John U's repositories
Windows10EtwEvents
Events from all manifest-based and mof-based ETW providers across Windows 10 versions
CFG-FindHiddenShellcode
Walks the CFG bitmap to find previously executable but currently hidden shellcode regions
EtwTi-FluctuationMonitor
Uses Threat-Intelligence ETW events to identify shellcode regions being hidden by fluctuating memory protections
Etw-SyscallMonitor
Monitors ETW for security relevant syscalls maintaining the set called by each unique process
Get-InjectedThreadEx
Fork of Get-InjectedThread - https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2
API-To-ETW
Uses ghidra to find all ETW write metadata for each API in a PE file
EtwExplorer
View ETW Provider manifest
ETW-PPL-Tester
Consume Threat-Intelligence ETW using krabsetw and BYOVD
EDR-Telemetry
This project aims to compare and evaluate the telemetry of various EDR products.
conference_talks
Slide decks from various conference and meetup talks.
Detours
Detours is a software package for monitoring and instrumenting API calls on Windows. It is distributed in source code form.
sigma
Generic Signature Format for SIEM Systems