Jonathan Johnson

Senior Consultant, SpecterOps

Jonny is a security enthusiast who loves spending time with all things related to Windows Internals, reverse engineering, and data analysis. Jonny applies threat research and low-level knowledge to defensive capabilities, arming defenders with the information and tools needed to cover defensive gaps. Jonny loves to share his actionable findings in blogs and is committed to helping defenders be effective, independent, and efficient.

Workshop: Malware Morphology for Detection Engineers

Workshops are first-come, first-serve and have limited capacity. Some workshops may be streamed for additional passive participation.

As defenders, it is easy to view attacker behavior through a Technique lens, but this perspective often causes us to forget about the diversity of implementation, or morphology, that exists within a Technique. This often leads to detection rules that are narrowly focused on specific tools instead of on the underlying behavior(s) themselves. MITRE ATT&CK provides a schema for evaluating inter-technique differences between tools, such as the differences between Kerberoasting and DCSync, but we currently do not have an industry-wide model for evaluating intra-technique differences, such as how two tools performing LSASS dumping might differ in approach and thus lead to evasion opportunities.

In this workshop, attendees will be presented with various tools that implement the same Technique, but use different approaches, or Procedures, to do so. We will then walk participants through the process of analyzing these tools to understand exactly where and by how much they differ. Participants will then learn how to model different Procedures to evaluate their similarity and determine the optimal events or logs to serve as a foundation for building resilient detection rules.

Participants should prepare with:

Familiarity with Windows Internals basics; programming experience is helpful but not necessary.

Participants must have the following equipment:

A Windows laptop preinstalled with IDA 8.2 Free.