Jonathan Johnson

680 Followers

Oct 11

The Client/Server Relationship — A Match Made In Heaven

This blog was written by Jonny Johnson, Senior Researcher of Adversarial Techniques and Capabilities at Binary Defense, and co-authored with Charlie Clark and Andrew Schwartz from TrustedSec. The blog was originally released by TrustedSec and BinaryDefense. 1. Introduction One thing often forgotten is that detection engineering isn’t always centered around 1 action to…

8 min read



Oct 11

Demystifying DLL Hijacking Understanding the Intricate World of Dynamic Link Library Attacks

This blog was originally written by me and posted by BinaryDefense. Introduction DLL Hijack-based attacks have been popular within the offensive community for several years. This technique has been used to achieve initial access, persistence, or privilege escalation in several environments. Due to the volume of DLL loads that happen in…

10 min read



Jul 21

ThreadSleeper: Suspending Threads via GMER64 Driver

Originally posted: https://www.binarydefense.com/resources/blog/threadsleeper-suspending-threads-via-gmer64-driver/ Recently a friend of mine, Nick Powers, sent me the gmer.sys driver that was involved with the Blackout activity which exposed functionality to terminate any process you wanted from a medium integrity level context. This was being used against many EDR vendors, including Microsoft Defender for Endpoint…

Malware

8 min read



Jun 12

Understanding Telemetry: Kernel Callbacks

Introduction I’ve published blogs around telemetry mechanisms like Event Tracing for Windows (ETW) in the Uncovering Windows Events series, but one mechanism I haven’t discussed yet is kernel callback functions. This was mentioned in one of the DCP Live episodes that Jared Atkinson and I host on Mondays, so I figured…

Research

9 min read



May 3

Exploring Impersonation through the Named Pipe Filesystem Driver

Introduction Impersonation often happens natively in Windows; however, adversaries also use it to run code in the context of another user. Recently I was researching named pipe impersonation, which naturally led me to dig into the Win32 API ImpersonateNamedPipeClient. I had never really dug into how ImpersonateNamedPipeClient worked under the hood, so…

Windows

9 min read



Mar 15

Uncovering Windows Events

Threat Intelligence ETW — Not all manifest-based Event Tracing for Windows (ETW) providers that are exposed through Windows are ingested into telemetry sensors/EDRs. One provider commonly leveraged by vendors is the Threat-Intelligence ETW provider. Due to how often it is used, I wanted to map out how its events are being written…

Windows Internals

6 min read



Published in Posts By SpecterOps Team Members · Feb 10

Telemetry Layering

Introduction Creating detections can be challenging. There often isn’t a “simple” way to detect something, and once we see an event that seems to correlate with the activity we are looking for, it is easy to become fixated. We create that detection and move on. However, what if other telemetry sources…

Detection Engineering

8 min read



Published in Posts By SpecterOps Team Members · Jan 18

The Defender’s Guide to Windows Services

It’s dangerous to find malicious services alone! Take this! — Authors: Luke Paine & Jonathan Johnson Introduction This is the second installment of the Defender’s Guide series. In keeping with the theme, we are discussing Windows Services, the underlying technology, common attack vectors, and methods of securing/monitoring them. Services are an important part of the Windows operating system, allowing the control and configuration of long-running processes essential…

Detection Engineering

10 min read



Dec 14, 2022

Uncovering Windows Events

Part 2: The Methodology — In part 1 of this series, I touched on how data is the foundation for defensive capabilities and the importance for defenders to understand where and how telemetry is being generated. …

Windows

4 min read



Nov 14, 2022

Uncovering Windows Events

Part 1: TelemetrySource — Data is the foundation upon which defense is built. This data can come from various telemetry sources — native logging, Endpoint Detection and Response (EDR) tools, network logging, etc. The data from these sources gives us insight into activity happening on a given machine — users logging in, processes…

Windows

6 min read



Sr Researcher @BinaryDefense | Windows Internals

