Jonny Johnson
jonny-johnson.bsky.social
Principal Windows Security Researcher @HuntressLabs | Windows Internals & Telemetry Research
Have you ever wondered if there was a way to deploy a "Remote EDR"? Today I'm excited to share research I've been working on for the past couple months.

This dives into DCOM Interfaces that enable remote ETW trace sessions without dropping an agent to disk.

(Write-up and project link below)
No Agent, No Problem: Discovering Remote EDR
As the reader, I’m sure you’re thinking — “oh great, another EDR internals or bypass post”. I can fully understand that sentiment, as…
jonny-johnson.medium.com
June 6, 2025 at 1:01 PM
I am happy to announce JonMon2.0 has been published.

2.0 offers a lot of feature updates, as well as stability. More features still to come as time goes on. Enjoy and let me know if you have any issues or questions.

Link: github.com/jsecurity101...
January 28, 2025 at 1:53 PM
New EtwInspector kinda going hard 👀
January 16, 2025 at 2:07 PM
Reposted by Jonny Johnson
The perfect loader library was updated this week to support changes made on Windows 11 24H2. A big thank you to Jarrod Davis (@tinybiggames.com) for reporting the issue and helping work on a solution!

A full writeup on the issues and fixes can be found here:
github.com/EvanMcBroom/...
Windows 11 24H2 · Issue #1 · EvanMcBroom/perfect-loader
Hi, will this work in windows 24H2?
github.com
January 8, 2025 at 7:08 PM
Converted Matt Graeber's TraceLogging PS script into C# into the new EtwInspector.
gist.github.com/mattifestati...

Working quite well.

New EtwInspector coming soon...
January 7, 2025 at 1:16 AM
My goal by the end of the year was to finish JonMon 2.0 and I am happy to say that I have done that... Now just to clean up the code, fix the wiki, and write a blog. Stay tuned :)
December 28, 2024 at 10:54 PM
JonMon with the AMSI logs 👀
December 20, 2024 at 3:59 AM
Microsoft's Threat-Intelligence ETW provider now supports events to identify token impersonation attacks. I wrote a blog on these events and how Microsoft is surfacing them:
jsecurity101.medium.com/behind-the-m...
Behind the Mask: Unpacking Impersonation Events
Introduction
jsecurity101.medium.com
December 4, 2024 at 1:36 PM