Jonathan Johnson

518 Followers

Published in Posts By SpecterOps Team Members · Mar 15

Uncovering Windows Events

Threat Intelligence ETW — Not all manifest-based Event Tracing for Windows (ETW) providers exposed through Windows are ingested into telemetry sensors/EDRs. One provider that is commonly leveraged by vendors is the Threat-Intelligence ETW provider. Because it is used so often, I wanted to map out how its events are being written…

Windows Internals

6 min read



Published in Posts By SpecterOps Team Members · Feb 10

Telemetry Layering

Introduction Creating detections can be challenging. There often isn’t a “simple” way to detect something, and once we see an event that seems to correlate with the activity we are looking for, it is easy to become fixated. We create that detection and move on. However, what if other telemetry sources…

Detection Engineering

8 min read



Published in Posts By SpecterOps Team Members · Jan 18

The Defender’s Guide to Windows Services

It’s dangerous to find malicious services alone! Take this! — Authors: Luke Paine & Jonathan Johnson. Introduction: This is the second installment of the Defender’s Guide series. In keeping with the theme, we are discussing Windows Services, the underlying technology, common attack vectors, and methods of securing/monitoring them. Services are an important part of the Windows operating system, allowing the control and configuration of long-running processes essential…

Detection Engineering

10 min read



Dec 14, 2022

Uncovering Windows Events

Part 2: The Methodology — In part 1 of this series, I touched on how data is the foundation for defensive capabilities and the importance for defenders to understand where and how telemetry is being generated. …

Windows

4 min read



Published in Posts By SpecterOps Team Members · Nov 14, 2022

Uncovering Windows Events

Part 1: TelemetrySource — Data is the foundation upon which defense is built. This data can come from various telemetry sources — native logging, Endpoint Detection and Response (EDR) tools, network logging, etc. The data from these sources gives us insight into activity happening on a given machine — users logging in, processes…

Windows

6 min read



Published in Posts By SpecterOps Team Members · Sep 12, 2022

WMI Internals Part 3

Beyond COM — In a previous blog post of mine, WMI Internals Part 2: Reversing a WMI Provider, I walked through how the WMI architecture is foundationally built upon COM and, in turn, how WMI classes can end up invoking COM methods to perform actions. …

Windows

6 min read



Aug 15, 2022

WMI Internals Part 2

Reversing a WMI Provider — In a previous post, WMI Internals Part 1: Understanding the Basics, I walked through some of the basic internal information behind WMI. …

Windows

6 min read



Jul 26, 2022

Better know a data source: Logon sessions

Written by Jonathan Johnson and Brian Donohue. Originally posted: https://redcanary.com/blog/logon-sessions/ — Logon sessions can help defenders tell the whole story of everything that happens around, before, and after a suspicious process event. Process telemetry has dominated the detection space since the invention of endpoint detection and response (EDR) tooling. This makes…

11 min read



Jul 5, 2022

WMI Internals Part 1

Understanding the Basics — Recently I have taken up an interest in WMI internals and thought I would write a blog series on some of my findings. This first release will cover the fundamentals of WMI and how to track back WMI activity to the WMI provider host process (WmiPrvse.exe), the executable responsible for…

Wmi

8 min read



May 9, 2022

Defending the Three Headed Relay

A joint blog written by Andrew Schwartz, Charlie Clark, and Jonny Johnson. Introduction: For the past couple of weeks it has become apparent that Kerberos Relaying has become one of the hottest topics of discussion for the InfoSec community. Although this attack isn’t new and was discovered months…

Active Directory

9 min read


Consultant @SpecterOps | Host @DCPThePodcast | Defensive Security Researcher

Following
  • Palantir
  • Gijs Hollestelle
  • Andy Robbins
  • Olaf Hartong
  • Yarden Shafir
