UEFI Bootkits: The Malware That Lives Below Your Operating System
UEFI bootkits survive OS reinstalls, hide from every AV and EDR tool, and can bypass Secure Boot on fully-patched systems. Here's how they work and what you can do about it.
18 articles
Microsoft is officially deprecating NTLM — yet CVE-2025-24054 was actively exploited days after patching, and the Coercion → Relay → ADCS → Domain Admin chain still works in most enterprise environments. Here's the full 2026 kill chain and how to detect it.
DCSync abuses Active Directory replication to pull every password hash from a domain controller without touching it. Here's how the attack works, what it leaves in your logs, and how to build detections that catch it.
A practitioner's guide to PtH and PtT attacks: how they work, what tools attackers use, what evidence they leave behind, and how to build detections with Sigma and Wazuh.
Windows Defender and other high-privilege system processes are increasingly targeted by attackers. Learn how security tools become attack surfaces — and what you can do about it.
A structured guide to Active Directory attack techniques — from BloodHound enumeration through Kerberoasting, LSASS dumping, ADCS abuse, and Shadow Credentials to Entra ID pivot. Every technique with detection coverage.
A structured guide to modern Windows attack techniques — BYOVD EDR evasion, LOLBins, invisible character injection, ClickFix delivery, NTFS steganography, and C2 over trusted cloud services. How they work, how to detect them.
A hands-on red team guide to BloodHound CE — from SharpHound data collection to reading attack paths and finding the fastest route to Domain Admin in Active Directory.
Windows .lnk shortcut files can show one target while silently executing another. Discover five spoofing techniques including CVE-2025-9491, how attackers exploit them, and how to detect them.
NTFS Alternate Data Streams let attackers hide executables inside innocent-looking files. Learn how ADS works, how malware uses it, and how to detect it with PowerShell, Sysinternals, and Sysmon.
Shadow Credentials abuse msDS-KeyCredentialLink via DACL misconfiguration to add a rogue certificate, authenticate via PKINIT, and extract NT hashes — no password required.
Active Directory Certificate Services is installed in most enterprise networks — and almost always misconfigured. Here's how attackers exploit ESC1 through ESC8 with Certipy, and how to detect and stop them.
79% of attacks in 2024 used no malware at all. Attackers abuse Windows' own built-in tools — certutil, mshta, rundll32 — to execute code and evade detection. Here's the full attack playbook and how to detect it.
UPnP lets apps silently open ports on your router without asking. It's enabled by default on almost every home router — and it has been exploited by botnets, malware, and remote attackers for decades. Here's what it is and how to turn it off.
A complete purple team walkthrough of Active Directory attack chains — from initial foothold through Kerberoasting, DCSync, and Golden Tickets to full domain compromise, with detection rules for every technique.
A practical, no-nonsense guide to the essential security actions every home user should take to protect their computer, network, and personal data from everyday cyber threats.
Windows PATH hijacking enables attackers to execute malicious code through writable directories. PathSentry uses two-phase detection to identify vulnerable PATH entries before exploitation.
Linux hits 5% US market share. With Windows 10 ending support, is switching to Linux the right move? Real stats, costs, and answers.