PinnedPublished inFalconForceFalconHound, attack path management for blue teamsRecently at Wild West Hackin Fest, I spoke about a powerful new tool we’ve been working hard on and now is available to the public…Nov 10, 20231Nov 10, 20231
PinnedSysmon 15.0 — File executable detectedSysmon 15 has just been released and has received several bug fixes, one among them which could prevent a machine from booting while…Jun 27, 2023Jun 27, 2023
Published inFalconForceDetection engineering rabbit holes — parsing ASN.1 packets in KQLTL;DR: Detection engineering is sometimes hard. Your efforts may seem to have failed, but perseverance can pay off. Or you can still fail…Dec 16, 2024Dec 16, 2024
Published inFalconForceMicrosoft Defender for Endpoint Internals 0x05 — Telemetry for sensitive actionsIn the previous edition of this series I discussed the Timeline telemetry. Since that blog the amount of events has certainly grown. I’ve…Oct 13, 2023Oct 13, 2023
Published inFalconForceMicrosoft Defender for Endpoint Internals 0x04 — TimelineThe MDE timeline has information which is not available in the advanced hunting interface and vice versa. Don’t be blind sighted.Feb 10, 20234Feb 10, 20234
Published inFalconForceFalconFriday — Detecting LSASS dumping with debug privileges — 0xFF1FCredential dumping from Local Security Authority Subsystem Service (LSASS)Sep 16, 2022Sep 16, 2022
Sysmon 14.0 — FileBlockExecutableThe Sysinternals team has released a new version of Sysmon. This brings the version number to 14.0 and raises the schema to 4.82.Aug 16, 20221Aug 16, 20221
Published inFalconForceMicrosoft Defender for Endpoint Internals 0x03 — MDE telemetry unreliability and log augmentationIn part one and part two of this series, we have established that Microsoft Defender for Endpoint (MDE) uses sampling and caps on events…Jul 8, 20221Jul 8, 20221
Published inFalconForceMicrosoft Defender for Endpoint Internals 0x02 — Audit Settings and TelemetryIn the previous article of this series, I’ve put Microsoft Defender for Endpoint (MDE) next to Sysmon and highlighted some of the…Jul 1, 20221Jul 1, 20221
Published inFalconForceFalconFriday — Suspicious named pipe events — 0xFF1BTL;DR for blue teams: Attackers use named pipes to conveniently move laterally and mostly bypass detection. This blog post shows a method…Jan 14, 2022Jan 14, 2022
