
Jonathan Johnson

Understanding Telemetry: Kernel Callbacks
Introduction I’ve published blogs around telemetry mechanisms like Event Tracing for Windows (ETW) in the Uncovering...
By: Jonathan Johnson
Jun 12, 2023 • 12 min read
Exploring Impersonation through the Named Pipe Filesystem Driver
Introduction Impersonation happens often natively in Windows, however, adversaries also use it to run code in...
By: Jonathan Johnson
May 3, 2023 • 10 min read
Threat Intelligence ETW
Not all manifest-based Event Tracing for Windows (ETW) providers that are exposed through...
By: Jonathan Johnson
Mar 15, 2023 • 7 min read
Introduction Creating detections can be challenging. There often isn’t a “simple” way to detect something, and...
By: Jonathan Johnson
Feb 10, 2023 • 10 min read
The Defender’s Guide to Windows Services
It’s dangerous to find malicious services alone! Take this! Authors: Luke Paine & Jonathan Johnson Introduction This is...
By: Jonathan Johnson
Jan 18, 2023 • 11 min read
Uncovering Window Security Events
Part 1: Telemetry Source. Data is the foundation upon which defense is built. This data can...
By: Jonathan Johnson
Nov 14, 2022 • 7 min read
Beyond COM
In a previous blog post of mine — WMI Internals Part 2: Reversing a WMI Provider...