Martin Smolar (2023). BlackLotus UEFI bootkit: Myth confirmed . https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/ Accessed 2026-05-09. March 1, 2023 ESET writeup; signed-but-unrevoked epitaph; HVCI/BitLocker/Defender disablement.
Thomas Lambertz (2024). BitLocker: Screwed without a screwdriver . https://neodyme.io/en/blog/bitlocker_screwed_without_a_screwdriver/ Accessed 2026-05-09. 38C3 (December 2024) Bitpixie writeup; Rairii August 2022 discovery.
Wack0. CVE-2022-21894 (Baton Drop) . https://github.com/Wack0/CVE-2022-21894 Accessed 2026-05-09. Truncatememory abuse; Baton Drop technical primitive.
Martin Smolar, Peter Strycek (2024). Bootkitty: Analyzing the first UEFI bootkit for Linux . https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/ Accessed 2026-05-09. November 27, 2024 ESET research; the BoB attribution update of December 2, 2024; Allievi 2012 anchor.
Binarly REsearch (2024). LogoFAIL Exploited to Deploy Bootkitty . https://www.binarly.io/blog/logofail-exploited-to-deploy-bootkitty-the-first-uefi-bootkit-for-linux Accessed 2026-05-09. Bootkitty exploits CVE-2023-40238 to inject MOK certs from a malicious BMP.
Microsoft. Microsoft Pluton security processor . https://learn.microsoft.com/en-us/windows/security/hardware-security/pluton/microsoft-pluton-security-processor Accessed 2026-05-09. Pluton silicon list and Windows Update firmware path; Rust-based foundation on 2024+ AMD/Intel parts.
Microsoft. Pluton as TPM . https://learn.microsoft.com/en-us/windows/security/hardware-security/pluton/pluton-as-tpm Accessed 2026-05-09. Pluton implements TPM 2.0 functionality and is the silicon root of trust.
Sergey Golovanov, Igor Soumenkov (2011). TDL4: Top Bot . https://securelist.com/tdl4-top-bot/36152/ Accessed 2026-05-09. Canonical Kaspersky SecureList post on TDL-4; reports 4,524,488 infections in the first three months of 2011 (post-ID 36152, distinct from the 2005 slug-collision at /36060/).
Microsoft. Secure the Windows boot process . https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process Accessed 2026-05-09. Microsoft Learn overview of the Trusted Boot quartet and the SRTM event log.
Microsoft. Trusted Boot . https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/trusted-boot Accessed 2026-05-09. Canonical Microsoft definition: bootloader verifies the kernel; the kernel verifies every other boot component.
IBM. IBM Personal Computer Technical Reference . https://dn790002.ca.archive.org/0/items/bitsavers_ibmpcpc602renceAug81_17295874/6025008_PC_Technical_Reference_Aug81.pdf Accessed 2026-05-09. Original IBM PC BIOS technical reference; bootstrap loader checks AA55h, loads the boot sector at 0000:7C00, and passes control to it.
Wikipedia. Stoned (computer virus) . https://en.wikipedia.org/wiki/Stoned_(computer_virus) Accessed 2026-05-09. 1987 boot sector virus, Wellington student attribution.
F-Secure. Brain . https://www.f-secure.com/v-descs/brain Accessed 2026-05-09. 1986 Brain boot-sector virus text identifies Brain Computer Services in Lahore, Pakistan; infection hooks INT 13h and hides infected boot sectors.
ESET. Malware of the 90s: Remembering the Michelangelo and Melissa viruses . https://www.welivesecurity.com/2018/11/12/malware-90s-michelangelo-melissa-viruses/ Accessed 2026-05-09. Michelangelo discovered in 1991; infects hard-disk MBRs and floppy boot sectors; Stoned variant with a March 6 destructive payload.
Derek Soeder, Ryan Permeh (2005). eEye BootRoot . https://www.blackhat.com/presentations/bh-usa-05/bh-us-05-soeder.pdf Accessed 2026-05-09. Black Hat USA 2005 BootRoot slides.
Vipin Kumar, Nitin Kumar. Vbootkit 2.0 (April 2007 release page, archived) . https://web.archive.org/web/20211027223059/https://nvlabs.in/vkumar/vbootkit Accessed 2026-05-09. Wayback Machine snapshot of the original NVlabs Vbootkit project page; dates the release to April 2007 and identifies Vipin and Nitin Kumar as authors.
Brett Stone-Gross et al. Your Botnet is My Botnet: Analysis of a Botnet Takeover . https://web.stanford.edu/class/cs114/readings/JO-Stone-Gross.pdf Accessed 2026-05-09. Torpig/Sinowal botnet analysis; Mebroot replaces the system MBR and executes before the operating system.
Marco Giuliani / Webroot (2011). Mebromi: the first BIOS rootkit in the wild . https://web.archive.org/web/20110924155423/http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/ Accessed 2026-06-09. Webroot analysis of Mebromi's Award BIOS, CBROM, SMI-port flashing, and MBR reinfection mechanics.
"Who Is This Code?" — The Quiet 33-Year Reinvention of App Identity in Windows . 2026. https://paragmali.com/blog/windows-app-identity-33-year-reinvention/ . Accessed 2026-05-10. Sibling article on Authenticode, AppContainer, Package SID derivation, and the layered code-identity stack.
TianoCore. PI Boot Flow . https://github.com/tianocore/tianocore.github.io/wiki/PI-Boot-Flow Accessed 2026-05-09. Canonical SEC → PEI → DXE → BDS phase descriptions.
Intel. Intel Trusted Execution Technology Software Development Guide . https://cdrdv2-public.intel.com/315168/315168_TXT_MLE_DG_rev_017_7.pdf Accessed 2026-05-09. Intel TXT GETSEC[SENTER] and TPM locality 4/PCR measured-launch mechanics.
IOActive. Exploring AMD Platform Secure Boot . https://www.ioactive.com/exploring-amd-platform-secure-boot/ Accessed 2026-05-09. AMD PSB chain of trust; vendor-misconfiguration finding.
AMD. AMD Strengthens Security Solutions Through Technology Partnership With ARM . https://ir.amd.com/news-events/press-releases/detail/385/amd-strengthens-security-solutions-through-technology-partnership-with-arm Accessed 2026-05-09. AMD announcement of ARM TrustZone integration and a platform security processor using an ARM Cortex-A5 CPU, with 2013 development platforms.
ESET Research (2018). LoJax: First UEFI rootkit found in the wild . https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/ Accessed 2026-05-09. September 27, 2018 first in-the-wild UEFI rootkit; Sednit/Fancy Bear; Boot Guard remediation guidance.
Microsoft. OEM UEFI . https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-uefi Accessed 2026-05-09. UEFI 2.3.1 as the WHCP firmware floor for Windows 10 security features.
NIST (2011). NIST SP 800-147: BIOS Protection Guidelines . https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-147.pdf Accessed 2026-05-09. April 2011 BIOS-update signing baseline.
Microsoft. OEM Secure Boot . https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot Accessed 2026-05-09. WHCP firmware-signing floor (RSA-2048 + SHA-256) and the PK/KEK/db/dbx hierarchy.
Microsoft. PE Format (Portable Executable and Common Object File Format Specification) . https://learn.microsoft.com/en-us/windows/win32/debug/pe-format Accessed 2026-05-09. Canonical Microsoft PE/COFF specification; describes the Attribute Certificate Table and notes that the Authenticode image digest must exclude the Checksum and Certificate Table entry in Optional Header Data Directories.
rhboot/shim contributors. SBAT: Secure Boot Advanced Targeting . https://github.com/rhboot/shim/blob/main/SBAT.md Accessed 2026-05-09. BootHole event consumed ~10 kB of ~32 kB dbx; generation-number revocation design.
Microsoft (2025). Windows Secure Boot certificate expiration and CA updates (KB5062710) . https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e Accessed 2026-06-10. Certificate table: Microsoft Windows Production PCA 2011 expires 19 October 2026; Microsoft UEFI CA 2011 expires 27 June 2026.
Microsoft (2023). KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 . https://support.microsoft.com/help/5025885 Accessed 2026-05-09. May 9, 2023 published; July 2024 mitigations; July 2025 enforcement; opt-in irreversibility caution.
Matthew Garrett (2012). shim release note . https://mjg59.dreamwidth.org/20303.html Accessed 2026-06-09. November 30, 2012 shim release; documents MOK enrolment and credits SUSE engineers with the MOK concept and implementation work.
z3bra. Elysium bootkit -- writing a Windows bootkit . https://z3bra.cat/posts/elysium-bootkit/ Accessed 2026-05-09. Reverse-engineered call chain: OslLoadDrivers → OslLoadImage → LdrpLoadImage → BlImgLoadPEImageEx → ImgpLoadPEImage → ImgpValidateImageHash inside winload.efi bootlib.
Geoff Chappell. LOADER_PARAMETER_EXTENSION . https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/api/arc/loader_parameter_extension/index.htm Accessed 2026-05-09. The under-documented loader-to-kernel handoff structure that carries validated SiPolicy across the boundary.
n4r1b. Smart App Control Internals -- Part 1 . https://n4r1b.com/posts/2022/08/smart-app-control-internals-part-1/ Accessed 2026-05-09. CodeIntegrityData / CodeIntegrityDataSize fields added to LOADER_PARAMETER_EXTENSION in Windows 11 22H2 to carry serialised CI state across the loader/kernel boundary.
SySS Research (2024). Bitpixie: Defeating BitLocker through unverified PXE boot . https://blog.syss.com/posts/bitpixie/ Accessed 2026-05-09. PCR allocation table; SHA-256 extend formula; downgrade attack flow.
Trusted Computing Group. Trusted Computing Group Releases TPM 2.0 Specification for Improved Platform and Device Security . https://web.archive.org/web/20170823111717/https://trustedcomputinggroup.org/trusted-computing-group-releases-tpm-2-0-specification-improved-platform-device-security/ Accessed 2026-05-09. Archived TCG announcement for TPM 2.0 specification availability on April 9, 2014.
Microsoft. Trusted Platform Module Technology Overview . https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/trusted-platform-module-overview Accessed 2026-06-09. Microsoft overview of TPM integrity measurements and TPM-bound keys.
The TPM in Windows: One Primitive, Twenty-Five Years, and the Chip Microsoft Bet On Twice (2026). https://paragmali.com/blog/the-tpm-in-windows-one-primitive-twenty-five-years-and-the-c/ Note: The prior article in this series; its conclusions on dTPM, Intel PTT, and AMD fTPM are required reading here.
Microsoft. How hardware-based root of trust helps protect Windows . https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows Accessed 2026-05-09. SRTM allowlist explosion; DRTM late-launch via Secure Launch in Windows 10 1809+.
BitLocker on Windows: Architecture, Attacks, and the Limits of Full-Disk Encryption . https://paragmali.com/blog/bitlocker-on-windows-architecture-attacks-and-the-limits-of-/ Accessed 2026-05-09. Sibling article; VMK/FVEK key hierarchy; TPM-only protector mechanics.
Microsoft. Early Launch Antimalware . https://learn.microsoft.com/en-us/windows-hardware/drivers/install/early-launch-antimalware Accessed 2026-05-09. ELAM ordering, PPL execution, classification surface for boot-start drivers.
Microsoft. ELAM driver requirements . https://learn.microsoft.com/en-us/windows-hardware/drivers/install/elam-driver-requirements Accessed 2026-05-09. INF requirements for an ELAM driver; verbatim three-class prose ("known good binary, known bad binary, or an unknown binary") plus the Early-Launch service-group requirement.
Microsoft. _BDCB_CLASSIFICATION enumeration (ntddk.h) . https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/ne-ntddk-_bdcb_classification Accessed 2026-06-09. Microsoft WDK enum reference listing ELAM boot-start image classifications, including BdCbClassificationKnownBadImageBootCritical.
Microsoft. Kernel DMA Protection (Thunderbolt / USB4 / CFexpress) . https://learn.microsoft.com/en-us/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt Accessed 2026-05-09. Kernel DMA Protection blocks DMA from PCIe hot-plug peripherals using the system IOMMU until an authorized user signs in or unlocks the screen.
When SYSTEM Isn't Enough: The Windows Secure Kernel and the End of Total Kernel Trust . 2026. https://paragmali.com/blog/the-windows-secure-kernel/ . Accessed 2026-05-10. Sibling article on VBS / IUM / VTL0-VTL1, Trustlet API, Credential Guard, HVCI.
No Secrets to Steal: How Windows Hello Eliminated the Shared Secret . https://paragmali.com/blog/your-face-is-not-your-password-inside-windows-hellos-hardwar/ Accessed 2026-05-09. Sibling article; Windows Hello, TPM-backed biometrics, FIDO2 / passkeys mechanism.
AMD (2022). AMD Unveils New Ryzen Mobile Processors Uniting "Zen 3+" core with AMD RDNA 2 Graphics in Powerhouse Design . https://ir.amd.com/news-events/press-releases/detail/1039/amdunveils-new-ryzen-mobile-processors-uniting-zen-3-core-with-amd-rdna-2-graphics-in-powerhousedesign Accessed 2026-06-09. January 4, 2022 Ryzen 6000 launch; states Ryzen 6000 processors integrated the Microsoft Pluton security processor.
David Weston — Meet the Microsoft Pluton processor — The security chip designed for the future of Windows PCs (2020). https://www.microsoft.com/en-us/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/ Note: November 17, 2020 announcement; AMD, Intel, Qualcomm partnership; SHACK; Cerberus complementarity.
Martin Smolar, Anton Cherepanov (2021). UEFI threats moving to the ESP: Introducing ESPecter bootkit . https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/ Accessed 2026-05-09. October 5, 2021 ESET disclosure of ESPecter; ESP-resident bootkit category.
Kaspersky GReAT (2021). FinSpy: unseen findings . https://securelist.com/finspy-unseen-findings/104322/ Accessed 2026-05-09. September 2021 first public analysis of a real-world UEFI bootkit replacing bootmgfw.efi.
Microsoft DART/MSTIC (2023). Guidance for investigating attacks using CVE-2022-21894: the BlackLotus campaign . https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ Accessed 2026-05-09. April 11, 2023 incident-response guide; six BlackLotus forensic artefact classes.
NSA, CISA (2023). BlackLotus Mitigation Guide . https://media.defense.gov/2023/Jun/22/2003245723/-1/-1/0/CSI_BlackLotus_Mitigation_Guide.PDF Accessed 2026-05-09. June 22, 2023 joint US government cybersecurity information sheet.
The Register (2012). Researcher creates proof-of-concept Win 8 UEFI rootkit . https://www.theregister.com/2012/09/19/win8_rootkit/ Accessed 2026-05-09. September 19, 2012 reporting of the Allievi/ITSEC PoC.
Binarly REsearch (2023). The Far-Reaching Consequences of LogoFAIL . https://www.binarly.io/blog/far-reaching-consequences-of-logofail Accessed 2026-06-09. Original LogoFAIL disclosure describing image-parser vulnerabilities across AMI, Insyde, and Phoenix firmware and BMP/GIF/JPEG/PCX/TGA parser exposure.
NIST NVD. CVE-2024-20666: BitLocker Security Feature Bypass Vulnerability . https://nvd.nist.gov/vuln/detail/CVE-2024-20666 Accessed 2026-05-09. NVD entry establishing the CVE and BitLocker security-feature-bypass classification.
Heise (2025). Attack bypasses BitLocker using Windows Recovery Environment . https://www.heise.de/en/news/Attack-bypasses-BitLocker-using-Windows-Recovery-Environment-11292729.html Accessed 2026-06-09. Technical reporting on WinRE/BitLocker downgrade attacks using older signed bootmgfw.efi and the PCA-2011 to CA-2023 migration.
Microsoft (2024). KB5034957: Updating the WinRE partition on deployed devices to address security vulnerabilities in CVE-2024-20666 . https://support.microsoft.com/en-us/topic/kb5034957-updating-the-winre-partition-on-deployed-devices-to-address-security-vulnerabilities-in-cve-2024-20666-0190331b-1ca3-42d8-8a55-7fc406910c10 Accessed 2026-06-09. Microsoft guidance tying CVE-2024-20666 mitigation to WinRE partition updates.
NVD (2023). CVE-2023-24932 -- Secure Boot Security Feature Bypass Vulnerability . https://nvd.nist.gov/vuln/detail/CVE-2023-24932 Accessed 2026-05-09. NVD entry for the KB5025885 paired CVE.
Microsoft. microsoft/secureboot_objects . https://github.com/microsoft/secureboot_objects Accessed 2026-05-09. Canonical KEK/db/dbx distribution since 2024.
Apple. Boot process for an Apple device . https://support.apple.com/guide/security/boot-process-secb3000f149/web Accessed 2026-05-09. Apple application-processor boot chain: Boot ROM → LLB (legacy) → iBoot → kernel; Apple Root CA public key in Boot ROM.
Apple. Secure Enclave . https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/web Accessed 2026-05-09. Secure Enclave Processor as a dedicated subsystem integrated into Apple SoC; sepOS L4 microkernel; mailbox interface.
Apple. System security overview . https://support.apple.com/guide/security/system-security-overview-sec114e4db04/web Accessed 2026-05-09. Apple secure-boot continuity model: silicon-rooted chain of trust through software, including Secure Enclave secure boot.
Trusted Firmware-A project. Trusted Firmware-A . https://trustedfirmware-a.readthedocs.io/en/latest/ Accessed 2026-05-09. Reference secure-world software for Armv7-A and Armv8-A platforms; Secure Monitor at EL3; PSCI / TBBR / SMC Calling Convention.
Trusted Firmware-A. Trusted Board Boot . https://trustedfirmware-a.readthedocs.io/en/latest/design/trusted-board-boot.html Accessed 2026-05-09. Trusted Board Boot Requirements (TBBR, Arm DEN0006D) and the BL1 → BL2 → BL31/BL32 → BL33 chain anchored on the ROTPK fused per silicon family.
Microsoft — Introducing Windows 11 (2021). https://blogs.windows.com/windowsexperience/2021/06/24/introducing-windows-11/
David Weston — Windows 11 enables security by design from the chip to the cloud . https://www.microsoft.com/en-us/security/blog/2021/06/25/windows-11-enables-security-by-design-from-the-chip-to-the-cloud/
Microsoft — TPM 2.0 -- OEM mandate . https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-tpm
Richard Stallman — Can You Trust Your Computer? . https://www.gnu.org/philosophy/can-you-trust.html
Gates Ushers in Next Generation of PC Computing With Launch of Windows 2000 — Microsoft News Center; 2000. https://news.microsoft.com/source/2000/02/17/gates-ushers-in-next-generation-of-pc-computing-with-launch-of-windows-2000/
Microsoft — Cryptography portal (Win32) . https://learn.microsoft.com/en-us/windows/win32/seccrypto/cryptography-portal
Microsoft — How Windows uses the TPM . https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/how-windows-uses-the-tpm
Wikipedia contributors — Trusted Computing Group . https://en.wikipedia.org/wiki/Trusted_Computing_Group
Trusted Computing Group — TPM Main Specification (Version 1.2) . https://trustedcomputinggroup.org/resource/tpm-main-specification/
Johns Hopkins APL Technical Digest — Trusted Platform Module Evolution . https://secwww.jhuapl.edu/techdigest/Content/techdigest/pdf/V32-N02/32-02-Osborn.pdf
Paul England, Butler Lampson, John Manferdelli, Marcus Peinado, Bryan Willman — A Trusted Open Platform . https://www.microsoft.com/en-us/research/publication/trusted-open-platform/
Microsoft — Secure Startup-Full Volume Encryption: Technical Overview . https://download.microsoft.com/download/5/D/6/5D6EAF2B-7DDF-476B-93DC-7CF0072878E6/secure-start_tech.doc
Denis Andzakovic — Extracting BitLocker keys from a TPM . https://pulsesecurity.co.nz/articles/TPM-sniffing
Microsoft — BitLocker overview . https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/
Elaine Barker, Allen Roginsky — NIST SP 800-131A Rev. 2 -- Transitioning the Use of Cryptographic Algorithms and Key Lengths . https://csrc.nist.gov/pubs/sp/800/131/a/r2/final
Marc Stevens, Elie Bursztein, Pierre Karpman, Ange Albertini, and Yarik Markov. Announcing the first SHA1 collision . https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
Microsoft — Microsoft Announces the Release of Windows NT Workstation 4.0 . https://news.microsoft.com/source/1996/07/31/microsoft-announces-the-release-of-windows-nt-workstation-4-0/
Trusted Computing Group — TPM 2.0 Library Specification . https://trustedcomputinggroup.org/resource/tpm-library-specification/
ISO/IEC — ISO/IEC 11889-1:2015 -- Information technology -- Trusted platform module library -- Part 1: Architecture . https://www.iso.org/standard/66510.html
Will Arthur, David Challener, Kenneth Goldman — A Practical Guide to TPM 2.0 . https://link.springer.com/book/10.1007/978-1-4302-6584-9
Microsoft — Measured boot and host attestation . https://learn.microsoft.com/en-us/azure/security/fundamentals/measured-boot-host-attestation
Configure Credential Guard / Virtualization-based security (overview). https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/
Microsoft — How Windows Hello for Business works . https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/how-it-works
Microsoft — TPM key attestation . https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation
Denis Andzakovic — lpc_sniffer_tpm . https://github.com/denandz/lpc_sniffer_tpm
Henri Nurmi — Sniff There, Leaks My BitLocker Key (2022). https://labs.withsecure.com/publications/sniff-there-leaks-my-bitlocker-key
Thomas Dewaele, Julien Oberson — TPM sniffing . https://blog.scrt.ch/2021/11/15/tpm-sniffing/
SCRT — Privilege escalation through TPM sniffing when BitLocker PIN is enabled . https://blog.scrt.ch/2024/10/28/privilege-escalation-through-tpm-sniffing-when-bitlocker-pin-is-enabled/
Intel — Intel NUC 13 Extreme Technical Product Specification . https://www.intel.com/content/dam/support/us/en/documents/intel-nuc/NUC13SB-RN_TechProdSpec.pdf
Daniel Moghimi, Berk Sunar, Thomas Eisenbarth, Nadia Heninger — TPM-Fail . https://tpm.fail/
NIST NVD — CVE-2019-11090 -- Intel PTT timing leak (TPM-Fail) . https://nvd.nist.gov/vuln/detail/CVE-2019-11090
NIST NVD — CVE-2019-16863 -- STMicroelectronics ST33 TPM-FAIL . https://nvd.nist.gov/vuln/detail/CVE-2019-16863
Daniel Moghimi, Berk Sunar, Thomas Eisenbarth, Nadia Heninger — TPM-FAIL: TPM meets Timing and Lattice Attacks . https://www.usenix.org/conference/usenixsecurity20/presentation/moghimi
Hans Niklas Jacob, Christian Werling, Robert Buhren, Jean-Pierre Seifert — faulTPM: Exposing AMD fTPMs Deepest Secrets (2023). https://arxiv.org/abs/2304.14717
PSPReverse — ftpm_attack -- proof-of-concept code for faulTPM . https://github.com/PSPReverse/ftpm_attack
AMD — TPM Attestation Failure on AMD Platforms with ASP fTPM . https://www.amd.com/en/resources/support-articles/faqs/pa-420.html
Microsoft — Trusted launch for Azure VMs . https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch
Microsoft Security — Microsoft and partners design new device security requirements to protect against targeted firmware attacks . https://www.microsoft.com/en-us/security/blog/2019/10/21/microsoft-and-partners-design-new-device-security-requirements-to-protect-against-targeted-firmware-attacks/
System Guard Secure Launch and SMM protection (2026-05-10). Microsoft Learn. https://learn.microsoft.com/en-us/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection
BitLocker Countermeasures (Microsoft Learn) , 2024. https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/countermeasures
Microsoft Learn — Get-Tpm . https://learn.microsoft.com/en-us/powershell/module/trustedplatformmodule/get-tpm
NIST NVD — CVE-2023-21563 -- BitLocker Security Feature Bypass . https://nvd.nist.gov/vuln/detail/CVE-2023-21563
NIST — FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM) . https://csrc.nist.gov/pubs/fips/203/final
NIST — FIPS 204: Module-Lattice-Based Digital Signature Standard (ML-DSA) . https://csrc.nist.gov/pubs/fips/204/final
NIST — FIPS 205: Stateless Hash-Based Digital Signature Standard (SLH-DSA) . https://csrc.nist.gov/pubs/fips/205/final
NIST — Post-Quantum Cryptography project . https://csrc.nist.gov/projects/post-quantum-cryptography
U.S. Federal Register — Announcing Issuance of Federal Information Processing Standards (FIPS) -- FIPS 203, 204, and 205 . https://www.federalregister.gov/documents/2024/08/14/2024-17956/announcing-issuance-of-federal-information-processing-standards-fips-fips-203-module-lattice-based
Microsoft — ms-tpm-20-ref releases . https://github.com/microsoft/ms-tpm-20-ref/releases
Fraunhofer SIT — Post-Quantum Cryptography for TPM . https://www.sit.fraunhofer.de/en/pqcryptography/post-quantum-cryptography-for-tpm/
Trusted Computing Group — PC Client Platform TPM Profile (PTP) Specification . https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/
Mike Ounsworth, John Gray, Massimiliano Pala, Jan Klaussner, Scott Fluhrer — Composite ML-DSA for X.509 (IETF LAMPS WG draft) . https://datatracker.ietf.org/doc/draft-ietf-lamps-pq-composite-sigs/
Douglas Stebila, Scott Fluhrer, Shay Gueron — Hybrid key exchange in TLS 1.3 (IETF TLS WG draft) . https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/
Microsoft Security — Quantum-safe security: Progress towards next-generation cryptography . https://www.microsoft.com/en-us/security/blog/2025/08/20/quantum-safe-security-progress-towards-next-generation-cryptography/
CRoCS Masaryk University — ROCA detection tool . https://github.com/crocs-muni/roca
NIST NVD — CVE-2017-15361 -- Infineon ROCA . https://nvd.nist.gov/vuln/detail/CVE-2017-15361
Wikipedia contributors — ROCA vulnerability . https://en.wikipedia.org/wiki/ROCA_vulnerability
Dan Goodin — Crypto failure cripples millions of high-security keys, 750k Estonian IDs . https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/
Microsoft Security Response Center — MSRC Advisory ADV170012 -- Vulnerability in TPM Could Allow Security Feature Bypass . https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012
Microsoft — Continuous access evaluation in Microsoft Entra ID (2025). https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-continuous-access-evaluation
Microsoft — CNG DPAPI (DPAPI-NG) . https://learn.microsoft.com/en-us/windows/win32/seccng/cng-dpapi
Microsoft — DPAPI-NG protection descriptors . https://learn.microsoft.com/en-us/windows/win32/seccng/protection-descriptors
Brandon Vigliarolo — Dell, Lenovo and HP responses to Microsoft Pluton . https://www.theregister.com/2022/03/09/dell_pluton_microsoft/
Mark Hachman — Why the biggest laptop vendors are ignoring Microsoft Pluton security tech (2022). https://www.pcworld.com/article/621767/why-the-biggest-laptop-vendors-are-ignoring-microsofts-pluton-security-tech.html
Michael Larabel — Pluton TPM CRB driver merged for Linux 6.3 (2023). https://www.phoronix.com/news/Pluton-TPM-CRB-Merged-Linux-6.3
Matthew Garrett — Bringing Pluton support to Linux (2022). https://mjg59.dreamwidth.org/58879.html Note: AMD Ryzen 6000 / Asus G14 BIOS reverse-engineering; PSP soft-fuse 0xB BIT36; observed Pluton firmware blob appeared to contain chunks of TPM 2.0 reference code and decompiled as ARM.
Vijay Sarvepalli — CERT/CC VU#282450 — TPM 2.0 reference implementation OOB read in CryptHmacSign (2025). https://www.kb.cert.org/vuls/id/282450 Note: Anonymous reporter; document author Vijay Sarvepalli; Date Public 2025-06-10.
Anatomy of a secured MCU (2018). https://azure.microsoft.com/en-us/blog/anatomy-of-a-secured-mcu/ Note: First publicly verifiable use of the "Pluton" name (April 2018).
From research idea to research-powered product: Behind the scenes with Azure Sphere . https://www.microsoft.com/en-us/research/blog/from-research-idea-to-research-powered-product-behind-the-scenes-with-azure-sphere Note: Codename 4x4 = 4 MB RAM + 4 MB Flash; AI+Research NExT origin (2015).
Galen Hunt, George Letey, Edmund Nightingale — The Seven Properties of Highly Secure Devices (2017). https://www.microsoft.com/en-us/research/publication/seven-properties-highly-secure-devices/ Note: MSR-TR-2017-16 (March 2017); the architectural manifesto behind Azure Sphere and Pluton.
Microsoft open-sources effort to build a hardware chip that protects firmware (2017). https://siliconangle.com/2017/11/09/microsoft-open-sources-effort-build-hardware-chip-protects-firmware-hackers/
Project Cerberus — Open Compute Project / Project Olympus . https://github.com/opencomputeproject/Project_Olympus/tree/master/Project_Cerberus Note: Architecture, Challenge Protocol, Firmware Update, HPFR, Processor Cryptography PDFs.
Project Cerberus reference implementation . https://github.com/Azure/Project-Cerberus Note: Microsoft-maintained Cerberus reference implementation; FreeRTOS and Linux ports.
Project Cerberus (Microsoft Learn) . https://learn.microsoft.com/en-us/azure/security/fundamentals/project-cerberus Note: NIST 800-193 alignment; Platform Firmware Manifest; Azure Host Attestation Service.
NIST SP 800-193: Platform Firmware Resiliency Guidelines (2018). https://csrc.nist.gov/pubs/sp/800/193/final
Galen Hunt — Introducing Microsoft Azure Sphere: Secure and power the intelligent edge (2018). https://azure.microsoft.com/en-us/blog/introducing-microsoft-azure-sphere-secure-and-power-the-intelligent-edge/ Note: Azure Sphere preview at RSA 2018 (April 16, 2018); custom silicon "inspired by 15 years of experience and learnings from Xbox".
Microsoft Azure Blog — A secure foundation for IoT, Azure Sphere now generally available (2020). https://azure.microsoft.com/en-us/blog/a-secure-foundation-for-iot-azure-sphere-now-generally-available/ Note: February 24, 2020 Azure Sphere general-availability announcement.
Azure Sphere—Microsoft's answer to escalating IoT threats—reaches general availability (Microsoft Security Blog, 2020). https://www.microsoft.com/en-us/security/blog/2020/02/24/azure-sphere-microsoft-answer-iot-threats-reaches-general-availability/
AMD Platform Security Processor (Wikipedia) . https://en.wikipedia.org/wiki/AMD_Platform_Security_Processor
Michael Larabel — AMD Ryzen 6000 to ship with Microsoft Pluton (2022). https://www.phoronix.com/news/AMD-Ryzen-6000-Pluton
AMD — AMD Unveils New Ryzen Mobile Processors Uniting "Zen 3+" core with AMD RDNA 2 Graphics (2022). https://www.amd.com/en/newsroom/press-releases/2022-1-4-amd-unveils-new-ryzen-mobile-processors-uniting-z.html Note: AMD's January 4, 2022 announcement; states Ryzen 6000 Series integrated the Microsoft Pluton security processor.
Caliptra: open-source datacenter Root of Trust . https://github.com/chipsalliance/Caliptra Note: Datacenter-class on-die RTM IP; CHIPS Alliance source stewardship.
Caliptra specification (CHIPS Alliance Pages) . https://chipsalliance.github.io/Caliptra/
TPMScan: a wide-scale study of security-relevant properties of TPM 2.0 chips (2024). https://crocs.fi.muni.cz/_media/publications/pdf/2024-ches-tpmscan.pdf Note: CHES 2024.
Petr Svenda, Antonin Dufka, Milan Broz, Roman Lacko, Tomas Jaros, Daniel Zatovic, Josef Pospisil — TPMScan: A wide-scale study of security-relevant properties of TPM 2.0 chips (2024). https://tches.iacr.org/index.php/TCHES/article/view/11444 Note: IACR TCHES vol. 2024 issue 2 pp. 714-734; DOI 10.46586/tches.v2024.i2.714-734; iTPM corpus includes Pluton-based iTPMs.
Tock embedded operating system . https://github.com/tock/tock
Linux 6.3 Pluton TPM CRB merge commit . https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=219ac97a486c1ad9c110cb96ebdad7ba068236fb
The Secure Enclave (Apple Platform Security) . https://support.apple.com/guide/security/the-secure-enclave-sec59b0b31ff/web Note: Cross-confirmation source for Apple SEP universal-deployment scope across iPhone 5s+, iPad Air+, and Apple-silicon Mac generations.
Apple T2 (Wikipedia) . https://en.wikipedia.org/wiki/Apple_T2
Titan M makes Pixel 3 our most secure phone yet (2018). https://blog.google/products-and-platforms/devices/pixel/titan-m-makes-pixel-3-our-most-secure-phone-yet/
Pixel 6: Setting a new standard for mobile security (2021). https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html Note: Google Online Security Blog post on Titan M2 / Pixel 6 (October 2021); in-house RISC-V security chip with AVA_VAN.5 target.
OpenTitan . https://opentitan.org/
OpenTitan reaches commercial availability (lowRISC) (2024). https://lowrisc.org/news/opentitan-commercial-availability/ Note: February 13, 2024; nine coalition members; lowRISC = host.
NVD CVE-2025-2884 (2025). https://nvd.nist.gov/vuln/detail/CVE-2025-2884 Note: CryptHmacSign OOB read in TCG TPM 2.0 reference (Level 00, Revision 01.83).
Intel Security Advisory SA-01209 . https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01209.html
Siemens SSA-628843 . https://cert-portal.siemens.com/productcert/html/ssa-628843.html
CVE-2025-49133 (libtpms) . https://www.cve.org/CVERecord?id=CVE-2025-49133
libtpms commit 04b2d8e9 (CVE-2025-49133) . https://github.com/stefanberger/libtpms/commit/04b2d8e9afc0a9b6bffe562a23e58c0de11532d1
TCG VRT0009 Advisory . https://trustedcomputinggroup.org/wp-content/uploads/VRT0009-Advisory-FINAL.pdf
IETF Key Transparency (KEYTRANS) Working Group . https://datatracker.ietf.org/wg/keytrans/about/ Note: Active IETF working group on transparency-logged identity keys; the closest active venue for the multi-signer transparency thread, although KEYTRANS scope is end-user identity keys, not firmware-signing keys.
Cyber Resilience Act . https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act Note: European Commission policy page; verbatim "The CRA entered into force on 10 December 2024. The main obligations introduced by the Act will apply from 11 December 2027, with reporting obligations to apply as of 11 September 2026."
BSI-CC-PP-0084 — Security IC Platform Protection Profile . https://www.bsi.bund.de/SharedDocs/Zertifikate_CC/PP/aktuell/PP_0084.html Note: German BSI Common Criteria PP-0084 (current version PP-0084-V2-2026; 2014 historical version); EAL4 / AVA_VAN.5 baseline used historically for Infineon SLB 9670 / 9672 dTPMs.
DMTF DSP0274 — Security Protocol and Data Model (SPDM) . https://www.dmtf.org/dsp/DSP0274 Note: Canonical SPDM 1.3 reference; publication cadence 1.3.0 (Jun 2023) → 1.3.2 (Sep 2024) → 1.3.3 (Dec 2025); content mirror via caliptra-mcu-spdm.
Caliptra MCU SPDM Responder . https://chipsalliance.github.io/caliptra-mcu-sw/spdm.html Note: Rust SPDM 1.3 responder design; X.509v3-anchored mutual auth; canonical mirror of DSP0274 v1.3.2 content.
Caliptra at OCP Global Summit 2024 — 2.0 RTL Design Freeze (2024). https://www.chipsalliance.org/news/caliptra-ocp-global-summit-2024/ Note: Caliptra 2.0 RTL freeze October 2024; Dilithium / Kyber commitment; Reference Stack: MCTP PLDM, SPDM.
L. Lundblade, G. Mandyam, J. O'Donoghue, C. Wallace — RFC 9711 — The Entity Attestation Token (EAT) (2025). https://datatracker.ietf.org/doc/rfc9711/ Note: Standards Track, April 2025; CWT/JWT evidence/result token format.
H. Birkholz, T. Fossati, Y. Deshpande, N. Smith, W. Pan — draft-ietf-rats-corim-10 — Concise Reference Integrity Manifest . https://datatracker.ietf.org/doc/draft-ietf-rats-corim/ Note: In WG Last Call as of March 2026; appraisal-time profile for endorsements + reference values.
H. Birkholz, N. Smith, T. Fossati, H. Tschofenig, D. Glaze — draft-ietf-rats-msg-wrap-23 — Conceptual Message Wrapper . https://datatracker.ietf.org/doc/draft-ietf-rats-msg-wrap/ Note: In RFC Editor queue since December 2025; CBOR tag + JWT/CWT claims + X.509 extension envelope.
IETF RATS WG Documents . https://datatracker.ietf.org/wg/rats/documents/ Note: Active Internet-Draft inventory: corim-10, msg-wrap-23, multi-verifier-00, posture-assessment-04, EAR-03, epoch-markers-03, pkix-key-attestation-05.
OCP S.A.F.E. — Security Appraisal Framework and Enablement . https://github.com/opencomputeproject/OCP-Security-SAFE/blob/main/Documentation/framework.md Note: v2.0 March 2026 added CoRIM SFR support; third-party-audit framework for firmware appraisal.
TCG DICE Architecture Landing Page . https://trustedcomputinggroup.github.io/DICE/ Note: Hardware Root of Trust as a component-level identity primitive; UDS / CDI canonical reference.
Open Profile for DICE — Specification v2.6 . https://pigweed.googlesource.com/open-dice/+/refs/heads/main/docs/specification.md Note: Reference profile citing TCG DICE; defines UDS / CDI primitives.
BSI-DSZ-CC-1021-V2-2017 — Infineon SLB 9670 EAL4+ . https://www.bsi.bund.de/SharedDocs/Zertifikate_CC/CC/SmartCards_IC_Cryptolib/1021_1021V2.html Note: BSI Common Criteria certificate for Infineon SLB 9670 family; EAL4+ ALC_FLR.1 AVA_VAN.4 against TCG TPM PC Client PP; the most recent public CC certification of the Infineon SLB 9670 / 9672 family at that posture.
Trusted Computing Group — TPM 2.0 Library Specification, Part 2: Structures . https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf Note: Defines the TPM 2.0 structures and permanent properties, including TPM_PT_MANUFACTURER, the four-byte manufacturer identifier surfaced by Windows as ManufacturerIdTxt.
Secured-core PCs (OEM highly secure 11). https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure-11
A Secure and Reliable Bootstrap Architecture. https://www.cs.umd.edu/~waa/pubs/oakland97.pdf
Wikipedia: Trusted Platform Module . https://en.wikipedia.org/wiki/Trusted_Platform_Module
Tbsi_Get_TCG_Log function (tbs.h). https://learn.microsoft.com/en-us/windows/win32/api/tbs/nf-tbs-tbsi_get_tcg_log
UEFI Forum specifications index. https://uefi.org/specifications
NIST SP 800-155 IPD (December 2011 draft PDF). https://csrc.nist.gov/files/pubs/sp/800/155/ipd/docs/draft-SP800-155_Dec2011.pdf
PC Client Platform Firmware Profile Specification (TCG). https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/
Microsoft Learn: Microsoft Azure Attestation overview . https://learn.microsoft.com/en-us/azure/attestation/overview
tpm2_eventlog man page. https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_eventlog.1.md
How a hardware-based root of trust helps protect Windows (2026-05-10). Microsoft Learn. https://learn.microsoft.com/en-us/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows
Wack0/bitlocker-attacks index (GitHub). https://github.com/Wack0/bitlocker-attacks
How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932. https://support.microsoft.com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d
tpmtool. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/tpmtool
tpm2-software/tpm2-tools. https://github.com/tpm2-software/tpm2-tools
Configure BitLocker (TPM platform validation profile for native UEFI; Microsoft Learn) , 2024. https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/configure?tabs=os
manage-bde protectors. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde-protectors
Attacking Intel Trusted Execution Technology. https://invisiblethingslab.com/resources/bh09dc/Attacking%20Intel%20TXT%20-%20paper.pdf
TrenchBoot project home. https://trenchboot.org/
TrenchBoot documentation (GitHub). https://github.com/TrenchBoot/documentation
Bootstrapping Trust in a "Trusted" Platform. https://www.usenix.org/legacy/event/hotsec08/tech/full_papers/parno/parno.pdf
Microsoft Azure Attestation — TPM attestation concepts . https://learn.microsoft.com/en-us/azure/attestation/tpm-attestation-concepts
Bryan Parno — faculty page (CMU). https://www.andrew.cmu.edu/user/bparno/
MSRC advisory for CVE-2023-21563 (bitpixie). https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21563
Windows BitLocker: Screwed without a Screwdriver (38C3). https://events.ccc.de/congress/2024/hub/en/event/windows-bitlocker-screwed-without-a-screwdriver/
martanne/bitpixie proof-of-concept (GitHub). https://github.com/martanne/bitpixie
CVE-2022-21894: Secure Boot Security Feature Bypass Vulnerability (Baton Drop). https://nvd.nist.gov/vuln/detail/CVE-2022-21894
x86 virtualization (2026-05-10). Wikipedia. https://en.wikipedia.org/wiki/X86_virtualization
BitLocker Group Policy settings. https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings
Microsoft Graph — deviceHealthAttestationState resource type . https://learn.microsoft.com/en-us/graph/api/resources/intune-devices-devicehealthattestationstate?view=graph-rest-1.0
Ernie Brickell, Jan Camenisch, Liqun Chen — Direct Anonymous Attestation . https://research.ibm.com/publications/direct-anonymous-attestation
AWS Nitro Enclaves — Set up attestation . https://docs.aws.amazon.com/enclaves/latest/user/set-up-attestation.html
Establishing your app integrity (App Attest) . https://developer.apple.com/documentation/devicecheck/establishing-your-app-s-integrity
Play Integrity API overview . https://developer.android.com/google/play/integrity/overview
Web Authentication: An API for accessing Public Key Credentials -- Level 2 (latest). W3C. https://www.w3.org/TR/webauthn-2/
Trusted Computing Group — About the Trusted Computing Group . https://web.archive.org/web/20030415224302/http://www.trustedcomputinggroup.org/about
Rolf Lindemann — FIDO ECDAA Algorithm v2.0 . https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-ecdaa-algorithm-v2.0-id-20180227.html
Ross Anderson — Trusted Computing Frequently Asked Questions — TC / TCG / LaGrande / NGSCB / Longhorn / Palladium / TCPA Version 1.1 . https://www.cl.cam.ac.uk/~rja14/tcpa-faq.html
Ross Anderson — Cryptography and Competition Policy — Issues with Trusted Computing . https://www.cl.cam.ac.uk/~rja14/Papers/tcpa.pdf
Seth Schoen — Trusted Computing: Promise and Risk . https://www.eff.org/wp/trusted-computing-promise-and-risk
David Chaum, Eugène van Heyst — Group Signatures . https://doi.org/10.1007/3-540-46416-6_22
Jan Camenisch, Markus Stadler — Efficient group signature schemes for large groups . https://doi.org/10.1007/BFb0052252
Giuseppe Ateniese, Jan Camenisch, Marc Joye, Gene Tsudik — A Practical and Provably Secure Coalition-Resistant Group Signature Scheme . https://doi.org/10.1007/3-540-44598-6_16
Jan Camenisch, Markus Michels — A Group Signature Scheme with Improved Efficiency . https://doi.org/10.1007/3-540-49649-1_14
Jan Camenisch, Anna Lysyanskaya — An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation . https://doi.org/10.1007/3-540-44987-6_7
Jan Camenisch, Anna Lysyanskaya — Signature Schemes and Anonymous Credentials from Bilinear Maps . https://doi.org/10.1007/978-3-540-28628-8_4
Dan Boneh, Xavier Boyen, Hovav Shacham — Short Group Signatures . https://doi.org/10.1007/978-3-540-28628-8_3
Ernie Brickell, Jan Camenisch, Liqun Chen — Direct Anonymous Attestation . https://eprint.iacr.org/2004/205
David Bernhard, Georg Fuchsbauer, Essam Ghadafi, Nigel Smart, Bogdan Warinschi — Anonymous attestation with user-controlled linkability . https://link.springer.com/article/10.1007/s10207-013-0191-z
Ben Smyth, Mark Ryan, Liqun Chen — Formal analysis of privacy in Direct Anonymous Attestation schemes . https://doi.org/10.1016/j.scico.2015.04.004
Ernie Brickell, Liqun Chen, Jiangtao Li — Simplified security notions of Direct Anonymous Attestation and a concrete scheme from pairings . https://doi.org/10.1007/s10207-009-0076-3
Ernie Brickell, Jiangtao Li — Enhanced Privacy ID: A Direct Anonymous Attestation Scheme with Enhanced Revocation Capabilities . https://doi.org/10.1145/1314333.1314337
Ernie Brickell, Jiangtao Li — Enhanced Privacy ID: A Direct Anonymous Attestation Scheme with Enhanced Revocation Capabilities . https://doi.org/10.1109/TDSC.2011.63
Intel — Intel® Enhanced Privacy ID (EPID): Foundation for IoT Security . https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/intel-epid-white-paper.pdf
Intel EPID SDK (archived) . https://github.com/Intel-EPID-SDK/epid-sdk
Ernie Brickell, Liqun Chen, Jiangtao Li — A New Direct Anonymous Attestation Scheme from Bilinear Maps . https://link.springer.com/chapter/10.1007/978-3-540-68979-9_13
Liqun Chen, Dan Page, Nigel Smart — On the Design and Implementation of an Efficient DAA Scheme . https://link.springer.com/chapter/10.1007/978-3-642-12510-2_16
Liqun Chen, Paul Morrissey, Nigel Smart — Pairings in Trusted Computing . https://link.springer.com/chapter/10.1007/978-3-540-85538-5_1
Liqun Chen, Paul Morrissey, Nigel Smart — On Proofs of Security for DAA Schemes . https://link.springer.com/chapter/10.1007/978-3-540-88733-1_11
Liqun Chen, Jiangtao Li — A note on the Chen-Morrissey-Smart Direct Anonymous Attestation scheme . https://doi.org/10.1016/j.ipl.2010.04.017
Smart Card Research and Advanced Applications (CARDIS 2010) . https://link.springer.com/book/10.1007/978-3-642-12510-2
Liqun Chen, Dan Page, Nigel Smart — On the Design and Implementation of an Efficient DAA Scheme . https://eprint.iacr.org/2009/598
Paulo S. L. M. Barreto, Michael Naehrig — Pairing-Friendly Elliptic Curves of Prime Order . https://doi.org/10.1007/11693383_22
Taechan Kim, Razvan Barbulescu — Extended Tower Number Field Sieve: A New Complexity for the Medium Prime Case . https://doi.org/10.1007/978-3-662-53018-4_20
David Bernhard, Georg Fuchsbauer, Essam Ghadafi, Nigel Smart, Bogdan Warinschi — Anonymous attestation with user-controlled linkability . https://eprint.iacr.org/2011/658
Jan Camenisch, Manu Drijvers, Anja Lehmann — Anonymous Attestation Using the Strong Diffie Hellman Assumption Revisited . https://link.springer.com/chapter/10.1007/978-3-319-45572-3_1
Jan Camenisch, Manu Drijvers, Anja Lehmann — Anonymous Attestation Using the Strong Diffie Hellman Assumption Revisited . https://eprint.iacr.org/2016/663
Jan Camenisch, Liqun Chen, Manu Drijvers, Anja Lehmann, David Novick, Rainer Urian — One TPM to Bind Them All: Fixing TPM 2.0 for Provably Secure Anonymous Attestation . https://eprint.iacr.org/2017/639
ISO/IEC 20008-1:2013 - Information technology - Security techniques - Anonymous digital signatures - Part 1: General . https://www.iso.org/standard/57018.html
ISO/IEC 20008-2:2013 - Information technology - Security techniques - Anonymous digital signatures - Part 2: Mechanisms using a group public key . https://www.iso.org/standard/56916.html
ISO/IEC 20009-2:2013 - Information technology - Security techniques - Anonymous entity authentication - Part 2: Mechanisms based on signatures using a group public key . https://www.iso.org/standard/56913.html
FIDO Alliance Authenticator Certification Levels . https://web.archive.org/web/2024/https://fidoalliance.org/certification/authenticator-certification-levels
Web Authentication: An API for accessing Public Key Credentials -- Level 1 (W3C Recommendation, 4 March 2019). W3C; 2019. https://www.w3.org/TR/2019/REC-webauthn-1-20190304/
Migrating from java-webauthn-server v1 (Yubico) . https://github.com/Yubico/java-webauthn-server/blob/main/doc/Migrating_from_v1.adoc
U2F / FIDO2 Attestation and Metadata (Yubico Developer) . https://developers.yubico.com/U2F/Attestation_and_Metadata/
Microsoft Learn — Windows Hello for Business overview . https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/
Meet the Microsoft Pluton processor — The security chip designed for the future of Windows PCs . https://web.archive.org/web/2024/https://www.microsoft.com/en-us/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs
Microsoft Learn — Windows 11 requirements . https://learn.microsoft.com/en-us/windows/whats-new/windows-11-requirements
Microsoft Learn — Get-TpmEndorsementKeyInfo . https://learn.microsoft.com/en-us/powershell/module/trustedplatformmodule/get-tpmendorsementkeyinfo?view=windowsserver2025-ps
Dan Boneh, Saba Eskandarian, Ben Fisch — Post-quantum EPID Signatures from Symmetric Primitives . https://doi.org/10.1007/978-3-030-12612-4_13
Rachid El Bansarkhani, Ali El Kaafarani — Direct Anonymous Attestation from Lattices . https://eprint.iacr.org/2017/1022
Liqun Chen, Patrick Hough, Nada El Kassem — Collaborative, Segregated NIZK (CoSNIZK) and More Efficient Lattice-Based Direct Anonymous Attestation . https://eprint.iacr.org/2024/864
Liqun Chen, Changyu Dong, Nada El Kassem, Christopher Newton, Yalan Wang — Hash-Based Direct Anonymous Attestation . https://link.springer.com/chapter/10.1007/978-3-031-40003-2_21
Benjamin Delpy. gentilkiwi/mimikatz . https://github.com/gentilkiwi/mimikatz . Accessed 2026-05-10. Mimikatz repository; privilege::debug, token::elevate, sekurlsa::logonpasswords, lsadump::sam command surface.
"Enable virtualization-based protection of code integrity (OEM VBS requirements)". https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs . accessed 2026-05-10.
Helen Custer, “Inside Windows NT.” Microsoft Press, 1992, ISBN 978-1-55615-481-2
Greg Hoglund, Jamie Butler, “Rootkits: Subverting the Windows Kernel.” Addison-Wesley, 2005, ISBN 0-321-29431-9
Microsoft, “Microsoft Acquires Winternals Software.” https://news.microsoft.com/source/2006/07/18/microsoft-acquires-winternals-software/
Microsoft, “Patching Policy for x64-Based Systems.” https://web.archive.org/web/20080411065859/http://www.microsoft.com/whdc/driver/kernel/64bitpatching.mspx
Kernel-mode code signing policy (Windows Vista and later). https://learn.microsoft.com/en-us/windows-hardware/drivers/install/kernel-mode-code-signing-policy--windows-vista-and-later
Microsoft, “Data Execution Prevention.” https://learn.microsoft.com/en-us/windows/win32/memory/data-execution-prevention
Microsoft, “Overview of Threat Mitigations in Windows 10.” https://learn.microsoft.com/en-us/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10
“InfinityHook.” https://github.com/everdox/InfinityHook
Microsoft. Microsoft Recommended Driver Block Rules . https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules . Accessed 2026-05-10. Vulnerable-driver blocklist enabled by default since the Windows 11 2022 update; covers BYOVD attack class.
Hovav Shacham, “The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86).” https://hovav.net/ucsd/papers/s07.html
Hovav Shacham, Matthew Page, Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu, Dan Boneh, “On the Effectiveness of Address Space Randomization.” https://crypto.stanford.edu/~eujin/papers/asrandom/index.html
Microsoft, “Virus:Win32/Alureon.A.” https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Virus%3AWin32%2FAlureon.A
Microsoft, “System Requirements for Hyper-V on Windows and Windows Server.” https://learn.microsoft.com/en-us/windows-server/virtualization/hyper-v/host-hardware-requirements
Brad Anderson, Microsoft Ignite 2015 keynote (May 4, 2015). https://news.microsoft.com/speeches/brad-anderson-ignite-2015/
Alex Ionescu, "Battle of the SKM and IUM: How Windows 10 Rewrites OS Architecture". 2015. https://github.com/tpn/pdfs/blob/master/Battle%20of%20SKM%20and%20IUM%20-%20How%20Windows%2010%20Rewrites%20OS%20Architecture%20-%20Alex%20Ionescu%20-%202015%20(blackhat2015) .pdf. accessed 2026-05-10. Black Hat USA 2015 PDF mirror.
Rafal Wojtczuk, "Analysis of the Attack Surface of Windows 10 Virtualization-Based Security". 2016. https://infocondb.org/con/black-hat/black-hat-usa-2016/analysis-of-the-attack-surface-of-windows-10-virtualization-based-security . accessed 2026-05-10.
Enable virtualization-based protection of code integrity (2026-05-10). Microsoft Learn. https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity
"VBS Enclaves". https://learn.microsoft.com/en-us/windows/win32/trusted-execution/vbs-enclaves . accessed 2026-05-10.
Hari Pulapaka, "Securely design your applications and protect your sensitive data with VBS enclaves". 2024. https://techcommunity.microsoft.com/blog/windowsosplatform/securely-design-your-applications-and-protect-your-sensitive-data-with-vbs-encla/4179543 . accessed 2026-05-10.
"VBS Enclaves Development Guide". https://learn.microsoft.com/en-us/windows/win32/trusted-execution/vbs-enclaves-dev-guide . accessed 2026-05-10.
"Everything Old Is New Again: Hardening the Trust Boundary of VBS Enclaves". 2025. https://techcommunity.microsoft.com/blog/microsoft-security-blog/everything-old-is-new-again-hardening-the-trust-boundary-of-vbs-enclaves/4386961 . accessed 2026-05-10. Microsoft Security Blog (MORSE), June 24 2025.
Microsoft, “Device Health Attestation.” https://learn.microsoft.com/en-us/windows-server/security/device-health-attestation
Microsoft, “HealthAttestation CSP.” https://learn.microsoft.com/en-us/windows/client-management/mdm/healthattestation-csp
Microsoft, “Windows compliance settings in Microsoft Intune.” https://learn.microsoft.com/en-us/intune/device-security/compliance/ref-windows-settings
Microsoft, “Introducing Windows Defender System Guard runtime attestation.” https://www.microsoft.com/en-us/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/
Microsoft, “Secured-core Windows 11 PCs.” https://www.microsoft.com/en-us/windows/business/windows-11-secured-core-computers
Intel, “Intel Software Guard Extensions.” https://www.intel.com/content/www/us/en/developer/tools/software-guard-extensions/overview.html
“Foreshadow: Breaking the Virtual Memory Abstraction with Transient Out-of-Order Execution.” https://foreshadowattack.eu/
Intel, “Intel® Core™ i7-1165G7 Processor Specifications.” https://www.intel.com/content/www/us/en/products/sku/208921/intel-core-i71165g7-processor-12m-cache-up-to-4-70-ghz-with-ipu/specifications.html
AMD, “AMD SEV-SNP: Strengthening VM Isolation with Integrity Protection and More.” https://www.amd.com/en/developer/sev.html
"Intel Trust Domain Extensions (Intel TDX)". https://www.intel.com/content/www/us/en/developer/tools/trust-domain-extensions/overview.html . accessed 2026-05-10.
ARM, “ARM TrustZone Technology.” https://developer.arm.com/documentation/102418/latest/
Saar Amar, Daniel King, "Breaking VSM by Attacking Secure Kernel: Hardening Secure Kernel through Offensive Research". 2020. https://github.com/microsoft/MSRC-Security-Research/blob/master/presentations/2020_08_BlackHatUSA/Breaking_VSM_by_Attacking_SecureKernel.pdf . accessed 2026-05-10. Black Hat USA 2020, MSRC Security Research repository.
Saar Amar, "Publications". https://saaramar.github.io/Publications/ . accessed 2026-05-10.
Oliver Lyak, “PassTheChallenge.” https://raw.githubusercontent.com/ly4k/PassTheChallenge/main/README.md
Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom, “Spectre Attacks: Exploiting Speculative Execution.” https://spectreattack.com/spectre.pdf
Microsoft, “Understanding the Performance Impact of Spectre and Meltdown Mitigations on Windows Systems.” https://www.microsoft.com/en-us/security/blog/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/
Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick, David Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Rafal Kolanski, Michael Norrish, Thomas Sewell, Harvey Tuch, Simon Winwood, “seL4: Formal Verification of an OS Kernel.” https://trustworthy.systems/publications/nicta_full_text/1971.pdf
Microsoft Security Response Center. Microsoft Security Servicing Criteria for Windows . https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria . Accessed 2026-05-10. The security-boundary definition; the kernel-mode / user-mode separation as a classic boundary; UAC and admin-to-kernel are not in the enumerated list.
Microsoft, “KB5042562: Guidance for blocking rollback of VBS security updates.” https://support.microsoft.com/en-us/topic/guidance-for-blocking-rollback-of-virtualization-based-security-vbs-related-security-updates-b2e7ebf4-f64d-4884-a390-38d63171b8d3
Alon Leviev, “Downgrade Attacks Using Windows Updates.” https://www.safebreach.com/blog/downgrade-attacks-using-windows-updates/
CVE-2024-21302 (Windows Secure Kernel Mode EoP / Windows Downdate) (2026-05-10). NIST National Vulnerability Database. https://nvd.nist.gov/vuln/detail/CVE-2024-21302
Alon Leviev, “Update on Windows Downdate Downgrade Attacks.” https://www.safebreach.com/blog/update-on-windows-downdate-downgrade-attacks/
Ori David, “Virtualized (In)Security: How Attackers Can Weaponize VBS Enclaves.” https://www.akamai.com/blog/security-research/virtualized-insecurity-attackers-weaponize-vbs-enclaves
Jonathan Jagt, “Analysis of Windows Secure Kernel Security Bugs.” https://www.cs.ru.nl/masters-theses/2025/J_Jagt___Analysis_of_Windows_Secure_Kernel_security_bugs.pdf
Tom's Hardware, “Tested: Default Windows VBS Setting Slows Games Up to 10%, Even on RTX 4090.” https://www.tomshardware.com/news/windows-vbs-harms-performance-rtx-4090
"VbsEnclaveTooling (GitHub repository)". https://github.com/microsoft/VbsEnclaveTooling . accessed 2026-05-10.
"Isolated User Mode (IUM) Processes". https://learn.microsoft.com/en-us/windows/win32/procthread/isolated-user-mode--ium--processes . accessed 2026-05-10. Microsoft Win32 SDK documentation.
"How Credential Guard works". https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/how-it-works . accessed 2026-05-10.
"Debugging Windows Isolated User Mode (IUM) Processes". https://blog.quarkslab.com/debugging-windows-isolated-user-mode-ium-processes.html . accessed 2026-05-10.
Michael D. Schroeder, Jerome H. Saltzer, "A Hardware Architecture for Implementing Protection Rings". 1972. https://multicians.org/protection.html . accessed 2026-05-10. Multicians.org full-text mirror of the CACM 15(3) paper.
"Multics bibliography". https://multicians.org/papers.html . accessed 2026-05-10.
"Multics History". https://multicians.org/history.html . accessed 2026-05-10.
William A. Wulf, Roy Levin, Samuel P. Harbison, "HYDRA/C.mmp: An Experimental Computer System". 1981. http://bitsavers.informatik.uni-stuttgart.de/pdf/cmu/hydra_c.mmp/Wulf_HYDRA_Cmmp_An_Experimental_Computer_System_1981.pdf . accessed 2026-05-10.
Henry M. Levy, "Capability-Based Computer Systems, Chapter 6: Hydra". Digital Press. 1984. https://homes.cs.washington.edu/~levy/capabook/Chapter6.pdf . accessed 2026-05-10.
Kevin Elphinstone, Gernot Heiser, "L4 Microkernels: The Lessons from 20 Years of Research and Deployment". 2013. https://rcs.uwaterloo.ca/~ali/cs350-f19/papers/l4.pdf . accessed 2026-05-10.
Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick, David Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Rafal Kolanski, Michael Norrish, Thomas Sewell, Harvey Tuch, Simon Winwood, "seL4: Formal Verification of an OS Kernel". 2009. https://trustworthy.systems/publications/nicta_full_text/1852.pdf . accessed 2026-05-10. SOSP 2009 canonical paper PDF.
"GitHub REST API: seL4/seL4 repository metadata". https://api.github.com/repos/seL4/seL4 . accessed 2026-05-10.
"seL4 Foundation: About seL4". https://sel4.systems/About/ . accessed 2026-05-10.
Virtual Secure Mode -- Hyper-V Top Level Functional Specification (2026-05-10). Microsoft Learn. https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/tlfs/vsm
Microsoft. Administrator Protection (Adminless) . https://learn.microsoft.com/en-us/windows/security/application-security/application-control/administrator-protection/ . Accessed 2026-05-10. Adminless / Administrator Protection on Windows 11; just-in-time elevation via Windows Hello plus a hidden, profile-separated user account that issues an isolated admin token.
"Protected Media Path". https://learn.microsoft.com/en-us/windows/win32/medfound/protected-media-path . accessed 2026-05-10.
Microsoft Learn — AppContainer Isolation — 2024. https://learn.microsoft.com/en-us/windows/win32/secauthz/appcontainer-isolation
James Forshaw, "Windows Exploitation Tricks: Exploiting Arbitrary Object Directory Creation for Local Elevation of Privilege". 2018. https://googleprojectzero.blogspot.com/2018/08/windows-exploitation-tricks-exploiting.html . accessed 2026-05-10. Google Project Zero, August 2018.
Microsoft Learn — Protecting Anti-Malware Services (2024). https://learn.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services
itm4n (Clement Labro) — Do You Really Know About LSA Protection (RunAsPPL)? , 2021. https://itm4n.github.io/lsass-runasppl/
Alex Ionescu, "The Evolution of Protected Processes Part 3: Windows PKI Internals (Signing Levels, Scenarios, Signers, Root Keys, EKUs & Runtime Signers)". https://web.archive.org/web/2023/http://www.alex-ionescu.com/?p=146. accessed 2026-05-10. Wayback Machine snapshot; original alex-ionescu.com offline.
Alex Ionescu, "The Evolution of Protected Processes Part 1: Pass-the-Hash Mitigations in Windows 8.1". https://web.archive.org/web/2023/http://www.alex-ionescu.com/?p=97. accessed 2026-05-10. Wayback Machine snapshot; original alex-ionescu.com offline.
itm4n, "The End of PPLdump". https://itm4n.github.io/the-end-of-ppldump/ . accessed 2026-05-10. Companion post documenting the build 19044.1826 (July 2022) NTDLL patch that prevents PPLs from loading Known DLLs; the github.com/itm4n/PPLdump README carries the same verbatim build/date statement at https://github.com/itm4n/PPLdump .
"Windows 10 - release information". https://learn.microsoft.com/en-us/windows/release-health/release-information . accessed 2026-05-10. Microsoft release table for Windows 10 release history, including version 1507 build 10240 availability.
"Hyper-V Architecture". https://learn.microsoft.com/en-us/windows-server/virtualization/hyper-v/architecture . accessed 2026-05-10.
"A Virtual Journey: From Hardware Virtualization to Hyper-V's Virtual Trust Levels". https://blog.quarkslab.com/a-virtual-journey-from-hardware-virtualization-to-hyper-vs-virtual-trust-levels.html . accessed 2026-05-10.
"Black Hat USA 2015 conference archive". https://infocondb.org/con/black-hat/black-hat-usa-2015/ . accessed 2026-05-10.
Andrea Allievi, Mark E. Russinovich, Alex Ionescu, David A. Solomon, "Windows Internals, Seventh Edition, Part 2". Microsoft Press. 2021. Chapter 9: Management mechanisms, trustlet architecture reference. ISBN 978-0135462409.
Oliver Lyak, "Pass-the-Challenge: Defeating Windows Defender Credential Guard". 2022. https://web.archive.org/web/20231217204121/https://research.ifcr.dk/pass-the-challenge-defeating-windows-defender-credential-guard-31a892eee22. accessed 2026-05-10. Wayback Machine snapshot; original returns 403 to non-browser agents.
"Guarded Fabric and Shielded VMs Overview". https://learn.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms . accessed 2026-05-10.
"Windows Hello Enhanced Sign-in Security". https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security . accessed 2026-05-10.
"October 28, 2025: KB5067036 (OS Builds 26200.7019 and 26100.7019) Preview". https://support.microsoft.com/en-us/topic/october-28-2025-kb5067036-os-builds-26200-7019-and-26100-7019-preview-ec3da7dc-63ba-4b1d-ac41-cf2494d2123a . accessed 2026-05-10.
"TEE Client API Specification v1.0". https://globalplatform.org/wp-content/uploads/2010/07/TEE_Client_API_Specification-V1.0.pdf . accessed 2026-05-10.
"Software Guard Extensions". https://en.wikipedia.org/wiki/Software_Guard_Extensions . accessed 2026-05-10.
"Intel x86 SGX instructions: ENCLS (ring 0 supervisor) and ENCLU (ring 3 user) -- Intel SDM Volume 3D, Chapters 36-38". https://www.felixcloutier.com/x86/encls . accessed 2026-05-10. Felix Cloutier's machine-checkable mirror of the Intel 64 and IA-32 Architectures Software Developer's Manual. ENCLS reference (https://www.felixcloutier.com/x86/encls ) states verbatim 'any attempt to execute the instruction when CPL > 0 results in #UD'; ENCLU reference (https://www.felixcloutier.com/x86/enclu ) states verbatim 'any attempt to execute this instruction when CPL < 3 results in #UD'. Both pages enumerate the SGX leaf functions (ECREATE, EADD, EINIT, EREMOVE on ENCLS; EENTER, EEXIT, EGETKEY, EREPORT on ENCLU).
Jo Van Bulck, Marina Minkin, Ofir Weisse, Daniel Genkin, Baris Kasikci, Frank Piessens, Mark Silberstein, Thomas F. Wenisch, Yuval Yarom, Raoul Strackx, "Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution". 2018. https://www.usenix.org/conference/usenixsecurity18/presentation/bulck . accessed 2026-05-10. USENIX Security 2018.
"SGAxe: How SGX Fails in Practice". https://sgaxe.com/ . accessed 2026-05-10. Canonical project page by the CacheOut / SGAxe authors; SGAxe extracts SGX private attestation keys.
"Plundervolt: Software-based Fault Injection Attacks against Intel SGX". https://plundervolt.com/ . accessed 2026-05-10. Canonical project page; first reported June 7, 2019 by Murdock, Oswald, Garcia, Van Bulck, Piessens, Gruss.
Guoxing Chen, Sanchuan Chen, Yuan Xiao, Yinqian Zhang, Zhiqiang Lin, Ten H. Lai, "SgxPectre Attacks: Stealing Intel Secrets from SGX Enclaves via Speculative Execution". 2019. https://arxiv.org/abs/1802.09085 . accessed 2026-05-10. IEEE EuroS&P 2019; arXiv preprint 1802.09085.
"AMD EPYC 7003 Series CPUs Set New Standard as Highest Performance Server Processor". https://www.amd.com/en/newsroom/press-releases/2021-3-15-amd-epyc-7003-series-cpus-set-new-standard-as-hig.html . accessed 2026-05-10. AMD press release announcing EPYC 7003 on March 15, 2021 and SEV-SNP support.
"Intel Launches 4th Gen Xeon Scalable Processors, Max Series CPUs and GPUs". https://download.intel.com/newsroom/archive/2025/en-us-2023-01-10-intel-launches-4th-gen-xeon-scalable-processors-max-series-cpus.pdf . accessed 2026-05-10. Intel Newsroom PDF for the January 10, 2023 4th Gen Xeon Scalable launch.
"AMD SEV-SNP: Strengthening VM Isolation with Integrity Protection and More". https://docs.amd.com/api/khub/documents/~uAtQszeypAVVEk_B91Ojg/content . accessed 2026-05-10.
"Arm Architecture Reference Manual Armv7-A and Armv7-R edition". https://developer.arm.com/documentation/ddi0406/latest/ . accessed 2026-05-10. Arm architecture manual documenting the Security Extensions/TrustZone architecture, Secure and Non-secure worlds, and Secure Monitor Call model.
"About OP-TEE". https://optee.readthedocs.io/en/latest/general/about.html . accessed 2026-05-10.
"NVD - CVE-2020-0917". https://nvd.nist.gov/vuln/detail/CVE-2020-0917 . accessed 2026-05-10.
"NVD - CVE-2020-0918". https://nvd.nist.gov/vuln/detail/CVE-2020-0918 . accessed 2026-05-10.
"Trusted Platform Module Technology Overview". https://learn.microsoft.com/en-us/windows/security/information-protection/tpm/trusted-platform-module-overview . accessed 2026-05-10.
tandasat/ExploitCapcom. https://github.com/tandasat/ExploitCapcom
rapid7/metasploit-framework#7363 -- Add LPE exploit module for the capcom driver flaw. https://github.com/rapid7/metasploit-framework/pull/7363
FuzzySecurity Capcom Rootkit POC. https://fuzzysecurity.com/tutorials/28.html
Cryptography tools. https://learn.microsoft.com/en-us/windows/win32/seccrypto/cryptography-tools
Windows Hardware Lab Kit. https://learn.microsoft.com/en-us/windows-hardware/test/hlk/
Sony, Rootkits and Digital Rights Management Gone Too Far. https://web.archive.org/web/20051102053346/http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html
Kernel-mode code signing requirements (Windows previous-versions). https://learn.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653567(v=vs.85)
Cross-Certificates for Kernel Mode Code Signing (2020 archive of the historical CA list). https://web.archive.org/web/2020/https://docs.microsoft.com/en-us/windows-hardware/drivers/install/cross-certificates-for-kernel-mode-code-signing
Cross-certificates for kernel-mode code signing. https://learn.microsoft.com/en-us/windows-hardware/drivers/install/cross-certificates-for-kernel-mode-code-signing
Gabriel Landau — Forget Vulnerable Drivers — Admin Is All You Need (2024). https://www.elastic.co/security-labs/forget-vulnerable-drivers-admin-is-all-you-need
Microsoft Security Advisory 932596: Update to Improve Kernel Patch Protection. https://learn.microsoft.com/en-us/security-updates/securityadvisories/2007/932596
skape, Skywing. Bypassing PatchGuard on Windows x64 . Uninformed. http://www.uninformed.org/?v=3&a=3&t=pdf
W32.Stuxnet Dossier. https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en
Stuxnet signed binary: signed malware, certs and trust chains. https://www.microsoft.com/en-us/security/blog/2010/07/16/stuxnet-signed-binary-signed-malware-cert-auth-trust-chains/
NIST National Vulnerability Database. CVE-2019-16098 (RTCore64.sys) . 2019. https://nvd.nist.gov/vuln/detail/CVE-2019-16098 . Accessed 2026-05-10. Micro-Star MSI Afterburner driver allows arbitrary memory read/write; signed driver used by BlackByte ransomware to disable EDR.
Sophos News. BlackByte ransomware returns . 2022. https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/ . Accessed 2026-05-10. October 2022 BlackByte BYOVD via RTCore64.sys (CVE-2019-16098); disables ~1000 security drivers; references mhyprot2.sys / aswArPot.sys precedents.
NIST National Vulnerability Database. CVE-2018-19320 (GIGABYTE gdrv.sys) . 2018. https://nvd.nist.gov/vuln/detail/CVE-2018-19320 . Accessed 2026-05-10. gdrv.sys exposes ring0 memcpy-like functionality; CISA Known Exploited Vulnerabilities Catalog listing 2022-10-24, due date 2022-11-14.
Cybersecurity and Infrastructure Security Agency. Known Exploited Vulnerabilities Catalog (CSV). https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv
Sophos gdrv.sys / RobbinHood technical coverage. https://www.sophos.com/en-us/blog/tag/gdrv-sys
How DoppelPaymer hunts and kills Windows processes. https://www.crowdstrike.com/en-us/blog/how-doppelpaymer-hunts-and-kills-windows-processes/
g_CiOptions in a virtualized world. https://www.trustedsec.com/blog/g_cioptions-in-a-virtualized-world
Code signing attestation. https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/code-signing-attestation
Improve Kernel Security with the New Microsoft Vulnerable and Malicious Driver Reporting Center. 2021. https://www.microsoft.com/en-us/security/blog/2021/12/08/improve-kernel-security-with-the-new-microsoft-vulnerable-and-malicious-driver-reporting-center/
Driver Code Signing Requirements. https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/code-signing-reqs
App Control for Business. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/appcontrol
Microsoft vulnerable driver blocklist: getting better and better. https://techcommunity.microsoft.com/blog/microsoft-security-baselines/microsoft-vulnerable-driver-blocklist-getting-better-and-better/4172168
Microsoft — KB5020779: The vulnerable driver blocklist after the October 2022 preview release (2022). https://support.microsoft.com/en-us/topic/kb5020779-the-vulnerable-driver-blocklist-after-the-october-2022-preview-release-3fcbe13a-6013-4118-b584-fcfbc6a09936
Available today: the Windows 11 2022 Update , 2022. https://blogs.windows.com/windowsexperience/2022/09/20/available-today-the-windows-11-2022-update/
Attack surface reduction rules reference , 2026. https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference
Living Off The Land Drivers , Michael Haag, Magicsword.io. https://www.loldrivers.io/
magicsword-io/LOLDrivers. https://github.com/magicsword-io/LOLDrivers
Breaking boundaries: investigating vulnerable drivers and mitigating risks. https://research.checkpoint.com/2024/breaking-boundaries-investigating-vulnerable-drivers-and-mitigating-risks/
Smart App Control frequently asked questions. https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003
DeviceGuardSoftwareSecure Enum. https://learn.microsoft.com/en-us/dotnet/api/microsoft.powershell.commands.deviceguardsoftwaresecure?view=powershellsdk-1.1.0
Unveiling BYOVD threats: kernel-driver dynamic analysis at scale. https://www.eurecom.fr/publication/8384
Unveiling BYOVD threats: kernel-driver dynamic analysis at scale (NDSS 2026 paper PDF). https://www.s3.eurecom.fr/docs/ndss26_monzani.pdf
Linux kernel module signing. https://docs.kernel.org/admin-guide/module-signing.html
kernel_lockdown(7) -- Linux manual page. https://man7.org/linux/man-pages/man7/kernel_lockdown.7.html
Legacy system extensions in macOS. https://support.apple.com/en-us/HT210999
DriverKit (Apple Developer Documentation). https://developer.apple.com/documentation/driverkit
System Integrity Protection (Apple Platform Security). https://support.apple.com/guide/security/system-integrity-protection-secb7ea06b49/web
Securely extending the kernel in macOS (Apple Platform Security). https://support.apple.com/guide/security/securely-extending-the-kernel-sec8e454101b/web
Microsoft — microsoft/sbom-tool (2024). https://github.com/microsoft/sbom-tool
Would Hardware Dev Center for CRA compliance change?. https://learn.microsoft.com/en-us/answers/questions/5732099/would-hardware-dev-center-for-cra-compliance-chang
Windows Hardware Compatibility Program Specifications and Policies. https://learn.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies
Unveiling BYOVD threats: malware use and abuse of kernel drivers. https://www.s3.eurecom.fr/post/2025/10/13/unveiling-byovd-threats-malwares-use-and-abuse-of-kernel-drivers/
Exploring vulnerable Windows drivers. https://blog.talosintelligence.com/exploring-vulnerable-windows-drivers/
Driver compatibility with Hypervisor-Protected Code Integrity (HVCI). https://learn.microsoft.com/en-us/windows-hardware/test/hlk/testref/driver-compatibility-with-device-guard
Riot Games Vanguard restriction guidance. https://support.riotgames.com/en-us/riot/penalties/error-van-restriction-5
Symantec W32.Stuxnet Dossier. https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier
Hyper-V Architecture (2026-05-10). Microsoft Learn. https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/hyper-v-architecture
Hypervisor Top-Level Functional Specification v6.0b (2026-05-10). Microsoft. https://github.com/MicrosoftDocs/Virtualization-Documentation/raw/live/tlfs/Hypervisor%20Top%20Level%20Functional%20Specification%20v6.0b.pdf
Intel. Intel 64 and IA-32 Architectures Software Developer's Manual . https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html
AMD. AMD64 Architecture Programmer's Manual Volume 2: System Programming . https://www.amd.com/system/files/TechDocs/24593.pdf
David A. Hepkin, Arun U. Kishan. US Patent 9,430,642 B2: Providing virtual secure mode with different virtual trust levels (2016). Microsoft Technology Licensing, LLC. https://patents.google.com/patent/US9430642B2/en
John S. Robin, Cynthia E. Irvine. Analysis of the Intel Pentium's Ability to Support a Secure Virtual Machine Monitor . USENIX Security 2000. https://www.usenix.org/legacy/events/sec00/full_papers/robin/robin.pdf
Microsoft. Hyper-V hits RTM . Microsoft Community Hub. https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/hyper-v-hits-rtm/333167
Samuel T. King, Peter M. Chen, Yi-Min Wang, Chad Verbowski, Helen J. Wang, Jacob R. Lorch. SubVirt: Implementing malware with virtual machines (2006). IEEE Symposium on Security and Privacy. https://web.eecs.umich.edu/~pmchen/papers/king06.pdf
Blue Pill (software) (2026-05-10). Wikipedia. https://en.wikipedia.org/wiki/Blue_Pill_(software)
CVE-2009-1244 (CLOUDBURST: VMware SVGA display function) (2026-05-10). NIST National Vulnerability Database. https://nvd.nist.gov/vuln/detail/CVE-2009-1244
Joanna Rutkowska. Introducing Qubes OS (2010). Invisible Things Lab. https://blog.invisiblethings.org/2010/04/07/introducing-qubes-os.html
Microsoft. Your free upgrade is here: Windows 10 launches with worldwide celebrations with fans, #UpgradeYourWorld and more . https://blogs.microsoft.com/blog/2015/07/28/your-free-upgrade-is-here-windows-10-launches-with-worldwide-celebrations-with-fans-upgradeyourworld-and-more/
CVE-2024-21407 (Windows Hyper-V Remote Code Execution / UAF) (2026-05-10). NIST National Vulnerability Database. https://nvd.nist.gov/vuln/detail/CVE-2024-21407
Microsoft Hyper-V Bounty Program (2026-05-10). Microsoft Security Response Center. https://www.microsoft.com/en-us/msrc/bounty-hyper-v
Pwn2Own Berlin 2025: Day Three Results (2025). Zero Day Initiative. https://www.zerodayinitiative.com/blog/2025/5/17/pwn2own-berlin-2025-day-three-results
seL4 White Paper (2026-05-10). seL4 Project. https://sel4.systems/About/seL4-whitepaper.pdf
CVE-2021-28476 (Windows Hyper-V Remote Code Execution) (2026-05-10). NIST National Vulnerability Database. https://nvd.nist.gov/vuln/detail/CVE-2021-28476
CVE-2025-21333 (Windows Hyper-V NT Kernel Integration VSP EoP) (2026-05-10). NIST National Vulnerability Database. https://nvd.nist.gov/vuln/detail/CVE-2025-21333
CVE-2024-30092 (Windows Hyper-V Remote Code Execution) (2026-05-10). NIST National Vulnerability Database. https://nvd.nist.gov/vuln/detail/CVE-2024-30092
CVE-2024-49117 (Windows Hyper-V Remote Code Execution) (2026-05-10). NIST National Vulnerability Database. https://nvd.nist.gov/vuln/detail/CVE-2024-49117
Bjorn Ruytenberg. Thunderspy (2020). https://thunderspy.io/
Hyper-V (2026-05-10). Wikipedia. https://en.wikipedia.org/wiki/Hyper-V
Windows 10 (2026-05-10). Wikipedia. https://en.wikipedia.org/wiki/Windows_10
Hypervisor (2026-05-10). Wikipedia. https://en.wikipedia.org/wiki/Hypervisor
Kernel Patch Protection (2026-05-10). Wikipedia. https://en.wikipedia.org/wiki/Kernel_Patch_Protection
Alex Ionescu — The Evolution of Protected Processes — Part 1: Pass-the-Hash Mitigations in Windows 8.1 (2013). https://www.alex-ionescu.com/?p=97
Alex Ionescu — The Evolution of Protected Processes — Part 2: Exploit/Jailbreak Mitigations (2013). https://www.alex-ionescu.com/?p=116
Alex Ionescu — The Evolution of Protected Processes — Part 3 (2014). https://www.alex-ionescu.com/?p=146
itm4n — Bypassing LSA Protection in Userland (2021). https://blog.scrt.ch/2021/04/22/bypassing-lsa-protection-in-userland/
itm4n — Ghost in the PPL Part 1: BYOVDLL (2024). https://itm4n.github.io/ghost-in-the-ppl-part-1/
Microsoft Learn — Configuring Additional LSA Protection (2024). https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
Microsoft Learn — Microsoft Virus Initiative Criteria (2024). https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/virus-initiative-criteria
Benjamin Delpy — mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c at commit fe4e98405589e96ed6de5e05ce3c872f8108c0a0 (2018). https://github.com/gentilkiwi/mimikatz/blob/fe4e98405589e96ed6de5e05ce3c872f8108c0a0/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c
Microsoft Corporation — Protected Processes in Windows Vista (2006). https://download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/process_vista.doc
James Forshaw — Injecting Code into Windows Protected Processes Using COM — Part 1 (2018). https://googleprojectzero.blogspot.com/2018/10/injecting-code-into-windows-protected.html
Alex Ionescu — Why Protected Processes Are A Bad Idea (2007). https://www.alex-ionescu.com/?p=34
Mateusz "j00ru" Jurczyk — CSRSS Win32k Reserved System Call List (2012). https://j00ru.vexillium.org/?p=1393
IANA — Private Enterprise Numbers (PEN) — entry 311 (Microsoft) (2024). https://www.iana.org/assignments/enterprise-numbers/?q=311
oid-base.com (OID Repository) — OID 1.3.6.1.4.1.311.10.3 — Microsoft Enhanced Key Usage (purpose) (2024). https://oid-base.com/get/1.3.6.1.4.1.311.10.3
Microsoft Corporation — Early Launch Anti-Malware Driver sample (Windows-driver-samples/security/elam) (2024). https://github.com/microsoft/Windows-driver-samples/tree/main/security/elam
Microsoft Support — Microsoft Security Advisory: Update to improve credentials protection and management — May 13, 2014 (KB2871997) (2014). https://support.microsoft.com/en-US/security/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014
Alex Ionescu, James Forshaw — Unknown Known DLLs and other Code Integrity Trust Violations (2018). https://recon.cx/2018/montreal/
James Forshaw — Bypassing VirtualBox Process Hardening on Windows (2017). https://googleprojectzero.blogspot.com/2017/08/bypassing-virtualbox-process-hardening.html
itm4n — PPLdump (GitHub repository) (2021). https://github.com/itm4n/PPLdump
Forrest Orr — Malicious Memory Artifacts: Part I — DLL Hollowing (2020). https://www.forrest-orr.net/post/malicious-memory-artifacts-part-i-dll-hollowing
Gabriel Landau — PPLdump Is Dead. Long Live PPLdump! (2023). https://i.blackhat.com/Asia-23/AS-23-Landau-PPLdump-Is-Dead-Long-Live-PPLdump.pdf
Gabriel Landau — Inside Microsoft's Plan to Kill PPLFault (2023). https://www.elastic.co/security-labs/inside-microsofts-plan-to-kill-pplfault
Gabriel Landau — PPLFault (GitHub repository) (2023). https://github.com/gabriellandau/PPLFault
k0shl — Isolate Me from Sandbox — Explore Elevation of Privilege of CNG Key Isolation (2023). https://whereisk0shl.top/post/isolate-me-from-sandbox-explore-elevation-of-privilege-of-cng-key-isolation
NIST — CVE-2023-28229 — Windows CNG Key Isolation Service Elevation of Privilege (2023). https://nvd.nist.gov/vuln/detail/CVE-2023-28229
NIST — CVE-2023-36906 — Windows Cryptographic Information Disclosure (2023). https://nvd.nist.gov/vuln/detail/CVE-2023-36906
Y3A — CVE-2023-28229 PoC (GitHub repository) (2023). https://github.com/Y3A/CVE-2023-28229
Microsoft Security Response Center — Windows Security Servicing Criteria (Wayback archive) (2023). https://web.archive.org/web/20230506125554/https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria
Mark Russinovich — Process Explorer (Sysinternals) (2026). https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer
Microsoft Learn — NtQueryInformationProcess function (winternl.h) (2024). https://learn.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
Wikipedia contributors. Mimikatz . https://en.wikipedia.org/wiki/Mimikatz . Accessed 2026-05-10. Mimikatz first-release date (May 2011); Benjamin Delpy attribution.
__fastfail . https://learn.microsoft.com/en-us/cpp/intrinsics/fastfail?view=msvc-170
SetProcessMitigationPolicy function . https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-setprocessmitigationpolicy
PROCESS_MITIGATION_POLICY enum . https://learn.microsoft.com/en-us/windows/win32/api/winnt/ne-winnt-process_mitigation_policy
Aleph One (Elias Levy) — Smashing The Stack For Fun And Profit (1996). http://phrack.org/issues/49/14.html
Alexander Peslyak (Solar Designer) — Return-into-libc overflow exploit + non-exec stack patch (1997). https://seclists.org/bugtraq/1997/Aug/63
Openwall Project — Openwall Linux kernel patch README . https://www.openwall.com/linux/README
PaX PAGEEXEC design . https://pax.grsecurity.net/docs/pageexec.txt
AMD64 Architecture Programmer’s Manual Volume 2: System Programming . https://docs.amd.com/v/u/en-US/24593_3.44_APM_Vol2
Return-oriented programming . https://en.wikipedia.org/wiki/Return-oriented_programming
Michael Howard — Address Space Layout Randomization in Windows Vista (2006). https://learn.microsoft.com/en-us/archive/blogs/michael_howard/address-space-layout-randomization-in-windows-vista
Hovav Shacham — The Geometry of Innocent Flesh on the Bone (PDF) (2007). https://hovav.net/ucsd/dist/geometry.pdf
Hovav Shacham — Return-Oriented Programming: Systems, Languages, and Applications (2008). https://hovav.net/ucsd/talks/blackhat08.html
Enhanced Mitigation Experience Toolkit . https://en.wikipedia.org/wiki/Enhanced_Mitigation_Experience_Toolkit
Martín Abadi, Mihai Budiu, Úlfar Erlingsson, Jay Ligatti — Control-Flow Integrity (2005). https://www.microsoft.com/en-us/research/publication/control-flow-integrity/
Yunhai Zhang — Bypass Control Flow Guard Comprehensively (2015). https://github.com/tpn/pdfs/raw/master/Bypass%20Control%20Flow%20Guard%20Comprehensively%20-%20Slides%20(2015) .pdf
Control Flow Guard . https://learn.microsoft.com/en-us/windows/win32/secbp/control-flow-guard
/guard (Enable Control Flow Guard) . https://learn.microsoft.com/en-us/cpp/build/reference/guard-enable-control-flow-guard?view=msvc-170
/GUARD (Enable Guard Checks) . https://learn.microsoft.com/en-us/cpp/build/reference/guard-enable-guard-checks?view=msvc-170
Felix Schuster, Thomas Tendyck, Christopher Liebchen, Lucas Davi, Ahmad-Reza Sadeghi, Thorsten Holz — Counterfeit Object-oriented Programming (2015). https://www.ieee-security.org/TC/SP2015/papers-archived/6949a745.pdf
David Weston — Advancing Windows Security (2019). https://github.com/dwizzzle/Presentations/raw/master/Bluehat%20Shanghai%20-%20Advancing%20Windows%20Security.pdf
Connor McGarr — Examining Xtended Flow Guard (XFG) (2020). https://connormcgarr.github.io/examining-xfg/
Connor McGarr — Out Of Control: How KCFG and KCET Redefine Control Flow Integrity in the Windows Kernel (2025). https://i.blackhat.com/BH-USA-25/Presentations/USA-25-McGarr-Out-Of-Control-KCFG-And-KCET.pdf
Understanding Hardware-enforced Stack Protection (Wayback) (2020). https://web.archive.org/web/20241119023959/https://techcommunity.microsoft.com/blog/windowsosplatform/understanding-hardware-enforced-stack-protection/1247815
/CETCOMPAT linker option . https://learn.microsoft.com/en-us/cpp/build/reference/cetcompat?view=msvc-170
PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY . https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-process_mitigation_user_shadow_stack_policy
Matt Miller — Mitigating arbitrary native code execution in Microsoft Edge (2017). https://blogs.windows.com/msedgedev/2017/02/23/mitigating-arbitrary-native-code-execution/
PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY . https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-process_mitigation_binary_signature_policy
CVE-2013-3900 -- WinVerifyTrust Signature Validation Vulnerability (2013). https://nvd.nist.gov/vuln/detail/CVE-2013-3900
PROCESS_MITIGATION_DYNAMIC_CODE_POLICY . https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-process_mitigation_dynamic_code_policy
James Forshaw, Ivan Fratric — Project Zero issue 42450607: Edge ACG OpenProcess race (2018). https://project-zero.issues.chromium.org/issues/42450607
Microsoft Edge Chakra - ACG OpenProcess Bypass (EDB 44467) (2018). https://www.exploit-db.com/exploits/44467
Ivan Fratric — Bypassing Mitigations by Attacking JIT Server in Microsoft Edge (2018). https://projectzero.google/2018/05/bypassing-mitigations-by-attacking-jit.html
Crispin Cowan — Strengthening the Microsoft Edge Sandbox (2017). https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/
PROCESS_MITIGATION_IMAGE_LOAD_POLICY . https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-process_mitigation_image_load_policy
James Forshaw — Windows 10 Symbolic Link Mitigations (2015). https://projectzero.google/2015/08/windows-10hh-symbolic-link-mitigations.html
RedirectionGuard: Mitigating unsafe junction traversal in Windows (2025). https://www.microsoft.com/en-us/msrc/blog/2025/06/redirectionguard-mitigating-unsafe-junction-traversal-in-windows/
Exploit protection reference (Microsoft Defender) . https://learn.microsoft.com/en-us/defender-endpoint/exploit-protection-reference
PACIA, PACIA1716, PACIASP, PACIAZ, PACIZA — Pointer Authentication Code for Instruction address, using key A . https://developer.arm.com/documentation/ddi0602/2025-12/Base-Instructions/PACIA--PACIA1716--PACIASP--PACIAZ--PACIZA--Pointer-Authentication-Code-for-Instruction-address--using-key-A-?lang=en
Apple Inc. — Hardened Runtime . https://developer.apple.com/documentation/security/hardened_runtime
Jonathan Corbet — Forward-edge control-flow integrity for the kernel (2022). https://lwn.net/Articles/898040/
Control Flow Integrity (Clang) . https://clang.llvm.org/docs/ControlFlowIntegrity.html
Samuel Gross — The V8 Sandbox (2024). https://v8.dev/blog/sandbox
Arm Ltd. — Memory safety: Arm Memory Tagging Extension . https://newsroom.arm.com/blog/memory-safety-arm-memory-tagging-extension
Chakra JIT CFG Bypass (2016). https://theori.io/blog/chakra-jit-cfg-bypass
Hong Hu, Shweta Shinde, Sendroiu Adrian, Zheng Leong Chua, Prateek Saxena, Zhenkai Liang — Data-Oriented Programming: On the Expressiveness of Non-Control Data Attacks (2016). https://huhong789.github.io/papers/hu:dop.pdf
Matt Miller — Trends, challenges, and shifts in software vulnerability mitigation (2019). https://github.com/microsoft/MSRC-Security-Research/raw/master/presentations/2019_02_BlueHatIL/2019_01%20-%20BlueHatIL%20-%20Trends%2C%20challenge%2C%20and%20shifts%20in%20software%20vulnerability%20mitigation.pdf
Catalin Cimpanu — Microsoft: 70 percent of all security bugs are memory safety issues (2019). https://www.zdnet.com/article/microsoft-70-percent-of-all-security-bugs-are-memory-safety-issues/
Adam Burch — Using Rust in Windows (2019). https://msrc.microsoft.com/blog/2019/11/using-rust-in-windows/
Return Flow Guard . https://xlab.tencent.com/en/2016/11/02/return-flow-guard/
Nicolas Falliere, Liam O Murchu, Eric Chien. W32.Stuxnet Dossier (Version 1.4). 2011. https://archive.org/download/w32_stuxnet_dossier/w32_stuxnet_dossier.pdf
Nicolas Falliere, Liam O Murchu, Eric Chien — W32.Stuxnet Dossier, Version 1.4 , 2011. https://archive.org/details/w32_stuxnet_dossier
Microsoft Learn — Authenticode Digital Signatures (2024). https://learn.microsoft.com/en-us/windows-hardware/drivers/install/authenticode
App Control for Business. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/
Microsoft Defender SmartScreen overview. https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/
Microsoft Edge support for Microsoft Defender SmartScreen. https://learn.microsoft.com/en-us/deployedge/microsoft-edge-security-smartscreen
Select Types of Rules to Create. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/select-types-of-rules-to-create
Windows Authenticode Portable Executable Signature Format. 2008. https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx
Microsoft and VeriSign Provide First Technology for Secure Downloading of Software Over the Internet. 1996. https://news.microsoft.com/source/1996/08/07/microsoft-and-verisign-provide-first-technology-for-secure-downloading-of-software-over-the-internet/
Burt Kaliski. PKCS #7: Cryptographic Message Syntax Version 1.5 (RFC 2315). 1998. https://datatracker.ietf.org/doc/html/rfc2315
Russell Housley. Cryptographic Message Syntax (CMS) (RFC 5652). 2009. https://datatracker.ietf.org/doc/html/rfc5652
Ron Rivest, Adi Shamir, Leonard Adleman. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. 1978. https://people.csail.mit.edu/rivest/Rsapaper.pdf
Whitfield Diffie, Martin Hellman. New Directions in Cryptography. 1976. https://ee.stanford.edu/~hellman/publications/24.pdf
Microsoft Security Bulletin MS13-098. 2013. https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-098
Catalog Files and Digital Signatures. https://learn.microsoft.com/en-us/windows-hardware/drivers/install/catalog-files
Driver Signing. https://learn.microsoft.com/en-us/windows-hardware/drivers/install/digital-signatures
Microsoft Security Advisory 2718704. 2012. https://docs.microsoft.com/en-us/security-updates/securityadvisories/2012/2718704
Marc Stevens. Counter-Cryptanalysis. 2013. https://link.springer.com/chapter/10.1007/978-3-642-40041-4_8
Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger. MD5 considered harmful today: Creating a rogue CA certificate. 2008. https://www.win.tue.nl/hashclash/rogue-ca/
Program Requirements -- Microsoft Trusted Root Program. https://learn.microsoft.com/en-us/security/trusted-root/program-requirements
Minimum Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates. 2016. https://pkic.org/uploads/2016/09/Minimum-requirements-for-the-Issuance-and-Management-of-code-signing.pdf
CA/Browser Forum Code Signing Documents. https://cabforum.org/working-groups/code-signing/documents/
CA/Browser Forum Code Signing Certificate Working Group. https://cabforum.org/working-groups/code-signing/
Attestation Signing a Kernel Driver for Public Release. https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release
Driver Signing Offerings. https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/driver-signing-offerings
Deprecation of Software Publisher Certificates and Commercial Release Certificates. https://learn.microsoft.com/en-us/windows-hardware/drivers/install/deprecation-of-software-publisher-certificates-and-commercial-release-certificates
App Control for Business and AppLocker Overview , 2026. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview
Operation ShadowHammer. 2019. https://securelist.com/operation-shadowhammer/89992/
Bitwarden Statement on the Checkmarx Supply Chain Incident. 2026. https://community.bitwarden.com/t/bitwarden-statement-on-checkmarx-supply-chain-incident/96127
Bitwarden CLI Compromised in Ongoing npm Supply-Chain Campaign. 2026. https://thehackernews.com/2026/04/bitwarden-cli-compromised-in-ongoing.html
Bitwarden CLI Hijacked on npm: Bun-Staged Credential Stealer. 2026. https://www.stepsecurity.io/blog/bitwarden-cli-hijacked-on-npm-bun-staged-credential-stealer-targets-developers-github-actions-and-ai-tools
CryptCATAdminCalcHashFromFileHandle function. https://learn.microsoft.com/en-us/windows/win32/api/mscat/nf-mscat-cryptcatadmincalchashfromfilehandle
Deploy Catalog Files to Support App Control for Business. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-catalog-files-to-support-appcontrol
Carlisle Adams, Pat Cain, Denis Pinkas, Robert Zuccherato. Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) (RFC 3161). 2001. https://datatracker.ietf.org/doc/html/rfc3161
WinVerifyTrust function. https://learn.microsoft.com/en-us/windows/win32/api/wintrust/nf-wintrust-winverifytrust
App Control for Business Event ID Explanations. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations
Use Code Signing for Better Control and Protection. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/use-code-signing-for-better-control-and-protection
Protecting Against Malware in macOS. https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/web
Linux Integrity Subsystem. https://sourceforge.net/p/linux-ima/wiki/Home/
APK Signature Scheme v3. https://source.android.com/docs/security/features/apksigning/v3
Sigstore Overview. https://docs.sigstore.dev/about/overview/
Signing Blobs with Cosign. https://docs.sigstore.dev/cosign/signing/signing_with_blobs/
sigstore/rekor (GitHub). https://github.com/sigstore/rekor
Doowon Kim, Bum Jun Kwon, Tudor Dumitraș. Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI. 2017. https://users.umiacs.umd.edu/~tdumitra/papers/CCS-2017.pdf
David McGrew, Michael Curcio, Scott Fluhrer. Leighton-Micali Hash-Based Signatures (RFC 8554). 2019. https://datatracker.ietf.org/doc/html/rfc8554
Russ Housley. Use of Edwards-Curve Digital Signature Algorithm (EdDSA) Signatures in the Cryptographic Message Syntax (CMS) (RFC 8419). 2018. https://datatracker.ietf.org/doc/html/rfc8419
Internet Explorer 3. https://en.wikipedia.org/wiki/Internet_Explorer_3
Code signing. https://en.wikipedia.org/wiki/Code_signing
Stuxnet. https://en.wikipedia.org/wiki/Stuxnet
Flame (malware). https://en.wikipedia.org/wiki/Flame_(malware)
Wikipedia contributors. Windows Vista . https://en.wikipedia.org/wiki/Windows_Vista . Accessed 2026-05-10. Vista released to manufacturing November 8, 2006; general availability January 30, 2007; first release with UAC, MIC, and IE Protected Mode.
AppLocker Architecture and Components , 2026. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-architecture-and-components
Applications that can bypass App Control and how to block them , 2026. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol
Oddvar Moe — UltimateAppLockerByPassList , 2024. https://github.com/api0cradle/UltimateAppLockerByPassList
Jimmy Bayne — UltimateWDACBypassList , 2024. https://github.com/bohops/UltimateWDACBypassList
Microsoft Security Team — Introducing Windows Defender Application Control , 2017. https://www.microsoft.com/en-us/security/blog/2017/10/23/introducing-windows-defender-application-control/
CERT Advisory CA-2000-04 Love Letter Worm , 2000. https://web.archive.org/web/20140109062734/http://www.cert.org:80/advisories/CA-2000-04.html
CERT Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL , 2001. https://web.archive.org/web/20131209034953/http://www.cert.org/advisories/CA-2001-19.html
CERT Advisory CA-2001-26 Nimda Worm , 2001. https://web.archive.org/web/20131105111012/http://www.cert.org/advisories/CA-2001-26.html
John Lambert — Software Restriction Policies in Windows XP , 2002. https://www.virusbulletin.com/uploads/pdf/conference/vb2002/johnlambert_vb2002.pdf
What Is AppLocker? (archived TechNet) , 2024. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ee424367(v=ws.11)
Windows 7 Lifecycle , 2026. https://learn.microsoft.com/en-us/lifecycle/products/windows-7
Windows Server 2008 R2 Lifecycle , 2026. https://learn.microsoft.com/en-us/lifecycle/products/windows-server-2008-r2
Working with AppLocker Rules , 2026. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/working-with-applocker-rules
App Control feature availability , 2026. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/feature-availability
Aaron Margosis — AaronLocker GitHub repository , 2024. https://github.com/microsoft/AaronLocker
Oddvar Moe — AppLocker Case Study: How insecure is it really? Part 1 , 2017. https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
Oddvar Moe — AppLocker — Case study: How insecure is it really? -- Part 2 , 2017. https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
Device protection in Windows Security , 2026. https://support.microsoft.com/windows/device-protection-in-windows-security-afa11526-de57-b1c5-599f-3a4c6a61c5e2
Windows 11 Enterprise and Education Lifecycle , 2026. https://learn.microsoft.com/en-us/lifecycle/products/windows-11-enterprise-and-education
Windows Server 2025 Lifecycle , 2026. https://learn.microsoft.com/en-us/lifecycle/products/windows-server-2025
Issue 411: Naming change to App Control for Business , 2024. https://github.com/MicrosoftDocs/WDAC-Toolkit/issues/411
PsSetLoadImageNotifyRoutine kernel API , 2026. https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-pssetloadimagenotifyroutine
PsLookupProcessByProcessId kernel API , 2026. https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-pslookupprocessbyprocessid
Aaron Margosis — AaronLocker Create-Policies.ps1 , 2024. https://raw.githubusercontent.com/microsoft/AaronLocker/main/AaronLocker/Create-Policies.ps1
Configure authorized apps deployed with a managed installer , 2026. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/configure-authorized-apps-deployed-with-a-managed-installer
Use App Control with the Intelligent Security Graph , 2026. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/use-appcontrol-with-intelligent-security-graph
App Control for Business policy wizard , 2026. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/appcontrol-wizard
April 9 2024 KB5036893 (OS Builds 22621.3447 and 22631.3447) , 2024. https://support.microsoft.com/en-us/topic/april-9-2024-kb5036893-os-builds-22621-3447-and-22631-3447-a674a67b-85f5-4a40-8d74-5f8af8ead5bb
April 9 2024 KB5036892 (OS Builds 19044.4291 and 19045.4291) , 2024. https://support.microsoft.com/en-us/topic/april-9-2024-kb5036892-os-builds-19044-4291-and-19045-4291-expired-cb5d2d42-6b10-48f7-829a-be7d416a811b
Deploy multiple App Control policies , 2026. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/deploy-multiple-appcontrol-policies
LOLBAS Project , 2026. https://lolbas-project.github.io/
Matt Graeber — WinDbg / CDB shellcode runner (Wayback preservation) , 2016. https://web.archive.org/web/2019/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
Casey Smith — Application Whitelisting Bypass: csi.exe (Wayback) , 2016. https://web.archive.org/web/20161008143428/http://subt0x10.blogspot.com/2016/09/application-whitelisting-bypass-csiexe.html
Matt Nelson — Bypassing Application Whitelisting by using dnx.exe , 2016. https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
James Forshaw — DG on Windows 10 S: Executing Arbitrary Code , 2017. https://www.tiraniddo.dev/2017/07/dg-on-windows-10-s-executing-arbitrary.html
Jimmy Bayne — DotNet Core: A Vector For AWL Bypass and Defense Evasion , 2019. https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
Peter Upfold — Word hangs on saving: App Control for Business and webclnt.dll , 2024. https://peter.upfold.org.uk/blog/2024/07/28/word-hangs-on-saving-app-control-for-business-and-webclnt-dll/
Smart App Control overview , 2026. https://learn.microsoft.com/en-us/windows/apps/develop/smart-app-control/overview
Smart App Control: Frequently Asked Questions , 2026. https://support.microsoft.com/en-us/windows/smart-app-control-frequently-asked-questions-285ea03d-fa88-4d56-882e-6698afdb7003
App Control script enforcement , 2026. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/script-enforcement
ApplicationControl CSP , 2026. https://learn.microsoft.com/en-us/windows/client-management/mdm/applicationcontrol-csp
App Control for Business policy in Intune , 2026. https://learn.microsoft.com/en-us/intune/intune-service/protect/endpoint-security-app-control-policy
Announcing App Control for Business (aka WDAC) with OSConfig , 2024. https://techcommunity.microsoft.com/discussions/windowsserverinsiders/announcing-app-control-for-business-aka-wdac-with-osconfig/4268618
Microsoft Learn — Deprecated features for Windows client (NTLM row). https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features
October 8 2024 KB5044288 (OS Build 25398.1189) , 2024. https://support.microsoft.com/en-us/topic/october-8-2024-kb5044288-os-build-25398-1189-07468931-d90b-4566-9865-f435fe4c3ea8
Implementing application control (ACSC) , 2026. https://www.cyber.gov.au/business-government/protecting-devices-systems/hardening-systems-applications/system-hardening/implementing-application-control
Souppaya, Scarfone — NIST SP 800-167: Guide to Application Whitelisting , 2015. https://csrc.nist.gov/publications/detail/sp/800-167/final
Mark Russinovich — AccessChk Sysinternals , 2022. https://learn.microsoft.com/en-us/sysinternals/downloads/accesschk
Policy Configuration Agent in Microsoft Intune , 2026. https://learn.microsoft.com/en-us/intune/copilot/agents/policy-configuration-agent
Manage the Policy Configuration Agent in Microsoft Intune , 2026. https://learn.microsoft.com/en-us/intune/copilot/agents/manage-policy-configuration-agent
Security Copilot in Intune features overview , 2026. https://learn.microsoft.com/en-us/intune/copilot/
MicrosoftDocs WDAC-Toolkit , 2024. https://github.com/MicrosoftDocs/WDAC-Toolkit
PCI Security Standards Document Library , 2026. https://www.pcisecuritystandards.org/document_library
Deploy Code Integrity Policies (Wayback 2017) , 2017. https://web.archive.org/web/20170101000000/https://docs.microsoft.com/en-us/windows/device-security/device-guard/deploy-code-integrity-policies-steps
What Is AppLocker (Microsoft Learn) , 2024. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/what-is-applocker
Andy Greenberg — He Perfected a Password-Hacking Tool, then the Russians Came Calling (2017). https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/
Benjamin Delpy — mimikatz 1.0 vient de sortir en version alpha! (Wayback snapshot) , 2011. https://web.archive.org/web/20110910081729/http://blog.gentilkiwi.com/mimikatz
Microsoft — Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft (versions 1 and 2). https://www.microsoft.com/en-us/download/details.aspx?id=36036
Microsoft Trustworthy Computing Group — Mitigating Pass-the-Hash and Other Credential Theft, Version 2 , 2014. https://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf
Credential Guard overview (Microsoft Learn) , 2024. https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard
Kim Zetter — Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon , 2014. ISBN 978-0770436179
Microsoft Security Bulletin MS10-046 — Critical (Windows Shell LNK RCE) , 2010. https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-046
Benjamin Delpy — mimikatz/sekurlsa (Wayback snapshot) , 2011. https://web.archive.org/web/20110711232613/http://blog.gentilkiwi.com/mimikatz/sekurlsa
Pavel Yosifovich, Alex Ionescu, Mark Russinovich, David Solomon — Windows Internals, Part 1 (7th edition) (2017). https://learn.microsoft.com/en-us/sysinternals/resources/windows-internals
Credentials Processes in Windows Authentication (Microsoft Learn) , 2025. https://learn.microsoft.com/en-us/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication
Understand AppLocker policy design decisions (Microsoft Learn) , 2024. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/understand-applocker-policy-design-decisions
Joanna Rutkowska, Alex Tereshkin — Evil Maid Goes After TrueCrypt! (Invisible Things Lab, October 16, 2009; Wayback snapshot) , 2009. https://web.archive.org/web/20110114043427/http://theinvisiblethings.blogspot.com/2009/10/evil-maid-goes-after-truecrypt.html
DirectAccess Design Guide for Windows 7 / Server 2008 R2 (Microsoft Learn archive) , 2012. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee649191(v=ws.10)
Ralph Langner — To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve , 2013. https://archive.org/details/to-kill-a-centrifuge
Bruce Dang, Peter Ferrie — Adventures in Analyzing Stuxnet (27C3) , 2010. https://media.ccc.de/v/27c3-4245-en-adventures_in_analyzing_stuxnet
Microsoft Security Bulletin MS10-061 — Critical (Print Spooler RCE) , 2010. https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-061
Microsoft Security Bulletin MS10-073 — Important (Windows Kernel-Mode Drivers LPE) , 2010. https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-073
Microsoft Security Bulletin MS10-092 — Important (Task Scheduler LPE) , 2010. https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-092
Microsoft Security Bulletin MS08-067 — Critical (Server Service RCE) , 2008. https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-067
Brian Krebs — Adobe, Microsoft, WordPress Issue Security Fixes (February 2011 autorun re-release) , 2011. https://krebsonsecurity.com/2011/02/adobe-microsoft-wordpress-issue-security-fixes/
David Drummond — A New Approach to China (Operation Aurora disclosure) , 2010. https://googleblog.blogspot.com/2010/01/new-approach-to-china.html
David Drummond — A New Approach to China (Operation Aurora disclosure — Wayback snapshot 2010-01-13) , 2010. https://web.archive.org/web/20100113172117/http://googleblog.blogspot.com/2010/01/new-approach-to-china.html
NVD CVE-2010-0249 (Operation Aurora IE use-after-free) , 2010. https://nvd.nist.gov/vuln/detail/CVE-2010-0249
Adobe Investigates Corporate Network Security Issue , 2010. https://blogs.adobe.com/conversations/2010/01/adobe_investigates_corporate_n.html
Operation Aurora (Wikipedia) , 2024. https://en.wikipedia.org/wiki/Operation_Aurora
Ariana Eunjung Cha, Ellen Nakashima — Google China cyberattack part of vast espionage campaign, experts say , 2010. https://www.washingtonpost.com/wp-dyn/content/article/2010/01/13/AR2010011300359.html
Dmitri Alperovitch — More Details on Operation 'Aurora' (McAfee Labs) , 2010. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/more-details-on-operation-aurora/
Microsoft Security Bulletin MS10-002 — Critical (Cumulative Security Update for Internet Explorer) , 2010. https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-002
Skip Duckwall, Chris Campbell — Pass-the-Hash 2: The Admin's Revenge (Black Hat USA 2013) , 2013. https://media.blackhat.com/us-13/US-13-Duckwall-Pass-the-Hash-2-The-Admins-Revenge-Slides.pdf
MS-NLMP Section 3.3.2: NTLM v2 Authentication (Microsoft Open Specifications) , 2024. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/5e550938-91d4-459f-b67d-75d70009e3f3
Dell SecureWorks Counter Threat Unit — Skeleton Key Malware Analysis , 2015. https://www.secureworks.com/research/skeleton-key-malware-analysis
Andy Robbins, Will Schroeder, Rohan Vazarkar — Six Degrees of Domain Admin — Using Graph Theory to Accelerate Red Team Operations (DEF CON 24) , 2016. https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEF%20CON%2024%20-%20Robbins-Vazarkar-Schroeder-Six-Degrees-of-Domain-Admin.pdf
Benjamin Delpy, Skip Duckwall — Abusing Microsoft Kerberos: Sorry You Guys Don't Get It (Black Hat USA 2014) , 2014. https://www.blackhat.com/us-14/archives.html
Sean Metcalf — Kerberos Golden Ticket (ADSecurity.org) , 2015. https://adsecurity.org/?p=1640
Benjamin Delpy — mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.c (per-Windows-build signature table) , 2024. https://raw.githubusercontent.com/gentilkiwi/mimikatz/master/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.c
Benjamin Delpy — gentilkiwi/mimikatz August 2014 commit listing (GitHub API) , 2014. https://api.github.com/repos/gentilkiwi/mimikatz/commits?since=2014-08-01T00:00:00Z&until=2014-08-31T23:59:59Z&per_page=100
Sean Metcalf — Mimikatz DCSync Usage, Exploitation, and Detection (ADSecurity.org) , 2015. https://adsecurity.org/?p=1729
Brian Krebs — Microsoft Releases Emergency Security Update (Schannel) , 2014. https://krebsonsecurity.com/2014/11/microsoft-releases-emergency-security-update/
NVD CVE-2014-6321 (Schannel WinShock) , 2014. https://nvd.nist.gov/vuln/detail/CVE-2014-6321
Microsoft Security Bulletin MS14-066 — Critical (Schannel RCE) , 2014. https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-066
Microsoft 365 network connectivity principles (Microsoft Learn) , 2026. https://learn.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-network-connectivity-principles
D. E. Bell, L. J. LaPadula — Secure Computer System: Unified Exposition and Multics Interpretation , 1976. https://csrc.nist.gov/files/pubs/conference/1998/10/08/proceedings-of-the-21st-nissc-1998/final/docs/early-cs-papers/bell76.pdf
D. E. Bell, L. J. LaPadula — Secure Computer Systems: Mathematical Foundations , MITRE Technical Report 2547, Volume I, 1973. https://apps.dtic.mil/sti/citations/AD0770768
Butler W. Lampson — A Note on the Confinement Problem , Communications of the ACM 16(10), 1973. https://dl.acm.org/doi/10.1145/362375.362389
Alex Ionescu — Battle of SKM and IUM: How Windows 10 Rewrites the OS Architecture (Black Hat USA 2015) , 2015. http://publications.alex-ionescu.com/BlackHat/BlackHat%202015%20-%20Battle%20of%20SKM%20and%20IUM.pdf
Mark Russinovich, Thomas Garnier — Sysmon — Sysinternals (Microsoft Learn) , 2026. https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
OS Credential Dumping: LSASS Memory (MITRE ATT&CK T1003.001) , 2024. https://attack.mitre.org/techniques/T1003/001/
Configure Credential Guard (Microsoft Learn) , 2026. https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure
Hernan Ochoa — Pass-The-Hash Toolkit (Core Security Corelabs; iam.exe / whosthere.exe, 2008; Wayback snapshot) , 2008. https://web.archive.org/web/20150910081824/http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit
Paul Ashton / Exploit-DB — Microsoft Windows NT 4.0 SP5 / Terminal Server 4.0 - 'Pass the Hash' with Modified SMB Client. https://www.exploit-db.com/raw/19197
ly4k/PassTheChallenge. https://github.com/ly4k/PassTheChallenge
LSA Authentication. https://learn.microsoft.com/en-us/windows/win32/secauthn/lsa-authentication
Hernan Ochoa. Pass-The-Hash Toolkit . https://web.archive.org/web/20080817055631/http://oss.coresecurity.com/projects/pshtoolkit.htm
Microsoft Security Advisory: Update to improve credentials protection and management (May 13, 2014). https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649
Battle of SKM and IUM: How Windows 10 Rewrites OS Architecture. https://github.com/tpn/pdfs/blob/master/Battle%20of%20SKM%20and%20IUM%20-%20How%20Windows%2010%20Rewrites%20OS%20Architecture%20-%20Alex%20Ionescu%20-%202015%20%28blackhat2015%29.pdf
Microsoft — Protected Users security group (2025). https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
Brandon LeBlanc. Windows 8.1 now available! . https://blogs.windows.com/windowsexperience/2013/10/17/windows-8-1-now-available/
Jeff Meisner. Save the date: Windows Server 2012 R2, Windows System Center 2012 R2 and Windows Intune update coming Oct. 18 . https://blogs.microsoft.com/blog/2013/08/14/save-the-date-windows-server-2012-r2-windows-system-center-2012-r2-and-windows-intune-update-coming-oct-18/
Microsoft Ignite: The day-one wrap-up (Wayback Machine snapshot, February 2025). https://web.archive.org/web/2025/https://www.itprotoday.com/unified-communications/microsoft-ignite-the-day-one-wrap-up
What's new in Windows Server 2016. https://learn.microsoft.com/en-us/windows-server/get-started/whats-new-in-windows-server-2016
Pass-the-Challenge: Defeating Credential Guard (Wayback). https://web.archive.org/web/20240203005631/https://research.ifcr.dk/pass-the-challenge-defeating-credential-guard-31a892eee22
Microsoft Learn. Windows Server release information . https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info
SSP Packages Provided by Microsoft. https://learn.microsoft.com/en-us/windows/win32/secauthn/ssp-packages-provided-by-microsoft
Win32_DeviceGuard schema. https://learn.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
Credential Guard considerations and known issues. https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/considerations-known-issues
Microsoft Defender for Identity overview. https://learn.microsoft.com/en-us/defender-for-identity/
Microsoft — Microsoft Entra: What is a Primary Refresh Token (2025). https://learn.microsoft.com/en-us/entra/identity/devices/concept-primary-refresh-token
sssd-kcm(8) -- SSSD Kerberos Cache Manager. https://man.archlinux.org/man/sssd-kcm.8.en
Protecting Cached User Data (ChromiumOS design doc). https://www.chromium.org/chromium-os/chromiumos-design-docs/protecting-cached-user-data/
ly4k/Pypykatz (LSA Isolated Data fork). https://github.com/ly4k/Pypykatz
Microsoft Support. Upcoming changes to NTLMv1 in Windows 11, version 24H2 and Windows Server 2025 . https://support.microsoft.com/en-us/topic/upcoming-changes-to-ntlmv1-in-windows-11-version-24h2-and-windows-server-2025-c0554217-cdbc-420f-b47c-e02b2db49b2e
Attacking Microsoft Kerberos: Kicking the Guard Dog of Hades (Tim Medin, DerbyCon 4). https://www.irongeek.com/i.php?page=videos/derbycon4/t120-attacking-microsoft-kerberos-kicking-the-guard-dog-of-hades-tim-medin
MITRE ATT&CK T1558.003 -- Kerberoasting. https://attack.mitre.org/techniques/T1558/003/
MITRE ATT&CK T1558.004 -- AS-REP Roasting. https://attack.mitre.org/techniques/T1558/004/
Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory (2019). https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
Exploiting RBCD using a normal user. https://www.tiraniddo.dev/2022/05/exploiting-rbcd-using-normal-user.html
Dec0ne — KrbRelayUp. https://github.com/Dec0ne/KrbRelayUp
Microsoft Learn. Kerberos Constrained Delegation Overview in Windows Server . https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview#resource-based-constrained-delegation-across-domains
Microsoft Learn. ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity attribute . https://learn.microsoft.com/en-us/windows/win32/adschema/a-msds-allowedtoactonbehalfofotheridentity
Stephen Breen. Hot Potato . 2016. https://foxglovesecurity.com/2016/01/16/hot-potato/ . Accessed 2026-05-10. Hot Potato disclosure (January 16, 2016); references Project Zero issue 222 as prior art seed.
Stephen Breen, Chris Mallz. Rotten Potato — Privilege Escalation from Service Accounts to SYSTEM . 2016. https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ . Accessed 2026-05-10. Rotten Potato three-step attack flow; explicit attribution to James Forshaw Project Zero issue 325 and BlackHat talk.
Andrea Pierini, Giuseppe Trotta. ohpe/juicy-potato . 2018. https://github.com/ohpe/juicy-potato . Accessed 2026-05-10. Juicy Potato (2018); CLSID enumeration; configurable RPC port.
Clément Labro (itm4n). PrintSpoofer — Abusing Impersonation Privileges on Windows 10 and Server 2019 . 2020. https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/ . Accessed 2026-05-10. PrintSpoofer technique blog; named-pipe path-validation bypass; the canonical decoder_it quote.
Antimalware Scan Interface Portal , Microsoft Learn. https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal
Parag Mali — VBS Trustlets: What Actually Runs in the Secure Kernel , paragmali.com, 2026. https://paragmali.com/blog/vbs-trustlets-what-actually-runs-in-the-secure-kernel/
NTLMless: The Death of NTLM in Windows. https://paragmali.com/blog/ntlmless-the-death-of-ntlm-in-windows
protocol-defined string-to-key function. https://en.wikipedia.org/wiki/Kerberos_(protocol)
SMBRelay (Cult of the Dead Cow). https://www.cultdeadcow.com/tools/smbrelay.html
DigiNotar (Wikipedia). https://en.wikipedia.org/wiki/DigiNotar
hypervisor. https://paragmali.com/blog/above-ring-zero-how-the-windows-hypervisor-became-a-security/
Potato family. https://paragmali.com/blog/windows-access-control-25-years-of-attacks/
Remi Gascou — Coercer. https://github.com/p0dalirius/Coercer
SpecterOps — Certified Pre-Owned: Abusing Active Directory Certificate Services. https://posts.specterops.io/certified-pre-owned-d95910965cd2
Gilles Lionel (topotam77). topotam/PetitPotam . 2021. https://github.com/topotam/PetitPotam . Accessed 2026-05-10. PetitPotam coercion via MS-EFSRPC EfsRpcOpenFileRaw and other LSARPC-bound functions.
SpecterOps — Certified Pre-Owned: Abusing Active Directory Certificate Services (whitepaper). https://specterops.io/assets/resources/Certified_Pre-Owned.pdf
Fortra — Impacket. https://github.com/fortra/impacket
Microsoft Support — KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS). https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
Microsoft Open Specifications — [MS-NLMP]: LMOWFv1(). https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/a724e8df-2b0a-4a36-aef4-2d2b56fd3db7
Microsoft Open Specifications — [MS-NLMP]: NT LAN Manager (NTLM) Authentication Protocol. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/b38c36ed-2804-4868-a9ff-8dd3182128e4
Microsoft Open Specifications — [MS-NLMP]: NTLM v1 Authentication. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/464551a8-9fc4-428e-b3d3-bc5bfb2e73a5
Microsoft Tech Community. The Evolution of Windows Authentication . 2023. https://techcommunity.microsoft.com/blog/windows-itpro-blog/the-evolution-of-windows-authentication/3926848 . Accessed 2026-05-10. NTLM future-disablement announcement; local KDC / IAKerb for both local and domain accounts; future disablement of NTLM in Windows 11.
mariam_gewida, Microsoft Windows IT Pro Blog — Advancing Windows security: Disabling NTLM by default. https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-windows-security-disabling-ntlm-by-default/4489526
Dan Cuomo, Microsoft Windows OS Platform Blog — Active Directory improvements in Windows Server 2025. https://techcommunity.microsoft.com/blog/windowsosplatform/active-directory-improvements-in-windows-server-2025/4202383
Microsoft Learn — NTLM Overview. https://learn.microsoft.com/en-us/windows-server/security/kerberos/ntlm-overview
Microsoft Learn — Extended Protection for Authentication Overview. https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/extended-protection-for-authentication-overview
NIST NVD — CVE-2019-1040 — NTLM MIC bypass (Drop the MIC). https://nvd.nist.gov/vuln/detail/CVE-2019-1040
Cult of the Dead Cow — The SMB Man-In-the-Middle Attack / SMBRelay. https://cultdeadcow.com/tools/smbrelay.html
Microsoft Learn — Overview of Server Message Block signing. https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing
NIST NVD — CVE-2008-4037 — SMB Credential Reflection Vulnerability (MS08-068). https://nvd.nist.gov/vuln/detail/CVE-2008-4037
Lee Christensen — SpoolSample (PrinterBug). https://github.com/leechristensen/SpoolSample
CrowdStrike — From the Archives: Drop the MIC — CVE-2019-1040. https://www.crowdstrike.com/en-us/blog/from-the-archives-drop-the-mic-cve-2019-1040/
IETF kitten WG — Initial and Pass Through Authentication Using Kerberos V5 and the GSS-API (IAKERB). https://datatracker.ietf.org/doc/draft-ietf-kitten-iakerb/
Andreas Schneider — Local authentication hub. https://blog.cryptomilk.org/2025/02/09/local-authentication-hub/
Microsoft Open Specifications — [MS-NEGOEX]: SPNEGO Extended Negotiation (NEGOEX) Security Mechanism. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-negoex/0ad7a003-ab56-4839-a204-b555ca6759a2
IETF — SPNEGO Extended Negotiation (NEGOEX) Security Mechanism (Internet-Draft). https://datatracker.ietf.org/doc/html/draft-zhu-negoex
IETF — RFC 8143: Using Transport Layer Security (TLS) with NNTP. https://datatracker.ietf.org/doc/rfc8143/
Microsoft Support. Overview of NTLM auditing enhancements in Windows 11 24H2 and Windows Server 2025 . 2025. https://support.microsoft.com/en-us/topic/overview-of-ntlm-auditing-enhancements-in-windows-11-version-24h2-and-windows-server-2025-b7ead732-6fc5-46a3-a943-27a4571d9e7b . Accessed 2026-05-10. Original publish date July 11, 2025; KB5064479; new audit logs in Microsoft\Windows\NTLM\Operational; client / server / domain-controller NTLMv1 audit channels.
Microsoft Learn — Audit use of NTLMv1 on a Windows Server-based domain controller (KB 4090105). https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/audit-domain-controller-ntlmv1
The Hacker News — Microsoft Begins NTLM Phase-Out With Three-Stage Plan to Move Windows to Kerberos. https://thehackernews.com/2026/02/microsoft-begins-ntlm-phase-out-with.html
European Commission — NIS2 Directive: new rules on cybersecurity of network and information systems. https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
Microsoft Learn — How to enable LDAP signing - Windows Server. https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/enable-ldap-signing-in-windows-server
Rubeus. https://github.com/GhostPack/Rubeus
Microsoft Learn — Kerberos authentication overview . https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview
Using Encryption for Authentication in Large Networks of Computers (1978). https://dl.acm.org/doi/10.1145/359657.359659
C. Neuman, T. Yu, S. Hartman, K. Raeburn — RFC 4120 -- The Kerberos Network Authentication Service (V5) (2005). https://datatracker.ietf.org/doc/html/rfc4120
Needham-Schroeder protocol. https://en.wikipedia.org/wiki/Needham%E2%80%93Schroeder_protocol
[MS-PAC]: Privilege Attribute Certificate Data Structure — 2024. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/
Project Athena Technical Plan, Section E.2.1: Kerberos Authentication and Authorization System (1989). https://web.mit.edu/Saltzer/www/publications/athenaplan/e.2.1.pdf
Designing an Authentication System: a Dialogue in Four Scenes (1988). https://web.mit.edu/kerberos/dialogue.html
Kerberos: An Authentication Service for Open Network Systems (1988). https://www.cerias.purdue.edu/apps/reports_and_papers/view/1760
Bill Bryant, Jennifer Steiner, John Kohl. Kerberos Installation Notes . https://raw.githubusercontent.com/jameshilliard/acs-GPL-3.3.0/5d2be5d30f3ccef7153906123c90405833b1bf13/tarbal/krb5-1.4/doc/old-V4-docs/installation.mss
RFC 1510: The Kerberos Network Authentication Service (V5) — J. Kohl, C. Neuman; 1993. https://datatracker.ietf.org/doc/html/rfc1510
L. Zhu, B. Tung — RFC 4556 -- Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) (2006). https://datatracker.ietf.org/doc/html/rfc4556
A Generalized Framework for Kerberos Pre-Authentication (2011). https://datatracker.ietf.org/doc/html/rfc6113
PKINIT Freshness Extension (2017). https://datatracker.ietf.org/doc/html/rfc8070
CVE-2020-17049: Kerberos KDC Security Feature Bypass (Bronze Bit) (2020). https://nvd.nist.gov/vuln/detail/CVE-2020-17049
CVE-2020-17049: Kerberos Bronze Bit Attack -- Theory (2020). https://www.netspi.com/blog/technical-blog/network-pentesting/cve-2020-17049-kerberos-bronze-bit-attack-theory/
[MS-PAC] Introduction. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/166d8064-c863-41e1-9c23-edaaa5f36962
CVE-2022-37967: Windows Kerberos Elevation of Privilege Vulnerability (KrbtgtFullPacSignature) (2022). https://nvd.nist.gov/vuln/detail/CVE-2022-37967
Microsoft — KB5021131: Manage the Kerberos protocol changes related to CVE-2022-37966 (2022). https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d
Encryption and Checksum Specifications for Kerberos 5 (2005). https://datatracker.ietf.org/doc/html/rfc3961
[MS-KILE] §2.2.7 -- Supported Encryption Types Bit Flags. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/6cfc7b50-11ed-4b4d-846d-6f08f0812919
K. Jaganathan, L. Zhu, J. Brezak — RFC 4757 -- The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows (2006). https://datatracker.ietf.org/doc/html/rfc4757
Beyond RC4 for Windows authentication (2025). https://www.microsoft.com/en-us/windows-server/blog/2025/12/03/beyond-rc4-for-windows-authentication/
Advanced Encryption Standard (AES) Encryption for Kerberos 5 (2005). https://datatracker.ietf.org/doc/html/rfc3962
AES Encryption with HMAC-SHA2 for Kerberos 5 (2016). https://datatracker.ietf.org/doc/html/rfc8009
Microsoft's guidance to help mitigate Kerberoasting (2024). https://www.microsoft.com/en-us/security/blog/2024/10/11/microsofts-guidance-to-help-mitigate-kerberoasting/
Group Managed Service Accounts Overview . https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview
Delegated Managed Service Accounts Overview. https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/delegated-managed-service-accounts/delegated-managed-service-accounts-overview
OWASP Password Storage Cheat Sheet (Wayback snapshot, June 2023). https://web.archive.org/web/20230621142207/https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
Cracking Kerberos TGS Tickets Using Kerberoast -- Exploiting Kerberos to Compromise the Active Directory Domain. https://adsecurity.org/?p=2293
KB5008380 - Authentication updates (CVE-2021-42287). https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
NVD — CVE-2022-26923 -- Active Directory Domain Services Elevation of Privilege Vulnerability (2022). https://nvd.nist.gov/vuln/detail/CVE-2022-26923
Microsoft — KB5014754: Certificate-based authentication changes on Windows domain controllers (2025). https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
A Diamond Ticket in the Ruff — Charlie Clark, Andrew Schwartz; 2022. https://www.semperis.com/blog/a-diamond-ticket-in-the-ruff/
A Diamond (Ticket) in the Ruff — Andrew Schwartz, Charlie Clark; 2022. https://www.trustedsec.com/blog/a-diamond-in-the-ruff
Diamond and Sapphire Tickets. https://pgj11.com/posts/Diamond-And-Sapphire-Tickets/
Sapphire Ticket -- The Hacker Recipes. https://www.thehacker.recipes/a-d/movement/kerberos/forged-tickets/sapphire
Next-Gen Kerberos Attacks: Sapphire and Diamond Tickets (2022). https://unit42.paloaltonetworks.com/next-gen-kerberos-attacks/
New Attack Paths? AS Requested STs (2022). https://www.semperis.com/blog/new-attack-paths-as-requested-sts/
Microsoft. Protected Users Security Group . https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn466518(v=ws.11)
Microsoft. Authentication Policies and Authentication Policy Silos . https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos
Privileged access: Enterprise access model. https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-access-model
Remote Credential Guard. https://learn.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard
Microsoft. Group Managed Service Accounts overview . https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/group-managed-service-accounts/group-managed-service-accounts/group-managed-service-accounts-overview
localkdc -- A General Local Authentication Hub (2025). https://fosdem.org/2025/schedule/event/fosdem-2025-5618-localkdc-a-general-local-authentication-hub/
MIT krb5-1.9 README -- Major changes in 1.9 (2010). https://web.mit.edu/kerberos/krb5-1.9/README-1.9.txt
MIT krb5 Release 1.9 (2010). https://web.mit.edu/kerberos/krb5-1.9/
MIT krb5 Release 1.15. https://web.mit.edu/kerberos/krb5-1.15/
Microsoft. Microsoft Entra Kerberos FAQ . https://learn.microsoft.com/en-us/entra/identity/authentication/kerberos-faq
MITRE — Steal or Forge Kerberos Tickets: Golden Ticket (T1558.001) (2024). https://attack.mitre.org/techniques/T1558/001/
MITRE ATT&CK T1003.006 — OS Credential Dumping: DCSync. https://attack.mitre.org/techniques/T1003/006/
Microsoft — AD Forest Recovery - Resetting the krbtgt password (2024). https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password
Domain of Thrones: Part II — Nico Shyne, Josh Prager; 2023. https://specterops.io/blog/2023/11/06/domain-of-thrones-part-ii/
Understand default user accounts in Active Directory. https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-default-user-accounts
Security identifiers in Active Directory. https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
KRBTGT Account Password Reset Scripts now available for customers — Sean Metcalf. https://adsecurity.org/?p=483
[MS-KILE]: Kerberos Protocol Extensions — 2026. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/
KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967 — 2023. https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb
Looking back at Project Athena — MIT News; 2018. https://news.mit.edu/2018/mit-looking-back-project-athena-distributed-computing-for-students-1111
Athena history (1983-present) from A to Z — MIT Academic Computing Services. https://web.mit.edu/acs/athena.html
Microsoft Releases Windows 2000 to Manufacturing — Microsoft News Center; 1999. https://news.microsoft.com/source/1999/12/15/microsoft-releases-windows-2000-to-manufacturing/
Microsoft Security Bulletin MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) — 2014. https://learn.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-068
NVD: CVE-2014-6324 — Kerberos Checksum Vulnerability — 2014. https://nvd.nist.gov/vuln/detail/CVE-2014-6324
Alva Duckwall, Benjamin Delpy — Abusing Microsoft Kerberos: Sorry You Guys Don't Get It (Black Hat USA 2014) (2014). https://infocondb.org/con/black-hat/black-hat-usa-2014/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it
Microsoft Defender for Identity — Classic alerts catalogue. https://learn.microsoft.com/en-us/defender-for-identity/alerts-mdi-classic
Microsoft Learn — Microsoft Defender for Identity credential access alerts (2024). https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts
MITRE ATT&CK T1558.002 — Silver Ticket. https://attack.mitre.org/techniques/T1558/002/
The Hacker Recipes — Sapphire ticket — Charlie Bromberg. https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets/sapphire
ShutdownRepo/impacket — sapphire-tickets branch — Charlie Bromberg. https://github.com/ShutdownRepo/impacket/tree/sapphire-tickets
[MS-SFU]: Kerberos Protocol Extensions: Service for User and Constrained Delegation Protocol — 2026. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/
BloodHound Release Notes. https://bloodhound.specterops.io/resources/release-notes/
Impacket PR #1411: Sapphire ticket support in ticketer.py. https://github.com/fortra/impacket/pull/1411
Kerberos Service Ticket Request Using RC4 Encryption. https://research.splunk.com/endpoint/7d90f334-a482-11ec-908c-acde48001122/
microsoftarchive/New-KrbtgtKeys.ps1. https://github.com/microsoftarchive/New-KrbtgtKeys.ps1
Certified Pre-Owned: Abusing Active Directory Certificate Services — Will Schroeder, Lee Christensen; 2021. https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf
Domain of Thrones: Part I — Nico Shyne, Josh Prager; 2023. https://specterops.io/blog/2023/10/24/domain-of-thrones-part-i/
Set-ADAccountPassword (ActiveDirectory PowerShell module). https://learn.microsoft.com/en-us/powershell/module/activedirectory/set-adaccountpassword
Microsoft Learn — Windows Hello for Business cloud Kerberos trust deployment guide . https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust
Project Athena (encyclopedia entry citing the MIT/IBM/DEC partnership and 1983—1991 timeline). https://en.wikipedia.org/wiki/Project_Athena
Windows 2000 (encyclopedia entry citing the December 15, 1999 RTM and February 17, 2000 general-availability dates). https://en.wikipedia.org/wiki/Windows_2000
Paul Ashton — NT pass-the-hash exploit code originally posted to NTBugtraq (April 1997); archived as Microsoft Windows NT 4.0 SP5 / Terminal Server 4.0 - Pass the Hash exploit (1997). https://www.exploit-db.com/exploits/19197
Dirk-jan Mollema — Digging further into the Primary Refresh Token (2020). https://dirkjanm.io/digging-further-into-the-primary-refresh-token/
Dirk-jan Mollema — Abusing Azure AD SSO with the Primary Refresh Token (2020). https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/
Dirk-jan Mollema — ROADtools and roadtx (2025). https://github.com/dirkjanm/ROADtools
Wikipedia contributors — Pass the hash . https://en.wikipedia.org/wiki/Pass_the_hash
Alva Duckwall, Christopher Campbell — Still Passing the Hash 15 Years Later (2012). https://media.blackhat.com/bh-us-12/Briefings/Duckwall/BH_US_12_Duckwall_Campbell_Still_Passing_WP.pdf
Hernan Ochoa — Pass-the-Hash Toolkit (CoreLabs project page, Wayback) (2008). https://web.archive.org/web/20121025075348/http://oss.coresecurity.com/projects/pshtoolkit.htm
Microsoft — LsaCallAuthenticationPackage function (ntsecapi.h) (2025). https://learn.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsacallauthenticationpackage
Alva Duckwall, Benjamin Delpy — Abusing Microsoft Kerberos: Sorry You Guys Don't Get It (whitepaper) (2014). https://www.blackhat.com/docs/us-14/materials/us-14-Duckwall-Abusing-Microsoft-Kerberos-Sorry-You-Guys-Don't-Get-It-wp.pdf
Sean Metcalf — Mimikatz and Active Directory Kerberos Attacks (2014). https://adsecurity.org/?p=556
Sean Metcalf — Red vs. Blue: Modern Active Directory Attacks, Detection, and Protection (2015). https://www.blackhat.com/docs/us-15/materials/us-15-Metcalf-Red-Vs-Blue-Modern-Active-Directory-Attacks-Detection-And-Protection-wp.pdf
VASCO Data Security International, Inc. — Quarterly Report on Form 10-Q for the Quarter Ended September 30, 2011 (2011). https://www.sec.gov/Archives/edgar/data/1044777/000119312511297526/d246524d10q.htm
Fox-IT — Black Tulip: Report of the investigation into the DigiNotar Certificate Authority breach (2012). https://github.com/juliocesarfort/public-pentesting-reports/blob/master/Fox-IT/Fox-IT_-_DigiNotar.pdf
Microsoft — KB2871997: Microsoft Security Advisory -- Update to improve credentials protection and management (May 13, 2014) (2014). https://support.microsoft.com/help/2871997
SpecterOps — BloodHound CE/Enterprise: CanRDP edge (2025). https://bloodhound.specterops.io/resources/edges/can-rdp
Microsoft — Windows 10 Enterprise and Education -- Modern Lifecycle Policy (2025). https://learn.microsoft.com/en-us/lifecycle/products/windows-10-enterprise-and-education
Will Schroeder, Lee Christensen — Certified Pre-Owned: Abusing Active Directory Certificate Services (2021). https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
Yannick Méheut — AlmondOffSec/PassTheCert (2022). https://github.com/AlmondOffSec/PassTheCert
Yannick Méheut — Authenticating with certificates when PKINIT is not supported (2022). https://offsec.almond.consulting/authenticating-with-certificates-when-pkinit-is-not-supported.html
Oliver Lyak — Certipy Wiki: Privilege Escalation (ESC1-ESC16) (2025). https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation
Semperis — AD Vulnerability CVE-2022-26923 (2022). https://www.semperis.com/blog/ad-vulnerability-cve-2022-26923/
Will Schroeder, Lee Christensen — Certificates and Pwnage and Patches, Oh My! (2022). https://posts.specterops.io/certificates-and-pwnage-and-patches-oh-my-8ae0f4304c1d
Microsoft — Defender for Identity -- Certificates posture assessments (2025). https://learn.microsoft.com/en-us/defender-for-identity/security-posture-assessments/certificates
SpecterOps — Certify Wiki: Escalation Techniques (ESC1-ESC16) (2025). https://docs.specterops.io/ghostpack-docs/Certify.wik-mdx/4-escalation-techniques
Microsoft — Conditional Access: Token Protection (2025). https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-token-protection
Microsoft — Plan your Microsoft Entra hybrid join deployment (2025). https://learn.microsoft.com/en-us/entra/identity/devices/hybrid-join-plan
SpecterOps — BloodHound CE/Enterprise: Edges reference (2025). https://bloodhound.specterops.io/resources/edges/
Dirk-jan Mollema — Phishing for Microsoft Entra Primary Refresh Tokens (2023). https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/
Dirk-jan Mollema — Obtaining Global Admin in every Entra ID tenant with Actor tokens (2025). https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens/
Dirk-jan Mollema — Persisting on Entra ID applications and User Managed Identities with Federated Credentials (2024). https://dirkjanm.io/persisting-with-federated-credentials-entra-apps-managed-identities/
D. Fett, B. Campbell, J. Bradley, T. Lodderstedt, M. Jones, D. Waite — RFC 9449 -- OAuth 2.0 Demonstrating Proof of Possession (DPoP) (2023). https://datatracker.ietf.org/doc/html/rfc9449
FIDO Alliance — How FIDO Works . https://fidoalliance.org/how-fido-works/
Wikipedia — Password: History . https://en.wikipedia.org/wiki/Password#History
Multicians — Corby Memorial . https://www.multicians.org/corby-memorial.html
Tom Van Vleck — Multics Security . https://www.multicians.org/security.html
Wikipedia — crypt (C) . https://en.wikipedia.org/wiki/Crypt_(C)
Electronic Frontier Foundation — DES Challenge III Broken in Record 22 Hours . https://w2.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/HTML/19990119_deschallenge3.html
Microsoft Learn — Passwords technical overview . https://learn.microsoft.com/en-us/windows-server/security/kerberos/passwords-technical-overview
MITRE — Use Alternate Authentication Material: Pass the Hash (T1550.002) (2024). https://attack.mitre.org/techniques/T1550/002/
The Register — Gummi Bears Defeat Fingerprint Sensors . https://www.theregister.com/2002/05/16/gummi_bears_defeat_fingerprint_sensors/
Microsoft Learn — Windows Biometric Framework API . https://learn.microsoft.com/en-us/windows/win32/secbiomet/biometric-service-api-portal
PR Newswire — Motorola Mobility and AT&T ATRIX 4G announcement. https://www.prnewswire.com/news-releases/motorola-mobility-and-att-announce-atrix-4g-the-future-of-mobile-computing-112974014.html
Apple — Apple Announces iPhone 5s . https://www.apple.com/newsroom/2013/09/10Apple-Announces-iPhone-5s-The-Most-Forward-Thinking-Smartphone-in-the-World/
FIDO Alliance Launch Announcement (PDF), 12 February 2013. FIDO Alliance; 2013. https://fidoalliance.org/assets/downloads/FIDO_Alliance_launch__FINAL__02_12_13docx.pdf
FIDO Alliance — specifications collection. https://fidoalliance.org/specifications/
FIDO Alliance — FIDO UAF Protocol Specification . https://fidoalliance.org/specs/fido-uaf-v1.2-ps-20201020/fido-uaf-protocol-v1.2-ps-20201020.html
FIDO Alliance — Universal 2nd Factor (U2F) Overview . https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-overview-v1.2-ps-20170411.html
Web Authentication: An API for accessing Public Key Credentials -- Level 3 (W3C Candidate Recommendation). W3C. https://www.w3.org/TR/webauthn-3/
Microsoft Learn — Windows Hello biometric requirements . https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-biometric-requirements
Apple Platform Security — Optic ID, Face ID, Touch ID, passcodes, and passwords . https://support.apple.com/en-ca/guide/security/sec9479035f1/web
Microsoft Tech Community — Windows Hello for Business Hybrid Cloud Kerberos Trust is now available! . https://techcommunity.microsoft.com/blog/windows-itpro-blog/windows-hello-for-business-hybrid-cloud-kerberos-trust-is-now-available/3651049
Microsoft Learn — Plan a Windows Hello for Business Deployment . https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/
FIDO Alliance — Android Now FIDO2 Certified . https://fidoalliance.org/android-now-fido2-certified-accelerating-global-migration-beyond-passwords/
FIDO Alliance — Microsoft Achieves FIDO2 Certification for Windows Hello . https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/
NIST SP 800-63B — Authentication Assurance Levels . https://pages.nist.gov/800-63-4/sp800-63b/aal/
NIST SP 800-63B — Authenticator and Verifier Requirements . https://pages.nist.gov/800-63-4/sp800-63b/authenticators/
Omer Tsarfati / CyberArk — Bypassing Windows Hello Without Masks or Plastic Surgery . https://www.cyberark.com/resources/threat-research-blog/bypassing-windows-hello-without-masks-or-plastic-surgery
Bowen Hu, Kuo Wang, and Chip Hong Chang — near-infrared facial presentation-attack research page. https://www.usenix.org/conference/usenixsecurity25/presentation/hu-bowen
Hu, Wang, and Chang — PDF describing a near-infrared facial presentation attack. https://www.usenix.org/system/files/usenixsecurity25-hu-bowen.pdf
ERNW / Insinuator — Faceplant: Planting Biometric Templates . https://insinuator.net/2025/08/windows-hello-for-buiness-faceplant-planting-biometric-templates/
Black Hat USA 2025 — Windows Hell No for Business official conference video. https://www.youtube.com/watch?v=SkWZ5KcelD4
Passwordless authentication options for Microsoft Entra ID. Microsoft Learn. https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-passwordless
Apple Newsroom — Apple, Google, and Microsoft Commit to Expanded Support for FIDO Standard . https://www.apple.com/newsroom/2022/05/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard/
Google Identity — Passkeys . https://developers.google.com/identity/passkeys
Apple Platform Security — Passkeys . https://support.apple.com/guide/security/passkeys-sec50554cb94/web
FIDO Alliance — credential exchange specifications announcement. https://fidoalliance.org/fido-alliance-publishes-new-specifications-to-promote-user-choice-and-enhanced-ux-for-passkeys/
Pushing passkeys forward: Microsoft's latest updates for simpler, safer sign-ins. Microsoft Security Blog; 2025. https://www.microsoft.com/en-us/security/blog/2025/05/01/pushing-passkeys-forward-microsofts-latest-updates-for-simpler-safer-sign-ins/
Anil K. Jain, Arun Ross, and Salil Prabhakar — An Introduction to Biometric Recognition . https://ieeexplore.ieee.org/document/1262027
NVD — CVE-2025-26644 . https://nvd.nist.gov/vuln/detail/CVE-2025-26644
Wiz Vulnerability Database — CVE-2025-26644 . https://www.wiz.io/vulnerability-database/cve/cve-2025-26644
Tycoon 2FA: an in-depth analysis of the latest version of the AiTM phishing kit. Sekoia.io; 2024. https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/
NIST SP 800-63-4: Digital Identity Guidelines (final, July 2025). Proud-Madruga, Choong, Galluzzo, Gupta, LaSalle, Lefkovitz, Regenscheid; NIST; 2025. https://pages.nist.gov/800-63-4/
NIST SP 800-63B-4: Authentication and Authenticator Management (HTML). NIST; 2025. https://pages.nist.gov/800-63-4/sp800-63b.html
FIDO Authenticator Certification Levels (L1, L1+, L2, L3, L3+). FIDO Alliance. https://fidoalliance.org/certification/authenticator-certification-levels/
RFC 5056: On the Use of Channel Bindings to Secure Channels. Nicolas Williams; IETF; 2007. https://auth.ietf.org/doc/html/rfc5056
RFC 9266: Channel Bindings for TLS 1.3. Sam Whited; IETF; 2022. https://auth.ietf.org/doc/html/rfc9266
New NIST Guidance on Passkeys: Key Takeaways for Enterprises. Yubico. https://www.yubico.com/blog/new-nist-guidance-on-passkeys-key-takeaways-for-enterprises/
Password Security: A Case History. Robert Morris, Ken Thompson; Communications of the ACM 22(11), 594-597; 1979. https://doi.org/10.1145/359168.359172
RFC 4226: HOTP -- An HMAC-Based One-Time Password Algorithm. M'Raihi, Bellare, Hoornaert, Naccache, Ranen; IETF; 2005. https://auth.ietf.org/doc/html/rfc4226
RFC 6238: TOTP -- Time-Based One-Time Password Algorithm. M'Raihi, Machani, Pei, Rydell; IETF; 2011. https://auth.ietf.org/doc/html/rfc6238
RFC 8471: The Token Binding Protocol Version 1.0. Popov, Nystroem, Balfanz, Hodges; IETF; 2018. https://auth.ietf.org/doc/html/rfc8471
RFC 8473: Token Binding over HTTP. Popov, Nystroem, Balfanz, Harper, Hodges; IETF; 2018. https://auth.ietf.org/doc/html/rfc8473
RFC 8471 datatracker history page. IETF. https://datatracker.ietf.org/doc/rfc8471/history/
RFC 8473 datatracker history page. IETF. https://datatracker.ietf.org/doc/rfc8473/history/
Chrome Platform Status: Token Binding. Chromium. https://chromestatus.com/api/v0/features/5097603234529280
Chrome Platform Status: Remove Token Binding. Chromium. https://chromestatus.com/feature/5044401232918528
Web Authentication: An API for accessing Scoped Credentials (W3C First Public Working Draft, 31 May 2016). W3C; 2016. https://www.w3.org/TR/2016/WD-webauthn-20160531/
Web Authentication Level 3 (Candidate Recommendation dated snapshot, 13 January 2026). W3C; 2026. https://www.w3.org/TR/2026/CR-webauthn-3-20260113/
DoD 5200.28-STD: Department of Defense Trusted Computer System Evaluation Criteria. Department of Defense; 1985. https://irp.fas.org/nsa/rainbow/std001.htm
NIST Special Publication 800-63 (first edition): Electronic Authentication Guideline. William E. Burr, Donna Dodson, W. Timothy Polk; NIST CSRC; 2004. https://csrc.nist.gov/pubs/sp/800/63/final
NIST SP 800-63 version 1.0.2 (PDF). NIST; 2004. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-63ver1.0.2.pdf
RSA SecurID (Wikipedia). Wikipedia. https://en.wikipedia.org/wiki/RSA_SecurID
NIST SP 800-63-3: Digital Identity Guidelines. NIST CSRC; 2017. https://csrc.nist.gov/pubs/sp/800/63/3/upd2/final
RFC 1760: The S/KEY One-Time Password System. Neil Haller; IETF; 1995. https://auth.ietf.org/doc/html/rfc1760
The Laws of Identity. Kim Cameron; identityblog.com; 2005. https://www.identityblog.com/?p=352
Persona Shutdown Guidelines for Reliers. Mozilla Wiki; 2016. https://wiki.mozilla.org/Identity/Persona_Shutdown_Guidelines_for_Reliers
FIDO U2F Overview (specs archive). FIDO Alliance. https://fidoalliance.org/specs/u2f-specs-master/fido-u2f-overview.html
Security Keys: Practical Cryptographic Second Factors for the Modern Web. Juan Lang, Alexei Czeskis, Dirk Balfanz, Marius Schilder, Sampath Srinivas; Financial Cryptography 2016; 2016. https://fc16.ifca.ai/preproceedings/25_Lang.pdf
W3C and FIDO Alliance Finalize Web Standard for Secure, Passwordless Logins. W3C; 2019. https://www.w3.org/press-releases/2019/webauthn/
FIDO Client to Authenticator Protocol (CTAP) 2.0 Proposed Standard, 30 January 2019. FIDO Alliance; 2019. https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html
FIDO2 security key hardware vendors for Microsoft Entra ID. Microsoft Learn. https://learn.microsoft.com/en-us/entra/identity/authentication/concept-fido2-hardware-vendor
WebAuthn APIs for password-less authentication on Windows. Microsoft Learn. https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/webauthn-apis
CBOR Object Signing and Encryption (COSE) Algorithms (IANA registry). IANA. https://www.iana.org/assignments/cose/cose.xhtml
FIDO Client to Authenticator Protocol (CTAP) 2.1 Proposed Standard, 15 June 2021. FIDO Alliance; 2021. https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html
FIDO CTAP 2.2 Proposed Standard, 14 July 2025. FIDO Alliance; 2025. https://fidoalliance.org/specs/fido-v2.2-ps-20250714/fido-client-to-authenticator-protocol-v2.2-ps-20250714.html
FIDO Alliance Specifications Download Page. FIDO Alliance. https://fidoalliance.org/specifications/download/
FIDO CTAP 2.2 Review Draft, 21 March 2023. FIDO Alliance; 2023. https://fidoalliance.org/specs/fido-v2.2-rd-20230321/fido-client-to-authenticator-protocol-v2.2-rd-20230321.html
Apple, Google and Microsoft Commit to Expanded Support for FIDO Standard to Accelerate Availability of Passwordless Sign-Ins. FIDO Alliance; 2022. https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/
OS X Mavericks Available Today Free from the Mac App Store. Apple Newsroom; 2013. https://www.apple.com/ci/newsroom/2013/10/23OS-X-Mavericks-Available-Today-Free-from-the-Mac-App-Store/
Microsoft Authenticator (Wikipedia). Wikipedia. https://en.wikipedia.org/wiki/Microsoft_Authenticator
Microsoft Introduces Passkeys for Consumer Accounts. Microsoft Security Blog; 2024. https://www.microsoft.com/en-us/security/blog/2024/05/02/microsoft-introduces-passkeys-for-consumer-accounts/
iCloud data security overview (Standard and Advanced Data Protection). Apple Support. https://support.apple.com/en-us/HT202303
NIST SP 800-63B Supplement 1: Incorporating Syncable Authenticators. Temoshok, LaSalle, Regenscheid; NIST CSRC; 2024. https://csrc.nist.gov/pubs/sp/800/63/b/sup/final
microsoft/webauthn: Win32 APIs and plugin header files. GitHub. https://github.com/microsoft/webauthn
webauthn.h Win32 API reference. Microsoft Learn. https://learn.microsoft.com/en-us/windows/win32/api/webauthn/
Passkeys (Windows identity protection). Microsoft Learn. https://learn.microsoft.com/en-us/windows/security/identity-protection/passkeys/
YubiKey 5 Series Overview. Yubico. https://www.yubico.com/products/yubikey-5-overview/
Passkeys. Adam Langley; imperialviolet.org; 2022. https://www.imperialviolet.org/2022/09/22/passkeys.html
passkeys.dev (FIDO Alliance / WebKit / Chrome team passkey resource). FIDO Alliance. https://passkeys.dev/
Passkeys on Windows: authenticate seamlessly with passkey providers. Windows Developer Blog; 2024. https://blogs.windows.com/windowsdeveloper/2024/10/08/passkeys-on-windows-authenticate-seamlessly-with-passkey-providers/
ASCredentialIdentityStore -- AuthenticationServices. Apple Developer. https://developer.apple.com/documentation/authenticationservices/ascredentialidentitystore
Credential Manager (Android Developers). Android Developers. https://developer.android.com/identity/credential-manager
Contoso Passkey Manager (Windows-classic-samples). GitHub. https://github.com/microsoft/Windows-classic-samples/tree/main/Samples/PasskeyManager
Third-party passkey providers on Windows. Microsoft Learn. https://learn.microsoft.com/en-us/windows/apps/develop/security/third-party
WebAuthn Attestation Statement Format Identifiers (IANA registry). IANA. https://www.iana.org/assignments/webauthn/webauthn.xhtml
RFC 8809: Registries for Web Authentication (WebAuthn). Hodges, Mandyam, M.B. Jones; IETF; 2020. https://auth.ietf.org/doc/html/rfc8809
Web Authentication: An API for accessing Public Key Credentials -- Level 2 (W3C Recommendation, 8 April 2021). W3C; 2021. https://www.w3.org/TR/2021/REC-webauthn-2-20210408/
SafetyNet Attestation API deprecation timeline. Android Developers; 2024. https://developer.android.com/privacy-and-security/safetynet/attestation
Google vows to fix a glaring omission in Authenticator's cloud backup feature. Android Police; 2023. https://www.androidpolice.com/google-to-add-e2ee-to-authenticator/
FIDO Credential Exchange Protocol (CXP) v1.0 Working Draft, 3 October 2024. FIDO Alliance; 2024. https://fidoalliance.org/specs/cx/cxp-v1.0-wd-20241003.html
Use a recovery key for your Apple Account. Apple Support. https://support.apple.com/en-us/109345
Configure Temporary Access Pass to register passwordless authentication methods. Microsoft Learn. https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass
Universal 2nd Factor (Wikipedia). Wikipedia. https://en.wikipedia.org/wiki/Universal_2nd_Factor
iCloud Keychain (Wikipedia). Wikipedia. https://en.wikipedia.org/wiki/ICloud_Keychain
Microsoft. Access Control . https://learn.microsoft.com/en-us/windows/win32/secauthz/access-control . Accessed 2026-05-10. Index page for the Windows Win32 access-control surface; lists the C2-level, Access Control Model, SDDL, Privileges, Audit Generation, Securable Objects, and Low-level Access Control sub-pages.
Microsoft News Center. The engineer's engineer: Computer industry luminaries salute Dave Cutler's five-decade-long quest for quality . https://news.microsoft.com/features/the-engineers-engineer-computer-industry-luminaries-salute-dave-cutlers-five-decade-long-quest-for-quality/ . Accessed 2026-05-10. Cutler started at Microsoft on October 31, 1988; led VMS, VAXeln, Mica / Prism at DEC; Microsoft Senior Technical Fellow.
hFireF0x. hfiref0x/UACME . https://github.com/hfiref0x/UACME . Accessed 2026-05-10. Institutional catalogue of UAC AutoElevate-whitelist redirect bypasses; 70+ methods with structured metadata.
Microsoft. How DACLs Control Access to an Object . https://learn.microsoft.com/en-us/windows/win32/secauthz/how-dacls-control-access-to-an-object . Accessed 2026-05-10. Canonical SeAccessCheck DACL evaluation algorithm, deny-first sequencing, NULL DACL vs empty DACL distinction.
NIST National Vulnerability Database. CVE-2021-36934 (HiveNightmare / SeriousSAM) . 2021. https://nvd.nist.gov/vuln/detail/CVE-2021-36934 . Accessed 2026-05-10. Overly permissive ACLs on the SAM database; KB5005357 plus manual shadow-copy deletion.
NIST Computer Security Resource Center. DoD Rainbow Series . 1985. https://csrc.nist.gov/pubs/other/1985/12/26/dod-rainbow-series/final . Accessed 2026-05-10. Listing of DoD 5200.28-STD (Orange Book, December 26, 1985) and Rainbow Series companion volumes.
Norm Hardy. The Confused Deputy (Wayback mirror of cap-lore.com) . 1988. https://web.archive.org/web/2024/https://www.cap-lore.com/CapTheory/ConfusedDeputy.html . Accessed 2026-05-10. Verbatim text of the 1988 paper, mirrored on the Internet Archive Wayback Machine.
Norm Hardy. The Confused Deputy (or why capabilities might have been invented) . https://web.archive.org/web/20250105182012/http://www.cap-lore.com/CapTheory/ConfusedDeputy.html . Accessed 2026-05-10. Hardy 1988 framing; the ACL-vs-capability comparison and capability-system remedy.
National Computer Security Center. Final Evaluation Report: Digital Equipment Corporation VAX/VMS Version 4.3 . https://dn760002.eu.archive.org/0/items/DTIC_ADA208004/DTIC_ADA208004_djvu.txt . Accessed 2026-05-10. VAX/VMS Version 4.3 formal evaluation at TCSEC Class C2; UIC protection, ACLs, auditing, and kernel-mode security architecture.
G. Pascal Zachary. Showstopper!: The Breakneck Race to Create Windows NT . 1994. Cited for cultural / narrative context on Cutler and the NT team.
National Computer Security Center. Final Evaluation Report: Microsoft, Inc. Windows NT Workstation and Server Version 3.5 with U.S. Service Pack 3 . https://dn710806.ca.archive.org/0/items/NCSCFER95003/NCSC-FER-95-003_djvu.txt . Accessed 2026-05-10. Windows NT Workstation and Server Version 3.5 with U.S. Service Pack 3 formal evaluation against TCSEC C2 criteria.
Microsoft. Access Tokens . https://learn.microsoft.com/en-us/windows/win32/secauthz/access-tokens . Accessed 2026-05-10. Token contents; primary-vs-impersonation distinction; OpenProcessToken / DuplicateTokenEx / AdjustTokenPrivileges API surface.
Microsoft. Mandatory Integrity Control . https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control . Accessed 2026-05-10. MIC four-level lattice, SYSTEM_MANDATORY_LABEL_ACE in SACL, AppContainer Low-IL exception.
Microsoft. ACE Strings . https://learn.microsoft.com/en-us/windows/win32/secauthz/ace-strings . Accessed 2026-05-10. SDDL ACE type strings (XA, XD, XU, ZA conditional callbacks; ML mandatory label).
Microsoft. Order of ACEs in a DACL . https://learn.microsoft.com/en-us/windows/win32/secauthz/order-of-aces-in-a-dacl . Accessed 2026-05-10. The four-step preferred ACE order; caller responsibility note.
James Forshaw. Sharing a Logon Session a Little Too Much . 2020. https://www.tiraniddo.dev/2020/04/sharing-logon-session-little-too-much.html . Accessed 2026-05-10. LSASS token-cache primitive; "S-1-1-0 is NOT A SECURITY BOUNDARY" framing.
Microsoft. Security Identifiers . https://learn.microsoft.com/en-us/windows/win32/secauthz/security-identifiers . Accessed 2026-05-10. SID structure and uniqueness; SID API surface; well-known-SIDs cross-link.
Microsoft. Well-known SIDs . https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids . Accessed 2026-05-10. Mandatory integrity RID values (Low 0x1000, Medium 0x2000, High 0x3000, System 0x4000) used with the S-1-16 mandatory label authority.
James Forshaw. The Art of Becoming TrustedInstaller . 2017. https://www.tiraniddo.dev/2017/08/the-art-of-becoming-trustedinstaller.html . Accessed 2026-05-10. Service SIDs are the SHA-1 of the uppercased service name; RtlCreateServiceSid.
Microsoft. Restricted Tokens . https://learn.microsoft.com/en-us/windows/win32/secauthz/restricted-tokens . Accessed 2026-05-10. Two-pass access check; deny-only / restricting SIDs / privilege removal; desktop-isolation requirement.
Microsoft. Privileges . https://learn.microsoft.com/en-us/windows/win32/secauthz/privileges . Accessed 2026-05-10. Privilege-vs-right distinction; default-disabled rule; AdjustTokenPrivileges to enable.
SentinelLabs. Vulnerabilities in Avast and AVG Put Millions at Risk . 2022. https://www.sentinelone.com/labs/vulnerabilities-in-avast-and-avg-put-millions-at-risk/ . Accessed 2026-05-10. CVE-2022-26522 + CVE-2022-26523 in aswArPot.sys; reported December 2021; security-product driver as BYOVD precedent.
Microsoft. SYSTEM_MANDATORY_LABEL_ACE structure . https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-system_mandatory_label_ace . Accessed 2026-05-10. Mandatory-label ACE in the SACL; mask values SYSTEM_MANDATORY_LABEL_NO_WRITE_UP (0x1), NO_READ_UP (0x2), NO_EXECUTE_UP (0x4).
Microsoft. ACCESS_MASK . https://learn.microsoft.com/en-us/windows/win32/secauthz/access-mask . Accessed 2026-05-10. 32-bit ACCESS_MASK layout: specific bits 0-15, standard bits 16-23 (WRITE_DAC bit 18, WRITE_OWNER bit 19), ACCESS_SYSTEM_SECURITY bit 24, generic bits 28-31.
Microsoft. File Access Rights Constants . https://learn.microsoft.com/en-us/windows/win32/fileio/file-access-rights-constants . Accessed 2026-05-10. FILE_READ_DATA = 1, FILE_WRITE_DATA = 2, FILE_APPEND_DATA = 4 and the rest of the file-specific access mask constants.
Skywing (Ken Johnson). Getting Out of Jail: Escaping Internet Explorer Protected Mode . 2007. https://web.archive.org/web/20080926082628/http://uninformed.org/index.cgi?v=8&a=6 . Accessed 2026-05-10. Uninformed Volume 8 Article 6; first public reverse-engineering of MIC and the IE Protected Mode broker pattern.
Dean Hachamovitch, Microsoft Internet Explorer Team. Internet Explorer 7 for Windows XP Available Now . https://learn.microsoft.com/en-us/archive/blogs/ie/internet-explorer-7-for-windows-xp-available-now . Accessed 2026-05-10. IE7 for Windows XP final release on October 18, 2006; Vista release still pending.
Microsoft. How User Account Control Works . https://learn.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works . Accessed 2026-05-10. UAC split-token model; filtered Medium-IL token vs full High-IL token; explorer.exe as parent of all user processes.
Microsoft. The COM Elevation Moniker . https://learn.microsoft.com/en-us/windows/win32/com/the-com-elevation-moniker . Accessed 2026-05-10. COM elevation moniker syntax (Elevation:Administrator!new:{guid}, Elevation:Highest!new:{guid}); supported run levels Administrator and Highest; produces a High-IL admin caller, not SYSTEM.
Leo Davidson. Windows 7 UAC Whitelist: Code-Injection Issue, Anti-Competitive API, Security Theatre . 2009. https://www.pretentiousname.com/misc/win7_uac_whitelist2.html . Accessed 2026-05-10. The original 2009 sysprep / IFileOperation / cryptbase.dll UAC bypass writeup.
Matt Nelson (enigma0x3). Fileless UAC Bypass Using eventvwr.exe and Registry Hijacking . 2016. https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ . Accessed 2026-05-10. August 15, 2016; the canonical fileless-UAC-bypass template; mscfile HKCU registry redirect.
Mark Russinovich. Inside Windows Vista User Account Control . 2007. https://web.archive.org/web/20070715040322/http://technet.microsoft.com/en-us/magazine/cc138019.aspx . Accessed 2026-05-10. Mark Russinovich TechNet Magazine cover story (June 2007); canonical practitioner walkthrough of the split-token model.
itm4n (Clément Labro). CVE-2020-0668 — A Trivial Privilege Escalation Bug in Windows Service Tracing . 2020. https://itm4n.github.io/cve-2020-0668-windows-service-tracing-eop/ . Accessed 2026-05-10. Original disclosure of CVE-2020-0668; exploitation via mountpoint to \RPC Control plus two object-manager symbolic links.
James Forshaw / Google Project Zero. googleprojectzero/symboliclink-testing-tools . https://github.com/googleprojectzero/symboliclink-testing-tools . Accessed 2026-05-10. Forshaw symbolic-link / hardlink / mount-point / object-directory testing tools (CreateSymlink, CreateHardlink, CreateMountPoint, BaitAndSwitch).
James Forshaw. Between a Rock and a Hard Link . 2015. https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html . Accessed 2026-05-10. Forshaw December 2015 post on the NTFS hard-link primitive for sandbox escape and LPE; CVE-2015-4481 Mozilla Maintenance Service hard-link to update-log file; MS15-115 sandboxed-context mitigation aftermath.
seL4 Foundation. Frequently Asked Questions . https://sel4.systems/About/FAQ.html . Accessed 2026-05-10. seL4 formal-verification overview; capabilities as unforgeable, delegatable access-right tokens.
James Forshaw, Google Project Zero. googleprojectzero/sandbox-attacksurface-analysis-tools . https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools . Accessed 2026-05-10. NtObjectManager PowerShell module; the modern empirical-enumeration platform for the Windows access-control surface.
Clément Labro (itm4n). itm4n/PrintSpoofer . 2020. https://github.com/itm4n/PrintSpoofer . Accessed 2026-05-10. PrintSpoofer source; LOCAL/NETWORK SERVICE to SYSTEM via SeImpersonatePrivilege.
Microsoft. Dynamic Access Control: Scenario Overview . https://learn.microsoft.com/en-us/windows-server/identity/solution-guides/dynamic-access-control-overview . Accessed 2026-05-10. DAC architecture; user / device / resource claims; Central Access Rules and Policies; AD/Kerberos compound-ID dependency.
Microsoft. Dynamic Access Control: Scenario Overview . https://learn.microsoft.com/en-us/windows-server/identity/solution-guides/dynamic-access-control--scenario-overview . Accessed 2026-05-10. DAC scenarios: classification, central access policies, audit policies; Kerberos compound-ID claims dependency.
Microsoft Tech Community. Administrator Protection on Windows 11 . 2024. https://techcommunity.microsoft.com/blog/windows-itpro-blog/administrator-protection-on-windows-11/4303482 . Accessed 2026-05-10. Modified November 19, 2024; the Administrator Protection feature announcement; just-in-time admin privileges via Windows Hello.
Pluton: A TPM On Silicon Microsoft Can Patch . 2026. https://paragmali.com/blog/pluton-a-tpm-on-silicon-microsoft-can-patch/ . Accessed 2026-05-10. Sibling article on Pluton-rooted attestation; the in-die security processor.
bugch3ck. bugch3ck/SharpEfsPotato . 2021. https://github.com/bugch3ck/SharpEfsPotato . Accessed 2026-05-10. SharpEfsPotato; built atop SweetPotato (EthicalChaos) and SharpEfsTrigger (cube0x0). Replaces the original scope file pointer to ly4k/SharpEfsPotato (HTTP 404).
NIST National Vulnerability Database. CVE-2021-36942 (PetitPotam) . 2021. https://nvd.nist.gov/vuln/detail/CVE-2021-36942 . Accessed 2026-05-10. PetitPotam advisory; KB5005413; CISA KEV.
NIST National Vulnerability Database. CVE-2021-34527 (PrintNightmare) . 2021. https://nvd.nist.gov/vuln/detail/CVE-2021-34527 . Accessed 2026-05-10. Print Spooler RCE adjacent to PrintSpoofer; CISA KEV; KB5005010.
Andrea Pierini (decoder_it). No more JuicyPotato? Old story, welcome RoguePotato . 2020. https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/ . Accessed 2026-05-10. Rogue Potato disclosure narrative; identification of the Windows 10 1809 / Server 2019 loopback-OXID mitigation.
Antonio Cocomazzi, Andrea Pierini. antonioCoco/RemotePotato0 . 2021. https://github.com/antonioCoco/RemotePotato0 . Accessed 2026-05-10. RemotePotato0 (2021); cross-session DCOM activation; cross-protocol RPC-to-LDAP relay; partial fix October 2022.
Microsoft Learn — How User Account Control works — 2026. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/how-it-works
Mark Russinovich — Security: Inside Windows Vista User Account Control — 2007. https://learn.microsoft.com/en-us/previous-versions/technet-magazine/cc138019(v=msdn.10)
Mark Russinovich — PsExec, User Account Control and Security Boundaries — 2007. https://web.archive.org/web/20110518125531/http://blogs.technet.com/b/markrussinovich/archive/2007/02/12/638372.aspx
Aaron Margosis — Aaron Margosis's Non-Admin and App-Compat WebLog (Archive) — 2026. https://learn.microsoft.com/en-us/archive/blogs/aaron_margosis/
Chris Paget — Exploiting design flaws in the Win32 API for privilege escalation (Shatter Attacks) — 2002. https://www.helpnetsecurity.com/2002/08/08/exploiting-design-flaws-in-the-win32-api-for-privilege-escalation-shatter-attacks-how-to-break-windows/
Microsoft News Center — Microsoft Launches Windows Vista and Microsoft Office 2007 to Consumers Worldwide — 2007. https://news.microsoft.com/source/2007/01/29/microsoft-launches-windows-vista-and-microsoft-office-2007-to-consumers-worldwide/
Pavel Yosifovich, Alex Ionescu, Mark E. Russinovich, David A. Solomon — Windows Internals, 7th Edition, Part 1 — 2017
D. Elliott Bell and Leonard J. LaPadula — Secure Computer Systems: Mathematical Foundations — 1973. https://archive.org/details/DTIC_AD0770768
Kenneth J. Biba — Integrity Considerations for Secure Computer Systems — 1977. https://archive.org/details/DTIC_ADA039324
Microsoft Learn — CreateRestrictedToken function — 2024. https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-createrestrictedtoken
Microsoft Learn — Software Restriction Policies (Windows Server 2003) — 2003. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc779607(v=ws.10)
Microsoft Learn — Winsafer.h header reference — 2024. https://learn.microsoft.com/en-us/windows/win32/api/winsafer/
James Forshaw — Reading Your Way Around UAC (Part 1) — 2017. https://tyranidslair.blogspot.com/2017/05/reading-your-way-around-uac-part-1.html
Microsoft Learn — SendMessage function (winuser.h) — 2024. https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-sendmessage
Microsoft Learn — PostMessageA function (winuser.h) — 2025. https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-postmessagea
Microsoft Learn — SendInput function (winuser.h) — 2025. https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-sendinput
Microsoft Learn — GetWindowTextA function (winuser.h) — 2025. https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getwindowtexta
Microsoft Learn — ChangeWindowMessageFilterEx function — 2024. https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-changewindowmessagefilterex
Microsoft Learn — Security Considerations for Assistive Technologies — 2026. https://learn.microsoft.com/en-us/windows/win32/winauto/uiauto-securityoverview
James Forshaw — Bypassing Administrator Protection by Abusing UI Access — 2026. https://projectzero.google/2026/02/windows-administrator-protection.html
Microsoft Learn — TOKEN_ELEVATION_TYPE enumeration — 2024. https://learn.microsoft.com/en-us/windows/win32/api/winnt/ne-winnt-token_elevation_type
Microsoft Learn — ShellExecuteExA function — 2024. https://learn.microsoft.com/en-us/windows/win32/api/shellapi/nf-shellapi-shellexecuteexa
Leo Davidson — Windows 7 UAC whitelist: Code injection issue (and more) — 2009. https://pretentiousname.com/misc/win7_uac_whitelist2.html
Microsoft Learn — IFileOperation interface — 2024. https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-ifileoperation
Microsoft Learn — Application Manifests — 2025. https://learn.microsoft.com/en-us/windows/win32/sbscs/application-manifests
MITRE ATT&CK — Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002) — 2026. https://attack.mitre.org/techniques/T1548/002/
Matt Nelson — Bypassing UAC Using App Paths — 2017. https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
Matt Nelson — Fileless' UAC Bypass Using sdclt.exe — 2017. https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
The Register — Windows 7 UAC flaw silently elevates malware access — 2009. https://www.theregister.com/software/2009/02/04/windows-7-uac-flaw-silently-elevates-malware-access/790560
Dorothy E. Denning — A lattice model of secure information flow — 1976. https://doi.org/10.1145/360051.360056
Chromium Project — Sandbox - Chromium Design Documents — 2025. https://chromium.googlesource.com/chromium/src/+/main/docs/design/sandbox.md
Michael A. Harrison, Walter L. Ruzzo, Jeffrey D. Ullman — Protection in Operating Systems — 1976. https://doi.org/10.1145/360303.360333
Microsoft Windows Developer Blog — Enhance your application security with Administrator protection — 2025. https://blogs.windows.com/windowsdeveloper/2025/05/19/enhance-your-application-security-with-administrator-protection/
The Register — Google researcher sits on UAC bypass for ages, only for it to become valid with new security feature — 2026. https://www.theregister.com/security/2026/01/28/old-windows-quirks-help-punch-through-new-admin-defenses/4440743
Impersonate a client after authentication - Windows security policy setting . https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication
LocalService Account . https://learn.microsoft.com/en-us/windows/win32/services/localservice-account
NetworkService Account . https://learn.microsoft.com/en-us/windows/win32/services/networkservice-account
Privilege Constants (Win32 SecAuthZ) . https://learn.microsoft.com/en-us/windows/win32/secauthz/privilege-constants
Token Kidnapping (MSRC blog, April 14, 2009) (2009). https://www.microsoft.com/en-us/msrc/blog/2009/04/token-kidnapping/
Cesar Cerrudo — Token Kidnapping (2008). https://dl.packetstormsecurity.net/papers/presentations/TokenKidnapping.pdf — HITB Dubai 2008 disclosure of service-account-to-SYSTEM via SeImpersonatePrivilege + leaked handles.
Stephen Breen — Hot Potato (2016). https://www.foxglovesecurity.com/2016/01/16/hot-potato/
Norm Hardy — The Confused Deputy (or why capabilities might have been invented) (1988). http://cap-lore.com/CapTheory/ConfusedDeputy.html — Tymshare FORTRAN compiler / (SYSX)BILL anecdote; structural argument for capabilities.
Butler Lampson — Protection (1971). http://bwlampson.site/08-Protection/WebPage.html — Access-matrix model; the formal substrate Windows tokens instantiate.
Timeline of computer viruses and worms . https://en.wikipedia.org/wiki/Timeline_of_computer_viruses_and_worms
Microsoft. Microsoft Security Bulletin MS03-026 - Critical . https://learn.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-026
ImpersonateLoggedOnUser function (securitybaseapi.h) . https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-impersonateloggedonuser
SetThreadToken function (processthreadsapi.h) . https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-setthreadtoken
DuplicateTokenEx function (securitybaseapi.h) . https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetokenex
CreateProcessWithTokenW function (winbase.h) . https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw
ImpersonateNamedPipeClient function (namedpipeapi.h) . https://learn.microsoft.com/en-us/windows/win32/api/namedpipeapi/nf-namedpipeapi-impersonatenamedpipeclient
James Forshaw — Windows Exploitation Tricks: Relaying DCOM Authentication (2021). https://googleprojectzero.blogspot.com/2021/10/windows-exploitation-tricks-relaying.html
Microsoft. CreateProcessAsUserW function (processthreadsapi.h) . https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessasuserw
Cesar Cerrudo — Token Kidnapping's Revenge (2010). https://defcon.org/images/defcon-18/dc-18-presentations/Cerrudo/DEFCON-18-Cerrudo-Token-Kidnapping-Revenge.pdf
Cesar Cerrudo — Chimichurri.zip (Argeniss PoC for MS09-012; Wayback Machine snapshot) (2009). https://web.archive.org/web/20120108215145/http://www.argeniss.com/research/Chimichurri.zip
James Forshaw — Empirically Assessing Windows Service Hardening (2020). https://www.tiraniddo.dev/2020/01/empirically-assessing-windows-service.html
CVE-2015-2370 (DCOM activation; Forshaw Issue 325) . https://nvd.nist.gov/vuln/detail/CVE-2015-2370
CoercedPotato . https://github.com/Prepouce/CoercedPotato
BeichenDream — GodPotato (2022). https://github.com/BeichenDream/GodPotato
CVE-2021-26414 (DCOM three-phase hardening) . https://nvd.nist.gov/vuln/detail/CVE-2021-26414
Antonio Cocomazzi, Andrea Pierini — LocalPotato: When Swapping the Context Leads You to SYSTEM (2023). https://decoder.cloud/2023/02/13/localpotato-when-swapping-the-context-leads-you-to-system/
CVE-2023-21746 (LocalPotato fix) . https://nvd.nist.gov/vuln/detail/CVE-2023-21746
Andrea Pierini — Hello, I'm your Domain Admin and I want to authenticate against you (SilverPotato) (2024). https://decoder.cloud/2024/04/24/hello-im-your-domain-admin-and-i-want-to-authenticate-against-you/
CVE-2024-38061 (SilverPotato / DCOM permissions, July 2024 Patch Tuesday) . https://nvd.nist.gov/vuln/detail/CVE-2024-38061
CVE-2024-38100 (FakePotato / ShellWindows AppID activation) . https://nvd.nist.gov/vuln/detail/CVE-2024-38100
Andrea Pierini — The Fake Potato (2024). https://decoder.cloud/2024/08/02/the-fake-potato/
Andrea Pierini, Antonio Cocomazzi — 10 Years of Windows Privilege Escalation with Potatoes (2024). https://www.troopers.de/troopers24/talks/cyzbj3/
Service Security and Access Rights . https://learn.microsoft.com/en-us/windows/win32/services/service-security-and-access-rights
Antonio Cocomazzi — JuicyPotatoNG . https://github.com/antonioCoco/JuicyPotatoNG
Clement Labro — PrivescCheck . https://github.com/itm4n/PrivescCheck
Elastic. Privilege Escalation via Rogue Named Pipe Impersonation detection rule (commit 66f03fba0a6f8645b8b2a53f72ebe40b9a04c2b8) . https://raw.githubusercontent.com/elastic/detection-rules/66f03fba0a6f8645b8b2a53f72ebe40b9a04c2b8/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
SigmaHQ. HackTool - LocalPotato Execution detection rule (commit 36957d791d00bda02d332f44b684d5f65c187c56) . https://raw.githubusercontent.com/SigmaHQ/sigma/36957d791d00bda02d332f44b684d5f65c187c56/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml
SigmaHQ LocalPotato detection rule . https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml
Elastic detection rule: Privilege Escalation via Rogue Named Pipe . https://raw.githubusercontent.com/elastic/detection-rules/main/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
RET - Intel x86/x64 Instruction Reference . https://www.felixcloutier.com/x86/ret
Adam Chester — Hiding your.NET - ETW , 2020. https://blog.xpnsec.com/hiding-your-dotnet-etw/
Event Tracing for Windows: Threat Intelligence Rust Consumer , fluxsec.red. https://fluxsec.red/event-tracing-for-windows-threat-intelligence-rust-consumer
Insung Park, Ricky Buch — Event Tracing: Improve Debugging And Performance Tuning With ETW , MSDN Magazine, 2007. https://learn.microsoft.com/en-us/archive/msdn-magazine/2007/april/event-tracing-improve-debugging-and-performance-tuning-with-etw
EVENT_TRACE_PROPERTIES structure , Microsoft Learn. https://learn.microsoft.com/en-us/windows/win32/api/evntrace/ns-evntrace-event_trace_properties
Event Tracing for Windows (ETW) , Microsoft Learn (Windows Driver Kit). https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/event-tracing-for-windows--etw
Event Tracing Sessions , Microsoft Learn. https://learn.microsoft.com/en-us/windows/win32/etw/event-tracing-sessions
Configuring and Starting an Event Tracing Session , Microsoft Learn. https://learn.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-event-tracing-session
NT Kernel Logger Constants , Microsoft Learn. https://learn.microsoft.com/en-us/windows/win32/etw/nt-kernel-logger-constants
Configuring and Starting a SystemTraceProvider Session , Microsoft Learn. https://learn.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-a-systemtraceprovider-session
Ruben Boonen — SilkETW: Because Free Telemetry is # FreeTelemetry , 2019. https://www.fireeye.com/blog/threat-research/2019/03/silketw-because-free-telemetry-is-free.html
EventRegister function , Microsoft Learn. https://learn.microsoft.com/en-us/windows/win32/api/evntprov/nf-evntprov-eventregister
About Event Tracing , Microsoft Learn. https://learn.microsoft.com/en-us/windows/win32/etw/about-event-tracing
EnableTraceEx2 function , Microsoft Learn. https://learn.microsoft.com/en-us/windows/win32/api/evntrace/nf-evntrace-enabletraceex2
WPP Software Tracing , Microsoft Learn. https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/wpp-software-tracing
pathtofile — Sealighter: ETW and WPP-based Threat Hunting Tool , GitHub. https://github.com/pathtofile/Sealighter
About TraceLogging , Microsoft Learn. https://learn.microsoft.com/en-us/windows/win32/tracelogging/trace-logging-about
TraceLogging , Microsoft Learn. https://learn.microsoft.com/en-us/windows/win32/tracelogging/trace-logging-portal
Matt Graeber — Tampering with Windows Event Tracing: Background, Offense, and Defense , 2018. https://web.archive.org/web/2023/https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
krabsetw - Microsoft , GitHub. https://github.com/microsoft/krabsetw
PerfView TraceEvent source (Microsoft.Diagnostics.Tracing.TraceEvent) , GitHub / microsoft/perfview. https://github.com/microsoft/perfview/tree/main/src/TraceEvent
Event Tracing , Microsoft Learn. https://learn.microsoft.com/en-us/windows/win32/etw/event-tracing-portal
Ruben Boonen (FuzzySec) — SilkETW & SilkService - Mandiant , GitHub. https://github.com/mandiant/SilkETW
Windows 10 ETW Events , GitHub. https://github.com/jdu2600/Windows10EtwEvents
ETW Providers Documentation , GitHub. https://github.com/repnz/etw-providers-docs
Microsoft — 4688 (process create with command line) , 2026. https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688
4624(S): An account was successfully logged on , Microsoft Learn. https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
about_Logging_Windows (Windows PowerShell 5.1) , Microsoft Learn. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-5.1
Doubling Down: Detecting In-Memory Threats with Kernel ETW Call Stacks , Elastic Security Labs. https://www.elastic.co/security-labs/doubling-down-etw-callstacks
Yarden Shafir — ETW internals for security research and forensics , 2023. https://blog.trailofbits.com/2023/11/22/etw-internals-for-security-research-and-forensics/
Advanced security audit policy settings , Microsoft Learn. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/advanced-security-audit-policy-settings
PsSetCreateProcessNotifyRoutineEx , Microsoft Learn. https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-pssetcreateprocessnotifyroutineex
PsSetCreateThreadNotifyRoutine , Microsoft Learn. https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-pssetcreatethreadnotifyroutine
David Weston — Helping our customers through the CrowdStrike outage , Microsoft Blog, 2024. https://blogs.microsoft.com/blog/2024/07/20/helping-our-customers-through-the-crowdstrike-outage/
Falcon Update for Windows Hosts -- Technical Details , CrowdStrike Blog, 2024. https://www.crowdstrike.com/blog/falcon-update-for-windows-hosts-technical-details/
Matt Graeber — Palantir ExploitGuard , GitHub. https://github.com/palantir/exploitguard
ETW Patching in Rust , fluxsec.red. https://fluxsec.red/etw-patching-rust
Design issues of modern EDRs: bypassing ETW-based solutions , Binarly, 2021. https://www.binarly.io/posts/Design_issues_of_modern_EDRs_bypassing_ETW-based_solutions/index.html
Defender , 2026. https://paragmali.com/blog/the-defenders-dilemma-microsoft-antivirus/
credential dump , 2026. https://paragmali.com/blog/the-empty-hash-credential-guard-the-lsaiso-trustlet-and-the-/
Early Launch Antimalware , 2026. https://paragmali.com/blog/secure-boot-in-windows-the-chain-from-sector-zero-to-userini/
BYOVD , 2026. https://paragmali.com/blog/wdac--hvci-code-integrity-at-every-layer-in-windows/
John Kindervag — No More Chewy Centers: Introducing the Zero Trust Model of Information Security (2010). https://media.paloaltonetworks.com/documents/Forrester-No-More-Chewy-Centers.pdf
Rory Ward, Betsy Beyer — BeyondCorp: A New Approach to Enterprise Security (2014). https://www.usenix.org/publications/login/dec14/ward
Scott Rose, Oliver Borchert, Stu Mitchell, Sean Connelly — NIST Special Publication 800-207: Zero Trust Architecture (2020). https://csrc.nist.gov/pubs/sp/800/207/final
Microsoft Learn — Zero Trust security model overview (2024). https://learn.microsoft.com/en-us/security/zero-trust/zero-trust-overview
Microsoft Learn — What is Conditional Access in Microsoft Entra ID? (2024). https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
Microsoft Learn — Troubleshoot devices by using the dsregcmd command (2024). https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-device-dsregcmd
Microsoft Graph — deviceDetail resource type (2024). https://learn.microsoft.com/en-us/graph/api/resources/devicedetail?view=graph-rest-1.0
Mandiant Threat Intelligence — Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor (2020). https://www.mandiant.com/resources/blog/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor
SolarWinds Corp. — Form 8-K Filings (2020). https://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=0001739942&type=8-K
U.S. Senate Select Committee on Intelligence — Open Hearing on the Hack of U.S. Networks by a Foreign Adversary (2021). https://www.intelligence.senate.gov/hearings/open-hearing-hearing-hack-us-networks-foreign-adversary
Ken Thompson — Reflections on Trusting Trust (1984). https://dl.acm.org/doi/10.1145/358198.358210
Ken Thompson — Reflections on Trusting Trust (reading copy) (1984). https://nakamotoinstitute.org/library/reflections-on-trusting-trust/
Microsoft Learn — Manage Credential Guard (2024). https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage
SpecterOps — BloodHound Documentation (2024). https://bloodhound.specterops.io/
Microsoft Threat Intelligence — Microsoft Digital Defense Report 2021 (2021). https://www.microsoft.com/en-us/security/security-insider/threat-landscape/microsoft-digital-defense-report-2021
Kim Lewandowski, Mark Lodder — Introducing SLSA, an End-to-End Framework for Supply Chain Integrity (2021). https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html
SLSA Specification v1.0: Levels (2023). https://slsa.dev/spec/v1.0/levels
CycloneDX Bill of Materials Standard (2024). https://cyclonedx.org/
SPDX (System Package Data Exchange) (2024). https://spdx.dev/
in-toto: Software Supply Chain Integrity Framework (2024). https://in-toto.io/
The White House — Executive Order 14028 on Improving the Nation's Cybersecurity (2021). https://bidenwhitehouse.archives.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
CISA, FBI — Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack (2021). https://www.ic3.gov/CSA/2021/210706.pdf
CISA, FBI, NSA, USSS — Conti Ransomware (Joint Cybersecurity Advisory AA21-265A, archived snapshot) (2022). https://web.archive.org/web/2022/https://www.cisa.gov/uscert/ncas/alerts/aa21-265a
CISA — FBI Releases IOCs Associated with BlackCat/ALPHV Ransomware (2022). https://www.cisa.gov/news-events/alerts/2022/04/22/fbi-releases-iocs-associated-blackcatalphv-ransomware
CISA, FBI, NSA, ACSC, NCSC-UK — 2021 Trends Show Increased Globalized Threat of Ransomware (Joint Cybersecurity Advisory AA22-040A) (2022). https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-040a
Microsoft — Microsoft Digital Defense Report 2022 (2022). https://www.microsoft.com/en-us/security/business/microsoft-digital-defense-report-2022
Kevin Mandia — Unauthorized Access of FireEye Red Team Tools (2020). https://www.mandiant.com/resources/blog/unauthorized-access-of-fireeye-red-team-tools
CISA — Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise (2020). https://www.cisa.gov/news-events/directives/ed-21-01-mitigate-solarwinds-orion-code-compromise
Sudhakar Ramakrishna — New Findings from Our Investigation of SUNBURST (2021). https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst
Symantec Threat Hunter Team, Broadcom — Raindrop: New Malware Discovered in SolarWinds Investigation (2021). https://www.security.com/threat-intelligence/solarwinds-raindrop-malware
CrowdStrike Intelligence Team — SUNSPOT: An Implant in the Build Process (2021). https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
Shaked Reiner — Golden SAML: Newly Discovered Attack Technique Forges Authentication to Cloud Apps (2017). https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps
CyberArk — shimit -- Golden SAML proof-of-concept tool (2017). https://github.com/cyberark/shimit
The White House — Fact Sheet: Imposing Costs for Harmful Foreign Activities by the Russian Government (2021). https://bidenwhitehouse.archives.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/
Mandiant — UNC2452 Merged into APT29 (2022). https://cloud.google.com/blog/topics/threat-intelligence/unc2452-merged-into-apt29
John Lambert, Microsoft Threat Intelligence — Microsoft shifts to a new threat actor naming taxonomy (2023). https://www.microsoft.com/en-us/security/blog/2023/04/18/microsoft-shifts-to-a-new-threat-actor-naming-taxonomy/
FireEye Mandiant SunBurst Countermeasures (2020). https://github.com/mandiant/sunburst_countermeasures
CISA — AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments (2021). https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-008a
Steven Adair, Thomas Lancaster, Josh Grunzweig, Matthew Meltzer, Sean Koessel — Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities (2021). https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
Cheng-Da Tsai — ProxyLogon: A New Attack Surface on MS Exchange - Part 1 (2021). https://blog.orange.tw/posts/2021-08-proxylogon-a-new-attack-surface-on-ms-exchange-part-1/
Microsoft Threat Intelligence Center — HAFNIUM targeting Exchange Servers with 0-day exploits (2021). https://www.microsoft.com/en-us/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
NVD - CVE-2021-26855 (2021). https://nvd.nist.gov/vuln/detail/CVE-2021-26855
Tenable Research — CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065: Four Microsoft Exchange Server Zero-Day Vulnerabilities (2021). https://www.tenable.com/blog/cve-2021-26855-cve-2021-26857-cve-2021-26858-cve-2021-27065-four-microsoft-exchange-server-zero-day-vulnerabilities
Brian Krebs — At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft's Email Software (2021). https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/
William Turton, Kartikay Mehrotra — Hackers Breach Thousands of Microsoft Customers Around the World (2021). https://web.archive.org/web/20210307165519/https://www.bloomberg.com/news/articles/2021-03-07/hackers-breach-thousands-of-microsoft-customers-around-the-world
Matthieu Faou, Mathieu Tartare, Thomas Dupuy — Exchange servers under siege from at least 10 APT groups (2021). https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
U.S. Department of Justice — Justice Department Announces Court-Authorized Effort to Disrupt Exploitation of Microsoft Exchange Server Vulnerabilities (2021). https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-effort-disrupt-exploitation-microsoft-exchange
Hunton Andrews Kurth — Court Authorizes FBI to Remove Web Shells from Compromised Microsoft Exchange Servers (2021). https://www.hunton.com/privacy-and-cybersecurity-law-blog/court-authorizes-fbi-to-remove-web-shells-from-compromised-microsoft-exchange-servers
Microsoft Security Response Center — CVE-2021-1675 Update Guide (2021). https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
cube0x0/CVE-2021-1675 (PrintNightmare PoC) (2021). https://github.com/cube0x0/CVE-2021-1675
Will Dormann — VU#383432: Microsoft Windows Print Spooler allows for RCE via AddPrinterDriverEx() (2021). https://kb.cert.org/vuls/id/383432
Microsoft Security Response Center — CVE-2021-34527 Update Guide (2021). https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
CISA — Emergency Directive 21-04: Mitigate Windows Print Spooler Service Vulnerability (2021). https://www.cisa.gov/news-events/directives/ed-21-04-mitigate-windows-print-spooler-service-vulnerability
Microsoft — KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates (2021). https://support.microsoft.com/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7
GitHub — About forks (2024). https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/about-forks
Alex Ionescu, Yarden Shafir — PrintDemon: Print Spooler Privilege Escalation, Persistence & Stealth (CVE-2020-1048) (2020). https://windows-internals.com/printdemon-cve-2020-1048/
Sean Lyngaas — Old vulnerabilities die hard: researchers uncover 20-year-old code in Windows print spooler (2020). https://cyberscoop.com/windows-print-spooler-safebreach-black-hat/
Apache Software Foundation — Apache Log4j Security Vulnerabilities (2021). https://logging.apache.org/log4j/2.x/security.html
Free Wortley, Chris Thompson, Forrest Allison — Log4Shell: RCE 0-day exploit found in log4j (2021). https://github.com/lunasec-io/lunasec/blob/master/docs/blog/2021-12-09-log4j-zero-day.mdx
NVD - CVE-2021-44228 (2021). https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Jen Easterly — Statement from CISA Director Easterly on Log4j Vulnerability (2021). https://www.cisa.gov/news-events/news/statement-cisa-director-easterly-log4j-vulnerability
Tim Starks — CISA chief: Log4j among the most serious flaws in her career (2021). https://cyberscoop.com/log4j-cisa-easterly-most-serious/
Microsoft Threat Intelligence — Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation (2021). https://www.microsoft.com/en-us/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/
CISA — AA21-356A: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities (2021). https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-356a
Barclay Osborn, Justin McWilliams, Betsy Beyer, Max Saltonstall — BeyondCorp: Design to Deployment at Google (2016). https://www.usenix.org/publications/login/spring2016/osborn
Luca Cittadini, Batz Spear, Betsy Beyer, Max Saltonstall — BeyondCorp Part III: The Access Proxy (2016). https://www.usenix.org/publications/login/winter2016/cittadini
Jeff Peck, Betsy Beyer, Colin Beske, Max Saltonstall — Migrating to BeyondCorp: Maintaining Productivity While Improving Security (2017). https://www.usenix.org/publications/login/summer2017/peck
Victor Escobedo, Betsy Beyer, Max Saltonstall, Filip Żyźniewski — BeyondCorp: The User Experience (2017). https://www.usenix.org/publications/login/fall2017/escobedo
Microsoft — Update release cycle for Windows clients (2024). https://learn.microsoft.com/en-us/windows/deployment/update/release-cycle
ISC2 — 15 Years of Zero Trust (2025). https://www.isc2.org/Insights/2025/10/15-Years-of-Zero-Trust
John Kindervag — No More Chewy Centers: Reflecting on 15 Years of Zero Trust (2025). https://hub.illumio.com/briefs/no-more-chewy-centers-reflecting-on-15-years-of-zero-trust
Office of Management and Budget — M-22-09: Moving the U.S. Government Toward Zero Trust Cybersecurity Principles (2022). https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf
Lenovo — ThinkPad Z Series Ushers in a New Look and Recycled Materials for the Iconic Brand (2022). https://web.archive.org/web/2022/https://news.lenovo.com/pressroom/press-releases/thinkpad-z-series-new-look-recycled-materials
David Weston — CES 2022: Chip to cloud security: Pluton-powered Windows 11 PCs are coming (2022). https://blogs.windows.com/windowsexperience/2022/01/04/ces-2022-chip-to-cloud-security-pluton-powered-windows-11-pcs-are-coming/
Microsoft — Windows 11 specifications (2021). https://www.microsoft.com/en-us/windows/windows-11-specifications
OpenID Foundation — OpenID Continuous Access Evaluation Profile (CAEP) (2024). https://openid.net/specs/openid-caep-specification-1_0-01.html
Vasu Jakkal — Secure access for a connected world--meet Microsoft Entra (2022). https://www.microsoft.com/en-us/security/blog/2022/05/31/secure-access-for-a-connected-worldmeet-microsoft-entra/
Microsoft — Azure AD is Becoming Microsoft Entra ID (2023). https://techcommunity.microsoft.com/blog/microsoft-entra-blog/azure-ad-is-becoming-microsoft-entra-id/2520436
Microsoft Learn — Microsoft Entra ID Protection risk detections (2024). https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks
Microsoft Graph — signIn resource type (2024). https://learn.microsoft.com/en-us/graph/api/resources/signin?view=graph-rest-1.0
Microsoft Graph — appliedConditionalAccessPolicy resource type (2024). https://learn.microsoft.com/en-us/graph/api/resources/appliedconditionalaccesspolicy?view=graph-rest-1.0
Microsoft Learn — Windows 11 Security Book -- Advanced credential protection (LSA Protection) (2024). https://learn.microsoft.com/en-us/windows/security/book/identity-protection-advanced-credential-protection
Microsoft Learn — Microsoft recommended driver block rules (2024). https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
Microsoft Learn — Get behavioral analytics and anomaly detection in Defender for Cloud Apps (2024). https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
Microsoft 365 Defender Team — Web shell attacks continue to rise (2021). https://www.microsoft.com/en-us/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/
Microsoft Learn — Zero Trust deployment guide (2024). https://learn.microsoft.com/en-us/security/zero-trust/
Microsoft Inside Track — Implementing a Zero Trust security model at Microsoft (2024). https://www.microsoft.com/insidetrack/blog/implementing-a-zero-trust-security-model-at-microsoft/
Okta — Okta Customer Stories (2024). https://www.okta.com/customers/
CISA — Zero Trust Maturity Model Version 2.0 (2023). https://www.cisa.gov/sites/default/files/2023-04/CISA_Zero_Trust_Maturity_Model_Version_2_508c.pdf
U.S. Department of Homeland Security — CISA Zero Trust Architecture Implementation (2025). https://www.dhs.gov/sites/default/files/2025-04/2025_0129_cisa_zero_trust_architecture_implementation.pdf
U.S. Government Accountability Office — Cybersecurity: Implementation of Executive Order Requirements Is Essential to Address Key Actions (2024). https://www.gao.gov/products/gao-24-106343
U.S. Securities and Exchange Commission Office of Inspector General — Final Management Letter: Readiness Review -- The SEC's Progress Toward Implementing Zero Trust Cybersecurity Principles (2023). https://www.sec.gov/files/fnl-mgmt-ltr-readiness-rvw-secs-prog-twd-implmntng-zero-trust-cyber-prncpls.pdf
Microsoft Security Response Center — Microsoft Internal Solorigate Investigation - Final Update (2021). https://www.microsoft.com/en-us/msrc/blog/2021/02/microsoft-internal-solorigate-investigation-final-update/
Fred Cohen — Computer Viruses: Theory and Experiments (1984). https://all.net/books/virus/index.html
Microsoft Security Response Center — Results of Major Technical Investigations for Storm-0558 Key Acquisition (2023). https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/
Mandiant Consulting — 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise (2023). https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise
CISA, FBI — #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (2023). https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a
UnitedHealth Group — Form 8-K: Material Cybersecurity Incident (Change Healthcare) (2024). https://www.sec.gov/Archives/edgar/data/731766/000073176624000045/unh-20240221.htm
Christian Vasquez, CyberScoop — U.S. car dealers are feeling the pain of CDK cyberattack (2024). https://www.cyberscoop.com/cdk-ransomware-car-dealers/
OpenSSF SLSA Project — SLSA v1.0 Specification: Producing Artifacts Requirements (2023). https://slsa.dev/spec/v1.0/requirements
GitHub — About security hardening with OpenID Connect (2024). https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect
Zachary Newman, John Speed Meyers, Santiago Torres-Arias — Sigstore: Software Signing for Everybody (2022). https://dl.acm.org/doi/10.1145/3548606.3560596
Sigstore Project — Cosign: Signing Overview (2024). https://docs.sigstore.dev/cosign/signing/overview/
Sigstore Project — Rekor: Logging Overview (2024). https://docs.sigstore.dev/logging/overview/
OpenSSF SLSA Project — slsa-framework/slsa-github-generator (2024). https://github.com/slsa-framework/slsa-github-generator
Anchore — anchore/syft (2024). https://github.com/anchore/syft
Aqua Security — aquasecurity/trivy (2024). https://github.com/aquasecurity/trivy
Merill Fernando, Thomas Naunheim — maester365/maester (2024). https://github.com/maester365/maester
Maester Project — Maester: Test Automation for Microsoft 365 Security (2024). https://maester.dev/
Maester Project — Conditional Access What-If Tests (2024). https://maester.dev/docs/ca-what-if/
Joosua Santasalo — jsa2/caOptics: Azure AD Conditional Access Gap Analyzer (2024). https://github.com/jsa2/caOptics
SpecterOps — SpecterOps/AzureHound: BloodHound data collector for Microsoft Azure (2024). https://github.com/SpecterOps/AzureHound
SpecterOps — BloodHound CE: AzureHound CE Collection Documentation (2024). https://bloodhound.specterops.io/collect-data/ce-collection/azurehound
RFC 6749: The OAuth 2.0 Authorization Framework. https://datatracker.ietf.org/doc/html/rfc6749
How to use Continuous Access Evaluation enabled APIs in your applications. https://learn.microsoft.com/en-us/entra/identity-platform/app-resilience-continuous-access-evaluation
Three Shared Signals Final Specifications Approved. https://openid.net/three-shared-signals-final-specifications-approved/
Microsoft Entra expands into security service edge and Azure AD becomes Microsoft Entra ID. https://www.microsoft.com/en-us/security/blog/2023/07/11/microsoft-entra-expands-into-security-service-edge-and-azure-ad-becomes-microsoft-entra-id/
BeyondCorp: A New Approach to Enterprise Security. https://www.usenix.org/system/files/login/articles/login_dec14_02_ward.pdf
Re-thinking federated identity with the Continuous Access Evaluation Protocol. https://cloud.google.com/blog/products/identity-security/re-thinking-federated-identity-with-the-continuous-access-evaluation-protocol
Securing Cloud Access with Continuous Access Evaluation Protocol. https://www.idsalliance.org/blog/securing-cloud-access-with-continuous-access-evaluation-protocol/
RFC 7009: OAuth 2.0 Token Revocation. https://datatracker.ietf.org/doc/html/rfc7009
RFC 7662: OAuth 2.0 Token Introspection. https://datatracker.ietf.org/doc/html/rfc7662
Moving towards real time policy and security enforcement. https://techcommunity.microsoft.com/blog/microsoft-entra-blog/moving-towards-real-time-policy-and-security-enforcement/1276933
Moving towards real time policy and security enforcement (Japanese translation). https://github.com/jpazureid/blog-1/blob/main/articles/azure-active-directory/moving-towards-real-time-policy-and-security-enforcement.md
Continuous Access Evaluation in Azure AD is now in public preview. https://techcommunity.microsoft.com/blog/microsoft-entra-blog/continuous-access-evaluation-in-azure-ad-is-now-in-public-preview/1751704
Continuous Access Evaluation in Azure AD is now generally available. https://thewindowsupdate.com/2022/01/10/continuous-access-evaluation-in-azure-ad-is-now-generally-available/
RFC 8417: Security Event Token (SET). https://datatracker.ietf.org/doc/html/rfc8417
RFC 8935: Push-Based Security Event Token (SET) Delivery Using HTTP. https://datatracker.ietf.org/doc/html/rfc8935
Strictly enforce location policies using continuous access evaluation. https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-continuous-access-evaluation-strict-enforcement
OpenID Shared Signals Framework 1.0 (Final). https://openid.net/specs/openid-sharedsignals-framework-1_0-final.html
OpenID Continuous Access Evaluation Profile 1.0. https://openid.net/specs/openid-caep-1_0-final.html
Shared Signals Interop Event at Authenticate 2025 - Call for Participation. https://openid.net/shared-signals-interop-event-at-authenticate-2025-call-for-participation/
SGNL Demonstrates Standards-Based Interoperability with Okta, Cisco, SailPoint, and Helisoft. https://sgnl.ai/2024/04/sgnl-demonstrates-standards-based-interoperability-with-okta-cisco-sailpoint-and-helisoft/
Okta Leads the Way Driving Real-Time Security with Shared Signals. https://www.okta.com/blog/product-innovation/okta-leads-the-way-driving-real-time-security-with-shared-signals/
CAEP and SSF: Your Questions Answered. https://sgnl.ai/2023/08/caep-and-ssf-your-questions-answered/
OpenID Shared Signals Working Group. https://openid.net/wg/sharedsignals/
RFC 8705: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens. https://datatracker.ietf.org/doc/html/rfc8705
CAEP and Shared Signals Explained. https://www.tigeridentity.com/blog/caep-shared-signals-explained/
Google Workspace Shared Signals Framework API. https://developers.google.com/workspace/shared-signals/api/ssf-api
Conditional Access for Agent Identities in Microsoft Entra. https://learn.microsoft.com/en-us/entra/identity/conditional-access/agent-id
AspNetCoreMeIDCAE reference implementation. https://github.com/damienbod/AspNetCoreMeIDCAE
Implement Microsoft Entra ID Continuous Access in an ASP.NET Core Razor Page app using a Web API. https://damienbod.com/2022/04/20/implement-azure-ad-continuous-access-evaluation-in-an-asp-net-core-razor-page-app-using-a-web-api/
RFC 8936: Poll-Based Security Event Token (SET) Delivery Using HTTP. https://datatracker.ietf.org/doc/html/rfc8936
Azure AD Continuous Access Evaluation (CAE) - A First Look. https://www.vansurksum.com/2020/10/10/azure-ad-continuous-access-evaluation-cae-a-first-look/
Microsoft — Azure Confidential Computing: products overview (2024). https://learn.microsoft.com/en-us/azure/confidential-computing/overview-azure-products
OpenHCL: the new, open source paravisor (Microsoft Tech Community) , 2024. https://techcommunity.microsoft.com/blog/windowsosplatform/openhcl-the-new-open-source-paravisor/4273172
Confidential Computing Consortium — About . https://confidentialcomputing.io/about/
Microsoft Learn: Azure confidential VM overview . https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview
H. Birkholz, D. Thaler, M. Richardson, N. Smith, W. Pan, RFC 9334: Remote ATtestation procedureS (RATS) Architecture , 2023. https://datatracker.ietf.org/doc/rfc9334/
David Kaplan, AMD x86 Memory Encryption Technologies , 2016. https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/kaplan
Victor Costan, Srinivas Devadas, Intel SGX Explained , 2016. https://eprint.iacr.org/2016/086
Stephan van Schaik, Andrew Kwong, Daniel Genkin, Yuval Yarom, SGAxe: How SGX Fails in Practice , 2020. https://cacheoutattack.com/files/SGAxe.pdf
Mark Russinovich, Introducing Azure confidential computing , 2017. https://azure.microsoft.com/en-us/blog/introducing-azure-confidential-computing/
Mark Russinovich, Microsoft partners with the Linux Foundation to announce the Confidential Computing Consortium , 2019. https://opensource.microsoft.com/blog/2019/08/21/microsoft-partners-linux-foundation-announce-confidential-computing-consortium/
Linux Foundation press release: CCC formation (Oct 17 2019) . https://www.linuxfoundation.org/press/press-release/confidential-computing-consortium-establishes-formation-with-founding-members-and-open-governance-structure-2
David Kaplan, Jeremy Powell, Tom Woller, AMD Memory Encryption , 2016. https://kib.kiev.ua/x86docs/AMD/SEV/memory-encryption-white-paper-Oct-2021.pdf
David Kaplan, Protecting VM Register State with SEV-ES , 2017. https://www.amd.com/content/dam/amd/en/documents/epyc-business-docs/white-papers/Protecting-VM-Register-State-with-SEV-ES.pdf
David Kaplan, AMD SEV-SNP: Strengthening VM Isolation with Integrity Protection and More , 2020. https://www.amd.com/content/dam/amd/en/documents/epyc-business-docs/white-papers/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf
Intel Corporation, Architecture Specification: Intel Trust Domain Extensions Module (doc 344425-001) , 2020. https://kib.kiev.ua/x86docs/Intel/TDX/344425-001.pdf
AMD EPYC Datacenter Processor Launches with Record-Setting Performance, Optimized Platforms, and Global Server Ecosystem Support . https://ir.amd.com/news-events/press-releases/detail/773/amd-epyc-datacenter-processor-launches-with-record-setting-performance-optimized-platforms-and-global-server-ecosystem-support
Mathias Morbitzer, Manuel Huber, Julian Horsch, Sascha Wessel, SEVered: Subverting AMD's Virtual Machine Encryption , 2018. https://arxiv.org/abs/1805.09604
Robert Buhren, Christian Werling, Jean-Pierre Seifert, Insecure Until Proven Updated: Analyzing AMD SEV's Remote Attestation , 2019. https://arxiv.org/abs/1908.11680
Luca Wilke, Jan Wichelmann, Mathias Morbitzer, Thomas Eisenbarth, SEVurity: No Security Without Integrity (project page) , 2020. https://uzl-its.github.io/SEVurity/
Robert Buhren, Hans Niklas Jacob, Thilo Krachenfels, Jean-Pierre Seifert, One Glitch to Rule Them All: Fault Injection Attacks Against AMD's Secure Encrypted Virtualization , 2021. https://arxiv.org/abs/2108.04575
PSPReverse / amd-sp-glitch (One Glitch artefact) . https://github.com/PSPReverse/amd-sp-glitch
Intel Corporation, Intel Architecture Memory Encryption Technologies Specification (doc 336907) , 2017. https://kib.kiev.ua/x86docs/Intel/MemEncryption/336907-001.pdf
LWN-archived RFC: Multi-Key Total Memory Encryption API (MKTME) , 2018. https://lwn.net/Articles/764480/
Intel Corporation, Intel TDX Module 1.5 Base Architecture Specification (doc 348549, rev 002) , 2024. https://cdrdv2-public.intel.com/733575/intel-tdx-module-1.5-base-spec-348549002.pdf
Intel Corporation, Intel TDX Enabling Guide: Infrastructure Setup — Intel TDX Remote Attestation . https://cc-enabling.trustedservices.intel.com/intel-tdx-enabling-guide/02/infrastructure_setup/
Microsoft Learn: Azure Attestation policy version 1.2 . https://learn.microsoft.com/en-us/azure/attestation/policy-version-1-2
Microsoft Azure expands confidential VM offerings (The Register) , 2022. https://www.theregister.com/2022/07/20/microsoft_confidential_vms/
Lenovo Press: Enabling AMD SEV-SNP on ThinkSystem servers (LP1893) . https://lenovopress.lenovo.com/lp1893-enabling-amd-sev-snp-on-thinksystem-servers
Intel Adds TDX to Confidential Computing Portfolio with 4th Gen Xeon launch (SecurityWeek) , 2023. https://www.securityweek.com/intel-adds-tdx-confidential-computing-portfolio-launch-4th-gen-xeon-processors/
microsoft/openvmm (GitHub) . https://github.com/microsoft/openvmm
OpenVMM Guide . https://openvmm.dev/guide/
AMD-SEV linux-svsm reference Secure VM Service Module . https://github.com/AMDESE/linux-svsm
COCONUT-SVSM: an open-source Secure VM Service Module . https://github.com/coconut-svsm/svsm
Microsoft Learn: Confidential containers on Azure Container Instances . https://learn.microsoft.com/en-us/azure/container-instances/container-instances-confidential-overview
Microsoft Learn: Confidential containers on AKS (preview / sunset notice) . https://learn.microsoft.com/en-us/azure/aks/confidential-containers-overview
Microsoft Learn: AKS confidential VM node pools . https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-node-pool-aks
CNCF Confidential Containers project page . https://www.cncf.io/projects/confidential-containers/
Confidential Containers documentation . https://confidentialcontainers.org/docs/
Edgeless Contrast: workload-level confidential containers (Constellation successor) . https://github.com/edgelesssys/contrast
Edgeless Constellation: confidential Kubernetes distribution (archived; succeeded by Contrast) . https://github.com/edgelesssys/constellation
AWS Nitro Enclaves user guide . https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html
Google Cloud: Confidential VM overview . https://cloud.google.com/confidential-computing/confidential-vm/docs/about-cvm
Google Cloud: Confidential Computing product hub . https://cloud.google.com/confidential-computing
Google Cloud: Confidential VM supported configurations . https://docs.cloud.google.com/confidential-computing/confidential-vm/docs/supported-configurations?hl=en
ETH Zurich ZISC news: Ahoi attacks disrupting TEEs with malicious notifications , 2024. https://zisc.ethz.ch/2024/05/02/ahoi-attacks-disrupting-tees-with-malicious-notifications/
Ahoi Attacks: WeSee project page . https://ahoi-attacks.github.io/wesee/
Benedict Schlueter, Supraja Sridhara, Mark Kuhne, Andrin Bertschi, Shweta Shinde, Heckler — USENIX Security 2024 , 2024. https://www.usenix.org/conference/usenixsecurity24/presentation/schl%C3%BCter
Ruiyi Zhang, Lukas Gerlach, Daniel Weber, Lorenz Hetterich, Youheng Lü, Andreas Kogler, Michael Schwarz, CacheWarp: Software-based Fault Injection using Selective State Reset , 2024. https://www.usenix.org/conference/usenixsecurity24/presentation/zhang-ruiyi
Erdem Aktas, Cfir Cohen, Josh Eads, James Forshaw, Felix Wilhelm, Intel Trust Domain Extensions (TDX) Security Review , 2023. https://services.google.com/fh/files/misc/intel_tdx_-_full_report_041423.pdf
NVD record for CVE-2023-20592 (CacheWarp / INVD) . https://nvd.nist.gov/vuln/detail/CVE-2023-20592
CacheWarp project page . https://cachewarpattack.com/
AMD Security Bulletin AMD-SB-3005 (CacheWarp / CVE-2023-20592) . https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3005.html
Benedict Schlueter, Supraja Sridhara, Andrin Bertschi, Shweta Shinde, WeSee: Using Malicious #VC Interrupts to Break AMD SEV-SNP , 2024. https://arxiv.org/abs/2404.03526
Ahoi Attacks: Heckler project page . https://ahoi-attacks.github.io/heckler/
Benedict Schlueter, Supraja Sridhara, Mark Kuhne, Andrin Bertschi, Shweta Shinde, Heckler: Breaking Confidential VMs with Malicious Interrupts , 2024. https://arxiv.org/abs/2404.03387
Ahoi Attacks family page . https://ahoi-attacks.github.io/
Intel Corporation, Intel TDX Module 1.5 TD Partitioning Architecture Specification (doc 354807, rev 003) , 2024. https://cdrdv2-public.intel.com/817876/intel-tdx-module-1.5-td-partitioning-spec-354807003.pdf
Wikipedia: Trust Domain Extensions . https://en.wikipedia.org/wiki/Trust_Domain_Extensions
Cyber Safety Review Board — Review of the Summer 2023 Microsoft Exchange Online Intrusion (2024). https://www.cisa.gov/sites/default/files/2025-03/CSRBReviewOfTheSummer2023MEOIntrusion508.pdf
Microsoft Security Response Center — Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email (2023). https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/
Microsoft Threat Intelligence — Analysis of Storm-0558 techniques for unauthorized email access (2023). https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/
Microsoft — Microsoft threat actor naming (2024). https://learn.microsoft.com/en-us/unified-secops/microsoft-threat-actor-naming
Microsoft Security Response Center — Microsoft Internal Solorigate Investigation -- Final Update (2021). https://msrc.microsoft.com/blog/2021/02/microsoft-internal-solorigate-investigation-final-update/
CISA — Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations (AA20-352A) (2020). https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a
Wiz Research — Storm-0558: Compromised Microsoft Key Enables Authentication of Countless Microsoft Applications (2023). https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr
Microsoft — Microsoft identity platform OpenID Connect v2.0 discovery document (consumers tenant) (2026). https://login.microsoftonline.com/consumers/v2.0/.well-known/openid-configuration
Y. Sheffer, D. Hardt, M. Jones — RFC 8725: JSON Web Token Best Current Practices (2020). https://datatracker.ietf.org/doc/html/rfc8725
CISA, FBI — Enhanced Monitoring to Detect APT Activity Targeting Outlook Online (AA23-193A) (2023). https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a
Microsoft — Expanding cloud logging to give customers deeper security visibility (2023). https://www.microsoft.com/en-us/security/blog/2023/07/19/expanding-cloud-logging-to-give-customers-deeper-security-visibility/
CISA — CISA and Microsoft Partnership Expands Access to Logging Capabilities Broadly (2023). https://www.cisa.gov/news-events/news/cisa-and-microsoft-partnership-expands-access-logging-capabilities-broadly
Office of Senator Ron Wyden — Wyden Requests Federal Agencies Investigate Lax Cybersecurity Practices by Microsoft that Reportedly Enabled Chinese Espionage (2023). https://www.wyden.senate.gov/news/press-releases/wyden-requests-federal-agencies-investigate-lax-cybersecurity-practices-by-microsoft-that-reportedly-enabled-chinese-espionage
Office of Senator Ron Wyden — Wyden Statement on Cyber Safety Review Board Investigation of Recent Microsoft Exchange Online Intrusion (2023). https://www.wyden.senate.gov/news/press-releases/wyden-statement-on-cyber-safety-review-board-investigation-of-recent-microsoft-exchange-online-intrusion
The White House — Executive Order 14028: Improving the Nation's Cybersecurity (2021). https://www.gsa.gov/technology/government-it-initiatives/cybersecurity/executive-order-14028
CISA — Cyber Safety Review Board (CSRB) (2024). https://www.cisa.gov/resources-tools/groups/cyber-safety-review-board-csrb
U.S. Department of Homeland Security — Department of Homeland Security's Cyber Safety Review Board to Conduct Review on Cloud Security (archive) (2023). https://www.dhs.gov/archive/news/2023/08/11/department-homeland-securitys-cyber-safety-review-board-conduct-review-cloud
U.S. Department of Homeland Security — Cyber Safety Review Board Releases Report on Microsoft Online Exchange Incident from Summer 2023 (2024). https://www.dhs.gov/news/2024/04/02/cyber-safety-review-board-releases-report-microsoft-online-exchange-incident-summer
Brad Smith — Microsoft's work to strengthen cybersecurity protection (2024). https://blogs.microsoft.com/on-the-issues/2024/06/13/microsofts-work-to-strengthen-cybersecurity-protection/
U.S. House Committee on Homeland Security — A Cascade of Security Failures: Assessing Microsoft Corporation's Cybersecurity Shortfalls and the Implications for Homeland Security (2024). https://homeland.house.gov/hearing/a-cascade-of-security-failures-assessing-microsoft-corporations-cybersecurity-shortfalls-and-the-implications-for-homeland-security/
Microsoft Security Response Center — Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard (archive) (2024). https://web.archive.org/web/2024/https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard
Microsoft Security Response Center — Update on Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard (archive) (2024). https://web.archive.org/web/2024/https://msrc.microsoft.com/blog/2024/03/update-on-microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard
Brad Smith — A new world of security: Microsoft's Secure Future Initiative (2023). https://blogs.microsoft.com/on-the-issues/2023/11/02/secure-future-initiative-sfi-cybersecurity-cyberattacks/
Charlie Bell — Security above all else -- expanding Microsoft's Secure Future Initiative (2024). https://www.microsoft.com/en-us/security/blog/2024/05/03/security-above-all-else-expanding-microsofts-secure-future-initiative/
Microsoft — Securing our future: September 2024 progress update on Microsoft's Secure Future Initiative (2024). https://www.microsoft.com/en-us/security/blog/2024/09/23/securing-our-future-september-2024-progress-update-on-microsofts-secure-future-initiative-sfi/
Microsoft — Azure Key Vault Managed HSM Overview (2024). https://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/overview
Microsoft — Azure Integrated HSM Overview (2024). https://learn.microsoft.com/en-us/azure/security/fundamentals/azure-integrated-hardware-security-module-overview
Microsoft — Securing our future: April 2025 progress report on Microsoft's Secure Future Initiative (2025). https://www.microsoft.com/en-us/security/blog/2025/04/21/securing-our-future-april-2025-progress-report-on-microsofts-secure-future-initiative/
The Hacker News — Microsoft Secures MSA Signing with Azure Confidential VMs After Storm-0558 Breach (2025). https://thehackernews.com/2025/04/microsoft-secures-msa-signing-with.html
Google Cloud — Cloud HSM (2024). https://cloud.google.com/kms/docs/hsm
Amazon Web Services — Rotating AWS KMS keys (2024). https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
Google Workspace — Maintain SAML certificates (2024). https://knowledge.workspace.google.com/admin/apps/maintain-saml-certificates
Google — Tink cryptographic library (2024). https://developers.google.com/tink
Amazon Web Services — AWS Security Bulletins (2024). https://aws.amazon.com/security/security-bulletins/
Google Cloud — Google Cloud Security Bulletins (2024). https://cloud.google.com/support/bulletins
Cloudflare — How Cloudflare mitigated yet another Okta compromise (2023). https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/
Shafi Goldwasser, Silvio Micali, Ronald L. Rivest — A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks (1988). DOI: 10.1137/0217017. https://people.csail.mit.edu/silvio/Selected%20Scientific%20Papers/Digital%20Signatures/A_Digital_Signature_Scheme_Secure_Against_Adaptive_Chosen-Message_Attack.pdf
Dan Boneh, Victor Shoup — A Graduate Course in Applied Cryptography (Chapter 13: Digital Signatures, EUF-CMA security definition) (2023). https://toc.cryptobook.us/
Chelsea Komlo, Ian Goldberg — FROST: Flexible Round-Optimized Schnorr Threshold Signatures (Selected Areas in Cryptography, SAC 2020, LNCS 12804) (2021). https://link.springer.com/chapter/10.1007/978-3-030-81652-0_2
D. Connolly, C. Komlo, I. Goldberg, C. A. Wood — RFC 9591: The Flexible Round-Optimized Schnorr Threshold (FROST) Protocol for Two-Round Schnorr Signatures (2024). https://datatracker.ietf.org/doc/rfc9591/
Yehuda Lindell, Ariel Nof — Fast Secure Multiparty ECDSA with Practical Distributed Key Generation and Applications to Cryptocurrency Custody (ACM CCS 2018) (2018). https://cris.technion.ac.il/en/publications/fast-secure-multiparty-ecdsa-with-practical-distributed-key-gener/
Jack Doerner, Yashvanth Kondi, Eysa Lee, abhi shelat — DKLs: Threshold ECDSA Signing Schemes (project landing page, including DKLs23 Threshold ECDSA in Three Rounds) (2023). https://dkls.info/
B. Laurie, A. Langley, E. Kasper — RFC 6962: Certificate Transparency (2013). https://www.rfc-editor.org/rfc/rfc6962.html
Nat Sakimura, John Bradley, Michael B. Jones, Edmund Jay — OpenID Connect Discovery 1.0 (final, errata set 2) (2023). https://openid.net/specs/openid-connect-discovery-1_0.html
MITRE — Forge Web Credentials (T1606) (2024). https://attack.mitre.org/techniques/T1606/
MITRE — Forge Web Credentials: SAML Tokens (T1606.002) (2024). https://attack.mitre.org/techniques/T1606/002/
Benjamin Delpy — mimikatz: Kerberos module wiki (2014). https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos
CrowdStrike — Golden Ticket Attack (2024). https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/golden-ticket-attack/
CyberArk — Golden SAML Revisited: The Solorigate Connection (2020). https://www.cyberark.com/resources/threat-research-blog/golden-saml-revisited-the-solorigate-connection
Microsoft Security Response Center — Results of Major Technical Investigations for Storm-0558 Key Acquisition (archived) (2024). https://web.archive.org/web/2024/https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition
Y. Sheffer, D. Hardt, M. Jones — RFC 8725: JSON Web Token Best Current Practices (canonical HTML rendering) (2020). https://www.rfc-editor.org/rfc/rfc8725.html
CISA, FBI — AA23-193A Joint Cybersecurity Advisory (PDF) (2023). https://www.cisa.gov/sites/default/files/2023-07/aa23-193a_joint_csa_enhanced_monitoring_to_detect_apt_activity_targeting_outlook_online_2.pdf
Ron Wyden — Wyden letter to CISA, DOJ, FTC re: 2023 Microsoft Breach (PDF) (2023). https://www.wyden.senate.gov/imo/media/doc/wyden_letter_to_cisa_doj_ftc_re_2023_microsoft_breach.pdf
Brad Smith — Written Testimony of Brad Smith, House Committee on Homeland Security (PDF) (2024). https://homeland.house.gov/wp-content/uploads/2024/06/2024-06-13-HRG-Testimony-Smith.pdf
NIST — FIPS 140-3: Security Requirements for Cryptographic Modules (2019). https://csrc.nist.gov/pubs/fips/140-3/final
Amazon Web Services — AWS CloudHSM (2024). https://aws.amazon.com/cloudhsm/
Amazon Web Services — Security in AWS IAM Identity Center (2024). https://docs.aws.amazon.com/singlesignon/latest/userguide/security.html
Amazon Web Services — AWS Nitro Enclaves: concepts (2024). https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-concepts.html
Amazon Web Services — The Security Design of the AWS Nitro System (2024). https://docs.aws.amazon.com/whitepapers/latest/security-design-of-aws-nitro-system/security-design-of-aws-nitro-system.html
Amazon Web Services — aws-jwt-verify (Node library) (2024). https://github.com/awslabs/aws-jwt-verify
Amazon Web Services — Verifying a JSON Web Token (Amazon Cognito) (2024). https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html
Okta Security — Unauthorized Access to Okta's Support Case Management System: Root Cause and Remediation (2023). https://sec.okta.com/articles/2023/11/unauthorized-access-oktas-support-case-management-system-root-cause
Okta Security — October Security Incident: Recommended Actions (2023). https://sec.okta.com/october-security-incident-recommended-actions
Cloud Security Alliance — Cloud Controls Matrix and CAIQ (2024). https://cloudsecurityalliance.org/research/cloud-controls-matrix/
FedRAMP — FedRAMP Marketplace (2024). https://www.fedramp.gov/