diversenok (@diversenok_zero)'s Twitter Profile
diversenok

@diversenok_zero

Aspiring Windows security researcher & system programmer; student.

ID: 1171858390668251137

https://github.com/diversenok
11-09-2019 18:52:58

241 Tweets

1,1K Followers

40 Following

Antonio Cocomazzi (@splinter_code)

Excited to share my hardest research about UAC 🤯 "Bypassing UAC with SSPI Datagram Contexts" 🔥 Enjoy the read! 👇 splintercod3.blogspot.com/p/bypassing-ua…

diversenok (@diversenok_zero)

I forgot to post it earlier: I'm writing public Native API docs. Previously I covered thread and token operations; today it's NtQueryInformationProcess, NtSetInformationProcess, and details on 100+ PROCESSINFOCLASS values 🥳 Enjoy it on NtDoc: ntdoc.m417z.com/processinfocla…

Antonio Cocomazzi (@splinter_code)

It's that time again: the end-year tradition with my Top 10 infosec research of 2023! 🚀 Each selected research is not just for its technical content but for how impactful it has been for me this year 🧵

James Forshaw (@tiraniddo)

I try to avoid this hellsite, but I did a quick dive into sudo in Windows and here are my initial findings. tiraniddo.dev/2024/02/sudo-o… The main takeaway is, writing Rust won't save you from logical bugs :)

Michael Maltsev (@m417z)

When is it generally safe to CreateRemoteThread? A short blog post with interesting observations regarding remote thread creation. m417z.com/When-is-it-gen…

diversenok (@diversenok_zero)

My new blog post for Hunt & Hackett is out! 🥳 It describes how it's possible to create a novel forensic tool that can reconstruct (malicious) executables on Windows without relying on collecting files or parsing attacker-controlled process memory. huntandhackett.com/blog/reconstru…

Hunt & Hackett (@huntandhackett)

New #blogpost! ✍️ We’re excited to share the first in a new three-part blog series, which will explore approaches to achieving passive persistence in an Active Directory (AD) environment. Check out Part 1 here: huntandhackett.com/blog/how-to-ac…

diversenok (@diversenok_zero)

People don't seem to understand that BSOD is an OS defense mechanism. Kernel is a trusted highly privileged environment. If something unexpected happens there (like an unhandled exception), the best option is to shut down immediately. Not to continue with an inconsistent state.

diversenok (@diversenok_zero)

A new blog post on OS design principles, the purpose of BSOD, and challenges of driver dev "On System Reliability and Why the (Conceptual) Design of the Blue Screen on Windows Is a Good Thing" I cannot lie; the idea was inspired by some recent events 😉 huntandhackett.com/blog/on-system…

diversenok (@diversenok_zero)

My new blog post about interesting technical aspects of Akira ransomware is out. Like its use of the Restart Manager API 💡 The next part will be a forensic tool release to collect artifacts left by using this Windows feature, so stay tuned!

diversenok (@diversenok_zero)

Restart Manager is an API to identify & close programs locking a given file. 💡 We're releasing a forensic tool at Hunt & Hackett to parse the artifacts it leaves behind. They exist in a volatile registry key which is not persisted in the hive file. huntandhackett.com/blog/introduci…

Grzegorz Tworek (@0gtweet)

After my latest newsletter issue, diversenok reached out to me with an interesting observation: a password can be encrypted and still functions identically to a cleartext one in CreateProcessWithLogonW(). 😮 This brought up two intriguing questions: 1. How can I decrypt

diversenok (@diversenok_zero)

Better socket handle visibility coming soon to System Informer 🔥 When viewing a process handle table, SI will recognize files under \Device\Afd and retrieve information about their state, protocol, addresses, and more. Also works on Bluetooth and Hyper-V sockets 🤩

diversenok (@diversenok_zero)

The feature is live in the latest Canary builds and displays even more properties than initially planned 😍 Also, a blog post that explains the basics of AFD API and its forensic potential is coming soon.😉

diversenok (@diversenok_zero)

I think the list of unloaded modules (aka. RtlGetUnloadEventTraceEx) is underappreciated. Ntdll records metadata about DLLs that unloaded from the process and even includes modules that attempted to load but failed their DllMain. learn.microsoft.com/en-us/windows/…

diversenok (@diversenok_zero)

My new blog post 🥳 Improving AFD Socket Visibility for Windows Forensics & Troubleshooting It discusses the low-level API under Winsock (IOCTLs on \Device\Afd handles) and explores the workings of the new socket inspection feature in System Informer 🔥 huntandhackett.com/blog/improving…

sixtyvividtails (@sixtyvividtails)

Did you know Windows has built-in RAM disk? Not just your regular RAM disk. It's pmem/nvdimm, via scmbus.sys built-in hack! That means you can make 🦆🦆🦆 #dax volume, so data/image mappings (section views) will use "drive" directly! No data persistence; ws22/w11+. EZ 📀 create:
