Articles by John Uhlmann
Senior Security Research Engineer, Elastic
A taxonomy of endpoint security detection bypasses
This blog post breaks down a taxonomy for endpoint security products. It suggests using complementary feature set descriptions, each with strengths and weaknesses, rather than a generational definition with concentric features.
Effective Parenting - detecting LRPC-based parent PID spoofing
Using process creation as a case study, this research will outline the evasion-detection arms race to date, describe the weaknesses in some current detection approaches and then follow the quest for a generic approach to LRPC-based evasion.
Get-InjectedThreadEx – Detecting Thread Creation Trampolines
In this blog, we will demonstrate how to detect each of four classes of process trampolining and release an updated PowerShell detection script – Get-InjectedThreadEx