Choking Defender With Native Windows QoS Policies (EDRChoker)
QoS policies are a legitimate bandwidth management feature. Point New-NetQosPolicy at a security tool and cap it to near zero, and the process keeps running, no tamper alert fires, but it can no longer reach the cloud. This is what EDRChoker does as a compiled tool, and Defender catches that binary now, yay! Now let me explain in my blog why that means absolutely nothing.

Damien van der Linden
Jun 9 · 8 min read


Device Code Phishing Meets ClickFix
Device Code Phishing has been going on for a while now, and it's making a comeback.

Damien van der Linden
Mar 12 · 10 min read


Hunting for CVE-2025-59287: Detecting Vulnerable WSUS Servers
Summary: Microsoft has released an urgent out-of-band security update to address CVE-2025-59287 (after a previous Patch Tuesday update that didn't quite hit the nail on the head), a critical remote code execution vulnerability in Windows Server Update Services (WSUS) that is being actively exploited in the wild. This vulnerability allows unauthenticated attackers to execute arbitrary code with SYSTEM privileges by exploiting unsafe deserialization in WSUS's cookie handling.

Damien van der Linden
Oct 27, 2025 · 4 min read


Detecting ManualFinder/PDF Editor Malware Campaign with KQL
A free PDF Editor turning itself into an infostealer overnight. Let's hunt it down with KQL!

Damien van der Linden
Aug 25, 2025 · 7 min read


Unmasking Phishing Hidden in Google Links With KQL
KQL your way into Google's Open Redirect 'feature' that's being abused for phishing.

Damien van der Linden
Dec 5, 2024 · 4 min read


Detecting B64 encoded UPNs in Clicked URLs with KQL
The first KQL query I share on here! Let's have a look at B64 encoded UPNs!

Damien van der Linden
Oct 14, 2024 · 2 min read