Applying Test-Driven Development to Detection Engineering (Oct 30, 2024)
Know for sure that your detections cover the cases you think they do.

Hypervisor Detection with SystemHypervisorDetailInformation (Sep 15, 2023)
Reversing how Windows gets hypervisor information.

CVE-2023-28072: Local Privilege Escalation in Alienware Command Center (Sep 1, 2023)

Hang Fire: Challenging our Mental Model of Initial Access (Jun 16, 2022)
For as long as I've been working in security, initial access has generally looked the same. While there are high degrees of variation…

Formalized Curiosity (Oct 25, 2021)
I grew up as an insanely curious kid. My parents have seemingly endless numbers of stories of me taking things apart and trying to put them…

Life is Pane: Persistence via Preview Handlers (Oct 21, 2021)
Using shell preview handlers for privileged persistence.

Adventures in Dynamic Evasion (Dec 7, 2020)
Most teams I have worked with rely heavily on anecdotal evidence when it comes to evasion. If an operator is asked why they chose a…

CVE-2020-14979: Local Privilege Escalation in EVGA Precision X1 (Aug 12, 2020)
A few weeks ago, I reported a Local Privilege Escalation (LPE) affecting versions below 1.0.7 of EVGA's Precision X1 performance software. This…

Methodology for Static Reverse Engineering of Windows Kernel Drivers (Apr 15, 2020)

Mimidrv In Depth: Exploring Mimikatz's Kernel Driver (Jan 13, 2020)
Mimikatz provides the opportunity to leverage kernel mode functions through the included driver, Mimidrv. Mimidrv is a signed Windows…