In today’s edition, we’ll cover a technique and a new feature in Microsoft Defender for Endpoint: PE header information.

LOLBins, why you still should care

There has been an abundance of blogs detailing all kinds of uses for these tools. Not only APTs and red teams are utilizing them, also a lot of malware authors are. Let’s briefly recap what constitutes a LOLBin/Lib/Script. It must:

The image below shows an overview of the most prevalent LOLBins used by…

This new version of Sysmon adds a new detective capability to your detection arsenal. It introduces EventID 25, ProcessTampering. This event covers manipulating the initial image/process to be something different than the process it was launched with. However, it is not intended to be a catch-all event for all kinds of tampering events. EventID 25 is specifically tailored towards attacks like process hollowing or the whimsically named process ‘herpaderping’.

The configuration schema has been bumped to 4.50 to provide for the new EventID.

To some extent replacing the initiated image is common behavior, for instance for some system processes. So…

In today’s edition, we’ll cover two techniques: Remote service creation over RPC and SharpRDP.

Remote service creation over RPC

Windows services can be used as a means of persistence in an environment, and can be created in multiple ways, one of which is remotely. Doing so often involves this service creation will be executed over RPC.

In this article Jonny Johnson explains the inner workings of RPC and points to some detection opportunities for this specific technique. One of them is for the situation where a registry key is created on the system through the Service Control Manager. …

In today’s edition, we’ll cover two techniques: suspicious parent-child process relationships and impersonation with the RunAs command.

Today’s content

Suspicious parent-child relationships for operating system processes

As referenced in an article earlier this year by the cool folks from Elastic, current solutions for malware detection (AV & machine learning) have been more and more successful in detecting file-based attacks. This caused threat actors and red team operators alike to shift to “living off the land” techniques to bypass these solutions. …

Sysmon 12 is out, with a new event ID: number 24. A very useful new feature, clipboard monitoring.

Now there is an obvious great use for this in forensic investigations during and after an incident. However, there are additional ways to use this to also trigger detections on.

There obviously will be sensitive data in here as well, like passwords, keys, personal information and so on. Therefore the information is not directly captured to the event log and as such not centrally aggregated, since then it would be accessible for many people.

Event ID 24 generated after a copy to the clipboard in PowerShell.

The new event contains the following fields:


We believe there isn’t enough content available to detect advanced adversary techniques. That’s why every two weeks on “FalconFriday”, we will release hunting queries to detect offensive techniques. Today: part three!

Today’s content:

We love to hear back from you on the results. Any feedback or suggestions for improvements are welcome. Feel free to create pull requests if you have improvements which can benefit the community.


Sometimes attackers get really creative in evading detection. Like, really creative. Regularly attackers try to run a pre-compiled executable on a target machine; fortunately this is…

We believe there isn’t enough content available to detect advanced adversary techniques. That’s why every two weeks on “Falcon Friday”, we will release hunting queries to detect offensive techniques. Today; part two. Cheers!

The Falcon Friday series continues! We hope you’ve had the chance to start working with our previous queries and are now releasing new hunting queries which hopefully helps you in detecting mischief. For reference purposes we tagged the series as 0xFF01, making it easier to track the content.

Today’s content:

We love…

I’ve been maintaining my Sysmon repository for the past 2 years. Every time I made several additions I had to manually generate the attached merged configuration with the supplied script. Truth be told, I’m not the most structured person so in some cases I forgot to do this, leaving a gap that didn’t have to be there.

On top of that, despite the fact that I test most of the pushes I do, there is always a reason a typo can occur in one of the configuration files which breaks the configuration. Thanks to a pull request by Ján Trenčanský

Sysmon 11.1 has been released, almost a month after the release of version 11.0

Unofficial release notes :

I’ve been using slides like the image below for some time now in presentations and I regularly get asked how I’ve created them, so I figured to dedicate a small blog post to it.

I honestly can’t take credit any for any of this though, it has all been created by some well respected friends. SadProcessor has created a couple of great PowerShell modules that amongst a lot of other features allows you to add the MITRE ATT&CK dataset to Neo4j, which in turn can then be visualised by Bloodhound.

Bloodhound is created and maintained by Andy Robbins and Rohan…

Olaf Hartong

FalconForce | DFIR | Threat hunter | Data Dweller | Splunk | Sysmon | Microsoft MVP

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store