Technical deep dives.
Kernel internals, detection engineering, and Windows security research from the ShadowStrike team. Every post is backed by real code in the Phantom repository.
How PhantomSensor Detects Process Injection in the Kernel
A deep walkthrough of how we intercept process injection attempts at the kernel level — from WriteProcessMemory detection via handle callbacks to VAD tree manipulation tracking with VadTracker.
Catching Direct Syscalls: Why User-Space Hooks Are Not Enough
Modern malware bypasses EDR user-space hooks entirely by issuing NT syscalls directly. We examine the technique and how PhantomSensor's SyscallMonitor catches it at the kernel.
ELAM: Protecting the Boot Process Before Windows Fully Loads
Early Launch Anti-Malware is one of Windows' most overlooked security primitives. We explain how PhantomSensor's ELAM driver validates boot drivers before any third-party code runs.
Mapping Kernel Events to MITRE ATT&CK in Real Time
How BehaviorEngine correlates low-level kernel callbacks — file I/O, process creation, handle operations — into actionable MITRE ATT&CK technique IDs with threat scoring.
O(1) IOC Lookups: Bloom Filters in a Threat Intelligence Pipeline
With 1.2M+ IOC entries, lookup latency is critical. We explain how PhantomSensor combines a bloom filter with a sharded B-tree index to achieve O(1) negative lookups without false positives.
Honeypot Files and Canary Directories: Early Ransomware Detection
How PhantomSensor plants strategically named canary files across the filesystem and uses minifilter callbacks to detect rapid mass-encryption patterns before significant damage occurs.
Got a detection research topic you'd like to see covered? Open a discussion on GitHub or reach us at contact@shadowstrike.dev