DCP Live - Session 8

Understanding Telemetry: Kernel Callbacks

Category: research

Introduction

I’ve published blogs around telemetry mechanisms like Event Tracing for Windows (ETW) in the Uncovering Windows Events series, but one mechanism I haven’t discussed yet is kernel callback functions. This was mentioned in one of the DCP Live episodes that Jared Atkinson and I host on Mondays, so I figured ...
Exploring Impersonation through the Named Pipe Filesystem Driver

Introduction

Impersonation often happens natively in Windows; however, adversaries also use it to run code in the context of another user. Recently I was researching named pipe impersonation, which naturally led me to dig into the Win32 API ImpersonateNamedPipeClient. I had never really dug into how ImpersonateNamedPipeClient worked under the hood, so ...
Uncovering Windows Events

Threat Intelligence ETW

Not all manifest-based Event Tracing for Windows (ETW) providers that are exposed through Windows are ingested into telemetry sensors/EDRs. One provider that is commonly leveraged by vendors is the Threat-Intelligence ETW provider. Due to how often it is used, I wanted to map out how its events are ...
Telemetry Layering

Introduction

Creating detections can be challenging. There often isn’t a “simple” way to detect something, and once we see an event that seems to correlate with the activity we are looking for, it is easy to become fixated. We create that detection and move on. However, what if other telemetry sources ...
The Defender’s Guide to Windows Services

It’s dangerous to find malicious services alone! Take this!

Authors: Luke Paine & Jonathan Johnson

Introduction

This is the second installment of the Defender’s Guide series. In keeping with the theme, we are discussing Windows Services, the underlying technology, common attack vectors, and methods of securing/monitoring them. Services are an important part of the Windows ...
Uncovering Window Security Events

Categories: Cybersecurity, Windows

Part 1: Telemetry Source

Data is the foundation upon which defense is built. This data can come from various telemetry sources: native logging, Endpoint Detection and Response (EDR) tools, network logging, etc. The data from these sources gives us insight into activity happening on a given machine: users logging in, processes being created, ...
SyScan'14 Singapore: All About the RPC, LRPC, ALPC, and LPC in Your PC by Alex Ionescu

WMI Internals Part 3

Categories: Windows, windows-internals

Beyond COM

In a previous blog post of mine, WMI Internals Part 2: Reversing a WMI Provider, I walked through how the WMI architecture is foundationally built upon COM and, in turn, how WMI classes can end up invoking COM methods to perform actions. I used the PS_ScheduledTask WMI class as an ...