Articles by John Uhlmann

Senior Security Research Engineer, Elastic


A taxonomy of endpoint security detection bypasses

This blog post breaks down a taxonomy for endpoint security products. It suggests using complementary feature set descriptions, each with strengths and weaknesses, rather than a generational definition with concentric features.


Effective Parenting - detecting LRPC-based parent PID spoofing

Using process creation as a case study, this research will outline the evasion-detection arms race to date, describe the weaknesses in some current detection approaches and then follow the quest for a generic approach to LRPC-based evasion.


Get-InjectedThreadEx – Detecting Thread Creation Trampolines

In this blog, we will demonstrate how to detect each of four classes of process trampolining and release an updated PowerShell detection script – Get-InjectedThreadEx.