Research Archive

Let Moonlight guide the way.

Published Notes42
Categories5
Tracked Tags45

Curated Entry Points

Choose a category and go directly into related work.

Each category groups notes that share a technical thread, along with the tags and volume that define that part of the archive.

Archive Margins

Field Notes

Loose observations, compatibility oddities, and the durable fragments that don’t fit anywhere smaller.

Cross-cutting notes, defensive observations, and operational fragments that tie the archive together.

Notes21
Latest2026-03-25
appcompatshimpowershellcommand-execution
Open category

Trusted Surfaces

Living off the Land

Execution, abuse paths, and operator tradecraft hiding in trusted binaries.

LOLBIN studies, edge-case behaviors, and practical notes on abusable Windows binaries.

Notes14
Latest2026-04-17
lolbincommand-executiondetection-engineeringdfir
Open category

Execution Anatomy

Process Anatomy

Command surfaces, process behavior, and the practical seams inside native Windows tooling.

Process-oriented notes focused on built-ins, execution semantics, and the details most miss.

Notes2
Latest2024-07-01
windows-internalswindows-processesfilesystemwindows
Open category

Signal Reconstruction

Event Tracing

Telemetry, provider behavior, and system activity reconstructed from event streams.

ETW-centric notes that focus on providers, collection pivots, and the kinds of traces defenders can actually build around.

Notes3
Latest2025-04-08
etwtelemetrydetection-engineeringdfir
Open category

Provider Signals

TraceLogging

Provider-level telemetry notes.

Focused notes on TraceLogging providers and the smaller telemetry seams.

Notes2
Latest2024-01-28
telemetryterminaltrace-loggingwindows
Open category
Research Archive · Misc Research