2025·12·18
RAG, ICL, and Windows Events: Building a Human-Guided Security Analyst
Leveraging AI in the defensive/offensive space has taken off the past couple of years.
Tag
detection
/ 35 posts2025·09·29
Peeling Back the Mask: How the Threat Intelligence Provider is Protected
If you’re an offensive or defensive engineer, a Windows endpoint engineer, or a Windows researcher, chances are you’ve come across Microsoft’s Threat-Intelligence ETW provider and understand the immense value it offers for telemetry.
2025·06·06
No Agent, No Problem: Discovering Remote EDR
As the reader, I’m sure you’re thinking — “oh great, another EDR internals or bypass post”.
2025·03·17
The Truth About Telemetry: The Role of Primary and Secondary Telemetry Sources
Detection Engineers, Threat Hunters, and SOC Analysts all rely on one critical thing to do their jobs effectively — telemetry.
2024·12·04
Behind the Mask: Unpacking Impersonation Events
Microsoft continuously marches forward in providing us security events that uncovers activity that has long been used by attackers.
2024·10·31
Silencing the EDR Silencers
A walkthrough of how attackers use Windows Filtering Platform rules to silence EDR network traffic, and how products can protect themselves from this attack.
2024·06·12
Refining Detection: New Perspectives on ETW Patching Telemetry
Not long ago I wrote a blog called Understanding ETW Patching where I walked through how ETW patching is a hyper-focused version of a function patch.
2024·04·12
Understanding ETW Patching
As of late, I have gotten a lot of questions around Event Tracing for Windows (ETW) patching, specifically the following questions:
2024·04·04
What the Fork: Exploring Telemetry Gaps in Microsoft’s 4688 Event
A walk through process forking on Windows, how an adversary might leverage it, how you can identify this behavior, and where the 4688 event's metadata falls short.
2023·12·18
Uncovering Adversarial LDAP Tradecraft
A deep dive into adversarial LDAP tradecraft - exposing the telemetry available for LDAP activity and offering guidance on detecting malicious behavior, co-authored with the TrustedSec research team.
2023·10·11
The Client/Server Relationship — A Match Made In Heaven
A walk through the client/server relationship at the heart of RPC and COM activity, and why that context is critical for detection engineering and incident response.
2023·10·11
Demystifying DLL Hijacking Understanding the Intricate World of Dynamic Link Library Attacks
A deep dive into DLL hijacking - the basics, the different types of hijacks, and detection ideas for an attack that's historically been considered hard to spot.
2023·03·15
Uncovering Windows Events Part 3
Not all manifest-based Event Tracing for Windows (ETW) providers that are exposed through Windows are ingested into telemetry sensors/EDR’s.
2023·02·10
Telemetry Layering
Creating detections can be challenging.
2023·01·18
The Defender’s Guide to Windows Services
Part 2 of the Defender's Guide series: how Windows services work under the hood, the metadata available for them, and how to spot service abuse in telemetry.
2022·12·14
Uncovering Windows Events Part 2
In part 1 of this series, I touched on how data is the foundation for defensive capabilities and the importance for defenders to understand where and how telemetry is being generated.
2022·11·14
Uncovering Windows Events Part 1
Data is the foundation by which defense is built upon.
2022·07·26
Better know a data source: Logon sessions
A walk through Windows logon sessions - what they are, how they're tied to tokens and processes, and how defenders can use that link to tell the full story around suspicious activity.
2022·05·09
Defending the Three Headed Relay
A look at the Kerberos Relaying attacks made popular by KrbRelayUp - what's actually being relayed, what defenders should be looking for, and where existing detections might be missing the mark.
2022·04·20
Better know a data source: Access tokens (and why they’re hard to get)
Detection engineers are frequently beset with the challenge of detecting a technique for which optics are poor, non-existent, or difficult to collect at scale.
2022·04·05
Bypassing Access Mask Auditing Strategies
This past week I briefly talked about Process Access data within a talk that Olaf and I gave at ATT&CKCON 3.0 (YouTube link isn’t live yet).
2021·12·13
Better know a data source: Process integrity levels
In this second installment of our Better know a data source series, we’re showcasing process integrity levels.
2021·11·22
The dark side of Microsoft Remote Procedure Call protocols
A look at how adversaries abuse Microsoft RPC (MSRPC) for privilege escalation - and where the detection opportunities sit, from PetitPotam to PrintNightmare.
2021·07·20
Dataset Prioritization
A common issue within the investigation process is alert fatigue.
2021·06·01
Evadere Classifications
The term evasion is derived from the Latin word “evadere” which means — “To escape, to get away.” The DOD defines evasion as — “The process whereby isolated personnel avoid capture with the goal of successfully returning to areas under friendly control.”
2021·03·15
Abstracting Scheduled Tasks
Applying Capability Abstraction to scheduled tasks: walking the static and dynamic analysis used to map the behavior end-to-end and turn it into reliable detection.
2020·07·06
Utilizing RPC Telemetry
A few months ago, Jared Atkinson released a blog post that introduced a detection engineering methodology he referred to as Capability Abstraction.
2020·05·18
Engineering Process Injection Detections - Part 2: Data Modeling
During Part 1 of this blog series: Engineering Process Injection Detections — Part 1: Research, I covered how you can maximize your detection efforts by following a concept outlined by Jared Atkinson: Capability Abstraction.
2020·04·28
Did Someone Say Data Analytics?
One thing that the SpecterOps defensive team likes to pride ourselves in, is our ability to manipulate data in a way to best help our client’s needs.
2020·03·06
Engineering Process Injection Detections - Part 1: Research
Often within detection engineering, we come across an attack technique that we want to create a detection for but don’t know where to start the process to effectively do so.
2019·10·09
Uncovering The Unknowns
From a defensive perspective, one of the most dangerous things we apply to security is assumptions.
2019·09·16
You Can Run, But You Can’t Hide - Detecting Process Reimaging Behavior
Around 3 months ago, a new attack technique was introduced to the InfoSec community known as “Process Reimaging.” This technique was released by the McAfee Security team in a blog titled — “In NTDLL I Trust — Process Reimaging and Endpoint Security Solution Bypass.” A few days after this attack technique was released, a co-worker and friend of mine — Dwight Hohnstein — came out with proof of concept code demonstrating this technique, which can be found on his GitHub.
2019·04·14
Syncing Into the Shadows
As an adversary, one of the goals is to capture Domain Admin (DA) credentials, change/modify objects inside of Active Directory, and to be able to evade any detection systems that an environment may have in place.
2019·03·12
Injecting Into The Hunt
Process Injection is a very common Defense Evasion/Privilege Escalation technique.
2019·01·17
IOC differences between Kerberoasting and AS-REP Roasting
A walk through the IOC differences between Kerberoasting and AS-REP Roasting - two attack techniques that look similar at a glance but leave distinctly different traces.