- JonMon (Author)
- Telemetry Source (Author)
- PowerParse (Author)
- MSFT_DriverBlockList (Author)
- The Defenders Guide (Co-Author)
- AtomicTestHarnesses (Contributor)
- SeatBelt (Contributor)
- MITRE ATT&CK - Access Token Manipulation (Contributor)
Most Noteable Blogs:
- Better know a data source: Process integrity levels
- Better know a data source: Access tokens (and why they’re hard to get)
- Exploring Token Members Part 2
- WMI Internals Series:
- Uncovering Window Events:
- The Defender’s Guide to Windows Services
- Exploring Impersonation through the Named Pipe Filesystem Driver
- Demystifying DLL Hijacking Understanding the Intricate World of Dynamic Link Library Attacks
- Understanding Telemetry: Kernel Callbacks
- ThreadSleeper: Suspending Threads via GMER64 Driver
- Understanding ETW Patching
- Mastering Windows Access Control: Understanding SeDebugPrivilege
- Silencing the EDR Silencers
- A Voyage to Uncovering RPC Telemetry – (SO-CON 2020)
- Understanding Technique Abstraction for Detection Engineers Workshop - (SO-CON 2020)
- MSRPC ATT&CK Mapping - EU MITRE 8th Workshop
- Insights into Highly Valued Data Sources - ATT&CKCON 3.0 2022
- Once Upon A Login: How Logon Sessions Help Defenders See the Bigger Picture 2022
- DEATHCon 2022 - Mapping Detection Coverage
- JonMon
- Empowering Research with Defensive Tooling