Holzwege

Security research, MTG, and other things.

Welcome Mar 2026 Your Agent's Hidden Supply Chain May 2026 MTG Posting: Reviewing ML Approaches to Magic: The Gathering Mar 2026 Rehabilitating Registry Tradecraft with RegRestoreKey Mar 2025 · origin hq Unexpectedly Out of Context: Detecting a LockBit Sample Jan 2025 · origin hq The Ritualization of InfoSec Jun 2024 · prelude Closing the Execution Gap Jan 2024 · prelude Reactive Progress and Tradecraft Innovation Sep 2023 · specterops Capability Abstraction Case Study: Detecting Malicious Boot Configuration Modifications Nov 2021 · specterops

Cartographer tooling · threat-intel · network Runtime Memory Protection memory · detection · evasion Regstoration rust · windows · tradecraft

About bio · links

Runtime Memory Protection

memory detection evasion

At Prelude Security, we explored ways to generically identify the execution of private memory. We released a whitepaper, built a Windows endpoint agent (and corresponding backend) to detect private memory execution at scale. I was part of the small research team that pitched and built this product from the ground up. The whitepaper discusses how to configure and collect hardware telemetry from ETW and the ways we can use that data to detect any execution of private memory. We received a patent for this work in 2025.