John U

Results: 6 issues by John U

The legacy NetLogon ETW provider includes the NegotiatedFlags parameter of the NetrServerAuthenticate3 MS-NRPC call. The 2nd bit is the 'Secure RPC' flag which Zerologon needs to disable. Flagging on Netlogon authentication...

rules
work_in_progress

> Microsoft Message Analyzer (MMA) was retired and its download packages removed from microsoft.com sites on November 25 2019. There is currently no Microsoft replacement for Microsoft Message Analyzer in...

## Description

Thread Creation events (ideally via a `PsSetCreateThreadNotifyRoutine` callback) are a useful telemetry source.

References

- https://bruteratel.com/release/2022/11/17/Release-Resurgence/ "Several changes were also made to how a local thread was created...

enhancement
help wanted
On-hold

Detouring a function should not break our ability to walk the call stack. On X64, suggest that we require the Detour to reside in MEM_IMAGE so that Windows has access...

Hey Detours folks, Just a couple of suggestions for choosing the trampoline location. The X86 range reserved for system DLLs is not up to date. The X64 "not +/- 1GB...

Hey @nasbench I just noticed that some manifests aren't installed by default - and require the OS feature to be enabled first. For example, you need to add the DNS...

enhancement