Automating MS-RPC research shows how NtObjectManager, dynamic RPC clients, fuzzing, canary tracing, ProcMon and Neo4j can map interfaces, test procedures, find crashes and uncover coercion-style Windows bugs.
Credential Dumping: Local Security Authority (LSA|LSASS.EXE)
The article surveys LSASS credential dumping techniques, explains what secrets LSASS stores, and recommends defenses such as Credential Guard, LSASS PPL, ASR rules, SIEM monitoring, and least privilege.
RPC Proxy Injection Part II: Breaking Elastic EDR Telemetry
The article explains enhancing RPC Proxy Injection to evade Elastic EDR telemetry by avoiding common API calls like WriteProcessMemory and CreateRemoteThread, using custom shellcode delivery via thread descriptions and APCs to hide malicious behavior.
EventLog-in: Propagating With Weak Credentials Using the Eventlog Service in Microsoft Windows (CVE-2025-29969)
SafeBreach Labs disclosed a critical RCE in the MS-EVEN RPC service (CVE-2025-29969) that lets low-privilege users write arbitrary files remotely on Windows 11/Server 2025, bypassing share limits. Patched May 2025.
ALPC Uncovered: The Hidden Backbone of Local RPC in Windows 11 and Server 2025
This article explores ALPC in Windows 11 and Windows Server 2025, covering hardened server design, message attributes, section-based transfer, and its role in Local RPC. It also analyzes ALPC as a security boundary and attack surface.