At FalconForce, we like to understand the tools that we work with. One of the tools we use a lot on the blue side is MDE: Microsoft Defender for Endpoint, formerly Microsoft Defender ATP. …

On January 28th, Christophe Tafani-Dereeper released the open source Stratus Red team attack simulation tool. At FalconForce, we are very pleased to see attack simulation tools being published, especially when they simulate realistic cloud-based attacks like this one. Since Christophe released these attack simulations as open source we decided to…

TL;DR — At FalconForce we love purple teaming, meaning that we engage in both red teaming and blue teaming. For the red teaming we often have a need to run offensive tools on a target machine without dropping the tool on disk. One way to do that is to convert…

Attackers often require full administrative privileges on a machine to be able to use their full attack capabilities. Many attacks originate from a regular user account running with low or medium integrity. Therefore one of the first things an attacker needs to do is bypass User Account Control (UAC) to…

Direct system calls are a popular technique used by attackers to bypass certain EDR solutions. In this blog we deep-dive into how direct system calls could be detected based on some example Cobalt Strike BOFs that make direct system calls. TL;DR for blue teams: Attackers might use direct system calls…

Sometimes, simple queries can be quite effective. One example of that is a rule we recently developed to detect processes that start without SYSTEM privileges, and spawn child processes that do have SYSTEM privileges. TL;DR for blue teams: Using the simple MDE query provided in this article, various Windows privilege…

In today’s edition, we’ll share a method of detecting beaconing C&C traffic from large data sets of proxy traffic. TL;DR for blue teams: By making certain assumptions, it is possible to find a beaconing needle in a very large haystack of web requests. TL;DR for red teams: Do not just…

Welcome to the first FalconFriday post of 2021, in this post we provide background information on detecting malicious scheduled tasks using Microsoft Defender for Endpoint, and provide a query that can be used to automatically detect certain malicious scheduled tasks. Malicious Scheduled Tasks Blue: Attackers can use scheduled tasks to leave behind a…