Published in Posts By SpecterOps Team Members·Nov 14Uncovering Window Security EventsPart 1: TelemetrySource — Data is the foundation by which defense is built upon. This data can come from various telemetry sources — native logging, Endpoint Detection and Response (EDR) tools, network logging, etc. The data from these sources give us insight into activity happening with a given machine — user’s logging in, processes…Windows6 min readWindows6 min read
Published in Posts By SpecterOps Team Members·Sep 12WMI Internals Part 3Beyond COM — In a previous blog post of mine — WMI Internals Part 2: Reversing a WMI Provider I walked through how the WMI architecture is foundationally built upon COM and in turn how WMI classes can end up invoking COM methods to perform actions. I used the PS_ScheduledTask WMI class as…Windows6 min readWindows6 min read
Aug 15WMI Internals Part 2Reversing a WMI Provider — In a previous post WMI Internals Part 1: Understanding the Basics I walked through some of the basic internal information behind WMI. …Windows6 min readWindows6 min read
Jul 26Better know a data source: Logon sessionsWritten by Jonathan Johnson and Brian Donohue Originally posted: https://redcanary.com/blog/logon-sessions/ Logon sessions can help defenders tell the whole story of everything that happens around, before, and after a suspicious process event. Process telemetry has dominated the detection space since the invention of endpoint detection and response (EDR) tooling. This makes…11 min read11 min read
Jul 5WMI Internals Part 1Understanding the Basics — Recently I have taken up an interest in WMI internals and thought I would write a blog series on some of my findings. This first release will cover the fundamentals of WMI and how to track back WMI activity to the WMI provider host process (WmiPrvse.exe), the executable responsible for…Wmi8 min readWmi8 min read
May 9Defending the Three Headed RelayA joint blog written by Andrew Schwartz, Charlie Clark, and Jonny Johnson Introduction For the past couple of weeks it has become apparent that Kerberos Relaying has set off to be one of the hottest topics of discussion for the InfoSec community. Although this attack isn’t new and was discovered months…Active Directory9 min readActive Directory9 min read
Apr 20Better know a data source: Access tokens (and why they’re hard to get)This blog was originally written by me and posted by Red Canary. Detection engineers are frequently beset with the challenge of detecting a technique for which optics are poor, non-existent, or difficult to collect at scale. …Windows12 min readWindows12 min read
Apr 5Bypassing Access Mask Auditing StrategiesIntroduction This past week I briefly talked about Process Access data within a talk that Olaf and I gave at ATT&CKCON 3.0 (YouTube link isn’t live yet). During this presentation I talked about the significance of this sub-data source and what it meant to defenders. My portion was heavily focused on…Detection Engineering6 min readDetection Engineering6 min read
Feb 16Exploring Token Members Part 2Introduction The Elastic Research team recently released work surrounding stripping the Windows Defender binary (MsMpEng.exe) of its privileges, making it effectively useless. Being that MsMpEng.exe …Windows Internals9 min readWindows Internals9 min read
Jan 4Exploring Token Members Part 1Introduction In an attempt to understand access tokens at a deeper level as of late, I have come across a couple of members within the TOKEN structure that have connected some dots for me. They are not novel findings, but I hope these findings help someone else, as they have me…Windows Internals6 min readWindows Internals6 min read
