2025-09-27, Main Track
With the introduction of Kernel Patch Protection (PatchGuard), Microsoft created a shared responsibility model in which security vendors are limited to the kernel visibility and extension points that Microsoft provides. In that model Microsoft is responsible for a) providing the necessary kernel telemetry, and b) servicing bugs in the telemetry it already provides.
So I wrote some Windows telemetry unit tests.
This talk will cover various bugs and other code smells in the security-relevant telemetry generated by Windows.
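To make the idea of a "telemetry unit test" concrete, the following is an added example (editor's illustration, not the speaker's tests or Elastic's code). It exercises one Windows telemetry source, the Security log's process creation event (ID 4688): it spawns a known process, then asserts that the event was emitted and that its fields (new process path, creator PID) match ground truth rather than merely that something was logged. The assumptions are stated in the comments: an elevated session (the Security log is admin-only) and the "Audit Process Creation" subcategory enabled; the target image `whoami.exe` and the 10 x 200 ms poll budget are arbitrary choices.

```powershell
# Added example, not from the talk: a minimal telemetry unit test for Windows.
# Action: spawn a known process. Assertion: Security event 4688 exists for it and
# its fields match what we know to be true.
# Assumptions: run elevated, and "Audit Process Creation" is enabled
# (check with: auditpol /get /subcategory:"Process Creation").

function Get-EventDataField {
    # Pull a named <Data Name="..."> value out of an event's XML (robust to field order).
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Test-ProcessCreationTelemetry {
    [CmdletBinding()]
    param([string]$Image = "$env:SystemRoot\System32\whoami.exe")   # arbitrary, benign target

    $start = (Get-Date).AddSeconds(-5)   # small window before the action, tolerates clock skew
    $p = Start-Process -FilePath $Image -PassThru -WindowStyle Hidden -Wait
    $expectedPid    = '0x{0:x}' -f $p.Id   # 4688 encodes PIDs as hex strings
    $expectedParent = '0x{0:x}' -f $PID    # our own PowerShell process created it

    # The event is written asynchronously, so poll briefly before calling it missing.
    $event = $null
    for ($i = 0; $i -lt 10 -and -not $event; $i++) {
        $event = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $start } -ErrorAction SilentlyContinue |
            Where-Object { (Get-EventDataField $_ 'NewProcessId') -eq $expectedPid } |
            Select-Object -First 1
        if (-not $event) { Start-Sleep -Milliseconds 200 }
    }

    $failures = @()
    if (-not $event) {
        $failures += "no 4688 event for PID $($p.Id) ($expectedPid)"
    } else {
        # Field-level checks: presence of the event is not enough, the content must be right.
        $checks = @{
            NewProcessName = $Image           # full path of the created process
            ProcessId      = $expectedParent  # in 4688, 'ProcessId' is the *creator* PID
        }
        foreach ($k in $checks.Keys) {
            $actual = Get-EventDataField $event $k
            if ($actual -ne $checks[$k]) {
                $failures += "${k}: expected '$($checks[$k])', got '$actual'"
            }
        }
    }
    [pscustomobject]@{ Test = 'ProcessCreation-4688'; Passed = ($failures.Count -eq 0); Failures = $failures }
}

Test-ProcessCreationTelemetry | Format-List
```

The same shape (perform a controlled action, fetch the event by a key you control, diff each field against ground truth, fail loudly on a missing or wrong field) transfers to other sources such as ETW providers or Sysmon; the field-level comparison is where telemetry bugs of the kind the talk describes would surface.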
John Uhlmann (he/him) is a Security Research Engineer at Elastic where he is the R&D lead for the Elastic Endpoint (EDR) Windows agent. Prior to this he did similar work at the Australian Cyber Security Centre.