential Guard.Wed, 20 May 2026 00:00:00 GMTDecrypting ADWS Traffichttps://alluvian.org/posts/decrypting-adws-traffic/https://alluvian.org/posts/decrypting-adws-traffic/Peeling Back the Layers of .NET Message SecurityTue, 24 Feb 2026 00:00:00 GMTHTB Sauna Writeuphttps://alluvian.org/posts/htb-sauna/https://alluvian.org/posts/htb-sauna/Walking through HTB Sauna, an easy Windows box covering AS-REP Roasting, AutoLogon credential harvesting, and DCSync abuse in Active Directory.Sat, 14 Feb 2026 00:00:00 GMTMy experience with GIAC's GSP Portfolio certificationhttps://alluvian.org/posts/gsp/https://alluvian.org/posts/gsp/My experience earning the GIAC GSPMon, 29 Dec 2025 00:00:00 GMTHTB EscapeTwo Writeuphttps://alluvian.org/posts/htb-escapetwo/https://alluvian.org/posts/htb-escapetwo/HTB EscapeTwo WriteupFri, 18 Apr 2025 00:00:00 GMTPrefetch and Antiforensics on Windows 11https://alluvian.org/posts/prefetch-antiforensics/https://alluvian.org/posts/prefetch-antiforensics/Prefetch Anti-Forensics on Windows 11Sun, 01 Sep 2024 00:00:00 GMTAndroid malware analysishttps://alluvian.org/posts/android-malware-analysis/https://alluvian.org/posts/android-malware-analysis/Analysing an android telegram infostealerTue, 11 Jun 2024 00:00:00 GMTUsing SQLite to query super old iPhone backupshttps://alluvian.org/posts/iphone-backups-sqlite/https://alluvian.org/posts/iphone-backups-sqlite/Using SQLite to query iPhone backupsFri, 17 May 2024 00:00:00 GMTPreparing for and passing the CISSP Examhttps://alluvian.org/posts/cissp/https://alluvian.org/posts/cissp/Preparing for and passing the CISSP ExamThu, 11 Jan 2024 00:00:00 GMT