Blog
93 posts.
-
One Event, Three Portals: How a Single Sysmon Line Becomes a Microsoft Defender XDR Incident
Trace a single Sysmon ProcessCreate event through six hops -- from Windows kernel emission to a unified Microsoft Defender XDR incident -- and where the convergence stops.
-
Below the OS: The Pre-Boot Trust Chain Where Secure Boot Inherits Its Trust From
Walk the eleven rungs from CPU reset to winload.efi -- Intel Boot Guard, AMD PSB, CSME, the PSP, KB5025885, and why the April 2023 MSI OEM-key leak is structurally permanent.
-
Rotating Every Cipher: SChannel and the Twenty-Year Algorithm-Agility Story of Windows TLS
How one Windows DLL rotated every TLS primitive from RC4 to ML-KEM without breaking IIS, RDP, SQL Server, or .NET SslStream -- and why Vista's 2007 CNG was the inflection point.
-
The Same-Privilege Paradox: Twenty-One Years of Windows Kernel Self-Defense
PatchGuard, KASLR, KDP, and the Win32k Lockdown are four answers to one paradox -- a defense at the attacker's privilege cannot succeed in principle. The 2005-2026 trajectory is migration out of the kernel.
-
The Twenty-Year Local Admin Password Crisis: From GPP cpassword to Windows LAPS
Microsoft published the AES key that "protected" Group Policy Preferences passwords. Twelve years later, MS14-025 still has not deleted the artefacts. Here is how Windows LAPS finally fixed the architecture -- and what it still cannot solve.
-
A Mitigation That Became a Primitive: The Story of SeImpersonatePrivilege
How a 2003 backward-compatibility privilege became the most-abused Windows service primitive, and why every Microsoft closure path breaks something shipped.
-
Seventy-Eight Minutes That Evicted Antivirus From the Windows Kernel
How a CrowdStrike channel-file update on July 19, 2024 collapsed twenty years of resistance to evicting third-party AV from the Windows kernel.
-
Three Years of PrintNightmare: How the Oldest Windows Service Survived Four Patch Waves
How the Windows Print Spooler produced nine SYSTEM-execution primitives in 2010-2024 and why Microsoft answered with two parallel architectures, not one.
-
AppLocker vs App Control for Business: Two Locks on the Same Door, and Why Windows Still Ships Both in 2026
Windows 11 24H2 ships two parallel application-control systems. One is operational hygiene; the other is the security boundary. The line between them is a single sentence in MSRC servicing criteria.
-
Verify Me, Don't Trust Me: Apple PCC, Azure Confidential AI, and the Architecture of the Modern AI Cloud
Apple Private Cloud Compute and Azure confidential AI ship the same promise through unrecognisably different machinery. On five axes they differ in degree. On one axis -- verifiable transparency of the production fleet -- they differ in kind.
-
Mimikatz and the Credential-Theft Decade: The Windows Security Wars Part 3 (2009-2014)
Microsoft killed the rootkit class with AppLocker, Secure Boot, ELAM, and AppContainer. Then a side project in C named Mimikatz proved the wrong layer had been hardened.
-
SYSTEM in Ten Seconds: How the Potato Family Survived Every Microsoft Mitigation
A decade of Windows local privilege escalation -- HotPotato through FakePotato -- rests on one architectural decision Microsoft has refused to revisit.
-
The Integrity-Level Stack: MIC, UIPI, and Twenty Years of UAC's Quiet Plumbing
What UAC actually is beneath the consent prompt: Mandatory Integrity Control, UIPI, the split-token model, and twenty years of bypass research as proof.
-
From ION to did:web: The Seven-Year Compromise Behind Microsoft Entra Verified ID
Microsoft built a Bitcoin-anchored decentralized identity network, ran it for three years, then quietly turned it off. This is what actually ships in May 2026 and why.
-
The 28-Hour Bargain: How Continuous Access Evaluation Made Long-Lived Tokens Safe
How Microsoft Entra Continuous Access Evaluation lets access tokens safely live up to 28 hours by pairing them with a near-real-time revocation channel.
-
The Layer Above the OS: The Windows Security Wars Part 6 (2023-2026)
How Storm-0558, CrowdStrike, and the Recall saga forced Microsoft to admit the biggest attack surface on a modern Windows PC is no longer the OS itself.
-
Two Months Without Code: The Windows Security Wars Part 1 (1995-2001)
In 1995-2001 the worms won. The Trustworthy Computing memo and the ten-week Windows Security Push that followed taught the industry how to ship secure software.
-
Eight Primitives, One Worm: The Windows Security Wars Part 2 (2002-2008)
How Microsoft re-engineered Windows around security between January 2002 and October 2009 -- and why a wormable RCE patched on October 23, 2008 still infected nine to fifteen million machines.
-
Forged from 2016: How Storm-0558 Turned One Stolen Signing Key into U.S. Government Email Access
A 2016 consumer Microsoft signing key, never rotated, forged tokens that read U.S. government email for six weeks before a paying customer noticed. A technical reconstruction.
-
Pass-the-Hash to Pass-the-PRT: Twenty-Nine Years of Windows Credential Replay in One Family Tree
Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, Pass-the-Certificate, and Pass-the-PRT are one architectural lineage. Each defense bought years; none closed the family.
-
Above the Kernel: The Windows Security Wars Part 4 (2015-2019)
Windows 10 ships Virtualization-Based Security and finally puts the credential store above the kernel -- in the same five years that ransomware became a billion-dollar industry.
-
Every UAC Prompt Is an ALPC Handshake: A Field Guide to Windows' Most-Attacked Local IPC Fabric
ALPC and LRPC are the asynchronous local-IPC fabric under every Windows service. This is the story of the kernel object Microsoft does not document and the attack surface almost every Patch Tuesday still fixes.
-
Microsoft Defender for Identity: The Defensive AD Stack That Sees What BloodHound Maps
A field guide to Microsoft Defender for Identity, the on-DC sensor and cloud analytics engine descended from Aorato, that fires named alerts on almost every offensive AD primitive in the corpus -- and the five structural blind spots it cannot close.
-
The Thirteen Months That Made Zero Trust Unavoidable: The Windows Security Wars Part 5 (2020-2023)
Four incidents in thirteen months -- SolarWinds, ProxyLogon, PrintNightmare, Log4Shell -- broke four Windows architectural assumptions and forced the Zero Trust pivot the industry had on the shelf since August 2020.
-
AD Is a Graph: How BloodHound Made Defenders Think Like Attackers
From Lambert's 2015 essay to Microsoft Security Exposure Management in 2024 -- how the attack-path graph became the default model for Active Directory security.
-
Attack Surface Reduction Rules: The Quiet Layer That Stopped Office Macros
How Microsoft built a 19-rule, kernel-mediated behaviour block list inside Windows Defender that turned the Emotet macro chain into a one-row, no-ticket telemetry event.
-
Beyond BitLocker: The Three File-Level Encryption Layers Microsoft Hides in Plain Sight
BitLocker is one layer of four. EFS, Personal Data Encryption, and Purview sensitivity labels close gaps BitLocker structurally cannot -- three roots, three threat models, by design.
-
Living Off the Land on Windows: The LOLBin Catalog and the Structural Ceiling Microsoft Cannot Break
How a 1996 Authenticode design choice produced the LOLBin class, why the LOLBAS catalog has 207 binaries and Microsoft only blocks ~40, and why that gap is permanent.
-
The Card That Wasn't a Card: How Windows Authentication Outgrew the Smart Card Metaphor
Smart cards, virtual smart cards, and Windows authentication 1996-2026: from PC/SC and PIV through the 2014 NTLM-secondary defect to WHfB and FIDO2.
-
The Connection That Refused to Downgrade: Twenty-Five Years of SMB Cryptography, Finally Default-On
How SMB 3.1.1 pre-authentication integrity, AES-256-GCM, and SMB-over-QUIC closed a 25-year attack tradition, and which attacks still survive in 2026.
-
Who Decided This Token Is Good? A Field Guide to Conditional Access and Entra ID Protection
A wire-level tour of Microsoft Entra Conditional Access, Identity Protection, and Continuous Access Evaluation, plus the five things they cannot do.
-
Agentic Identity on Windows: When the Process Acting on Your Behalf Isn't You
Every AI agent on Windows in 2026 runs as the logged-on user. The cloud-identity layer has crossed the agent-attribution gap; the OS layer has not. This article maps the FIDO AATWG pillars onto Windows primitives and asks what is missing.
-
Certified Pre-Owned: AD CS and Active Directory's Second Trust Root
AD CS ESC1-ESC16: how Microsoft shipped Certificate Services in 2000, what SpecterOps named in 2021, and why the catalog grows faster than the patches.
-
Privileged Identity Management: How a Two-State Role Assignment Retired Standing Admin
Microsoft Entra PIM did not add eight features. It added one field to the role-assignment object -- and everything else, from activation policies to GDAP, is downstream.
-
BitUnlocker: When Microsoft's Recovery Environment Becomes the Master Key
In July 2025, Microsoft's internal red team chained four CVEs in WinRE to bypass TPM-only BitLocker in under five minutes -- and the structural lesson is older than Windows 11.
-
The Registry Adventure: How One Researcher Read 100,000 Lines of Windows Kernel C and Found 50 Bugs
Between May 2022 and December 2023, Mateusz Jurczyk audited the Windows registry parser and produced 50 CVEs. The methodology is the story.
-
Windows Security Boundaries: The Document That Decides What Gets a CVE
Microsoft maintains a single public document that decides which Windows vulnerability reports receive a CVE, a Patch Tuesday bulletin, and a bounty payout. Here is how to read it.
-
KRBTGT: The Account That Owns Active Directory
Active Directory ships with one cryptographic key whose disclosure forges valid TGTs for every principal -- and why rotating it is necessary but not sufficient.
-
Rust in the Windows Kernel: A Field Guide to the 2024-2026 Memory-Safety Refit
Rust ships in the Windows 11 kernel today. A primary-sourced field guide to what actually shipped from BlueHat IL 2019 through 24H2 in 2026, and what did not.
-
Who is allowed to log in where? The KDC-side answer to credential theft in Active Directory
A 28-year arc from Paul Ashton's pass-the-hash demonstration to the 2026 reference deployment of Tiering, Protected Users, and Authentication Policy Silos.
-
Windows Downdate: When the Update Itself Is the Attack
How Alon Leviev turned Windows Update into a downgrade primitive, rolling fully-patched Windows 11 back to vulnerable VBS components while every signature still verified.
-
Two Checkmarks and the Keys to the Kingdom: How Active Directory's Replication Protocol Became the Longest-Lived Credential Attack on Windows
MS-DRSR was designed for domain controllers to replicate secrets to each other. Its access check gates on an ACL, not on whether the caller is a DC. Eleven years after Mimikatz proved it, no patch can fix it.
-
The Age Gate That Doesn't Know Your Age: How Anonymous Credentials Finally Crossed the Deployment Chasm
Forty years after David Chaum's manifesto, anonymous credentials -- Privacy Pass, BBS, SD-JWT, Longfellow-zk -- have shipped into every major browser.
-
"The Vault is Solid. The Delivery Truck is Not." -- Microsoft Recall's Two-Year Re-Architecture from Plaintext SQLite to VBS Enclaves
How Microsoft Recall went from a plaintext SQLite database broken in four weeks to a VBS-Enclave + TPM-sealed + Hello-gated architecture, and what TotalRecall Reloaded still extracts. (Article title borrows Alexander Hagenah's framing, attributed in §8.1.)
-
CNG Architecture: BCrypt, NCrypt, KSPs, and How Windows Picks Its Algorithms
A guided tour of the Cryptography API: Next Generation -- the two-tier API, the Key Storage Provider model, the FIPS toggle, and how PQC slots in.
-
eBPF vs ETW: Two Generations of Kernel Observability
Why Windows ETW emits events and Linux eBPF computes them -- and what eBPF-for-Windows reveals about the convergence of two operating systems.
-
Two Routes to Code Integrity: Linux IMA + AppArmor vs Windows WDAC + AMSI
Linux and Windows answer one question -- "is this code allowed to run?" -- with very different machinery. Where the verifier lives matters more than how strong it is.
-
Apple Secure Enclave vs Microsoft Pluton: Two Roads to Hardware Root of Trust
How Apple SEP and Microsoft Pluton solve the same problem -- keeping your secrets safe from a compromised OS -- using two very different silicon strategies.
-
Hyper-V Enlightenments, VMBus, and the Synthetic Device Model
How Hyper-V guests get high-performance device I/O without emulating legacy hardware: enlightenments, the TLFS, VMBus rings, the VSP/VSC pair, and why the host-side parser is the attack surface.
-
The Driver That Was Signed and the Driver That Won't Load: Windows Kernel Code Integrity, 2006-2026
A history of Windows kernel code-signing -- KMCS, BYOVD, HVCI, the Vulnerable Driver Block List, and why a 2026 Windows kernel uses five gates to decide what loads.
-
Windows Sandbox vs Windows Defender Application Guard: Two Hyper-V Sandboxes, Different Threat Models
Two Hyper-V-backed isolation containers shipped in Windows -- one survived, one was retired. The story of why disposable beat persistent, and what each model was actually for.
-
From `cmd.exe` to a Kusto Row in 90 Seconds: How Sysmon and Defender for Endpoint Actually Work
The seven-layer production EDR pipeline -- kernel callback, ETW publisher, MsSense.exe, SenseCncProxy, Kusto, KQL -- traced end to end for Sysmon and Defender for Endpoint.
-
Inside Azure Confidential VMs: SEV-SNP, Intel TDX, and the Paravisor that Makes Them a Cloud Product
Azure Confidential VMs combine AMD SEV-SNP and Intel TDX with the OpenHCL paravisor and MAA policy v1.2. A textbook tour from silicon to relying party.
-
Mark of the Web, SmartScreen, and the Catalog of Trust: How Windows Decides Whether to Warn You
How Windows stacks three trust layers -- origin, reputation, and signed catalog -- and why the 2022-2024 SmartScreen bypass arc was always a propagation bug, never a cryptography bug.
-
AMSI: The Pre-Execution Window Where Defender Catches a Base64 Payload It Has Never Seen Before
How the Antimalware Scan Interface scans script content after deobfuscation but before execution, the seven runtimes it plugs into, and the nearly seven-year bypass arms race that followed.
-
AppContainer and LowBox Tokens: Windows's Capability Sandbox
How a single bit in Windows's access token, two new SID alphabets, and a per-package namespace partition let the kernel give two co-tenanted apps opposite verdicts.
-
Authenticode and Catalog Files: The Crypto Foundation Under WDAC
Every Windows trust decision -- UAC, SmartScreen, WDAC, kernel-driver loading -- bottoms out on the same PKCS#7 SignedData envelope shipped in IE 3 in August 1996. Here is the byte-level reason.
-
Control Flow Integrity on Windows: CFG, XFG, and the CET Shadow Stack
Three generations of control-flow integrity on Windows: the CFG bitmap (2014), the XFG prototype-hash (never fully shipped), and the Intel CET shadow stack (2020). Why each shipped, and what the ~70% memory-safety statistic still leaves open.
-
Direct Anonymous Attestation: The Zero-Knowledge Proof Already in Every TPM
TPM 2.0 names a zero-knowledge group-signature primitive in its spec. A billion chips ship it. Almost nobody verifies it. The story of why DAA won every standardization fight and lost every deployment one.
-
From /hotpatch to $1.50 a Core: The Live-Patch Pipeline Microsoft Built and Then Made Public
How Windows hot patching evolved from a 1990s compiler flag to a Secure-Kernel-mediated, three-layer pipeline shipping in three product waves between 2022 and 2025.
-
Inside the Primary Refresh Token: The Cryptographic Seam Between Windows Logon and Microsoft Entra ID
How one TPM-bound JWT issued at first sign-in bridges Windows logon and Microsoft Entra ID -- and how Pass-the-PRT taught Microsoft to bind the derivation to the message.
-
Measured Boot: The TCG Event Log from SRTM to PCR-Bound BitLocker
How Windows turns every byte of firmware, every signed boot manager, and every loaded driver into a single 32-byte hash that decides whether BitLocker unlocks your disk -- and why patching that chain breaks it.
-
Protected Process Light: When the Administrator Isn't Enough
How a single byte in EPROCESS encodes a signer lattice that denies SYSTEM-integrity admins the right to read LSASS -- and why every public bypass since 2018 attacks the same structural seam.
-
From Password-in-the-Pipe to Cloud-Issued Session: Twenty-Six Years of RDP Authentication
How five generations of Windows RDP authentication -- classic delegation, NLA via CredSSP, Restricted Admin, Remote Credential Guard, and PRT-over-RDP -- retreated from the 1998 design that gave attackers the keys to every target.
-
The Day 8.5 Million Devices Couldn't Boot -- and How Microsoft Rebuilt Recovery as a Security Surface
The Windows Recovery Environment worked perfectly on July 19, 2024. That was the problem. How WinRE, Quick Machine Recovery, and the Windows Resiliency Initiative re-priced fleet-scale recovery.
-
Windows Filtering Platform: The Kernel-Mode Firewall You Don't See
The Windows Filtering Platform is the kernel-mode engine under wf.msc, IPsec, WinNAT, the Hyper-V vSwitch, and every modern Windows EDR.
-
DPAPI and DPAPI-NG: The Credential Vault Under Everything
A 25-year tour of Windows Data Protection API: the four-stage classic chain, the 2012 DPAPI-NG redesign, the KDS root key, and the five structural ceilings the design cannot close.
-
Edge's Two Password Cryptographies: A Beautiful PSI on the Wire, and Plaintext RAM by Design
Microsoft Edge ships a homomorphic-encryption PSI for breach checking and decrypts every saved password into process RAM at launch. Both designs are deliberate. They defend different threat models.
-
ETW: How Windows 2000's Performance Hack Became the EDR Substrate
Event Tracing for Windows is the kernel-buffered observability bus every modern Windows EDR consumes. This is the architecture, the attacks, and the one provider that survives them.
-
Fuzzy Extractors and the One Inequality That Explains Why Windows Hello Doesn't Use One
Fuzzy extractors turn noisy biometrics into stable cryptographic keys. A single 2004 inequality explains why Windows Hello deliberately does not use one.
-
Kerberos in Windows: The Other Half of NTLMless
After NTLM, Kerberos becomes the load-bearing authentication protocol for Windows. Eight years of attacks, the December 2025 Beyond-RC4 cadence, and the H2 2026 IAKerb / Local KDC broad enable.
-
Plug and Trust: How Windows Decides What to Do When You Plug In a USB Device
In the 250 ms between physical insertion and class-driver attach, Windows executes ten kernel-mode operations (eleven for composite devices) and trusts roughly 256 bytes of self-described descriptors.
-
Post-Quantum Cryptography on Windows: The Thirty-Year Migration That Just Arrived
How NIST FIPS 203/204/205 reaches the Windows platform via SymCrypt, CNG, Schannel, and .NET 10 -- the algorithm internals, the wire format, the migration timeline, and the honest accounting.
-
Process Mitigation Policies: CFG, ACG, CIG, and the Layer Between App Identity and the Kernel
A thirty-year history of Windows process mitigation policies -- DEP, ASLR, CFG, XFG, CET, ACG, CIG -- and the structural reason each one exists.
-
The ACPI Tables That Quietly Secure Your Windows Machine
Five small ACPI tables -- DMAR, IORT, WSMT, SDEV, WPBT -- form the firmware-OS contract behind VBS, Credential Guard, Kernel DMA Protection, and BitLocker.
-
The Empty Hash: Credential Guard, the LsaIso Trustlet, and the Eleven-Year LSASS Extraction Tradition
Why a 2026 Mimikatz dump returns [LSA Isolated Data] instead of an NTLM hash, what LsaIso.exe really computes, and the five things Credential Guard was never going to close.
-
The Object Manager Namespace: The Hierarchical Filesystem Underneath Every Windows Security Boundary
A bottom-up tour of the Windows Object Manager namespace, the 1993 Cutler-era kernel data structure that every Windows security boundary quietly assumes.
-
WDAC + HVCI: Code Integrity at Every Layer in Windows
How Windows decides which code is allowed to run, end-to-end: WDAC policy schema, HVCI per-VTL SLAT enforcement, the audit-to-enforce loop, and the residual attack surface neither feature can close.
-
WebAuthn and Passkeys on Windows: From CTAP to the Credential Provider Model
The know/have/are taxonomy collapses against modern phishing kits. Passkeys, WebAuthn Level 3, CTAP 2.x, and Windows 11 24H2 third-party providers score against the criteria that actually matter -- and recovery is the load-bearing column.
-
Above Ring Zero: How the Windows Hypervisor Became a Security Primitive
A deep tour of the Windows hypervisor as the substrate of VBS, HVCI, Credential Guard, and Secure Launch -- its five primitives, the boundary it commits to, and the public failures that calibrate it.
-
Adminless: How Windows Finally Made Elevation a Security Boundary
Administrator Protection replaces UAC with a system-managed admin account created per elevation, gated by Windows Hello, and destroyed when the job is done.
-
NTLMless: The Death of NTLM in Windows
Thirty years of pass-the-hash, NTLM relay, PetitPotam, and ESC8 -- and the Kerberos engineering that finally lets Microsoft turn NTLM off by default.
-
VBS Trustlets: What Actually Runs in the Secure Kernel
A field guide to Virtualization-Based Security trustlets on Windows 11: the five gates a binary passes to become one, the inbox roster, and where the model ends.
-
"Can This Code Do This?" -- Twenty-Five Years of Attacks on the Windows Access-Control Model
How a single kernel function, SeAccessCheck, decides every Windows operation -- and how Mimikatz, the Potato lineage, and seventy UAC bypasses each attack one of its inputs.
-
Pluton: A TPM On Silicon Microsoft Can Patch
How Microsoft moved the TPM onto the SoC die, ran it on Rust firmware, and patched it through Windows Update -- and what that cost in trust centralisation.
-
Secure Boot in Windows: The Chain From Sector Zero to Userinit, and Every Place It Has Broken
How Windows verifies and measures itself from CPU reset to logon, every rung of the boot chain, every public break, and what Pluton is being built to fix.
-
The TPM in Windows: One Primitive, Twenty-Five Years, and the Chip Microsoft Bet On Twice
How a passive 1999 cryptoprocessor became the load-bearing pillar of Windows security, and what twenty-five years of attacks taught us about its limits.
-
"Who Is This Code?" -- The Quiet 33-Year Reinvention of App Identity in Windows
NT 3.1 could prove which user typed at the keyboard but had no answer to which code was running. Eight successive primitives later, Windows is still answering the same question.
-
When Your Password Manager Attacks You: Inside the Bitwarden CLI Supply Chain Compromise
How the @bitwarden/cli npm package was hijacked for 93 minutes on April 22, 2026, subverting trusted publishing to steal AWS, GitHub, and SSH credentials from 334 installs.
-
The Defender's Dilemma: How Microsoft Won the Antivirus War It Can Never Finish
From scoring 0.5/6 in AV-TEST to 100% MITRE detection with zero false positives -- the 20-year transformation of Windows Defender.
-
When SYSTEM Isn't Enough: The Windows Secure Kernel and the End of Total Kernel Trust
How Windows built a hardware-isolated kernel above Ring 0 using Hyper-V, protecting credentials and code integrity even after full NT kernel compromise.
-
No Secrets to Steal: How Windows Hello Eliminated the Shared Secret
How Windows Hello replaced passwords with TPM-backed biometrics, survived a decade of attacks, and helped make passwordless the default.
-
BitLocker on Windows: Architecture, Attacks, and the Limits of Full-Disk Encryption
How BitLocker evolved from an optional enterprise feature to encryption-by-default, its cryptographic architecture, every known attack, and what FDE still cannot protect against.