Origin

Windows Insider builds now have a native, OS-level broker for MCP servers. We reverse engineered Odr.exe to understand how it validates clients, manages consent, and controls access - uncovering undocumented COM interfaces and a full ETW audit trail. originhq.com/blog/msft-odr-…

New on the blog: Semantic delivery of traditional tradecraft. How are agents changing offensive operations? @depletionmode explores the gap between using AI to automate attacks vs. agents becoming the attack vector itself. Full write-up + video: originhq.com/blog/praxis-cr…

We built Brainworm: malware that lives entirely inside of an AI agent's context window. No binaries. No scripts. Once loaded, it registers with C2 and executes tasks using the agent's own tools. Welcome to the era of semantic malware. 🧠🪱 Blog: originhq.com/blog/brainworm

Understanding complex execution flows is essential for designing, exploring, and securing applications and operating systems. In our most recent post, @matterpreter introduces Marco, a new tool for inter-binary control flow graphing or large systems. originhq.com/blog/introduci…

New on the blog: @jdu2600 introduces Process Preluding: a timing gap in how TI ETW gets enabled. Create a process without a thread → no creation callback and limited TI ETW logging for that process. Technical write-up + PoC and defensive guidance 📃 originhq.com/blog/process-p…

Introducing Praxis, an adversarial framework for discovering, controlling, and orchestrating computer-use agents running on endpoints. Announcement → originhq.com/blog/praxis-an… Get Praxis → praxis.originhq.com

ICYMI: @33y0re dug into some undocumented ETW internals and found a way to consume from Secure ETW providers (e.g., Microsoft-Windows-Threat-Intelligence) without needing to be AM-PPL without patching kernel structures. originhq.com/blog/securityt…

Cooking up something exciting... @originhq

cua-kit is open source and available on GitHub github.com/preludeorg/cua…

Computer use agents like Claude Code are transforming endpoint interactions for humans - and potentially attackers too. Today, we're releasing cua-kit: a post-exploitation toolkit to explore their offensive security implications. originhq.com/blog/cua-kit-a…

@B_Shamshirsaz We believe that this applies beyond AV and includes both static and behavioral signatures, both precise and robust. Both are built on the assumption that we can predict what evil looks like and that we can distinguish it from benign instances.

@originhq Signature based detection was obsolete since many years ago but antivirus companies didn’t want to update their solutions.

Signature-based detection has failed as adversaries mutate indicators and adapt tradecraft faster than defenses. Computer use agents embedded in daily workflows push this over the edge as dual-use insiders, indistinguishable from normal activity. preludesecurity.com/blog/the-era-o…

We believe that: 1. The potential economic upsides of the productivity boosts that Computer Use Agents offer incentivize us to provide them with more access to our computers to increase the amount of context they can have. 2. They represent a new type of interpreter that dramatically closes the gap between intent and execution, is self-corrective, and yields nondeterministic outputs that create massive amounts of "noise" 3. Their ability to generate and execute new tools on the fly, combined with expanded access, challenges the very foundation of a signature-based model of detection As these systems become increasingly intertwined with how we use computers, we must consider what it means to detect their misuse through out-of-context interactions with the host. If you're interested in collaborating on tooling or joining our team, please contact research@preludesecurity.com

In this simple example, we show that Claude Code can read the iMessage database on the latest version of macOS, even with a leading EDR running on the system, illustrating the impact of an adversary who can remotely control the agent. We do this using Terminator, an internal research tool we built while studying the security implications of computer use agents. In this setup, the terminal application has previously been granted FDA, a subtle misconfiguration that effectively gives the agent access to unexpected context.

New on the blog: @michaelbarclay_ revives registry-based tradecraft using a telemetry gap in the hive restoration process. The blog also includes PoC code and detection guidance. 📃 preludesecurity.com/blog/rehabilit…

New research from @jdu2600: a clean loader-lock escape using the PEB's PostProcessInitRoutine. Read the analysis and PoC code 📃 preludesecurity.com/blog/escaping-…

In @33y0re's latest post on Windows ARM64 Pointer Authentication, he dissects how PAC fortifies stack integrity and thwarts exploits at the hardware level. Explore the mechanics of this critical security layer and its role in modern Windows defenses. preludesecurity.com/blog/windows-a…

This method demonstrates how hardware-level telemetry, coupled with contextual reasoning, can surface malicious activity that signature-based approaches will always miss as malware authors innovate in response. 📃Full write-up → preludesecurity.com/blog/unexpecte…

By tracing execution of private memory and reconstructing its provenance, our agent surfaced the broader chain: the encryptor escalated privileges, spawned a new instance of itself, and then created a third process that deleted the encryptor from disk. All three of these component parts utilized the same dynamic import technique, revealing a coherent attack sequence.

While testing our agent against malware observed in the wild, we detected a LockBit encryptor not via file signatures or static IOCs, but by observing out-of-context execution of private memory using hardware telemetry. 🧵