Tag: reverse engineering (22 posts)
2026·04·20

Windows ProjFS Internals: A Technical Deep Dive

A deep dive into the Projected File System (ProjFS): how Windows projects virtual files into the file system on demand, and what that mechanism looks like under the hood.

2026·03·16

WSL, COM Hooking, & RTTI

Recently I ran across a situation where I needed to get telemetry on the COM method CreateLxProcess’s invocation.

2025·09·29

Peeling Back the Mask: How the Threat Intelligence Provider is Protected

If you’re an offensive or defensive engineer, a Windows endpoint engineer, or a Windows researcher, chances are you’ve come across Microsoft’s Threat-Intelligence ETW provider and understand the immense value it offers for telemetry.

2024·10·31

Silencing the EDR Silencers

A walkthrough of how attackers use Windows Filtering Platform rules to silence EDR network traffic, and how products can protect themselves from this attack.

2024·06·12

Refining Detection: New Perspectives on ETW Patching Telemetry

Not long ago I wrote a blog called Understanding ETW Patching where I walked through how ETW patching is a hyper-focused version of a function patch.

2024·04·12

Understanding ETW Patching

As of late, I have gotten a lot of questions around Event Tracing for Windows (ETW) patching, specifically the following questions:

2024·04·04

What the Fork: Exploring Telemetry Gaps in Microsoft’s 4688 Event

A walk through process forking on Windows, how an adversary might leverage it, how you can identify this behavior, and where the 4688 event's metadata falls short.

2024·04·04

Event Tracing for Windows (ETW): Your Friendly Neighborhood IPC Mechanism

A walk through ETW's core components and how they can be leveraged for offensive interprocess communications.

2024·01·08

Changing Primary Tokens Session ID

Recently I was handed some malware to look at, and during analysis I came across an interesting code block that was dealing with setting the SessionId token member.

2023·12·18

Mastering Windows Access Control: Understanding SeDebugPrivilege

A deep dive into SeDebugPrivilege - which Windows security checks it actually bypasses, which ones it doesn't, and what that means for offensive and defensive work.

2023·10·11

The Client/Server Relationship — A Match Made In Heaven

A walk through the client/server relationship at the heart of RPC and COM activity, and why that context is critical for detection engineering and incident response.

2023·10·11

Demystifying DLL Hijacking: Understanding the Intricate World of Dynamic Link Library Attacks

A deep dive into DLL hijacking - the basics, the different types of hijacks, and detection ideas for an attack that's historically been considered hard to spot.

2023·07·21

ThreadSleeper: Suspending Threads via GMER64 Driver

A walkthrough of how the gmer.sys driver was abused to terminate EDR processes - and a counter-technique that uses the same driver to suspend offensive threads instead.

2023·06·12

Understanding Telemetry: Kernel Callbacks

I’ve published blogs around telemetry mechanisms like Event Tracing for Windows (ETW) in the Uncovering Windows Events series, but one mechanism I haven’t discussed yet is kernel callback functions.

2023·05·03

Exploring Impersonation through the Named Pipe Filesystem Driver

Impersonation happens often natively in Windows; however, adversaries also use it to run code in the context of another user.

2023·01·18

The Defender’s Guide to Windows Services

Part 2 of the Defender's Guide series: how Windows services work under the hood, the metadata available for them, and how to spot service abuse in telemetry.

2022·09·12

WMI Internals Part 3

In a previous blog post of mine, WMI Internals Part 2: Reversing a WMI Provider, I walked through how the WMI architecture is foundationally built upon COM and, in turn, how WMI classes can end up invoking COM methods to perform actions.

2022·08·15

WMI Internals Part 2

In a previous post, WMI Internals Part 1: Understanding the Basics, I walked through some of the basic internal information behind WMI.

2022·07·05

WMI Internals Part 1

Recently I have taken up an interest in WMI internals and thought I would write a blog series on some of my findings.

2022·04·05

Bypassing Access Mask Auditing Strategies

This past week I briefly talked about Process Access data within a talk that Olaf and I gave at ATT&CKCON 3.0 (YouTube link isn’t live yet).

2022·02·16

Exploring Token Members Part 2

The Elastic Research team recently released work surrounding stripping the Windows Defender binary (MsMpEng.exe) of its privileges, making it effectively useless.

2022·01·04

Exploring Token Members Part 1

In an attempt to understand access tokens at a deeper level as of late, I have come across a couple of members within the TOKEN structure that have connected some dots for me.