TL;DR for blue teams: Attackers use named pipes to conveniently move laterally and mostly bypass detection. This blog post shows a method for detecting anomalous named pipes using Microsoft Defender for Endpoint. This same logic can be applied to Sysmon telemetry. TL;DR for red teams: Named pipes are and will…

It is not a big secret that we at FalconForce work a lot with, and are big fans of, both Microsoft Defender for Endpoint (MDE) and Sysinternals Sysmon. I still use and maintain my Sysmon-modular configuration project quite frequently. One of the questions we quite often get is whether one…

Today on the 25th birthday of Sysinternals Sysmon 1.0.0 for Linux has been released and it is open source software! This short blog is a quick overview of the capabilities to give you an idea of what you can expect from this initial release. Installing Sysmon for Linux Sysmon relies on their implementation of…

On June 17th Will and Lee over at SpecterOps have published their impressive and detailed research into Microsoft Active Directory Certificate Server (AD CS)(mis)configurations in a blog and whitepaper. If you have not read the blog and whitepaper and you run an AD CS in your environment I strongly encourage…

The Sysinternals team has released a new version of Sysmon. This brings the version number to 13.10 and raises the schema to 4.60. To make sure the release is actually generating all event types as expected, which in the past has not always been the case prompted me to create…

In today’s edition, we’ll cover a technique and a new feature in Microsoft Defender for Endpoint: PE header information. LOLBins, why you still should care There has been an abundance of blogs detailing all kinds of uses for these tools. Not only APTs and red teams are utilizing them, also a lot of malware authors are…

This new version of Sysmon adds a new detective capability to your detection arsenal. It introduces EventID 25, ProcessTampering. This event covers manipulating the initial image/process to be something different than the process it was launched with. However, it is not intended to be a catch-all event for all kinds…

In today’s edition, we’ll cover two techniques: Remote service creation over RPC and SharpRDP. Remote service creation over RPC Windows services can be used as a means of persistence in an environment, and can be created in multiple ways, one of which is remotely. …

In today’s edition, we’ll cover two techniques: suspicious parent-child process relationships and impersonation with the RunAs command. Today’s content Suspicious parent-child process relationships Impersonation using ‘RunAs’ Suspicious parent-child relationships for operating system processes As referenced in an article earlier this year by the cool folks from Elastic, current solutions for malware detection (AV & machine learning) have been more…