John U
jdu2600.bsky.social
He/him. Security Research Engineer @ Prelude Research.
Paraphrasing the Windows Kernel team: Improving security-relevant kernel telemetry is not a priority for us.

There appears to be a disconnect between Microsoft’s public messaging on security and how it is incentivising its workforce.
November 30, 2025 at 2:47 AM
Personally I’d love to see a new process security mitigation that blocks the creation of unnamed (aka non-exported) threads. Same for APCs.
November 30, 2025 at 2:34 AM
Possibly coupled with a new default compiler behaviour that identifies thread entrypoints and adds them to the export table.

Easier to change 10 compilers than 10000 apps…
November 30, 2025 at 2:31 AM
Wouldn’t using the public symbol of the thread’s entrypoint cover the most common cases?
November 30, 2025 at 2:27 AM
Variations of this pop up every few years. Mostly to avoid compound behavioural rules.

theevilbit.github.io/posts/divide...
Divide and Conquer - A technique to bypass NextGen AV
TL;DR This blog post describes a generic technique I called internally on our red team assessment “Divide and Conquer”, which can be used to bypass behavioral based NextGen AV detectio...
theevilbit.github.io
November 29, 2025 at 4:53 AM
Kernel bug details emailed.
September 11, 2025 at 5:15 AM
Has this episode been published yet?

The Airlock Digital interviews are the best. 😃
July 9, 2025 at 2:54 AM
Though software bugs are BAU.
So I’m more interested in who thought it was a good idea to deploy IT EDR on business critical OT systems.

Was this pushed by overly aggressive sales? Or did the CISOs not understand risk?
July 4, 2025 at 1:27 AM
You should clarify that it was caused by a bug in their kernel driver that was triggered when they forcibly globally deployed a bad content update with buggy unit testing and no integration testing.
July 4, 2025 at 1:21 AM
This is absolute 🔥 and will significantly harden the path to domain admin against common initial access vectors.

Is it looking likely to be the default for existing installs after upgrade, or just for new installs?
May 21, 2025 at 12:44 AM
When are you speaking at AISA PerthSEC though?
May 14, 2025 at 10:01 AM