Jonny Johnson
@JonnyJohnson_
Principal Windows Security Researcher @HuntressLabs | Windows Internals & Telemetry Research
Have you ever wondered if there was a way to deploy a "Remote EDR"? Today I'm excited to share research I've been working on for the past couple months. This dives into DCOM Interfaces that enable remote ETW trace sessions without dropping an agent to disk. Includes a detailed…
I don't know which update specifically, but in a recent update of 24H2 it looks like the Win32k system call table is protected by Kernel Data Protection (read-only SLAT entry)! I believe CI!g_CiOptions and msseccore's SecKdpSe PE section were the only things using it before.
New video out 😊 showing how you can take control of port 445 and perform those magical relay attacks toward AD CS when working from a C2 agent. Way easier than before thanks to some great research by @zyn3rgy youtube.com/watch?v=e4f3h5…
Enroll now for our 40-hour live workshop “EDR Internals: R&D,” co-taught with @MalFuzzer. Starts 23 Oct 2025. Dissect & build EDR drivers, master evasion techniques. Early-bird $1,450 ends 30 Sep. Details: trainsec.net/courses/edr-in… #EDR #WindowsInternals
Modern lateral movement techniques detection (mainly DCOM/DCE/RPC/RDP) with examples. Some assumptions worth mentioning: visibility into source IP/port/hostname, logon activity, remote process metadata. A blog post by @HuntressLabs team. Awesome read, guys!…
Phenomenal course and great instructors! Highly recommend.
Your detection stack has gaps; sophisticated adversaries know this. Our Tradecraft Analysis course teaches you to find and fix those blind spots by deconstructing Windows attack techniques at the telemetry level. Join us at #BHUSA: ghst.ly/bhusa25-ta
Happy to finally share a new blog with @exploitph on our work revisiting the Kerberos Diamond Ticket. ✅ /opsec for a more genuine flow ✅ /ldap to populate the PAC 🆕 Forge a diamond service ticket using an ST We finally gave it a proper cut 💎 huntress.com/blog/recutting…
excited bc today @HuntressLabs is releasing our analysis of a gnarly intrusion into a web3 company by the DPRK's BlueNoroff!! 🤠 we've observed 8 new pieces of macOS malware from implants to infostealers! and they're actually good (for once)! huntress.com/blog/inside-bl…
Excellent post by Johnathan Johnson (@JonnyJohnson_) on leveraging PLA (Performance Logs and Alerts) DCOM library to get to ETW telemetry remotely. We touched the same topic in our RTO: Evasion course, when TraceDataProvider interface was used to locate a "hidden" SysMon…
The @HuntressLabs EDR & DE teams are excited to share our latest collaboration diving deep into lateral movement detection - covering our telemetry collection methods and detection strategies. Check it out: huntress.com/blog/how-huntr…
Amazing time hanging with my buddy @_JohnHammond. Thank you for having me on!
Chatting with mah fwend and co-worker @JonnyJohnson_ to learn all about Event Tracing for Windows, and some super cool projects he has been working on: a lightweight and custom "toy EDR" JonMon and ETWInspector to help with Windows telemetry research! youtu.be/BNWAxJFL6uM
Excited to share that we've renamed our course from "SOC200" to "Alerts to Adversaries" - wanted to move away from the SOC branding since this isn't just for SOC analysts. This course is designed for anyone doing alert investigation and event correlation work. The 4-day…
We’re excited to share that SOC 200 has now been renamed “Alerts to Adversaries” to better reflect it being an advanced course for Engineers and Analysts. We're also going to reschedule it to Fall 2025 to better align with summer conferences and end-of-term schedules for all.…
WMI Internals, by @JonnyJohnson_ Part 1 Understanding the Basics jsecurity101.medium.com/wmi-internals-… Part 2 Reversing a WMI Provider jsecurity101.medium.com/wmi-internals-… Part 3 Beyond COM jonny-johnson.medium.com/wmi-internals-…