FalconHound, attack path management for blue teams (Pinned)
Olaf Hartong in FalconForce · 10 min read · Nov 10, 2023
Recently at Wild West Hackin Fest, I spoke about a powerful new tool we’ve been working hard on and now is available to the public…

Sysmon 15.0 — File executable detected (Pinned)
Olaf Hartong · 7 min read · Jun 27, 2023
Sysmon 15 has just been released and has received several bug fixes, one among them which could prevent a machine from booting while…

Microsoft Defender for Endpoint Internals 0x05 — Telemetry for sensitive actions
Olaf Hartong in FalconForce · 12 min read · Oct 13, 2023
In the previous edition of this series I discussed the Timeline telemetry. Since that blog the amount of events has certainly grown. I’ve…

Microsoft Defender for Endpoint Internals 0x04 — Timeline
Olaf Hartong in FalconForce · 9 min read · Feb 10, 2023
The MDE timeline has information which is not available in the advanced hunting interface and vice versa. Don’t be blindsided.

FalconFriday — Detecting LSASS dumping with debug privileges — 0xFF1F
Olaf Hartong in FalconForce · 7 min read · Sep 16, 2022
Credential dumping from Local Security Authority Subsystem Service (LSASS)

Sysmon 14.0 — FileBlockExecutable
Olaf Hartong · 3 min read · Aug 16, 2022
The Sysinternals team has released a new version of Sysmon. This brings the version number to 14.0 and raises the schema to 4.82.

Microsoft Defender for Endpoint Internals 0x03 — MDE telemetry unreliability and log augmentation
Olaf Hartong in FalconForce · 9 min read · Jul 8, 2022
In part one and part two of this series, we have established that Microsoft Defender for Endpoint (MDE) uses sampling and caps on events…

Microsoft Defender for Endpoint Internals 0x02 — Audit Settings and Telemetry
Olaf Hartong in FalconForce · 8 min read · Jul 1, 2022
In the previous article of this series, I’ve put Microsoft Defender for Endpoint (MDE) next to Sysmon and highlighted some of the…

FalconFriday — Suspicious named pipe events — 0xFF1B
Olaf Hartong in FalconForce · 6 min read · Jan 14, 2022
TL;DR for blue teams: Attackers use named pipes to conveniently move laterally and mostly bypass detection. This blog post shows a method…

Sysmon vs Microsoft Defender for Endpoint, MDE Internals 0x01
Olaf Hartong in FalconForce · 13 min read · Oct 15, 2021
It is not a big secret that we at FalconForce work a lot with, and are big fans of, both Microsoft Defender for Endpoint (MDE) and…