On June 17th, Will and Lee over at SpecterOps published their impressive and detailed research into Microsoft Active Directory Certificate Server (AD CS) (mis)configurations in a blog and whitepaper.

If you have not read the blog and whitepaper and you run AD CS in your environment, I strongly encourage you to spend some time understanding the possible issues you might have.

To a certain extent, not all of their mitigation suggestions might be an option for your organization to (immediately) implement. Do keep in mind that mitigating is always preferred over detecting and responding.

One great thing about the…

The Sysinternals team has released a new version of Sysmon. This brings the version number to 13.10 and raises the schema to 4.60.

The need to make sure the release is actually generating all event types as expected, which in the past has not always been the case, prompted me to create a pipeline that validates the functionality of the new binary and publishes its results to Sysmon works. The output of the latest build shows all events to be generated.


The new event type FileDeleteDetected gets the Event ID 26. This event is very similar to the FileDelete (23) event with…

In today’s edition, we’ll cover a technique and a new feature in Microsoft Defender for Endpoint: PE header information.

LOLBins, why you still should care

There has been an abundance of blogs detailing all kinds of uses for these tools. Not only are APTs and red teams utilizing them; a lot of malware authors are as well. Let’s briefly recap what constitutes a LOLBin/Lib/Script. It must:

  • Be a Microsoft-signed file, either native to the OS or downloaded from Microsoft.
  • Have functionality that is useful to an APT or red team, or other malicious person.

The image below shows an overview of the most prevalent LOLBins used by…

This new version of Sysmon adds a new detective capability to your detection arsenal. It introduces EventID 25, ProcessTampering. This event covers manipulating the initial image/process to be something different than the process it was launched with. However, it is not intended to be a catch-all event for all kinds of tampering events. EventID 25 is specifically tailored towards attacks like process hollowing or the whimsically named process ‘herpaderping’.

The configuration schema has been bumped to 4.50 to provide for the new EventID.

To some extent replacing the initiated image is common behavior, for instance for some system processes. So…

In today’s edition, we’ll cover two techniques: Remote service creation over RPC and SharpRDP.

Remote service creation over RPC

Windows services can be used as a means of persistence in an environment, and can be created in multiple ways, one of which is remotely. When done remotely, this service creation will often be executed over RPC.

In this article Jonny Johnson explains the inner workings of RPC and points to some detection opportunities for this specific technique. One of them is for the situation where a registry key is created on the system through the Service Control Manager. …

In today’s edition, we’ll cover two techniques: suspicious parent-child process relationships and impersonation with the RunAs command.

Today’s content

  • Suspicious parent-child process relationships
  • Impersonation using ‘RunAs’

Suspicious parent-child relationships for operating system processes

As referenced in an article earlier this year by the cool folks from Elastic, current solutions for malware detection (AV & machine learning) have been more and more successful in detecting file-based attacks. This caused threat actors and red team operators alike to shift to “living off the land” techniques to bypass these solutions. …

Sysmon 12 is out, with a new event ID: number 24. A very useful new feature, clipboard monitoring.

Now there is an obvious great use for this in forensic investigations during and after an incident. However, there are additional ways to use this to trigger detections as well.

There obviously will be sensitive data in here as well, like passwords, keys, personal information and so on. Therefore the information is not directly captured to the event log and as such not centrally aggregated, since then it would be accessible to many people.

Event ID 24 generated after a copy to the clipboard in PowerShell.

The new event contains the following fields:


We believe there isn’t enough content available to detect advanced adversary techniques. That’s why every two weeks on “FalconFriday”, we will release hunting queries to detect offensive techniques. Today: part three!

Today’s content:

  • Detecting suspicious code compilation.
  • Detecting the malicious use of Certutil.

We love to hear back from you on the results. Any feedback or suggestions for improvements are welcome. Feel free to create pull requests if you have improvements which can benefit the community.


Sometimes attackers get really creative in evading detection. Like, really creative. Regularly attackers try to run a pre-compiled executable on a target machine; fortunately this is…

We believe there isn’t enough content available to detect advanced adversary techniques. That’s why every two weeks on “Falcon Friday”, we will release hunting queries to detect offensive techniques. Today: part two. Cheers!

The Falcon Friday series continues! We hope you’ve had the chance to start working with our previous queries, and we are now releasing new hunting queries which hopefully help you in detecting mischief. For reference purposes we tagged the series as 0xFF01, making it easier to track the content.

Today’s content:

  • Detecting suspicious or unknown browser extensions
  • Detecting binaries with questionable code signing certificates connecting to the internet

We love…

I’ve been maintaining my Sysmon repository for the past 2 years. Every time I made several additions I had to manually generate the attached merged configuration with the supplied script. Truth be told, I’m not the most structured person so in some cases I forgot to do this, leaving a gap that didn’t have to be there.

On top of that, despite the fact that I test most of the pushes I do, there is always a reason a typo can occur in one of the configuration files which breaks the configuration. Thanks to a pull request by Ján Trenčanský

Olaf Hartong

FalconForce | DFIR | Threat hunter | Data Dweller | Splunk | Sysmon | Microsoft MVP
