FalconForce

TL;DR In my previous blog post, I showed the impact that an unregistered reply URL can have in an Azure tenant and how to enumerate them…

Last week, Elastic Security Labs released a blog post detailing the “GrimResource” technique used by both red teams and malicious actors…

In this blog post I explain how reply URLs in Azure Applications can be used as a vector for phishing.

SOAPHound is a custom-developed .NET data collector tool which can be used to enumerate Active Directory environments via the …

Recently at Wild West Hackin Fest, I spoke about a powerful new tool we’ve been working hard on and now is available to the public…

In the previous edition of this series I discussed the Timeline telemetry. Since that blog the amount of events has certainly grown. I’ve…

Red teaming exercises are an excellent means to identify gaps in the security controls and test the detection and response capabilities of…

Releasing ParrotForce to help you fly high even when your systems are down

At FalconForce, we have built a large repository of over 350 detection queries. A question we get asked a lot is: “how do you manage and…

The MDE timeline has information which is not available in the advanced hunting interface and vice versa. Don’t be blind sighted.

Today, we will look at how to incorporate public datasets to improve our detections. We will create Sentinel watchlists, build rules…

Active Directory data collection

One of the popular attack vectors against ADCS is ESC8 — relaying NTLM creds to the ADCS HTTP(S) endpoints. While preventing this…

Credential dumping from Local Security Authority Subsystem Service (LSASS)

In part one and part two of this series, we have established that Microsoft Defender for Endpoint (MDE) uses sampling and caps on events…

When playing around with Certipy and Rubeus in a recent project, I got into the rabbit hole. Going through the attacks implemented in…

Recently, we are seeing more and more threat actors and red teams move to using relay attacks, often combined with the ability of users to…

This post will present the EzETW tool and go over basic Windows events PowerShell cmdlet syntax.

On January 28th, Christophe Tafani-Dereeper released the open source Stratus Red team attack simulation tool. At FalconForce, we are very…

TL;DR for blue teams: Attackers use named pipes to conveniently move laterally and mostly bypass detection. This blog post shows a method…

In this blog we will explore the possibilities to use Microsoft Sentinel to monitor a windows environment for the creation of public…

In this blog we will discuss how you can detect abuse of these code execution features of Microsoft and Oracle databases…

It is not a big secret that we at FalconForce work a lot with, and are big fans of, both Microsoft Defender for Endpoint (MDE) and…

TL;DR: This post outlines a way to bypass the default detection in MDE and how to detect this bypass.