John U

@jdu2600.bsky.social

He/him. Security Research Engineer @ Prelude Research.

43 Followers  |  155 Following  |  23 Posts  |  Joined: 20.11.2024

Latest posts by jdu2600.bsky.social on Bluesky

We’re trying something new.

www.preludesecurity.com/runtime-memo...

31.07.2025 10:59 — 👍 4    🔁 1    💬 0    📌 0

The Security Conversation - The value of offensive security work is fully realized by participation in the security conversation.

aff-wg.org/2025/03/13/t...

14.03.2025 02:51 — 👍 11    🔁 5    💬 0    📌 1

Writing Windows Unit Tests: Telemetry bugs are security vulnerabilities too BSides Canberra 2025 With the introduction of Kernel Patch Protection, Microsoft created a shared responsibility model where security vendors are now limited to only the kernel visibility and extension points that Microso...

"Writing Windows Unit Tests: Telemetry bugs are security vulnerabilities too"
John Uhlmann reveals how flaws in Windows kernel telemetry can hide security risks, and why unit tests help fix them.
Details: cfp.bsidescbr.com.au/bsides-canbe...

22.07.2025 04:50 — 👍 3    🔁 1    💬 0    📌 0

Has this episode been published yet?

The Airlock Digital interviews are the best. 😃

09.07.2025 02:54 — 👍 0    🔁 0    💬 1    📌 0

Though software bugs are BAU.
So I’m more interested in who thought it was a good idea to deploy IT EDR on business critical OT systems.

Was this pushed by overly aggressive sales? Or did the CISOs not understand risk?

04.07.2025 01:27 — 👍 0    🔁 0    💬 0    📌 0

You should clarify that it was caused by a bug in their kernel driver that was triggered when they forcibly globally deployed a bad content update with buggy unit testing and no integration testing.

04.07.2025 01:21 — 👍 1    🔁 0    💬 1    📌 0

Beacon Object Files – Five Years On… When I was active in the red teaming space, one of my stated goals was to act on problems with solutions that would have utility 5-10 years from the time of their release. This long-term thinking w…

Beacon Object Files... Five Years On

aff-wg.org/2025/06/26/b...

I released BOFs with Cobalt Strike 4.1 five years ago. This is some history on the feature and what led to it. My thinking at the time. A few thoughts on current discourse.

26.06.2025 18:48 — 👍 13    🔁 5    💬 0    📌 0

Call Stacks: No More Free Passes For Malware — Elastic Security Labs We explore the immense value that call stacks bring to malware detection and why Elastic considers them to be vital Windows endpoint telemetry despite the architectural limitations.

My final Elastic Security Labs blog -
www.elastic.co/security-lab...

14.06.2025 03:34 — 👍 2    🔁 0    💬 0    📌 0

So, here's a little thread on my new open source project:

The Tradecraft Garden.

tradecraftgarden.org

It's Crystal Palace, an open-source linker and linker script specialized to writing PIC DLL loaders.

And, a corpora of DLL loaders demonstrating design patterns building tradecraft with it.

05.06.2025 14:36 — 👍 24    🔁 13    💬 1    📌 2

This is absolute 🔥 - and will significantly harden the path to domain admin against common initial access vectors.

Is it looking likely to be the default for existing installs after upgrade, or just for new installs?

21.05.2025 00:44 — 👍 1    🔁 0    💬 0    📌 0

Enhance your application security with administrator protection Introduction Administrator protection is a new Windows 11 platform security feature that aims to protect the admin users on the device while still allowing them to perform the necessary functions whic...

We are removing default admin in Windows 11, get your apps ready now

blogs.windows.com/windowsdevel...

19.05.2025 18:11 — 👍 38    🔁 20    💬 2    📌 1

Misbehaving Modalities: Detecting Tools, Not Techniques — Elastic Security Labs We explore the concept of Execution Modality and how modality-focused detections can complement behaviour-focused ones.

ATT&CK never felt quite right to me. I originally thought it was just that the taxonomy was incomplete.

Then Jared Atkinson at @specterops.io framed my misgivings as a missing dimension and it just clicked.

So I explored the concept of Execution Modality -
www.elastic.co/security-lab...

14.05.2025 12:44 — 👍 2    🔁 0    💬 0    📌 0

When are you speaking at AISA PerthSEC though?

14.05.2025 10:01 — 👍 1    🔁 0    💬 1    📌 0

One of the least discussed topics in detection engineering is maintenance. But why is no one talking about this? In this first blog we explore its relevance to #detectionengineering and the paradox that keeps us awake at night. Enjoy!

falconforce.nl/why-is-no-on...

09.05.2025 10:37 — 👍 3    🔁 1    💬 0    📌 0

BSides Canberra - 25-27th September 2025! BSides Canberra 2025 - BSides Canberra is a technical community conference focussing on the deep understanding of cyber security topics.

www.bsidesau.com.au

16.04.2025 14:18 — 👍 1    🔁 0    💬 0    📌 0

I just uploaded slides from an old talk on Windows x64 Stack Walking.

github.com/jdu2600/conf...

13.04.2025 01:43 — 👍 2    🔁 0    💬 0    📌 0

I attended last week's Pall Mall Process conference in Paris.

I wanted to dump a few notes, writing from my perspective as a security researcher, hacker, former entrepreneur, and creator of a well-known C2 platform (one that, importantly, I'm no longer involved with).

07.04.2025 22:21 — 👍 4    🔁 3    💬 1    📌 0

Good luck.
The 1.11.0 update did not go well for me…

07.04.2025 13:59 — 👍 1    🔁 0    💬 0    📌 0

Thanks for the shoutout to my research and tool!

Just a heads up that Get-InjectedThreadEx.ps1 (2022) was superseded by Get-InjectedThreadEx.exe (2023).

It's faster - and more comprehensive.

19.03.2025 05:22 — 👍 1    🔁 0    💬 0    📌 0
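The Elastic call-stacks post earlier in this feed and the Get-InjectedThreadEx tool mentioned here share one core signal: a thread start address or a return address on the stack that is not backed by any loaded image is a strong indicator of injected code. The following is an added illustration of that heuristic in Python and is not code from either project. The module bases, sizes, thread IDs and return addresses are constructed for the example; nothing here reads a live process, and the real tools use far more checks than this.

```python
"""Unbacked-memory call-stack heuristic over constructed thread samples.

Added example; not code from Get-InjectedThreadEx or Elastic Security Labs.
All module ranges, addresses and thread samples below are constructed
(hypothetical) for illustration; nothing here inspects a real process.
"""
from bisect import bisect_right
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


class ModuleMap:
    """Image map kept sorted by base so each address lookup is a binary search."""

    def __init__(self, modules):
        self._mods = sorted(modules, key=lambda m: m.base)
        self._bases = [m.base for m in self._mods]

    def lookup(self, addr: int):
        i = bisect_right(self._bases, addr) - 1
        if i >= 0 and self._mods[i].contains(addr):
            return self._mods[i]
        return None  # not backed by any loaded image


def describe(addr: int, modmap: ModuleMap) -> str:
    m = modmap.lookup(addr)
    return f"{m.name}+0x{addr - m.base:x}" if m else f"UNBACKED 0x{addr:x}"


def classify_thread(tid: int, start_addr: int, frames, modmap: ModuleMap) -> dict:
    """Flag a thread if its start address, or any return address on its
    stack, lies outside every image-backed region.  Walking the whole stack
    (not just the start address) is what catches code that enters via a
    legitimate module export but returns into private memory."""
    reasons = []
    if modmap.lookup(start_addr) is None:
        reasons.append(f"start address {describe(start_addr, modmap)}")
    for depth, ret in enumerate(frames):
        if modmap.lookup(ret) is None:
            reasons.append(f"frame {depth} {describe(ret, modmap)}")
    return {
        "tid": tid,
        "suspicious": bool(reasons),
        "reasons": reasons,
        "stack": [describe(r, modmap) for r in frames],
    }


# Constructed image map (hypothetical bases; real values differ per process).
MODULES = ModuleMap([
    Module("app.exe", 0x7FF6_0000_0000, 0x80000),
    Module("kernel32.dll", 0x7FF7_FE00_0000, 0x100000),
    Module("ntdll.dll", 0x7FF8_0000_0000, 0x200000),
])

# Constructed thread samples: (tid, start address, return addresses innermost first).
SAMPLES = [
    # Ordinary worker: starts in kernel32 and every frame is image-backed.
    (0x1A0, 0x7FF7_FE01_2340, [0x7FF8_0003_1122, 0x7FF7_FE01_2350, 0x7FF8_0002_0AB0]),
    # Classic injection: thread created directly at a private (non-image) buffer.
    (0x1B4, 0x1A2B_3C00_0000, [0x1A2B_3C00_0140, 0x7FF7_FE01_2350, 0x7FF8_0002_0AB0]),
    # Start address is a benign ntdll export, but one frame returns into private memory.
    (0x1C8, 0x7FF8_0001_5000, [0x7FF8_0003_1122, 0x2222_0000_0C00, 0x7FF8_0002_0AB0]),
]


def scan(samples=SAMPLES, modmap=MODULES):
    """Classify every constructed sample; returns one result dict per thread."""
    return [classify_thread(t, s, f, modmap) for t, s, f in samples]


if __name__ == "__main__":
    for r in scan():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"tid {r['tid']:#x}: {flag} {r['reasons']}")
```

The third sample is the case a start-address-only check misses: the thread began at a real ntdll address, and only the stack walk exposes the return into unbacked memory. On a real system the map would come from the process's loaded-module list and the frames from an unwinder, and legitimate JIT or trampoline code produces unbacked frames too, so this is a triage signal rather than a verdict.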
How Australian spies tracked down Russian cyber gang responsible for Medibank data leak

amp.9news.com.au/article/d0bf...

15.02.2025 03:51 — 👍 0    🔁 0    💬 0    📌 0

MITRE is simply a technique taxonomy - it doesn't have a risk overlay.

Too often the industry overfits on 100% coverage rather than cost-effective risk-informed defenses.
It's okay to assess a technique as low risk and to not have specific coverage.

MITRE's biases don't need to be your biases.

06.02.2025 02:24 — 👍 0    🔁 0    💬 0    📌 0

What Makes a “Good” Detection? Whether you’re a seasoned Detection Engineer or just starting to build out your SIEM, there comes a point where you need to ask yourself…

💯 "Just because we can write a detection for something, doesn’t mean we should."

infosecwriteups.com/what-makes-a...

06.02.2025 02:20 — 👍 0    🔁 0    💬 1    📌 0

Half* of my family read everything in OpenDyslexia.

* No actual dyslexia, and not the half with AuDHD either.

28.01.2025 10:29 — 👍 0    🔁 0    💬 0    📌 0

www.cisa.gov/sites/defaul...

25.01.2025 09:00 — 👍 0    🔁 0    💬 1    📌 0

Isn’t this the audit logging component of secure by design?

25.01.2025 05:08 — 👍 0    🔁 0    💬 1    📌 0

BSides Canberra - 25-27th September 2025! BSides Canberra 2025 - BSides Canberra is a technical community conference focussing on the deep understanding of cyber security topics.

bsidescbr.com.au

23.01.2025 09:39 — 👍 0    🔁 0    💬 0    📌 0

Hey @malwaretech.com. I've been loving your recent advocacy on this, and also that from @boblord.bsky.social on what he calls hacklore.

I wonder if I should create a Hacklore Wall of Shame to call out the organizations perpetuating these myths.

18.01.2025 02:19 — 👍 2    🔁 0    💬 1    📌 0
BOD 23-02: Mitigating the Risk from Internet-Exposed Management Interfaces | CISA This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive 23-02: Mitigating the Risk

Only public facing services need to be on the public internet (aka shodan). For all other services the convenience of being internet facing needs to be weighed against the risk.

CISA gets this.
www.cisa.gov/news-events/...

04.01.2025 03:11 — 👍 0    🔁 0    💬 0    📌 0

So how do we push back on fraud more generally?

It feels like we need improvements in digital identity and signatures.

A few governments have built such ecosystems, but the alternative would be to incentivize industry (esp banks) to do so.

Should banks be liable for invoice fraud?

04.01.2025 02:50 — 👍 0    🔁 0    💬 1    📌 0

💯

Magic links are the most straightforward recovery mechanism.

Though, for individuals, the security benefits of passkeys are only marginal over browser-generated passwords - so the advice I still give is simply to use a password manager for most sites and use SMS 2FA for your email.

04.01.2025 02:09 — 👍 0    🔁 0    💬 0    📌 0
