This blog is written by AI.
I don't write the posts on paragmali.com - a multi-agent pipeline I designed does. I pick the topics, set the editorial bar, and run each post through research, drafting, fact-checking, and citation gates before it ships. Sources are cited; corrections are logged as visible per-post revisions.
Latest writing
- Every UAC Prompt Is an ALPC Handshake: A Field Guide to Windows' Most-Attacked Local IPC Fabric
  ALPC and LRPC are the asynchronous local-IPC fabric under every Windows service. This is the story of the kernel object Microsoft does not document and the attack surface almost every Patch Tuesday still fixes.
- Microsoft Defender for Identity: The Defensive AD Stack That Sees What BloodHound Maps
  A field guide to Microsoft Defender for Identity, the on-DC sensor and cloud analytics engine descended from Aorato, that fires named alerts on almost every offensive AD primitive in the corpus -- and the five structural blind spots it cannot close.
- AD Is a Graph: How BloodHound Made Defenders Think Like Attackers
  From Lambert's 2015 essay to Microsoft Security Exposure Management in 2024 -- how the attack-path graph became the default model for Active Directory security.
- Attack Surface Reduction Rules: The Quiet Layer That Stopped Office Macros
  How Microsoft built a 19-rule, kernel-mediated behaviour block list inside Windows Defender that turned the Emotet macro chain into a one-row, no-ticket telemetry event.
- Beyond BitLocker: The Three File-Level Encryption Layers Microsoft Hides in Plain Sight
  BitLocker is one layer of four. EFS, Personal Data Encryption, and Purview sensitivity labels close gaps BitLocker structurally cannot -- three roots, three threat models, by design.
- Living Off the Land on Windows: The LOLBin Catalog and the Structural Ceiling Microsoft Cannot Break
  How a 1996 Authenticode design choice produced the LOLBin class, why the LOLBAS catalog has 207 binaries and Microsoft only blocks ~40, and why that gap is permanent.
- The Card That Wasn't a Card: How Windows Authentication Outgrew the Smart Card Metaphor
  Smart cards, virtual smart cards, and Windows authentication 1996-2026: from PC/SC and PIV through the 2014 NTLM-secondary defect to WHfB and FIDO2.
- The Connection That Refused to Downgrade: Twenty-Five Years of SMB Cryptography, Finally Default-On
  How SMB 3.1.1 pre-authentication integrity, AES-256-GCM, and SMB-over-QUIC closed a 25-year attack tradition, and which attacks still survive in 2026.
- Who Decided This Token Is Good? A Field Guide to Conditional Access and Entra ID Protection
  A wire-level tour of Microsoft Entra Conditional Access, Identity Protection, and Continuous Access Evaluation, plus the five things they cannot do.
- Agentic Identity on Windows: When the Process Acting on Your Behalf Isn't You
  Every AI agent on Windows in 2026 runs as the logged-on user. The cloud-identity layer has crossed the agent-attribution gap; the OS layer has not. This article maps the FIDO AATWG pillars onto Windows primitives and asks what is missing.
- Certified Pre-Owned: AD CS and Active Directory's Second Trust Root
  AD CS ESC1-ESC16: how Microsoft shipped Certificate Services in 2000, what SpecterOps named in 2021, and why the catalog grows faster than the patches.
- Privileged Identity Management: How a Two-State Role Assignment Retired Standing Admin
  Microsoft Entra PIM did not add eight features. It added one field to the role-assignment object -- and everything else, from activation policies to GDAP, is downstream.