The Lost Payload: MSIX Resurrection
How adversaries weaponize MSIX packages for initial access, and how to detect it. Plus introducing MSIXBuilder for safe testing of detection coverage.
Insights from the frontlines of defense. Technical deep-dives, tool walkthroughs, and lessons learned.
Real attack analysis from HoneyHarbor - catching a CVE-2025-3248 exploitation attempt in the wild and analyzing the attacker's techniques.
Major update to ClickGrab - migrated to Python with enhanced threat intelligence capabilities for detecting ClickFix and FakeCAPTCHA attacks.
The launch of my personal site and what to expect from Field Notes.
Analysis of the ClickFix social engineering technique where fake CAPTCHAs trick users into executing malicious PowerShell commands via clipboard hijacking.
Why proof of concept testing is essential for detection engineering - building detections that actually work against real attacks.
Introducing Bootloaders.io - a curated database of malicious bootloaders with detection rules and hash-based prevention.
Deep dive into SharePoint exploitation techniques and how attackers use malicious IIS modules for stealthy persistence in enterprise environments.
Introducing LOLRMM - Living Off The Land Remote Monitoring & Management. A comprehensive resource for tracking RMM tools abused by adversaries.
Deep dive into malicious LNK (shortcut) files used in phishing campaigns - how they work, real-world examples, and detection strategies.
A comprehensive guide to Security Descriptor Definition Language (SDDL) - the cryptic but powerful language that controls Windows access permissions.
Deep dive into Attack Surface Reduction rules, testing them with Atomic Red Team, and building comprehensive detection coverage in Splunk.
Introducing ASRGen - a tool to simplify configuring, testing, and deploying Microsoft Defender Attack Surface Reduction rules.
Part 2 of the AppLocker series focusing on testing your policies, monitoring for bypasses, and building detection coverage in Splunk.
Analysis of the CrushFTP server-side template injection vulnerability and detection strategies for identifying exploitation attempts.
Part 1 of the AppLocker series covering deployment strategies, policy creation, and testing methodologies for effective application whitelisting.
PowerShell Web Access (PSWA) provides browser-based remote PowerShell - a legitimate feature that attackers love to abuse for persistence and remote access.
Analysis of critical TeamCity authentication bypass vulnerabilities and detection strategies for identifying exploitation in your environment.
ShellSweepX is the most advanced version of the ShellSweep family, featuring machine learning prediction, YARA rule matching, AI-powered triage, and a comprehensive API for enterprise deployment.
Deep dive into Windows Subject Interface Packages (SIPs) - how they work, how attackers abuse them for code signing bypass, and how to detect malicious SIP hijacking.
Comprehensive guide to detecting SQL Server attacks including xp_cmdshell abuse, credential theft, and lateral movement through database servers.
Analysis of the Atlassian Confluence template injection RCE vulnerability and comprehensive detection coverage for your environment.
Comprehensive guide to detecting Bring Your Own Vulnerable Driver (BYOVD) attacks and leveraging LOLDrivers for defense.
Deep dive into Active Directory Certificate Services (AD CS) attacks and comprehensive detection strategies for ESC1-ESC8 and beyond.
ShellSweepPlus builds on ShellSweep with multi-layered detection including entropy analysis, standard deviation, heuristics, and pattern matching for more accurate web shell identification.
How attackers abuse API mocking services like Mockbin for C2, data exfiltration, and payload staging - and how to detect it.
Major update to LOLDrivers with enhanced detection capabilities, new drivers, and improved community features.
Comprehensive guide to detecting malicious IIS modules used for persistence, credential theft, and backdoor access on web servers.
ShellSweep is a PowerShell/Python/Lua tool designed to detect potential web shell files using entropy analysis. High entropy indicates randomness - a characteristic of obfuscated or encrypted malicious code.
Understanding the relationship between LOLDrivers and Hypervisor-Protected Code Integrity (HVCI) - how they work together to protect against driver-based attacks.
The story behind LOLDrivers.io - how we built the definitive resource for vulnerable driver detection and what we learned along the way.
Official 1.0 release of LOLDrivers - the community-driven project for tracking vulnerable Windows drivers.
Deep dive into NTLM relay attacks - understanding the technique, modern variations, and detection strategies for defenders.
Introduction to the BYOVD threat - how attackers abuse vulnerable drivers and why defenders need to pay attention.
Analysis of ProxyNotShell, ProxyShell, and related Exchange vulnerabilities - understanding the attack chains and building comprehensive detection coverage.
Comprehensive guide to detecting LSASS credential dumping - analyzing Mimikatz, Cobalt Strike, and other tools with updated Splunk detections.
Using Atomic Red Team to test LSASS credential dumping detections - validating your security controls against real attack techniques.
Analysis of the Follina vulnerability (CVE-2022-30190) and the broader attack surface of Windows protocol handlers for remote code execution.
Techniques for hunting malicious .NET assemblies - detecting in-memory execution, assembly loading, and CLR-based attacks.
How to use PowerShell Script Block Logging to detect malicious scripts - configuration, analysis, and detection strategies.
Running Suricata IDS on Windows for network threat detection - installation, configuration, and integration with your security stack.
Understanding Cobalt Strike's Malleable C2 profiles - how attackers customize traffic and how defenders can detect it.