A fun investigation into EDR callback timing assumptions -
www.originhq.com/blog/process...
The NCSC would like to see passkeys become the default authentication recommendation
Passkeys provide an easier, faster and more secure way to log into online accounts than passwords.
Read more about how the NCSC is keeping pace with evolving technology:
https://www.ncsc.gov.uk/collection/ncsc-annual-review-2025/chapter-03-keeping-pace-with-evolving-technology
Paraphrasing the Windows Kernel team: Improving security-relevant kernel telemetry is not a priority for us.
There appears to be a disconnect between Microsoft's public messaging on security and how it is incentivising its workforce.
Personally I'd love to see a new process security mitigation that blocks the creation of unnamed (aka non-exported) threads. Same for APCs.
30.11.2025 02:34
Possibly coupled with a new default compiler behaviour that identifies thread entrypoints and adds them to the export table.
Easier to change 10 compilers than 10000 apps…
Wouldn't using the public symbol of the thread's entrypoint cover the most common cases?
30.11.2025 02:27
Variations of this pop up every few years. Mostly to avoid compound behavioural rules.
theevilbit.github.io/posts/divide...
Windows Loader Lock got you down? This might help.
www.preludesecurity.com/blog/escapin...
Analysis of a Ransomware Breach
aff-wg.org/2025/09/26/a...
Breach analysis? Breach intelligence? Industry critique? Fee-only ransomware negotiator? 100% efficacy? The story of how Microsoft worked an old problem, fucked it up, we malign the guy who told us, they fixed it, and it wasn't fixed? PtH?
Win32_Process has been the go to WMI class for remote command execution for years.
Steven Flores explores a new WMI class that functions like Win32_Process and offers further capability. Read more: ghst.ly/4gyPbkr
Kernel bug details emailed.
11.09.2025 05:15
Hey @sysinternals.com @markrussinovich.bsky.social
How do I share information about a kernel bug that impacts Sysmon and Process Monitor?
We're trying something new.
www.preludesecurity.com/runtime-memo...
The Security Conversation - The value of offensive security work is fully realized by participation in the security conversation.
aff-wg.org/2025/03/13/t...
"Writing Windows Unit Tests: Telemetry bugs are security vulnerabilities too"
John Uhlmann reveals how flaws in Windows kernel telemetry can hide security risks, and why unit tests help fix them.
Details: cfp.bsidescbr.com.au/bsides-canbe...
Has this episode been published yet?
The Airlock Digital interviews are the best.
Though software bugs are BAU.
So I'm more interested in who thought it was a good idea to deploy IT EDR on business critical OT systems.
Was this pushed by overly aggressive sales? Or did the CISOs not understand risk?
You should clarify that it was caused by a bug in their kernel driver that was triggered when they forcibly globally deployed a bad content update with buggy unit testing and no integration testing.
04.07.2025 01:21
Beacon Object Files... Five Years On
aff-wg.org/2025/06/26/b...
I released BOFs with Cobalt Strike 4.1 five years ago. This is some history on the feature and what led to it. My thinking at the time. A few thoughts on current discourse.
My final Elastic Security Labs blog -
www.elastic.co/security-lab...
So, here's a little thread on my new open source project:
The Tradecraft Garden.
tradecraftgarden.org
It's Crystal Palace, an open-source linker and linker script specialized to writing PIC DLL loaders.
And, a corpora of DLL loaders demonstrating design patterns building tradecraft with it.
This is absolute 🔥 - and will significantly harden the path to domain admin against common initial access vectors.
Is it looking likely to be the default for existing installs after upgrade, or just for new installs?
We are removing default admin in Windows 11, get your apps ready now
blogs.windows.com/windowsdevel...
ATT&CK never felt quite right to me. I originally thought it was just that the taxonomy was incomplete.
Then Jared Atkinson at @specterops.io framed my misgivings as a missing dimension and it just clicked.
So I explored the concept of Execution Modality -
www.elastic.co/security-lab...
When are you speaking at AISA PerthSEC though?
14.05.2025 10:01
One of the least discussed topics in detection engineering is maintenance. But why is no one talking about this? In this first blog we explore its relevance to #detectionengineering and the paradox that keeps us awake at night. Enjoy!
falconforce.nl/why-is-no-on...
I just uploaded slides from an old talk on Windows x64 Stack Walking.
github.com/jdu2600/conf...
I attended last week's Pall Mall Process conference in Paris.
I wanted to dump a few notes, writing from my perspective as a security researcher, hacker, former entrepreneur, and creator of a well-known C2 platform (one that, importantly, I'm no longer involved with).
Good luck.
The 1.11.0 update did not go well for me…