John U
jdu2600.bsky.social
He/him. Security Research Engineer @ Prelude Research.
Pinned
MITRE is simply a technique taxonomy - it doesn't have a risk overlay.

Too often the industry overfits on 100% coverage rather than cost-effective risk-informed defenses.
It's okay to assess a technique as low risk and to not have specific coverage.

MITRE's biases don't need to be your biases.
Windows Loader Lock got you down? This might help.

www.preludesecurity.com/blog/escapin...
October 30, 2025 at 1:01 AM
Reposted by John U
Analysis of a Ransomware Breach

aff-wg.org/2025/09/26/a...

Breach analysis? Breach intelligence? Industry critique? Fee-only ransomware negotiator? 100% efficacy? The story of how Microsoft worked an old problem, fucked it up, we malign the guy who told us, they fixed it, and it wasn't fixed? PtH?
September 26, 2025 at 5:12 PM
Reposted by John U
Win32_Process has been the go-to WMI class for remote command execution for years.

Steven Flores explores a new WMI class that functions like Win32_Process and offers further capability. Read more: ghst.ly/4gyPbkr
More Fun With WMI - SpecterOps
TL;DR Win32_Process has been the go-to WMI class for remote command execution for years. In this post we will cover a new WMI class that functions like Win32_Process and offers further capability From...
ghst.ly
September 18, 2025 at 4:36 PM
Hey @sysinternals.com @markrussinovich.bsky.social
How do I share information about a kernel bug that impacts Sysmon and Process Monitor?
August 30, 2025 at 1:51 AM
We’re trying something new.

www.preludesecurity.com/runtime-memo...
July 31, 2025 at 11:00 AM
Reposted by John U
The Security Conversation - The value of offensive security work is fully realized by participation in the security conversation.

aff-wg.org/2025/03/13/t...
March 14, 2025 at 2:51 AM
Reposted by John U
"Writing Windows Unit Tests: Telemetry bugs are security vulnerabilities too"
John Uhlmann reveals how flaws in Windows kernel telemetry can hide security risks, and why unit tests help fix them.
Details: cfp.bsidescbr.com.au/bsides-canbe...
Writing Windows Unit Tests: Telemetry bugs are security vulnerabilities too BSides Canberra 2025
With the introduction of Kernel Patch Protection, Microsoft created a shared responsibility model where security vendors are now limited to only the kernel visibility and extension points that Microso...
cfp.bsidescbr.com.au
July 22, 2025 at 4:50 AM
Reposted by John U
Beacon Object Files... Five Years On

aff-wg.org/2025/06/26/b...

I released BOFs with Cobalt Strike 4.1 five years ago. This is some history on the feature and what led to it. My thinking at the time. A few thoughts on current discourse.
Beacon Object Files – Five Years On…
When I was active in the red teaming space, one of my stated goals was to act on problems with solutions that would have utility 5-10 years from the time of their release. This long-term thinking w…
aff-wg.org
June 26, 2025 at 6:48 PM
Reposted by John U
So, here's a little thread on my new open source project:

The Tradecraft Garden.

tradecraftgarden.org

It's Crystal Palace, an open-source linker and linker script specialized to writing PIC DLL loaders.

And, a corpora of DLL loaders demonstrating design patterns building tradecraft with it.
June 5, 2025 at 2:36 PM
ATT&CK never felt quite right to me. I originally thought it was just that the taxonomy was incomplete.

Then Jared Atkinson at @specterops.io framed my misgivings as a missing dimension and it just clicked.

So I explored the concept of Execution Modality -
www.elastic.co/security-lab...
Misbehaving Modalities: Detecting Tools, Not Techniques — Elastic Security Labs
We explore the concept of Execution Modality and how modality-focused detections can complement behaviour-focused ones.
www.elastic.co
May 14, 2025 at 12:44 PM
Reposted by John U
One of the least discussed topics in detection engineering is maintenance. But why is no one talking about this? In this first blog we explore its relevance to #detectionengineering and the paradox that keeps us awake at night. Enjoy!

falconforce.nl/why-is-no-on...
May 9, 2025 at 10:37 AM
I just uploaded slides from an old talk on Windows x64 Stack Walking.

github.com/jdu2600/conf...
github.com
April 13, 2025 at 1:43 AM
Reposted by John U
I attended last week's Pall Mall Process conference in Paris.

I wanted to dump a few notes, writing from my perspective as a security researcher, hacker, former entrepreneur, and creator of a well-known C2 platform (one that, importantly, I'm no longer involved with).
April 7, 2025 at 10:21 PM
💯 "Just because we can write a detection for something, doesn’t mean we should."

infosecwriteups.com/what-makes-a...
What Makes a “Good” Detection?
Whether you’re a seasoned Detection Engineer or just starting to build out your SIEM, there comes a point where you need to ask yourself…
infosecwriteups.com
February 6, 2025 at 2:20 AM
Reposted by John U
I wrote about how magic links (emailed one-time login links) frustrate me while explaining that they radically accept some fundamental truths. I argue that websites should layer passkeys on top of magic links to provide a seamless authentication experience for everyone. rmondello.com/2025/01/02/m...
Ricky Mondello » Magic Links Have Rough Edges, but Passkeys Can Smooth Them Over
rmondello.com
January 2, 2025 at 2:44 PM