Windows Internals · Adversarial Tradecraft & Detection · AI Security Research
2026·05·21

A Deep Dive into Codex Windows Sandbox

OpenAI recently published a writeup on their new Windows sandbox design.

2026·05·11

EtwWatcher

A research passion of mine is telemetry.

2026·04·20

Windows ProjFS Internals: A Technical Deep Dive

A deep dive into the Projected File System (ProjFS): how Windows projects virtual files into the file system on demand, and what that mechanism looks like under the hood.

2026·03·16

WSL, COM Hooking, & RTTI

Recently I ran across a situation where I needed to get telemetry on the COM method CreateLxProcess’s invocation.

2025·12·18

RAG, ICL, and Windows Events: Building a Human-Guided Security Analyst

Leveraging AI in the defensive/offensive space has taken off the past couple of years.

2025·09·29

Peeling Back the Mask: How the Threat Intelligence Provider is Protected

If you’re an offensive or defensive engineer, a Windows endpoint engineer, or a Windows researcher, chances are you’ve come across Microsoft’s Threat-Intelligence ETW provider and understand the immense value it offers for telemetry.

2025·06·06

No Agent, No Problem: Discovering Remote EDR

As the reader, I’m sure you’re thinking — “oh great, another EDR internals or bypass post”.

2025·03·17

The Truth About Telemetry: The Role of Primary and Secondary Telemetry Sources

Detection Engineers, Threat Hunters, and SOC Analysts all rely on one critical thing to do their jobs effectively — telemetry.

2024·12·04

Behind the Mask: Unpacking Impersonation Events

Microsoft continuously marches forward in providing us security events that uncover activity that has long been used by attackers.

2024·10·31

Silencing the EDR Silencers

A walkthrough of how attackers use Windows Filtering Platform rules to silence EDR network traffic, and how products can protect themselves from this attack.

2024·06·12

Refining Detection: New Perspectives on ETW Patching Telemetry

Not long ago I wrote a blog called Understanding ETW Patching where I walked through how ETW patching is a hyper-focused version of a function patch.

2024·04·12

Understanding ETW Patching

As of late, I have gotten a lot of questions around Event Tracing for Windows (ETW) patching, specifically the following questions:

2024·04·04

What the Fork: Exploring Telemetry Gaps in Microsoft’s 4688 Event

A walk through process forking on Windows, how an adversary might leverage it, how you can identify this behavior, and where the 4688 event's metadata falls short.

2024·04·04

Event Tracing for Windows (ETW): Your Friendly Neighborhood IPC Mechanism

A walk through ETW's core components and how they can be leveraged for offensive interprocess communications.

2024·01·08

Changing Primary Tokens Session ID

Recently I was handed some malware to look at and during analysis I came across an interesting code block that was dealing with setting the SessionId token member.

2023·12·18

Uncovering Adversarial LDAP Tradecraft

A deep dive into adversarial LDAP tradecraft - exposing the telemetry available for LDAP activity and offering guidance on detecting malicious behavior, co-authored with the TrustedSec research team.

2023·12·18

Mastering Windows Access Control: Understanding SeDebugPrivilege

A deep dive into SeDebugPrivilege - which Windows security checks it actually bypasses, which ones it doesn't, and what that means for offensive and defensive work.

2023·10·11

The Client/Server Relationship — A Match Made In Heaven

A walk through the client/server relationship at the heart of RPC and COM activity, and why that context is critical for detection engineering and incident response.

2023·10·11

Demystifying DLL Hijacking: Understanding the Intricate World of Dynamic Link Library Attacks

A deep dive into DLL hijacking - the basics, the different types of hijacks, and detection ideas for an attack that's historically been considered hard to spot.

2023·07·21

ThreadSleeper: Suspending Threads via GMER64 Driver

A walkthrough of how the gmer.sys driver was abused to terminate EDR processes - and a counter-technique that uses the same driver to suspend offensive threads instead.

2023·06·12

Understanding Telemetry: Kernel Callbacks

I’ve published blogs around telemetry mechanisms like Event Tracing for Windows (ETW) in the Uncovering Windows Events series, but one mechanism I haven’t discussed yet is kernel callback functions.

2023·05·03

Exploring Impersonation through the Named Pipe Filesystem Driver

Impersonation happens often natively in Windows; however, adversaries also use it to run code in the context of another user.

2023·03·15

Uncovering Windows Events Part 3

Not all manifest-based Event Tracing for Windows (ETW) providers that are exposed through Windows are ingested into telemetry sensors/EDRs.

2023·02·10

Telemetry Layering

Creating detections can be challenging.

2023·01·18

The Defender’s Guide to Windows Services

Part 2 of the Defender's Guide series: how Windows services work under the hood, the metadata available for them, and how to spot service abuse in telemetry.

2022·12·14

Uncovering Windows Events Part 2

In part 1 of this series, I touched on how data is the foundation for defensive capabilities and how important it is for defenders to understand where and how telemetry is being generated.

2022·11·14

Uncovering Windows Events Part 1

Data is the foundation upon which defense is built.

2022·09·12

WMI Internals Part 3

In a previous blog post of mine, WMI Internals Part 2: Reversing a WMI Provider, I walked through how the WMI architecture is foundationally built upon COM and, in turn, how WMI classes can end up invoking COM methods to perform actions.

2022·08·15

WMI Internals Part 2

In a previous post, WMI Internals Part 1: Understanding the Basics, I walked through some of the basic internal information behind WMI.

2022·07·26

Better know a data source: Logon sessions

A walk through Windows logon sessions - what they are, how they're tied to tokens and processes, and how defenders can use that link to tell the full story around suspicious activity.

2022·07·05

WMI Internals Part 1

Recently I have taken up an interest in WMI internals and thought I would write a blog series on some of my findings.

2022·05·09

Defending the Three Headed Relay

A look at the Kerberos Relaying attacks made popular by KrbRelayUp - what's actually being relayed, what defenders should be looking for, and where existing detections might be missing the mark.

2022·04·20

Better know a data source: Access tokens (and why they’re hard to get)

Detection engineers are frequently beset with the challenge of detecting a technique for which optics are poor, non-existent, or difficult to collect at scale.

2022·04·05

Bypassing Access Mask Auditing Strategies

This past week I briefly talked about Process Access data within a talk that Olaf and I gave at ATT&CKCON 3.0 (YouTube link isn’t live yet).

2022·02·16

Exploring Token Members Part 2

The Elastic Research team recently released work surrounding stripping the Windows Defender binary (MsMpEng.exe) of its privileges, making it effectively useless.

2022·01·04

Exploring Token Members Part 1

In an attempt to understand access tokens at a deeper level as of late, I have come across a couple of members within the TOKEN structure that have connected some dots for me.

2021·12·13

Better know a data source: Process integrity levels

In this second installment of our Better know a data source series, we’re showcasing process integrity levels.

2021·11·22

The dark side of Microsoft Remote Procedure Call protocols

A look at how adversaries abuse Microsoft RPC (MSRPC) for privilege escalation - and where the detection opportunities sit, from PetitPotam to PrintNightmare.

2021·07·20

Dataset Prioritization

A common issue within the investigation process is alert fatigue.

2021·06·01

Evadere Classifications

The term evasion is derived from the Latin word “evadere” which means — “To escape, to get away.” The DOD defines evasion as — “The process whereby isolated personnel avoid capture with the goal of successfully returning to areas under friendly control.”

2021·03·15

Abstracting Scheduled Tasks

Applying Capability Abstraction to scheduled tasks: walking the static and dynamic analysis used to map the behavior end-to-end and turn it into reliable detection.

2020·07·06

Utilizing RPC Telemetry

A few months ago, Jared Atkinson released a blog post that introduced a detection engineering methodology he referred to as Capability Abstraction.

2020·05·18

Engineering Process Injection Detections - Part 2: Data Modeling

During Part 1 of this blog series: Engineering Process Injection Detections — Part 1: Research, I covered how you can maximize your detection efforts by following a concept outlined by Jared Atkinson: Capability Abstraction.

2020·04·28

Did Someone Say Data Analytics?

One thing that the SpecterOps defensive team likes to pride itself on is our ability to manipulate data in a way that best helps our clients’ needs.

2020·03·06

Engineering Process Injection Detections - Part 1: Research

Often within detection engineering, we come across an attack technique that we want to create a detection for but don’t know where to start the process to effectively do so.

2019·10·09

Uncovering The Unknowns

From a defensive perspective, one of the most dangerous things we apply to security is assumptions.

2019·09·16

You Can Run, But You Can’t Hide - Detecting Process Reimaging Behavior

Around 3 months ago, a new attack technique was introduced to the InfoSec community known as “Process Reimaging.” This technique was released by the McAfee Security team in a blog titled “In NTDLL I Trust — Process Reimaging and Endpoint Security Solution Bypass.” A few days after this attack technique was released, a co-worker and friend of mine, Dwight Hohnstein, came out with proof-of-concept code demonstrating this technique, which can be found on his GitHub.

2019·05·29

Apache Guacamole Local and/or AWS Install

A walkthrough for installing Apache Guacamole on top of Chris Long's Detection Lab - locally or on AWS, with notes on the config differences between the two.

2019·04·14

Syncing Into the Shadows

As an adversary, one of the goals is to capture Domain Admin (DA) credentials, change/modify objects inside of Active Directory, and to be able to evade any detection systems that an environment may have in place.

2019·03·12

Injecting Into The Hunt

Process Injection is a very common Defense Evasion/Privilege Escalation technique.

2019·01·17

IOC differences between Kerberoasting and AS-REP Roasting

A walk through the IOC differences between Kerberoasting and AS-REP Roasting - two attack techniques that look similar at a glance but leave distinctly different traces.