Jonny Johnson (@jsecurity101)'s Twitter Profile
Jonny Johnson

@jsecurity101

Principal Windows Security Researcher @HuntressLabs | Windows Internals & Telemetry Research

ID: 746411413074116608

https://linktr.ee/jonny.johnson | 24-06-2016 18:35:23

2,2K Tweet

7,7K Followers

403 Following

SEKTOR7 Institute (@sektor7net)

Excellent post by Johnathan Johnson (Jonny Johnson) on leveraging PLA (Performance Logs and Alerts) DCOM library to get to ETW telemetry remotely. We touched the same topic in our RTO: Evasion course, when TraceDataProvider interface was used to locate a "hidden" SysMon

alden (@birchb0y)

excited bc today Huntress is releasing our analysis of a gnarly intrusion into a web3 company by the DPRK's BlueNoroff!! 🤠 we've observed 8 new pieces of macOS malware from implants to infostealers! and they're actually good (for once)! huntress.com/blog/inside-bl…

Andrew (@4ndr3w6s)

Happy to finally share a new blog with Charlie Clark on our work revisiting the Kerberos Diamond Ticket. ✅ /opsec for a more genuine flow ✅ /ldap to populate the PAC 🆕 Forge a diamond service ticket using an ST We finally gave it a proper cut 💎 huntress.com/blog/recutting…

SEKTOR7 Institute (@sektor7net)

Modern lateral movement techniques detection (mainly DCOM/DCE/RPC/RDP) with examples. Some assumptions worth mentioning: visibility into source IP/port/hostname, logon activity, remote process metadata. A blog post by Huntress team. Awesome read, guys!

Melvin langvik (@flangvik)

New video out 😊 showing how you can take control of port 445 and perform those magical relay attacks toward AD CS when working from a C2 agent. Way easier than before thanks to some great research by Nick Powers youtube.com/watch?v=e4f3h5…

Pavel Yosifovich (@zodiacon)

Enroll now for our 40-hour live workshop “EDR Internals: R&D,” co-taught with Uriel Kosayev. Starts 23 Oct 2025. Dissect & build EDR drivers, master evasion techniques. Early-bird $1,450 ends 30 Sep. Details: trainsec.net/courses/edr-in… #EDR #WindowsInternals

Connor McGarr (@33y0re)

I don't know which update specifically, but in a recent update of 24H2 it looks like the Win32k system call table is protected by Kernel Data Protection (read-only SLAT entry)! I believe CI!g_CiOptions and msseccore's SecKdpSe PE section were the only things using it before.

Wild West Hackin' Fest (@wwhackinfest)

Olaf Hartong is ridin' into Wild West Hackin' Fest - Deadwood 2025 with his talk, "I'm In Your Logs Now, Deceiving Your Analysts and Blinding Your EDR" Don't ya go missin' it, grab yer tickets to the con today: wildwesthackinfest.com/register-for-w… #WWHF #Deadwood2025 #TheFutureIs

Olaf Hartong (@olafhartong)

In about an hour I’ll present my talk I’m in your logs now, deceiving your analysts and blinding your EDR at #BHUSA25 Black Hat in Islander E/I. Come and hang out!
