Windows
Breaking Bitlocker
It was only a matter of time before someone did this. Bitlocker is Microsoft’s technique for encrypting a desktop, laptop, or other MS Windows device. We encrypt the device to protect the ...
Why Windows can’t follow WSL symlinks
By Yarden Shafir. Did you know that symbolic links (or symlinks) created through Windows Subsystem for Linux (WSL) can’t be followed by Windows? I recently encountered this rather frustrating issue as I’ve ...
New Windows/Linux Firmware Attack
Interesting attack based on malicious pre-OS logo images: LogoFAIL is a constellation of two dozen newly discovered vulnerabilities that have lurked for years, if not decades, in Unified Extensible Firmware Interfaces responsible ...
ETW internals for security research and forensics
By Yarden Shafir. Why has Event Tracing for Windows (ETW) become so pivotal for endpoint detection and response (EDR) solutions in Windows 10 and 11? The answer lies in the value of ...
Uncovering RPC Servers through Windows API Analysis
Intro: Have you ever tried to reverse a simple Win32 API? If not, let’s look at one together today! This article serves as a hand-holding walkthrough and documents in detail how I analyzed ...
Patch Tuesday, October 2023 Edition
Microsoft today issued security updates for more than 100 newly-discovered vulnerabilities in its Windows operating system and related software, including four flaws that are already being exploited. In addition, Apple recently released ...
ZenRAT Targets Windows Users with Fake Bitwarden Site
Hackers are using a bogus download page for Bitwarden’s password manager solution to target Windows users with a new remote access trojan (RAT) that’s designed to steal credentials and a range of ...
Shadow Wizard Registry Gang: Structured Registry Querying
Why Do We Need New Tooling for Registry Collection? The Windows registry, an intricate database storing settings for both the operating system and the applications that run on it, is a treasure trove ...
Introducing Windows Notification Facility’s (WNF) Code Integrity
By Yarden Shafir, Senior Security Engineer. WNF (Windows Notification Facility) is an undocumented notification mechanism that allows communication inside processes, between processes, or between user mode processes and kernel drivers. Similar to ...
Exploring Impersonation through the Named Pipe Filesystem Driver
Introduction: Impersonation happens often natively in Windows; however, adversaries also use it to run code in the context of another user. Recently I was researching named pipe impersonation, which naturally led me digging ...