Links
Microsoft is disabling the NT LAN Manager (NTLM) protocol by default in Windows 11 and Windows Server to enhance security. Despite its long history, NTLM is outdated and vulnerable to attacks, prompting the shift towards more secure protocols like Kerberos. Many organizations still use NTLM, but the risks now outweigh the benefits.
AppControl Manager is a tool for managing App Control and Code Integrity on Windows devices. It provides a user-friendly interface and operates securely without third-party dependencies. The application supports various Windows versions and focuses on maintaining a strong security posture.
This article introduces Swarmer, a tool designed for stealthy modification of the Windows Registry without triggering endpoint detection systems. It leverages legacy Windows features, specifically mandatory user profiles and the Offline Registry API, to achieve persistence without typical detection methods. The authors share insights from its operational use in engagements over the past year.
This article explains the Projected File System (ProjFS) in Windows, which allows virtual files to be projected from a backing datastore. It covers the system's architecture, how it operates, and its potential use cases for offensive and defensive applications.
NEBULA is a PowerShell tool designed for testing Windows execution and persistence methods, including LOLBAS techniques. It provides a menu-driven interface for security researchers and teams to execute tests and log results. Example payloads sourced from Atomic Red Team are included for safe experimentation.
This article explains a technique for establishing registry persistence using an NTUSER.MAN file, which allows for registry writes without triggering typical monitoring callbacks. By placing a crafted NTUSER.MAN in a user's profile directory, attackers can load persistence keys directly into HKCU during logon, avoiding detection by conventional EDR solutions.
NoMoreStealer is a kernel-mode minifilter driver for Windows that monitors file system access to prevent untrusted processes from reaching protected paths. It uses allowlists for process trust and communicates with a Wails frontend for real-time notifications. The project is a demo with several limitations and should be used for educational purposes only.
Microsoft addressed a problem where third-party security software falsely flagged WinSqlite3.dll, a core Windows component, as vulnerable. The company updated the DLL in January 2026, encouraging users to install the latest updates for their devices. This issue affected both Windows 10 and 11, as well as Windows Server versions 2012 to 2025.
Microsoft issued out-of-band updates to fix two critical issues affecting Windows 10, Windows 11, and Windows Server. One problem disrupts remote desktop access to Microsoft 365 Cloud PC sessions, while the other prevents some Windows 11 devices with Secure Launch from shutting down or hibernating.
Microsoft will integrate Sysmon into Windows 11 and Windows Server 2025 next year, eliminating the need for standalone installations. This built-in functionality will allow users to monitor and log various system events, making management easier in large IT environments.
DbgNexum demonstrates a method for injecting shellcode into a target process via the Windows Debugging API and shared memory, bypassing direct memory access. It manipulates the target's execution context to load and run the payload. The example uses XORed msfvenom shellcode to spawn "calc.exe".
Microsoft is rolling out smartphone-like app permission prompts in Windows 11, allowing users to control access to sensitive resources like files and cameras. This change aims to enhance user consent and privacy, addressing issues with apps overriding settings or installing unwanted software. The updates are part of the Secure Future Initiative following a recent security breach.
Microsoft’s November 2025 Patch Tuesday updates resolved 63 vulnerabilities, including a critical zero-day in the Windows kernel actively under attack. The updates also addressed an Office vulnerability allowing unauthorized code execution. This month saw a significant decrease in reported flaws compared to October.
Microsoft is testing its AI-powered Windows Recall feature, which allows users to take snapshots of their active windows for easier searching of content, with a rollout to Windows 11 Insiders. Concerns over privacy led to enhancements including opt-in functionality and security measures like Windows Hello authentication. The feature is designed to help users manage snapshots while ensuring sensitive information is filtered out.
Exploring remote EDR capabilities without traditional agents, the author demonstrates how to utilize Performance Logs and Alerts APIs for stealthy monitoring of security events on target systems. This method allows both offensive and defensive teams to enhance their visibility while avoiding the complexities of agent deployment.
Microsoft's August 2025 Patch Tuesday addressed 107 vulnerabilities, including a critical zero-day in Windows Kerberos that could allow domain administrator privilege escalation. The update also fixed thirteen critical vulnerabilities, predominantly related to remote code execution and information disclosure, highlighting ongoing security challenges for Windows users.
Microsoft has identified a new malware, Lumma, which has been found on approximately 394,000 Windows PCs. The Lumma password stealer is designed to capture sensitive login information, raising significant security concerns for users. Microsoft is urging users to take precautions to protect their devices from this threat.
Hells Hollow introduces a novel technique for SSDT hooking, leveraging Alt Syscalls to bypass Microsoft’s PatchGuard protections on Windows 11. This method allows rootkits to intercept and manipulate system calls by modifying the KTRAP_FRAME, thus enabling a range of malicious activities while highlighting the vulnerabilities within the Windows kernel. Limitations of the technique are discussed, including its resistance to certain security measures like Hyper-V and HVCI.
The blog discusses PatchGuard, or Kernel Patch Protection (KPP), a critical security feature in Windows that protects the kernel from unauthorized modifications. It explains how PatchGuard operates asynchronously to monitor key kernel structures, triggers a blue screen of death (BSOD) upon detecting tampering, and delves into its initialization process and the challenges of reverse engineering it. Additionally, the article hints at potential bypasses for this security mechanism.
SetupHijack is a security research tool designed to exploit vulnerabilities in Windows installer and update processes by hijacking file drops in writable directories. It allows attackers to replace legitimate files with malicious payloads, executing them with elevated privileges without needing admin access. The tool is intended for red team, penetration testing, and security research applications, emphasizing controlled and authorized use only.
The article discusses a recent research study that reveals vulnerabilities in Windows' Endpoint Privilege Management (EPM) system, which can be exploited by attackers to gain unauthorized access and escalate privileges. Researchers detail the methodologies used to uncover these security flaws and emphasize the need for improved protective measures within the Windows operating system.
ShadowCrypt is a project that enhances ransomware protection by camouflaging files with system-like extensions and hiding them in system directories, utilizing Windows shortcut files for easy access. It builds upon research from the paper "Hiding in the Crowd" and offers improved functionalities such as streamlined hiding processes, versatile recovery options, and integration with the right-click context menu for user convenience. The project aims to provide a cost-effective and user-friendly solution for secure file management on Windows systems.
NovaHypervisor is a defensive x64 Intel hypervisor designed to protect against kernel-based attacks by safeguarding memory structures and defense products on Windows 10 and later. Written in C++ and Assembly, it is in early development, not yet suitable for production, and includes instructions for setup, memory protection commands, and logging. Users must enable specific virtualization features to run the hypervisor effectively.
Bugfish Nuke is a Windows tool designed for emergency data deletion, allowing users to securely erase sensitive files and system traces with customizable overwrite options. It features an advanced function to lock out system access by corrupting Windows login files, and includes user-friendly elements like customizable audio notifications during the deletion process. Users are warned against misuse and encouraged to comply with legal guidelines while using the tool.
A critical flaw in the Windows version of WhatsApp has been discovered, allowing hackers to exploit the application and potentially sneak in malicious files. Users are advised to update their software immediately to protect against these vulnerabilities and safeguard their data.