Gijs Hollestelle in FalconForce
FalconFriday — Detecting MMC abuse using “GrimResource” with MDE — 0xFF24
Last week, Elastic Security Labs released a blog post detailing the “GrimResource” technique used by both red teams and malicious actors…
Jun 28

Gijs Hollestelle in FalconForce
Deploying Detections at Scale — Part 0x01 use-case format and automated validation
At FalconForce, we have built a large repository of over 350 detection queries. A question we get asked a lot is: “how do you manage and…
Mar 13, 2023

Gijs Hollestelle in FalconForce
FalconFriday — Detecting Active Directory Data Collection — 0xFF21
Active Directory data collection
Nov 11, 2022

Gijs Hollestelle in FalconForce
FalconFriday — Detecting malicious modifications to Active Directory — 0xFF1D
Recently, we are seeing more and more threat actors and red teams move to using relay attacks, often combined with the ability of users to…
May 13, 2022

Gijs Hollestelle in FalconForce
Debugging the undebuggable and finding a CVE in Microsoft Defender for Endpoint
At FalconForce, we like to understand the tools that we work with. One of the tools we use a lot on the blue side is MDE: Microsoft…
Apr 1, 2022

Gijs Hollestelle in FalconForce
FalconFriday — Detecting realistic AWS cloud-attacks using Azure Sentinel — 0xFF1C
On January 28th, Christophe Tafani-Dereeper released the open source Stratus Red Team attack simulation tool. At FalconForce, we are very…
Feb 11, 2022

Gijs Hollestelle in FalconForce
BOF2shellcode — a tutorial converting a stand-alone BOF loader into shellcode
TL;DR — At FalconForce we love purple teaming, meaning that we engage in both red teaming and blue teaming. For the red teaming we often…
Nov 5, 2021

Gijs Hollestelle in FalconForce
FalconFriday — Detecting UAC Bypasses — 0xFF16
Attackers often require full administrative privileges on a machine to be able to use their full attack capabilities. Many attacks…
Aug 20, 2021

Gijs Hollestelle in FalconForce
FalconFriday — Direct system calls and Cobalt Strike BOFs — 0xFF14
Direct system calls are a popular technique used by attackers to bypass certain EDR solutions. In this blog we deep-dive into how direct…
Jul 23, 2021

Gijs Hollestelle in FalconForce
FalconFriday — Privilege Escalations to SYSTEM — 0xFF13
Sometimes, simple queries can be quite effective. One example of that is a rule we recently developed to detect processes that start…
Jul 9, 2021