It is not a big secret that we at FalconForce work a lot with, and are big fans of, both Microsoft Defender for Endpoint (MDE) and Sysinternals Sysmon. I still use and maintain my Sysmon-modular configuration project quite frequently.

One of the questions we quite often get is whether one…


Today on the 25th birthday of Sysinternals Sysmon 1.0.0 for Linux has been released and it is open source software!

This short blog is a quick overview of the capabilities to give you an idea of what you can expect from this initial release.

Installing Sysmon for Linux

Sysmon relies on their implementation of…


On June 17th Will and Lee over at SpecterOps have published their impressive and detailed research into Microsoft Active Directory Certificate Server (AD CS)(mis)configurations in a blog and whitepaper.

If you have not read the blog and whitepaper and you run an AD CS in your environment I strongly encourage…


The Sysinternals team has released a new version of Sysmon. This brings the version number to 13.10 and raises the schema to 4.60.

To make sure the release is actually generating all event types as expected, which in the past has not always been the case prompted me to create…


In today’s edition, we’ll cover a technique and a new feature in Microsoft Defender for Endpoint: PE header information.

LOLBins, why you still should care

There has been an abundance of blogs detailing all kinds of uses for these tools. Not only APTs and red teams are utilizing them, also a lot of malware authors are…


This new version of Sysmon adds a new detective capability to your detection arsenal. It introduces EventID 25, ProcessTampering. This event covers manipulating the initial image/process to be something different than the process it was launched with. However, it is not intended to be a catch-all event for all kinds…


In today’s edition, we’ll cover two techniques: Remote service creation over RPC and SharpRDP.

Remote service creation over RPC

Windows services can be used as a means of persistence in an environment, and can be created in multiple ways, one of which is remotely. …


In today’s edition, we’ll cover two techniques: suspicious parent-child process relationships and impersonation with the RunAs command.

Today’s content

  • Suspicious parent-child process relationships
  • Impersonation using ‘RunAs’

Suspicious parent-child relationships for operating system processes

As referenced in an article earlier this year by the cool folks from Elastic, current solutions for malware detection (AV & machine learning) have been more…


Sysmon 12 is out, with a new event ID: number 24. A very useful new feature, clipboard monitoring.

Now there is an obvious great use for this in forensic investigations during and after an incident. However, there are additional ways to use this to also trigger detections on.

There obviously…


We believe there isn’t enough content available to detect advanced adversary techniques. That’s why every two weeks on “FalconFriday”, we will release hunting queries to detect offensive techniques. Today: part three!

Today’s content:

  • Detecting suspicious code compilation.
  • Detecting the malicious use of Certutil.

We love to hear back from you on the…

Olaf Hartong

FalconForce | DFIR | Threat hunter | Data Dweller | Splunk | Sysmon | Microsoft MVP

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store