Jonathan Johnson


Just another security guy trying not to get Fork Bombed


  1. Apache Guacamole Local and/or AWS Install

    Introduction: In this guide, Apache Guacamole was built on top of Chris Long’s Detection Lab. This guide will work locally, on AWS, and also if you have your own lab, depending on how your lab is set up. I will discuss the direct differences between the Detection Lab, a home lab, and AWS when it comes to the configurations. However, this was built and centered around Detection Lab and AWS. …


  2. Syncing Into the Shadows

    Introduction: As an adversary, one of the goals is to capture Domain Admin (DA) credentials, change/modify objects inside of Active Directory, and to be able to evade any detection systems that an environment may have in place. One way you can capture DA credentials is through an attack technique called “DCSync”. DCSync is an attack technique that many security professionals, like Sean Metcalf and Will Schroeder, have talked about. Once an adversary has DA privileges, they can then perform a defense evasion technique by injecting objects into the Active Directory infrastructure. This attack technique is called “DCShadow”. There is a great presentation on DCShadow that was done by Benjamin Delpy and Vincent Le Toux which I highly suggest going to read and watch. DCSync and DCShadow sound very similar, and the differences could be confusing to understand if not explained. I am going to talk about the differences between DCSync and DCShadow when it comes to their functionality as an attack technique, along with differences when it comes to Indicators of Compromise (IOC) and hunting/detecting these two techniques. When running these two attacks I wanted to have some fun with it, as I am a big Marvel fan, so let me know if you catch any of the references and WHY some of the users were used. I will explain at the end ☺ …


  3. Injecting Into The Hunt

    Background: Process Injection is a very common Defense Evasion/Privilege Escalation technique. Typically this will include injecting custom code into another process’s address space. There are many different routes one can go when it comes to the actual procedure of doing this attack. A really good article explaining the various process injection types: Endgame’s 10 Process Injection Techniques. …


  4. IOC differences between Kerberoasting and AS-REP Roasting

    Background: Hello everyone! Thank you for tuning in. I was running some Kerberoast and AS-REP Roasting attack techniques on my Detection Lab, and noticed some really cool IOC (Indicator of Compromise) differences between the two. Before we get started though, I want to explain these two attacks. Although you could categorize these two attacks as the same, they are two pretty different attacks. So let’s break it down. …


  5. Password Spray Detection

    Background: Before we begin I want to explain what attack was done and how I performed it. Performing a Password Spray is a way that an adversary can attempt to gain access to a large number of accounts, while checking if those accounts have commonly used passwords associated with them. I used Kali Linux and Metasploit to perform this attack. This attack is different from Kerberoasting; this attack simply uses a wordlist to see if those accounts can authenticate on the system. I will not be showing how to perform this attack, as I don’t think that is ethical, but I will be showing how I detected this attack while I performed it. …


  6. Introduction

    Hello Lads, my name is Jonathan Johnson and I am currently studying Cybersecurity at Southeast Missouri State University. Cybersecurity is one of my greatest hobbies, so I thought I would make a blog to show some of the projects I do and the discoveries I make inside them. Most of these projects will be Threat Hunting/Detection based, but I will be showing other projects from different verticals as well. For any questions, feel free to email me @ [email protected] Thank you for tuning in, hope you enjoy! …