This new version of Sysmon adds a new detective capability to your detection arsenal. It introduces EventID 25, ProcessTampering. This event covers manipulation of the initial image/process so that it becomes something different from the image it was launched with. However, it is not intended to be a catch-all event for all kinds of tampering. EventID 25 is specifically tailored towards attacks like process hollowing or the whimsically named process ‘herpaderping’.

The configuration schema has been bumped to 4.50 to provide for the new EventID.

To some extent replacing the initiated image is common behavior, for instance for some system processes. So building a proper baseline will be key here to filter some known noise but not cause blind spots for yourself. …

In today’s edition, we’ll cover two techniques: Remote service creation over RPC and SharpRDP.


Remote service creation over RPC

Windows services can be used as a means of persistence in an environment, and can be created in multiple ways, one of which is remotely. When a service is created remotely, the service creation is executed over RPC.

In this article Jonny Johnson explains the inner workings of RPC and points to some detection opportunities for this specific technique. One of them is for the situation where a registry key is created on the system through the Service Control Manager. …

In today’s edition, we’ll cover two techniques: suspicious parent-child process relationships and impersonation with the RunAs command.

Today’s content

  • Suspicious parent-child process relationships
  • Impersonation using ‘RunAs’

Suspicious parent-child relationships for operating system processes

As referenced in an article earlier this year by the cool folks from Elastic, current solutions for malware detection (AV & machine learning) have been more and more successful in detecting file-based attacks. This caused threat actors and red team operators alike to shift to “living off the land” techniques to bypass these solutions. …

Sysmon 12 is out, with a new event ID, number 24, and a very useful new feature: clipboard monitoring.

There is an obvious use for this in forensic investigations during and after an incident. However, it can also be used to trigger detections.

There will obviously be sensitive data in here as well, like passwords, keys, personal information and so on. Therefore the clipboard contents are not captured directly into the event log, and as such are not centrally aggregated, since they would then be accessible to many people.

Event ID 24 generated after a copy to the clipboard in PowerShell.

The new event contains the following fields:

Image: The process that recorded to the clipboard.
Session: The session in which the process writing to the clipboard is running. This can be system (0), interactive, remote, etc.
ClientInfo: This will contain the session username and, in the case of a remote session, the originating hostname and the IP address when available.
Hashes: This determines the file name, the same as for the FileDelete event.
Archived: Status of whether it was stored in the configured Archive directory. …

We believe there isn’t enough content available to detect advanced adversary techniques. That’s why every two weeks on “FalconFriday”, we will release hunting queries to detect offensive techniques. Today: part three!


Today’s content:

  • Detecting suspicious code compilation.
  • Detecting the malicious use of Certutil.

We love to hear back from you on the results. Any feedback or suggestions for improvements are welcome. Feel free to create pull requests if you have improvements which can benefit the community.


Sometimes attackers get really creative in evading detection. Like, really creative. Regularly attackers try to run a pre-compiled executable on a target machine; fortunately this is highly likely to be flagged by existing security controls. …

We believe there isn’t enough content available to detect advanced adversary techniques. That’s why every two weeks on “Falcon Friday”, we will release hunting queries to detect offensive techniques. Today: part two. Cheers!


The Falcon Friday series continues! We hope you’ve had the chance to start working with our previous queries; we are now releasing new hunting queries which hopefully help you in detecting mischief. For reference purposes we tagged the series as 0xFF01, making it easier to track the content.

Today’s content:

  • Detecting suspicious or unknown browser extensions
  • Detecting binaries with questionable code signing certificates connecting to the internet

We love to hear back from you on the results. Any feedback or suggestions for improvements are welcome. Feel free to create pull requests (PR) if you have improvements which can benefit the community. We will make sure to cover your PRs in the blog following your PR. …

I’ve been maintaining my Sysmon repository for the past 2 years. Every time I made several additions I had to manually generate the attached merged configuration with the supplied script. Truth be told, I’m not the most structured person, so in some cases I forgot to do this, leaving a gap that didn’t have to be there.

On top of that, despite the fact that I test most of the pushes I do, there is always a chance a typo slips into one of the configuration files and breaks the configuration. Then came a pull request by Ján Trenčanský that utilised GitHub Actions to generate a downloadable config as an artefact. This sparked the idea to take it a step further by making sure Sysmon actually likes the new configuration as well. Getting this to run on GitHub did not seem the most straightforward task, so I started looking for a more convenient solution. …

Sysmon 11.1 has been released, almost a month after the release of version 11.0.

Unofficial release notes:

  • On some Windows builds the ProcessCreation events (EventID 1) were not created; this has been resolved.
  • Updated the file stream hash event to capture the contents of text streams < 1KB, with the goal of capturing Mark of the Web (MOTW) streams.
  • To accommodate this new field, the schema has been updated to 4.31; check it out here.
  • The -a command-line option has been removed. …

I’ve been using slides like the image below for some time now in presentations and I regularly get asked how I’ve created them, so I figured to dedicate a small blog post to it.


I honestly can’t take credit for any of this though; it has all been created by some well respected friends. SadProcessor has created a couple of great PowerShell modules that, amongst a lot of other features, allow you to add the MITRE ATT&CK dataset to Neo4j, which in turn can then be visualised by Bloodhound.

Bloodhound is created and maintained by Andy Robbins and Rohan Vazarkar. It is an amazing asset for defenders and attackers alike to visualise attack paths in Active Directory. If you’ve never used it, set aside some time to do so. It really is a powerful tool to understand and improve your defensive posture. …

The latest release of Sysmon brings a bunch of improvements and introduces EventID 23. Great thanks to Mark for allowing me access to the beta builds.

Please have a look at his video talking about this new release. It is a great new way for Mark to talk about all new Sysinternals features.

An overview of all improvements:

  • Empty strings are replaced with “-” to work around a WEF bug
  • Adds DnsLookup configuration entry to support disabling of reverse DNS lookups
  • Adds copy-on-delete support to preserve files specified by SID of deleting account, file extension, executables, or specific processes, including logic to preserve files that are shredded (overwritten before…


Olaf Hartong

FalconForce | DFIR | Threat hunter | Data Dweller | Splunk | Sysmon | Microsoft MVP
