Sysmon 15 has just been released and has received several bug fixes, one among them which could prevent a machine from booting while running a specific configuration and some more minor issues. Also, which is way more notable, a new event type! FileExecutableDetected. Also, Sysmon now runs as a PPL…

In the previous edition of this series I discussed the Timeline telemetry. Since that blog the number of action types in the Timeline telemetry has certainly grown. If you’re interested to work with this data, I’ve added exporting this data as a feature to the tool released below. This edition…

This blog has been in draft for quite some time and for no particular reason it was never published. A recent tweet rekindled my desire to share more details about our learnings in working with MDE at large scale for many clients. In previous blogs in this series I’ve spoken…

Credential dumping from Local Security Authority Subsystem Service As you know, there are various ways of dumping credentials. On the endpoint, in most cases, credentials are gathered from the Local Security Authority Subsystem Service (LSASS). Dumping credentials from the LSASS process can be done in various ways. The most straightforward way is using the Win32 API MiniDumpWriteDump. …

The Sysinternals team has released a new version of Sysmon. This brings the version number to 14.0 and raises the schema to 4.82. Other than some fixes for several memory leaks that occurred in certain edge cases in the driver or between the driver and the service, there is a…

In part one and part two of this series, we have established that Microsoft Defender for Endpoint (MDE) uses sampling and caps on events to limit the amount of telemetry being uploaded to the cloud. …

In the previous article of this series, I’ve put Microsoft Defender for Endpoint (MDE) next to Sysmon and highlighted some of the differences and attention points in terms of sampling. This time, I want to focus on configuration and telemetry implications. As we also have established in the previous article…

TL;DR for blue teams: Attackers use named pipes to conveniently move laterally and mostly bypass detection. This blog post shows a method for detecting anomalous named pipes using Microsoft Defender for Endpoint. This same logic can be applied to Sysmon telemetry. TL;DR for red teams: Named pipes are and will…

It is not a big secret that we at FalconForce work a lot with, and are big fans of, both Microsoft Defender for Endpoint (MDE) and Sysinternals Sysmon. I still use and maintain my Sysmon-modular configuration project quite frequently. One of the questions we quite often get is whether one…