In today’s edition, we’ll cover a technique and a new feature in Microsoft Defender for Endpoint: PE header information.

LOLBins, why you still should care

There has been an abundance of blogs detailing all kinds of uses for these tools. Not only APTs and red teams are utilizing them, also a lot of malware authors are. Let’s briefly recap what constitutes a LOLBin/Lib/Script. It must:

• Be a Microsoft-signed file, either native to the OS or downloaded from Microsoft.
• Have functionality that is useful to an APT or red team, or other malicious person.

The image below shows an overview of the most prevalent LOLBins used by…

This new version of Sysmon adds a new detective capability to your detection arsenal. It introduces EventID 25, ProcessTampering. This event covers manipulating the initial image/process to be something different than the process it was launched with. However, it is not intended to be a catch-all event for all kinds of tampering events. EventID 25 is specifically tailored towards attacks like process hollowing or the whimsically named process ‘herpaderping’.

The configuration schema has been bumped to 4.50 to provide for the new EventID.

To some extent replacing the initiated image is common behavior, for instance for some system processes. So…

In today’s edition, we’ll cover two techniques: Remote service creation over RPC and SharpRDP.

Remote service creation over RPC

Windows services can be used as a means of persistence in an environment, and can be created in multiple ways, one of which is remotely. Doing so often involves this service creation will be executed over RPC.

In this article Jonny Johnson explains the inner workings of RPC and points to some detection opportunities for this specific technique. One of them is for the situation where a registry key is created on the system through the Service Control Manager. …

In today’s edition, we’ll cover two techniques: suspicious parent-child process relationships and impersonation with the RunAs command.

Today’s content

• Suspicious parent-child process relationships
• Impersonation using ‘RunAs’

Suspicious parent-child relationships for operating system processes

As referenced in an article earlier this year by the cool folks from Elastic, current solutions for malware detection (AV & machine learning) have been more and more successful in detecting file-based attacks. This caused threat actors and red team operators alike to shift to “living off the land” techniques to bypass these solutions. …

Sysmon 12 is out, with a new event ID: number 24. A very useful new feature, clipboard monitoring.

Now there is an obvious great use for this in forensic investigations during and after an incident. However, there are additional ways to use this to also trigger detections on.

There obviously will be sensitive data in here as well, like passwords, keys, personal information and so on. Therefore the information is not directly captured to the event log and as such not centrally aggregated, since then it would be accessible for many people.

The new event contains the following fields:

Image…

We believe there isn’t enough content available to detect advanced adversary techniques. That’s why every two weeks on “FalconFriday”, we will release hunting queries to detect offensive techniques. Today: part three!

Today’s content:

• Detecting suspicious code compilation.
• Detecting the malicious use of Certutil.

We love to hear back from you on the results. Any feedback or suggestions for improvements are welcome. Feel free to create pull requests if you have improvements which can benefit the community.

‘Bring-your-own-code’

Sometimes attackers get really creative in evading detection. Like, really creative. Regularly attackers try to run a pre-compiled executable on a target machine; fortunately this is…

We believe there isn’t enough content available to detect advanced adversary techniques. That’s why every two weeks on “Falcon Friday”, we will release hunting queries to detect offensive techniques. Today; part two. Cheers!

The Falcon Friday series continues! We hope you’ve had the chance to start working with our previous queries and are now releasing new hunting queries which hopefully helps you in detecting mischief. For reference purposes we tagged the series as 0xFF01, making it easier to track the content.

Today’s content:

• Detecting suspicious or unknown browser extensions
• Detecting binaries with questionable code signing certificates connecting to the internet

We love…

I’ve been maintaining my Sysmon repository for the past 2 years. Every time I made several additions I had to manually generate the attached merged configuration with the supplied script. Truth be told, I’m not the most structured person so in some cases I forgot to do this, leaving a gap that didn’t have to be there.

On top of that, despite the fact that I test most of the pushes I do, there is always a reason a typo can occur in one of the configuration files which breaks the configuration. Thanks to a pull request by Ján Trenčanský…