The Sysinternals team has released a new version of Sysmon. This brings the version number to 14.0 and raises the schema to 4.82. Other than some fixes for several memory leaks that occurred in certain edge cases in the driver or between the driver and the service, there is…

In part one and part two of this series, we have established that Microsoft Defender for Endpoint (MDE) uses sampling and caps on events to limit the amount of telemetry being uploaded to the cloud. If you have not read these two posts, please take some time to go through…

In the previous article of this series, I’ve put Microsoft Defender for Endpoint (MDE) next to Sysmon and highlighted some of the differences and attention points in terms of sampling. This time, I want to focus on configuration and telemetry implications. As we also have established in the previous article…

TL;DR for blue teams: Attackers use named pipes to conveniently move laterally and mostly bypass detection. This blog post shows a method for detecting anomalous named pipes using Microsoft Defender for Endpoint. This same logic can be applied to Sysmon telemetry. TL;DR for red teams: Named pipes are and will…

It is not a big secret that we at FalconForce work a lot with, and are big fans of, both Microsoft Defender for Endpoint (MDE) and Sysinternals Sysmon. I still use and maintain my Sysmon-modular configuration project quite frequently. One of the questions we quite often get is whether one…

Today on the 25th birthday of Sysinternals Sysmon 1.0.0 for Linux has been released and it is open source software! This short blog is a quick overview of the capabilities to give you an idea of what you can expect from this initial release. Installing Sysmon for Linux Sysmon relies on their implementation of…

On June 17th Will and Lee over at SpecterOps have published their impressive and detailed research into Microsoft Active Directory Certificate Server (AD CS)(mis)configurations in a blog and whitepaper. If you have not read the blog and whitepaper and you run an AD CS in your environment I strongly encourage…

The Sysinternals team has released a new version of Sysmon. This brings the version number to 13.10 and raises the schema to 4.60. To make sure the release is actually generating all event types as expected, which in the past has not always been the case prompted me to create…

In today’s edition, we’ll cover a technique and a new feature in Microsoft Defender for Endpoint: PE header information. LOLBins, why you still should care There has been an abundance of blogs detailing all kinds of uses for these tools. Not only APTs and red teams are utilizing them, also a lot of malware authors are…