Author here. I'm CTO at a company that's been working inside the Windows kernel and LSASS for 17 years.
The core issue: SamrSetInformationUser writes the NT hash directly to AD, bypassing all password validation. The write-up includes two PowerShell PoCs - one for the attack, one for a defense that hooks the function inside LSASS.
The timing is interesting because of the NTLM deprecation excitement. Most people conflate the NTLM protocol (the auth mechanism Microsoft is killing) with the NT hash (the storage format). Kerberos uses the same hash. This attack vector survives the migration completely.
The defense PoC uses EasyHook for injection and hooking. Not production-grade, but it demonstrates that you need to operate at the LSASS level to catch this - GPO policies and password filters are structurally unable to see direct hash writes.
Happy to answer questions about the internals.