Posts by John U

Process Preluding: Child Process Injection Before The Story Begins | Origin By John Uhlmann on 2026-02-17

A fun investigation into EDR callback timing assumptions -
www.originhq.com/blog/process...

2 months ago 0 0 0 0
The NCSC would like to see passkeys become the default authentication recommendation

Passkeys provide an easier, faster and more secure way to log into online accounts than passwords.🗝️

Read more about how the NCSC is keeping pace with evolving technology⬇️

www.ncsc.gov.uk/collection/ncsc-annual-r...

3 months ago 61 19 3 9

Paraphrasing the Windows Kernel team: Improving security-relevant kernel telemetry is not a priority for us.

There appears to be a disconnect between Microsoft’s public messaging on security and how it is incentivising its workforce.

4 months ago 0 0 0 0

Personally I’d love to see a new process security mitigation that blocks the creation of unnamed (aka non-exported) threads. Same for APCs.

4 months ago 2 0 0 0

Possibly coupled with a new default compiler behaviour that identifies thread entrypoints and adds them to the export table.

Easier to change 10 compilers than 10000 apps…

4 months ago 1 0 1 0

Wouldn’t using the public symbol of the thread’s entrypoint cover the most common cases?

4 months ago 0 0 2 0
Divide and Conquer - A technique to bypass NextGen AV. TL;DR: This blog post describes a generic technique I called internally on our red team assessment “Divide and Conquer”, which can be used to bypass behaviour-based NextGen AV detectio...

Variations of this pop up every few years. Mostly to avoid compound behavioural rules.

theevilbit.github.io/posts/divide...

4 months ago 0 0 0 0

Windows Loader Lock got you down? This might help.

www.preludesecurity.com/blog/escapin...

5 months ago 2 0 0 0

Analysis of a Ransomware Breach

aff-wg.org/2025/09/26/a...

Breach analysis? Breach intelligence? Industry critique? Fee-only ransomware negotiator? 100% efficacy? The story of how Microsoft worked an old problem, fucked it up, we malign the guy who told us, they fixed it, and it wasn't fixed? PtH?

6 months ago 14 6 0 1
More Fun With WMI - SpecterOps. TL;DR: Win32_Process has been the go-to WMI class for remote command execution for years. In this post we will cover a new WMI class that functions like Win32_Process and offers further capability. From...

Win32_Process has been the go-to WMI class for remote command execution for years.

Steven Flores explores a new WMI class that functions like Win32_Process and offers further capability. Read more: ghst.ly/4gyPbkr

7 months ago 6 2 0 0
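What "Win32_Process for remote command execution" looks like in practice, as an added PowerShell example that is not part of the linked SpecterOps post or of this feed. It creates a process on a remote host through the classic class and then checks the artefact a defender keys on: the new process is parented by WmiPrvSE.exe, not by the caller's shell. The host name and command line are assumptions; run it only against a machine you are authorised to administer.

```powershell
# Added example: remote execution via Win32_Process.Create and the parent-process artefact it leaves.
# Assumptions: 'target01' is a host you administer and DCOM (TCP 135 + dynamic RPC) reaches it.
param(
    [string]$ComputerName = 'target01',
    # Long-lived enough to inspect before it exits (constructed sample command line).
    [string]$CommandLine  = 'cmd.exe /c ping -n 30 127.0.0.1 >nul'
)

# DCOM is the transport most tooling has used for years; WSMan is the modern alternative.
$opt     = New-CimSessionOption -Protocol Dcom
$session = New-CimSession -ComputerName $ComputerName -SessionOption $opt

try {
    # Create returns ReturnValue (0 = success, 2 = access denied, 3 = insufficient privilege,
    # 9 = path not found, 21 = invalid parameter) and the ProcessId of the new process.
    $result = Invoke-CimMethod -CimSession $session -ClassName Win32_Process `
        -MethodName Create -Arguments @{ CommandLine = $CommandLine }

    if ($result.ReturnValue -ne 0) {
        throw "Win32_Process.Create failed with return code $($result.ReturnValue)"
    }
    Write-Output "Spawned PID $($result.ProcessId) on $ComputerName"

    # Defender's view: resolve the parent of the process we just created.
    $child  = Get-CimInstance -CimSession $session -ClassName Win32_Process `
        -Filter "ProcessId = $($result.ProcessId)"
    $parent = Get-CimInstance -CimSession $session -ClassName Win32_Process `
        -Filter "ProcessId = $($child.ParentProcessId)"

    # WMI-initiated processes are children of the WMI provider host, which is the
    # signal to alert on in Security 4688 / Sysmon Event ID 1 (ParentImage = WmiPrvSE.exe).
    Write-Output ("Parent of PID {0} is {1} (PID {2})" -f $child.ProcessId, $parent.Name, $parent.ProcessId)
    if ($parent.Name -ne 'WmiPrvSE.exe') {
        Write-Warning "Unexpected parent; the WMI-execution detection would not fire for this process."
    }
}
finally {
    Remove-CimSession -CimSession $session
}
```

The same `ParentImage = WmiPrvSE.exe` check is what a detection rule for this technique reduces to; any "Win32_Process-like" class that spawns through the provider host will leave the same parent relationship, which is why the follow-on class in the post still lands in the same detection bucket.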

Kernel bug details emailed.

7 months ago 0 0 0 0

Hey @sysinternals.com @markrussinovich.bsky.social
How do I share information about a kernel bug that impacts Sysmon and Process Monitor?

7 months ago 1 0 1 0

We’re trying something new.

www.preludesecurity.com/runtime-memo...

8 months ago 4 1 0 0

The Security Conversation - The value of offensive security work is fully realized by participation in the security conversation.

aff-wg.org/2025/03/13/t...

1 year ago 11 5 0 1
Writing Windows Unit Tests: Telemetry bugs are security vulnerabilities too BSides Canberra 2025 With the introduction of Kernel Patch Protection, Microsoft created a shared responsibility model where security vendors are now limited to only the kernel visibility and extension points that Microso...

"Writing Windows Unit Tests: Telemetry bugs are security vulnerabilities too"
John Uhlmann reveals how flaws in Windows kernel telemetry can hide security risks, and why unit tests help fix them.
Details: cfp.bsidescbr.com.au/bsides-canbe...

8 months ago 3 1 0 0

Has this episode been published yet?

The Airlock Digital interviews are the best. 😃

9 months ago 0 0 1 0

Though software bugs are BAU.
So I’m more interested in who thought it was a good idea to deploy IT EDR on business critical OT systems.

Was this pushed by overly aggressive sales? Or did the CISOs not understand risk?

9 months ago 0 0 0 0

You should clarify that it was caused by a bug in their kernel driver that was triggered when they forcibly globally deployed a bad content update with buggy unit testing and no integration testing.

9 months ago 1 0 1 0
Beacon Object Files – Five Years On… When I was active in the red teaming space, one of my stated goals was to act on problems with solutions that would have utility 5-10 years from the time of their release. This long-term thinking w…

Beacon Object Files... Five Years On

aff-wg.org/2025/06/26/b...

I released BOFs with Cobalt Strike 4.1 five years ago. This is some history on the feature and what led to it. My thinking at the time. A few thoughts on current discourse.

9 months ago 12 5 0 0
Call Stacks: No More Free Passes For Malware — Elastic Security Labs We explore the immense value that call stacks bring to malware detection and why Elastic considers them to be vital Windows endpoint telemetry despite the architectural limitations.

My final Elastic Security Labs blog -
www.elastic.co/security-lab...

10 months ago 2 0 0 0

So, here's a little thread on my new open source project:

The Tradecraft Garden.

tradecraftgarden.org

It's Crystal Palace, an open-source linker and linker script specialized to writing PIC DLL loaders.

And, a corpora of DLL loaders demonstrating design patterns building tradecraft with it.

10 months ago 24 13 1 2

This is absolute 🔥- and will significantly harden the path to domain admin against common initial access vectors.

Is it looking likely to be the default for existing installs after upgrade, or just for new installs?

11 months ago 1 0 0 0
Enhance your application security with administrator protection Introduction Administrator protection is a new Windows 11 platform security feature that aims to protect the admin users on the device while still allowing them to perform the necessary functions whic...

We are removing default admin in Windows 11, get your apps ready now

blogs.windows.com/windowsdevel...

11 months ago 39 19 2 1
Misbehaving Modalities: Detecting Tools, Not Techniques — Elastic Security Labs We explore the concept of Execution Modality and how modality-focused detections can complement behaviour-focused ones.

ATT&CK never felt quite right to me. I originally thought it was just that the taxonomy was incomplete.

Then Jared Atkinson at @specterops.io framed my misgivings as a missing dimension and it just clicked.

So I explored the concept of Execution Modality -
www.elastic.co/security-lab...

11 months ago 2 0 0 0

When are you speaking at AISA PerthSEC though?

11 months ago 1 0 1 0

One of the least discussed topics in detection engineering is maintenance. But why is no one talking about this? In this first blog we explore its relevance to #detectionengineering and the paradox that keeps us awake at night. Enjoy!

falconforce.nl/why-is-no-on...

11 months ago 3 1 0 0
BSides Canberra - 25-27th September 2025! BSides Canberra is a technical community conference focusing on the deep understanding of cyber security topics.

www.bsidesau.com.au

1 year ago 1 0 0 0

I just uploaded slides from an old talk on Windows x64 Stack Walking.

github.com/jdu2600/conf...

1 year ago 2 0 0 0

I attended last week's Pall Mall Process conference in Paris.

I wanted to dump a few notes, writing from my perspective as a security researcher, hacker, former entrepreneur, and creator of a well-known C2 platform (one that, importantly, I'm no longer involved with).

1 year ago 4 3 1 0

Good luck.
The 1.11.0 update did not go well for me…

1 year ago 1 0 0 0