Jonathan Johnson
Jul 26

Better know a data source: Logon sessions

Written by Jonathan Johnson and Brian Donohue. Originally posted: https://redcanary.com/blog/logon-sessions/

Logon sessions can help defenders tell the whole story of everything that happens around, before, and after a suspicious process event. Process telemetry has dominated the detection space since the invention of endpoint detection and response (EDR) tooling. This makes…

11 min read


Jul 5

WMI Internals Part 1

Understanding the Basics

Recently I have taken up an interest in WMI internals and thought I would write a blog series on some of my findings. This first release will cover the fundamentals of WMI and how to track back WMI activity to the WMI provider host process (WmiPrvse.exe), the executable responsible for…

Wmi

8 min read


May 9

Defending the Three Headed Relay

A joint blog written by Andrew Schwartz, Charlie Clark, and Jonny Johnson

Introduction

For the past couple of weeks it has become apparent that Kerberos Relaying is one of the hottest topics of discussion in the InfoSec community. Although this attack isn't new and was discovered months…

Active Directory

9 min read


Apr 20

Better know a data source: Access tokens (and why they’re hard to get)

This blog was originally written by me and posted by Red Canary. Detection engineers are frequently beset with the challenge of detecting a technique for which optics are poor, non-existent, or difficult to collect at scale. …

Windows

12 min read


Apr 5

Bypassing Access Mask Auditing Strategies

Introduction

This past week I briefly talked about Process Access data within a talk that Olaf and I gave at ATT&CKCON 3.0 (YouTube link isn't live yet). During this presentation I talked about the significance of this sub-data source and what it meant to defenders. My portion was heavily focused on…

Detection Engineering

6 min read


Feb 16

Exploring Token Members Part 2

Introduction

The Elastic Research team recently released work surrounding stripping the Windows Defender binary (MsMpEng.exe) of its privileges, making it effectively useless. Being that MsMpEng.exe …

Windows Internals

9 min read


Jan 4

Exploring Token Members Part 1

Introduction

In an attempt to understand access tokens at a deeper level as of late, I have come across a couple of members within the TOKEN structure that have connected some dots for me. They are not novel findings, but I hope these findings help someone else, as they have me…

Windows Internals

6 min read


Dec 13, 2021

Better know a data source: Process integrity levels

Impossible to spoof, process integrity levels dictate trust between securable objects, offering defenders great visibility into privilege escalation.

This blog was originally written by me and posted by Red Canary. In this second installment of our Better know a data source series, we're showcasing process integrity levels. Integrity levels define the trust between a process/thread and another object (files, processes, threads) and help control what that object can or…

Detection

10 min read


Nov 22, 2021

The dark side of Microsoft Remote Procedure Call protocols

Story was first released on the Red Canary Publication. MSRPC to ATT&CK is a one-stop shop for learning more about Remote Procedure Calls, how adversaries abuse them, and how you can detect related malicious activity. Microsoft Remote Procedure Call (MSRPC) is an interprocess communication mechanism that adversaries can abuse…

Detection Engineering

6 min read


Jul 20, 2021

Dataset Prioritization

Introduction

A common issue within the investigation process is alert fatigue. Alert fatigue leads to the delay of incident handling and/or alerts being lost or passed over due to the high volume of events being funneled to analysts. To combat this issue, many organizations attempt to classify events within the detection…

Detection Engineering

9 min read

Jonathan Johnson

Sr. Threat Researcher @ RedCanary