Matt Hand (@matterpreter)'s Twitter Profile
Matt Hand

@matterpreter

Director, Security Research @preludeorg 💜 | Author of Evading EDR https://t.co/E5fs0sSTOv 📖 | Adversary tradecraft & windows internals 🦠

ID:152365745

Joined: 05-06-2010 19:13:45

817 Tweets

8,6K Followers

290 Following

Jonny Johnson (@jsecurity101):

Happy Friday! I have gotten a lot of questions around ETW Patching as of late. I decided to write a blog on understanding ETW Patching, check it out!

jsecurity101.medium.com/understanding-…

Jonny Johnson (@jsecurity101):

Spent some time this morning diving into some new metadata exposed in Sched Task events. In Win10 versions 1903 and up there are 5 new properties shown, one of which is 'RpcCallClientLocality', which is an enum that will tell you if the client call is local, remote, unknown. This…

Matt Hand (@matterpreter):

Hear me out. A bot that opens the links in any email in a sandboxed browser, locates login forms, and submits honey creds. Any use of those creds immediately triggers a remediation (roll the passwords for anyone who got the email/visited the link) & starts an investigation.

Prelude (@preludeorg):

You know ETW, but did you know ETW could potentially be used for stealthy offensive comms? In this blog, Prelude Principal Security Engineer Jonny Johnson outlines a POC for such an application (and the defensive limitations for detection).

preludesecurity.com/blog/event-tra…

Yarden Shafir (@yarden_shafir):

Attention EDR developers:
In 24H2 MS will allow you to receive notifications for drivers blocked by HVCI through SeRegisterImageVerificationCallback through a new CallbackType.
You'll need to register twice: once for image loads and once for HVCI-blocked images.

Prelude (@preludeorg):

Want to create better detections? Get a better sense for how your EDR _actually_ works.

Join Matt Hand's webinar on 2/29 @ 2pm and you can do both.

Reserve your spot over on our Discord ⬇️
discord.gg/MPeKdCf6?event…

Gabriel Landau (@GabrielLandau):

Great news! Yesterday's Patch Tuesday fixed PPLFault. Thanks so much to everyone at Microsoft who helped get this 510-day bug fixed (🙌 especially Philip Tsukerman and David Kaplan). If you'd like to know more about the fix, see my article: elastic.co/security-labs/… (1/5)

James Forshaw (@tiraniddo):

I try and avoid this hellsite, but I did a quick dive into sudo in Windows and here are my initial findings. tiraniddo.dev/2024/02/sudo-o…

The main take away is, writing Rust won't save you from logical bugs :)

Prelude (@preludeorg):

Prelude Principal Security Engineer Matt Hand (@matterpreter) had his new book make its way onto Help Net Security's '10 must-read books for 2024'

Run - don't walk - to grab your copy. Available via No Starch Press

helpnetsecurity.com/2024/02/06/cyb…

Satoshi Tanda (@standa_t):

Thrilled to announce the schedule of my next remote class in June. Check out details at tandasat.github.io

It is a rare opportunity to quickly learn Intel VT-x, -d, -rp and UEFI by writing a lightweight hypervisor and analyzing design options and security risks!

Yarden Shafir (@yarden_shafir):

I get lots of requests for recommended resources for learning Windows, exploitation, VR, etc.

I have some good links but there’s lots of others I don’t know or forgot about.

Give me your best suggestions please! Feel free to link your own stuff, I wanna see it!

Prelude (@preludeorg):

Prelude's newest Principal Security Engineer Jonny Johnson wasted no time exploring and sharing his research on missing telemetry from Windows 4688 Event (process forking).

Learn more in his latest blog:
preludesecurity.com/blog/what-the-…

William Burgess (@joehowwolf):

New CS blog: Introducing the Mutator Kit - Creating Object File Monstrosities with Sleep Mask and LLVM cobaltstrike.com/blog/introduci…

RedTeamTacticsAcademy (@RedTeamTactics):

Never thought I'd say this, but I've actually found a book I can't put down! 📚 'Evading EDR' by Matt Hand is like finding the cheat codes to the cybersecurity game. 🎮 Keeping a low profile from EDRs? Turns out it's simpler than I thought – kind of like realizing those…

Prelude (@preludeorg):

What's new with our detection & response testing platform? Come see for yourself in our Discord on 1/22 at 1:30pm ET as we walk through Prelude Detect 1.6.0 with Matt Hand + our VP/Product.

🔗 to Discord event: discord.gg/kteRs94R?event…

Brandon Dalton (@PartyD0lphin):

Ever wonder which Endpoint Security events your EDR subscribes to? You might be surprised with the results 😆. You can follow along here: github.com/redcanaryco/ma…

Sample code: gist.github.com/Brandon7CC/14c…
