Olaf Hartong
1.91K Followers


Published in FalconForce · Pinned

FalconHound, attack path management for blue teams

Recently at Wild West Hackin Fest, I spoke about a powerful new tool we’ve been working hard on and which is now available to the public: FalconHound. The primary goal of FalconHound is to enrich BloodHound data in near-realtime based on various events and updates sourced from your environment. Ever since…

Bloodhound

10 min read



Pinned

Sysmon 15.0 — File executable detected and PPL protection

Sysmon 15 has just been released and has received several bug fixes, one of which could prevent a machine from booting while running a specific configuration, along with some more minor issues. Also, and far more notable, there is a new event type: FileExecutableDetected. In addition, Sysmon now runs as a PPL…

Sysmon

7 min read



Published in FalconForce · Oct 13

Microsoft Defender for Endpoint Internals 0x05 — Telemetry for sensitive actions

In the previous edition of this series I discussed the Timeline telemetry. Since that blog the number of action types in the Timeline telemetry has certainly grown. If you’re interested in working with this data, I’ve added exporting it as a feature to the tool released below. This edition…

Detection Engineering

12 min read



Published in FalconForce · Feb 10

Microsoft Defender for Endpoint Internals 0x04 — Timeline telemetry

This blog has been in draft for quite some time and for no particular reason it was never published. A recent tweet rekindled my desire to share more details about our learnings in working with MDE at large scale for many clients. In previous blogs in this series I’ve spoken…

Defender For Endpoint

9 min read



Published in FalconForce · Sep 16, 2022

FalconFriday — Detecting LSASS dumping with debug privileges — 0xFF1F

Credential dumping from Local Security Authority Subsystem Service

As you know, there are various ways of dumping credentials. On the endpoint, in most cases, credentials are gathered from the Local Security Authority Subsystem Service (LSASS). Dumping credentials from the LSASS process can be done in various ways. The most straightforward way is using the Win32 API MiniDumpWriteDump. …

Falconfriday

7 min read



Aug 16, 2022

Sysmon 14.0 — FileBlockExecutable

The Sysinternals team has released a new version of Sysmon. This brings the version number to 14.0 and raises the schema to 4.82. Other than some fixes for several memory leaks that occurred in certain edge cases in the driver or between the driver and the service, there is a…

Sysmon

3 min read



Published in FalconForce · Jul 8, 2022

Microsoft Defender for Endpoint Internals 0x03 — MDE telemetry unreliability and log augmentation

In part one and part two of this series, we have established that Microsoft Defender for Endpoint (MDE) uses sampling and caps on events to limit the amount of telemetry being uploaded to the cloud. …

Wdac

9 min read



Published in FalconForce · Jul 1, 2022

Microsoft Defender for Endpoint Internals 0x02 — Audit Settings and Telemetry

In the previous article of this series, I’ve put Microsoft Defender for Endpoint (MDE) next to Sysmon and highlighted some of the differences and attention points in terms of sampling. This time, I want to focus on configuration and telemetry implications. As we also have established in the previous article…

Mde

8 min read



Published in FalconForce · Jan 14, 2022

FalconFriday — Suspicious named pipe events — 0xFF1B

TL;DR for blue teams: Attackers use named pipes to conveniently move laterally and mostly bypass detection. This blog post shows a method for detecting anomalous named pipes using Microsoft Defender for Endpoint. This same logic can be applied to Sysmon telemetry. TL;DR for red teams: Named pipes are and will…

Falconfriday

6 min read



Published in FalconForce · Oct 15, 2021

Sysmon vs Microsoft Defender for Endpoint, MDE Internals 0x01

It is not a big secret that we at FalconForce work a lot with, and are big fans of, both Microsoft Defender for Endpoint (MDE) and Sysinternals Sysmon. I still use and maintain my Sysmon-modular configuration project quite frequently. One of the questions we quite often get is whether one…

Defender For Endpoint

13 min read


Olaf Hartong

FalconForce | Data Dweller | Microsoft MVP

Following
  • Jonathan Johnson
  • Mauricio Velazco
  • Andy Robbins
  • Jurriaan Kamer
  • TomU
