Henri Hambartsumyan in FalconForce, Oct 14, 2022
FalconFriday — Detecting ADCS web services abuse — 0xFF20
One of the popular attack vectors against ADCS is ESC8 — relaying NTLM creds to the ADCS HTTP(S) endpoints. While preventing this…

Henri Hambartsumyan in FalconForce, Jun 17, 2022
FalconFriday — Detecting UnPACing and shadowed credentials — 0xFF1E
When playing around with Certipy and Rubeus in a recent project, I got into the rabbit hole. Going through the attacks implemented in…

Henri Hambartsumyan in FalconForce, Oct 1, 2021
FalconFriday — Stealing and detecting Azure PRT cookies — 0xFF18
TL;DR: This post outlines a way to bypass the default detection in MDE and how to detect this bypass.

Henri Hambartsumyan in FalconForce, Sep 10, 2021
FalconFriday — Detecting ASR Bypasses — 0xFF17
TL;DR: Today’s blog is about detection of a bypass for the ASR rule “Block Office applications from creating executable content”…

Henri Hambartsumyan in FalconForce, Aug 6, 2021
FalconFriday — Detecting important data destruction by ransomware — 0xFF15
Detection rules for attempts to delete important data such as backups.

Henri Hambartsumyan in FalconForce, Jun 11, 2021
FalconFriday — AzureAD Edition — 0xFF11
After a few missed editions of FalconFriday, we are back! Today, we will cover some detections specifically for attacks related to AzureAD…

Henri Hambartsumyan in FalconForce, Apr 23, 2021
FalconFriday — Password Spraying with(out) MDI — 0xFF10
In this FalconFriday, we have two queries that allow you to detect password spraying attacks. We provide one variant for Microsoft…

Henri Hambartsumyan in FalconForce, Apr 9, 2021
FalconFriday — Process Injection revisited — 0xFF0F
In this edition of FalconFriday, we are going to revisit process injection techniques. We’ve covered process injection in a previous blog…

Henri Hambartsumyan in FalconForce, Mar 12, 2021
FalconFriday — AV Manipulation — 0xFF0E
Today’s blog is based on Olaf Hartong’s recent research on malware behavior at scale. In this edition, we’ll look at how malware tampers…

Henri Hambartsumyan in FalconForce, Jan 6, 2021
The missing verclsid.exe documentation
TL;DR: Command line parameters of verclsid.exe are documented in this blog. Expect more posts about verclsid.exe on how to abuse and…