Have you ever wondered if there was a way to deploy a "Remote EDR"? Today I'm excited to share research I've been working on for the past couple months. This dives into DCOM Interfaces that enable remote ETW trace sessions without dropping an agent to disk. (Write-up and project link below)

I am happy to announce JonMon2.0 has been published. 2.0 offers a lot of feature updates, as well as stability. More features still to come as time goes on. Enjoy and let me know if you have any issues or questions. Link: github.com/jsecurity101...

New EtwInspector kinda going hard 👀

The perfect loader library was updated this week to support changes made on Windows 11 24H2. A big thank you to Jarrod Davis (@tinybiggames.com) for reporting the issue and helping work on a solution! A full writeup on the issues and fixes can be found here: github.com/EvanMcBroom/...

Converted Matt Graeber's TraceLogging PS script into C# into the new EtwInspector. gist.github.com/mattifestati... Working quite well. New EtwInspector coming soon...

My goal by the end of the year was to finish JonMon 2.0 and I am happy to say that I have done that....Now just to clean up the code, fix the wiki, and write a blog. Stay tuned :)

JonMon with the AMSI logs 👀

Microsoft's Threat-Intelligence ETW provider now supports events to identify token impersonation attacks. I wrote a blog on these events and how Microsoft is surfacing them: jsecurity101.medium.com/behind-the-m...