John U

Windows Loader Lock got you down? This might help.

www.preludesecurity.com/blog/escapin...

Analysis of a Ransomware Breach

aff-wg.org/2025/09/26/a...

Breach analysis? Breach intelligence? Industry critique? Fee-only ransomware negotiator? 100% efficacy? The story of how Microsoft worked an old problem, fucked it up, we malign the guy who told us, they fixed it, and it wasn't fixed? PtH?

More Fun With WMI - SpecterOps TL;DR Win32_Process has been the go to WMI class for remote command execution for years. In this post we will cover a new WMI class that functions like Win32_Process and offers further capability From...

Win32_Process has been the go to WMI class for remote command execution for years.

Steven Flores explores a new WMI class that functions like Win32_Process and offers further capability. Read more: ghst.ly/4gyPbkr

Kernel bug details emailed.

Hey @sysinternals.com @markrussinovich.bsky.social
How do I share information about a kernel bug that impacts Sysmon and Process Monitor?

We’re trying something new.

www.preludesecurity.com/runtime-memo...

The Security Conversation - The value of offensive security work is fully realized by participation in the security conversation.

aff-wg.org/2025/03/13/t...

Writing Windows Unit Tests: Telemetry bugs are security vulnerabilities too BSides Canberra 2025 With the introduction of Kernel Patch Protection, Microsoft created a shared responsibility model where security vendors are now limited to only the kernel visibility and extension points that Microso...

"Writing Windows Unit Tests: Telemetry bugs are security vulnerabilities too"
John Uhlmann reveals how flaws in Windows kernel telemetry can hide security risks, and why unit tests help fix them.
Details: cfp.bsidescbr.com.au/bsides-canbe...

Has this episode been published yet?

The Airlock Digital interviews are the best. 😃

Though software bugs are BAU.
So I’m more interested in who thought it was a good idea to deploy IT EDR on business critical OT systems.

Was this pushed by overly aggressive sales? Or did the CISOs not understand risk?

You should clarify that it was caused by a bug in their kernel driver that was triggered when they forcibly globally deployed a bad content update with buggy unit testing and no integration testing.

Beacon Object Files – Five Years On… When I was active in the red teaming space, one of my stated goals was to act on problems with solutions that would have utility 5-10 years from the time of their release. This long-term thinking w…

Beacon Object Files... Five Years On

aff-wg.org/2025/06/26/b...

I released BOFs with Cobalt Strike 4.1 five years ago. This is some history on the feature and what led to it. My thinking at the time. A few thoughts on current discourse.

Call Stacks: No More Free Passes For Malware — Elastic Security Labs We explore the immense value that call stacks bring to malware detection and why Elastic considers them to be vital Windows endpoint telemetry despite the architectural limitations.

My final Elastic Security Labs blog -
www.elastic.co/security-lab...

So, here's a little thread on my new open source project:

The Tradecraft Garden.

tradecraftgarden.org

It's Crystal Palace, an open-source linker and linker script specialized to writing PIC DLL loaders.

And, a corpora of DLL loaders demonstrating design patterns building tradecraft with it.

This is absolute 🔥- and will significantly harden the path to domain admin against common initial access vectors.

Is it looking likely to be the default for existing installs after upgrade, or just for new installs?

Enhance your application security with administrator protection Introduction Administrator protection is a new Windows 11 platform security feature that aims to protect the admin users on the device while still allowing them to perform the necessary functions whic...

We are removing default admin in Windows 11, get your apps ready now

blogs.windows.com/windowsdevel...

Misbehaving Modalities: Detecting Tools, Not Techniques — Elastic Security Labs We explore the concept of Execution Modality and how modality-focused detections can complement behaviour-focused ones.

ATT&CK never felt quite right to me. I originally thought it was just that the taxonomy was incomplete.

Then Jared Atkinson at @specterops.io framed my misgivings as a missing dimension and it just clicked.

So I explored the concept of Execution Modality -
www.elastic.co/security-lab...

When are you speaking at AISA PerthSEC though?

One of the least discussed topics in detection engineering is maintenance. But why is no one talking about this? In this first blog we explore its relevance to #detectionengineering and the paradox that keeps us awake at night. Enjoy!

falconforce.nl/why-is-no-on...

BSides Canberra - 25-27th September 2025! BSides Canberra 2025 - BSides Canberra is a technical community conference focussing on the deep understanding of cyber security topics.

www.bsidesau.com.au

I just uploaded slides from an old talk on Windows x64 Stack Walking.

github.com/jdu2600/conf...

I attended last week's Pall Mall Process conference in Paris.

I wanted to dump a few notes, writing from my perspective as a security researcher, hacker, former entrepreneur, and creator of a well-known C2 platform (one that, importantly, I'm no longer involved with).

Good luck.
The 1.11.0 update did not go well for me…

Thanks for the shoutout to my research and tool!

Just a heads up that Get-InjectedThreadEx.ps1 (2022) was superseded by Get-InjectedThreadEx.exe (2023).

It's faster - and more comprehensive.

amp.9news.com.au/article/d0bf...

MITRE is simply a technique taxonomy - it doesn't have a risk overlay.

Too often the industry overfits on 100% coverage rather than cost-effective risk-informed defenses.
It's okay to assess a technique as low risk and to not have specific coverage.

MITRE's biases don't need to be your biases.

What Makes a “Good” Detection? Whether you’re a seasoned Detection Engineer or just starting to build out your SIEM, there comes a point where you need to ask yourself…

💯 "Just because we can write a detection for something, doesn’t mean we should."

infosecwriteups.com/what-makes-a...

Half* of my family read everything in OpenDyslexia.

* No actual dyslexia, and not the half with AuDHD either.

www.cisa.gov/sites/defaul...

Isn’t this the audit logging component of secure by design?