Matt Hand (@matterpreter)'s Twitter Profile
Matt Hand

@matterpreter

Director, Security Research @preludeorg 💜 | Author of Evading EDR https://t.co/E5fs0sSTOv 📖 | Adversary tradecraft & windows internals 🦠

ID:152365745

Joined 05-06-2010 19:13:45

821 Tweets

8.6K Followers

290 Following

Matt Hand (@matterpreter):

I'm looking for a security researcher focused on Windows internals, reverse engineering, and defensive telemetry to join my team at Prelude! If that sounds like you, send me a DM or use this link to apply:

wellfound.com/jobs/3007066-p…

(Must be located in North America)

Prelude (@preludeorg):

Ready to learn your #EDR platform inside and out? At #RSAC? Stop by booth 15 at the Early Stage Expo to grab a signed copy of Evading EDR from author and Director of Security Research @matterpreter 📖
Prelude (@preludeorg):

You just got 45 more pages of . Enter Prelude's new set of autonomous capabilities—built to transform that CTI into validated protections...fast.

See how we're leveraging AI to unify SecOps and streamline the threat management process: hubs.la/Q02vS-pF0

Evan McBroom (@mcbroom_evan):

I just published a blog and tool for the LSA Whisperer work that was presented at the SpecterOps Conference (SOCON) back in March.

If you are interested in getting credentials from LSASS without accessing its memory, check it out!
medium.com/specter-ops-po…

Jonny Johnson (@jsecurity101):

Happy Friday! I have gotten a lot of questions around ETW Patching as of late. I decided to write a blog on understanding ETW Patching; check it out!

jsecurity101.medium.com/understanding-…

Jonny Johnson (@jsecurity101):

Spent some time this morning diving into some new metadata exposed in Sched Task events. In Win10 versions 1903 and up there are 5 new properties shown, one of which is 'RpcCallClientLocality', which is an enum that will tell you if the client call is local, remote, or unknown. This

Matt Hand (@matterpreter):

Hear me out. A bot that opens the links in any email in a sandboxed browser, locates login forms, and submits honey creds. Any use of those creds immediately triggers a remediation (roll the passwords for anyone who got the email/visited the link) & starts an investigation.

Prelude (@preludeorg):

You know ETW, but did you know ETW could potentially be used for stealthy offensive comms? In this blog, Prelude Principal Security Engineer Jonny Johnson outlines a POC for such an application (and the defensive limitations for detection).

preludesecurity.com/blog/event-tra…

Yarden Shafir (@yarden_shafir):

Attention EDR developers:
In 24H2 MS will allow you to receive notifications for drivers blocked by HVCI through SeRegisterImageVerificationCallback through a new CallbackType.
You'll need to register twice: once for image loads and once for HVCI-blocked images.

Prelude (@preludeorg):

Want to create better detections? Get a better sense for how your EDR _actually_ works.

Join Matt Hand's webinar on 2/29 @ 2pm and you can do both.

Reserve your spot over on our Discord ⬇️
discord.gg/MPeKdCf6?event…

Gabriel Landau (@GabrielLandau):

Great news! Yesterday's Patch Tuesday fixed PPLFault. Thanks so much to everyone at Microsoft who helped get this 510-day bug fixed (🙌 especially Philip Tsukerman and David Kaplan). If you'd like to know more about the fix, see my article: elastic.co/security-labs/… (1/5)

James Forshaw (@tiraniddo):

I try and avoid this hellsite, but I did a quick dive into sudo in Windows and here are my initial findings. tiraniddo.dev/2024/02/sudo-o…

The main takeaway is, writing Rust won't save you from logical bugs :)

Prelude (@preludeorg):

Prelude Principal Security Engineer Matt Hand (@matterpreter) had his new book make its way onto @helpnetsecurity's '10 must-read #cybersecurity books for 2024'

Run - don't walk - to grab your copy. Available via @nostarch

helpnetsecurity.com/2024/02/06/cyb… #infosec
Satoshi Tanda (@standa_t):

Thrilled to announce the schedule of my next remote class in June. Check out details at tandasat.github.io

It is a rare opportunity to quickly learn Intel VT-x, -d, -rp and UEFI by writing a lightweight hypervisor and analyzing design options and security risks!

Yarden Shafir (@yarden_shafir):

I get lots of requests for recommended resources for learning Windows, exploitation, VR, etc.

I have some good links but there’s lots of others I don’t know or forgot about.

Give me your best suggestions please! Feel free to link your own stuff, I wanna see it!

Prelude (@preludeorg):

Prelude's newest Principal Security Engineer Jonny Johnson wasted no time exploring and sharing his research on missing telemetry from Windows 4688 Event (process forking).

Learn more in his latest blog:
preludesecurity.com/blog/what-the-…
