Have you ever wondered if there was a way to deploy a "Remote EDR"? Today I'm excited to share research I've been working on for the past couple months. This dives into DCOM Interfaces that enable remote ETW trace sessions without dropping an agent to disk. Includes a detailed

This is huge news, #sysmon going native in Windows 11 next year. https://t.co/Bmb7bTyPX3 More cool stuff on custom logging coming this week. Watch this space 😎

YOOO THIS IS SICK

Taking a fun course next week😎

I merged a PR from @ScoubiMtl that now includes compatibility with BHCE. Thanks @ScoubiMtl !

Today I am releasing a new blog on Windows on ARM! It comes from the perspective of one, like myself, who comes from an x86 background and is new, but, interested in Windows on ARM! ELs, OS & hypervisor behavior (with VBS), virtual memory, paging, & more! https://t.co/jUHls4wupu

Here is the direct link to my talk! https://t.co/FzkvP2eMPg

Had a great time speaking at @SAINTCON on my research about Remote EDR! Thank you to the organizers for having me! Live Steam: https://t.co/HfhAYp4EAA Slides: https://t.co/DGv3KfR7O7 Blog:

And just like that, the first iteration of Alerts to Adversaries is complete! 🎉🎉 This week @Level_Effect and I gave the first offering of Alerts to Adversaries. The class started with classification methodology - a valuable skill for anyone working in Detection Engineering or

Today I am happy to release a new blog post about Pointer Authentication (PAC) on Windows ARM64! This post takes a look at the Windows implementation of PAC in both user-mode and kernel-mode. I must say, I have REALLY been enjoying Windows on ARM!! https://t.co/isnItJ0nb3

One of my slides for an upcoming talk 🤣

LETS GOOOOOOOO. Max is the man. Which means his post is the sickest.

Next week will be the first instruction of Alerts to Adversaries! This will be a super fun course as students will learn OS internals, SOC/Detection Methodology, track alerts to real life scenarios, as well as interact with Microsoft Sentinel / KQL. It’s also the first course

This is a crucial mental exercise. I think it’s easy for us to just copy and paste things, but there is immense value in truly understanding the operations taking place under the hood.

Security streams are BACK! 🔴 After focusing on content and live training, we're returning to our Saturday streams starting October 25th. STREAMS: Reverse Engineering 3 - Oct 25 @ 2PM EST Reverse Engineering 4 - Nov 1 @ 2PM EST Malware Analysis Home Lab 1 - Nov 8 Malware

A while back I was curious about the access check that occurs when someone tries to consume from the Threat-Intelligence ETW provider. I decided to write a short blog on the topic. https://t.co/6cpUDSMNF5

Super stoked for the first iteration for this course! If you can, come hang out. All feedback welcome!

I came across a WMI Win_32 Process replacement with some extra useful functionality. https://t.co/aDX8y8XZUy

New video: exploring process snapshotting in Windows. Capture threads, memory, and handles with a single API call using PssCaptureSnapshot. https://t.co/BsQKEtdGIG

Today I am releasing a new blog post on VSM "secure calls" + the SkBridge project to manually issue them!! This blog talks about how VTL 0 requests the services of VTL 1 and outlines common secure call patterns!!! Blog: https://t.co/xzB1s7HoPO SkBridge: https://t.co/0zO0E1L4Sy

Let's gooo!! First CVE👀? With none other than @wdormann :) https://t.co/fNPkp3YwrE