Olaf Hartong
1.5K Followers

Published in FalconForce · Sep 16, 2022

FalconFriday — Detecting LSASS dumping with debug privileges — 0xFF1F

Credential dumping from the Local Security Authority Subsystem Service: as you know, there are various ways of dumping credentials. On the endpoint, in most cases, credentials are gathered from the Local Security Authority Subsystem Service (LSASS). Dumping credentials from the LSASS process can be done in various ways. The most straightforward way is using the Win32 API MiniDumpWriteDump. …

Falconfriday

7 min read
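The teaser above names MiniDumpWriteDump as the most straightforward dump method. What a detection engineer wants to see at that point is the check itself: which lsass.exe opens carry an access mask that can actually serve a minidump, and what raises confidence. The block below is an added example, not code from the FalconFriday post or from FalconForce. It models the logic over constructed Sysmon Event ID 10 (ProcessAccess) records; the tab-separated key=value record format is a convention of this example, the allow-list of source images is an assumption to tune per environment, and the correlation with processes that enabled SeDebugPrivilege (as a Windows 4703 event would show) is this example's addition, not something the teaser states the post does.

```python
"""Detection logic for LSASS access that looks like a MiniDumpWriteDump call.

Added example, not code from the FalconFriday post. The Sysmon Event ID 10
(ProcessAccess) records and the SeDebugPrivilege process list are constructed,
not captured telemetry; the record format (tab separated key=value pairs) is a
convention of this example, and ALLOWED_SOURCES is an assumption to tune.
"""
from dataclasses import dataclass, field

# Process access rights from winnt.h. MiniDumpWriteDump needs PROCESS_VM_READ
# plus PROCESS_QUERY_INFORMATION (or QUERY_LIMITED_INFORMATION) on the handle.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF  # full access, which many dump tools request outright

# Images that legitimately read lsass.exe memory (assumed; tune per estate).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# MiniDumpWriteDump is exported by these DLLs; their presence in the Sysmon
# CallTrace is direct evidence of a minidump rather than a plain memory read.
DUMP_DLLS = ("dbgcore.dll", "dbghelp.dll")


@dataclass
class Finding:
    source_image: str
    source_pid: int
    granted_access: int
    reasons: list = field(default_factory=list)


def parse_event10(line):
    """Parse one constructed ProcessAccess record into a dict with typed fields."""
    fields = dict(kv.split("=", 1) for kv in line.split("\t"))
    fields["GrantedAccess"] = int(fields["GrantedAccess"], 16)
    fields["SourceProcessId"] = int(fields["SourceProcessId"])
    return fields


def dump_capable(mask):
    """True if the granted access mask is sufficient for MiniDumpWriteDump."""
    if mask & PROCESS_ALL_ACCESS == PROCESS_ALL_ACCESS:
        return True
    query = PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION
    return bool(mask & PROCESS_VM_READ) and bool(mask & query)


def analyse(records, debug_pids):
    """Return a Finding for each lsass.exe open that could serve a minidump.

    debug_pids: process IDs that enabled SeDebugPrivilege (what a Windows 4703
    'token right adjusted' event would show). A dumper that is not SYSTEM
    needs that privilege to open lsass at all, so it raises confidence.
    """
    findings = []
    for raw in records:
        ev = parse_event10(raw)
        if ev["TargetImage"].lower().rsplit("\\", 1)[-1] != "lsass.exe":
            continue
        if ev["SourceImage"].lower() in ALLOWED_SOURCES:
            continue
        if not dump_capable(ev["GrantedAccess"]):
            continue
        f = Finding(ev["SourceImage"], ev["SourceProcessId"], ev["GrantedAccess"])
        f.reasons.append("lsass.exe opened with 0x%X" % ev["GrantedAccess"])
        if any(dll in ev["CallTrace"].lower() for dll in DUMP_DLLS):
            f.reasons.append("MiniDumpWriteDump DLL in call trace")
        if ev["SourceProcessId"] in debug_pids:
            f.reasons.append("source process enabled SeDebugPrivilege")
        findings.append(f)
    return findings


# Constructed sample telemetry (not real captures).
SAMPLE_RECORDS = [
    "\t".join([  # allow-listed system process: ignored
        r"SourceImage=C:\Windows\System32\csrss.exe", "SourceProcessId=600",
        r"TargetImage=C:\Windows\System32\lsass.exe", "GrantedAccess=0x1FFFFF",
        r"CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d204|C:\Windows\System32\csrss.exe+1a2b",
    ]),
    "\t".join([  # dumper from a user profile, full access, dbgcore.dll on the stack
        r"SourceImage=C:\Users\alice\Downloads\dump.exe", "SourceProcessId=4120",
        r"TargetImage=C:\Windows\System32\lsass.exe", "GrantedAccess=0x1FFFFF",
        r"CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d204|C:\Windows\SYSTEM32\dbgcore.dll+1a2f|C:\Users\alice\Downloads\dump.exe+3c10",
    ]),
    "\t".join([  # query-only handle: cannot read memory, so ignored
        r"SourceImage=C:\Windows\System32\taskmgr.exe", "SourceProcessId=3300",
        r"TargetImage=C:\Windows\System32\lsass.exe", "GrantedAccess=0x1000",
        r"CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d204|C:\Windows\System32\taskmgr.exe+5a10",
    ]),
    "\t".join([  # 0x1410 = QUERY_LIMITED | QUERY | VM_READ, the classic minidump mask
        r"SourceImage=C:\Windows\System32\rundll32.exe", "SourceProcessId=5012",
        r"TargetImage=C:\Windows\System32\lsass.exe", "GrantedAccess=0x1410",
        r"CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d204|C:\Windows\System32\dbghelp.dll+2b3e|C:\Windows\System32\comsvcs.dll+11c0",
    ]),
]
DEBUG_PIDS = {4120}  # constructed: only the dump.exe process enabled SeDebugPrivilege


def run_sample():
    return analyse(SAMPLE_RECORDS, DEBUG_PIDS)


if __name__ == "__main__":
    for f in run_sample():
        print(f.source_image, f.source_pid, "0x%X" % f.granted_access, "; ".join(f.reasons))
```

Of the four constructed records, only the user-profile dumper and the rundll32 open are reported: csrss is allow-listed and the 0x1000 handle lacks PROCESS_VM_READ. The access-mask test is the part that carries over directly to Sysmon or MDE queries; the allow-list and the privilege correlation are where the tuning effort goes in a real estate.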

Aug 16, 2022

Sysmon 14.0 — FileBlockExecutable

The Sysinternals team has released a new version of Sysmon. This brings the version number to 14.0 and raises the schema to 4.82. Other than some fixes for several memory leaks that occurred in certain edge cases in the driver or between the driver and the service, there is a…

Sysmon

3 min read

Published in FalconForce · Jul 8, 2022

Microsoft Defender for Endpoint Internals 0x03 — MDE telemetry unreliability and log augmentation

In part one and part two of this series, we have established that Microsoft Defender for Endpoint (MDE) uses sampling and caps on events to limit the amount of telemetry being uploaded to the cloud. …

Wdac

8 min read

Published in FalconForce · Jul 1, 2022

Microsoft Defender for Endpoint Internals 0x02 — Audit Settings and Telemetry

In the previous article of this series, I’ve put Microsoft Defender for Endpoint (MDE) next to Sysmon and highlighted some of the differences and attention points in terms of sampling. This time, I want to focus on configuration and telemetry implications. As we also have established in the previous article…

Mde

8 min read

Published in FalconForce · Jan 14, 2022

FalconFriday — Suspicious named pipe events — 0xFF1B

TL;DR for blue teams: Attackers use named pipes to conveniently move laterally and mostly bypass detection. This blog post shows a method for detecting anomalous named pipes using Microsoft Defender for Endpoint. This same logic can be applied to Sysmon telemetry. TL;DR for red teams: Named pipes are and will…

Falconfriday

6 min read

Published in FalconForce · Oct 15, 2021

Sysmon vs Microsoft Defender for Endpoint, MDE Internals 0x01

It is not a big secret that we at FalconForce work a lot with, and are big fans of, both Microsoft Defender for Endpoint (MDE) and Sysinternals Sysmon. I still use and maintain my Sysmon-modular configuration project quite frequently. One of the questions we quite often get is whether one…

Defender For Endpoint

13 min read

Oct 14, 2021

Sysmon for Linux

Today, on the 25th birthday of Sysinternals, Sysmon 1.0.0 for Linux has been released, and it is open source software! This short blog is a quick overview of the capabilities, to give you an idea of what you can expect from this initial release. Installing Sysmon for Linux: Sysmon relies on their implementation of…

Sysmon

3 min read

Published in FalconForce · Jun 25, 2021

FalconFriday — Certified Pre-Owned — 0xFF12

On June 17th, Will and Lee over at SpecterOps published their impressive and detailed research into Microsoft Active Directory Certificate Services (AD CS) (mis)configurations in a blog and whitepaper. If you have not read the blog and whitepaper and you run AD CS in your environment, I strongly encourage…

Detection Engineering

5 min read

Published in FalconForce · Apr 21, 2021

Sysmon 13.10 — FileDeleteDetected

The Sysinternals team has released a new version of Sysmon. This brings the version number to 13.10 and raises the schema to 4.60. Making sure a release actually generates all event types as expected, which in the past has not always been the case, prompted me to create…

Sysmon

3 min read

Published in FalconForce · Feb 12, 2021

FalconFriday — Masquerading; LOLBin file renaming — 0xFF0C

In today’s edition, we’ll cover a technique and a new feature in Microsoft Defender for Endpoint: PE header information. LOLBins, why you still should care: there has been an abundance of blogs detailing all kinds of uses for these tools. Not only APTs and red teams use them; a lot of malware authors are…

Lolbin

4 min read

FalconForce | Data Dweller | Microsoft MVP
