
FalconForce

A team of highly specialized security professionals

Why is no one talking about maintenance in detection engineering?

As a detection engineer, you may recognize the following situations:
Agapios Tsolakis
May 9

Reducing your Office 365 attack surface

Part 1: Hardening a vanilla Office 365
Henri Hambartsumyan
Feb 12, 2020

Detection engineering rabbit holes — parsing ASN.1 packets in KQL

TL;DR: Detection engineering is sometimes hard. Your efforts may seem to have failed, but perseverance can pay off. Or you can still fail…
Olaf Hartong
Dec 16, 2024

dAWShund - framework to put a leash on naughty AWS permissions

TL;DR
Nikos Mantas
Apr 11

Exploring WinRM plugins for lateral movement

TL;DR
Arnau Ortega
Jan 20

Azure DevOops 1 — It’s not my machines, it’s your code!

written by Marat Nigmatullin, Rogier Boon and Theo Raedschelders
Theo Raedschelders
Nov 25, 2024

Automating the enumeration of missing reply URLs in Azure multitenant apps

TL;DR In my previous blog post, I showed the impact that an unregistered reply URL can have in an Azure tenant and how to enumerate them…
Arnau Ortega
Jul 23, 2024

FalconFriday — Detecting MMC abuse using “GrimResource” with MDE — 0xFF24

Last week, Elastic Security Labs released a blog post detailing the “GrimResource” technique used by both red teams and malicious actors…
Gijs Hollestelle
Jun 28, 2024

Arbitrary 1-click Azure tenant takeover via MS application

In this blog post I explain how reply URLs in Azure Applications can be used as a vector for phishing.
Arnau Ortega
Apr 26, 2024

SOAPHound — tool to collect Active Directory data via ADWS

SOAPHound is a custom-developed .NET data collector tool which can be used to enumerate Active Directory environments via the …
Nikos Karouzos
Jan 26, 2024

FalconHound, attack path management for blue teams

Recently at Wild West Hackin Fest, I spoke about a powerful new tool we’ve been working hard on and now is available to the public…
Olaf Hartong
Nov 10, 2023

Microsoft Defender for Endpoint Internals 0x05 — Telemetry for sensitive actions

In the previous edition of this series I discussed the Timeline telemetry. Since that blog the amount of events has certainly grown. I’ve…
Olaf Hartong
Oct 13, 2023

Leg ups: helping hand or red team failure?

Red teaming exercises are an excellent means to identify gaps in the security controls and test the detection and response capabilities of…
Givan Kolster
Sep 12, 2023

FalconFriday — Automating acquisition for incident response!

Releasing ParrotForce to help you fly high even when your systems are down
Nikos Mantas
Jun 16, 2023

Deploying Detections at Scale — Part 0x01 use-case format and automated validation

At FalconForce, we have built a large repository of over 350 detection queries. A question we get asked a lot is: “how do you manage and…
Gijs Hollestelle
Mar 13, 2023

Microsoft Defender for Endpoint Internals 0x04 — Timeline

The MDE timeline has information which is not available in the advanced hunting interface and vice versa. Don’t be blindsided.
Olaf Hartong
Feb 10, 2023

FalconFriday — Using public intelligence feeds to improve detections — 0xFF22

Today, we will look at how to incorporate public datasets to improve our detections. We will create Sentinel watchlists, build rules…
Jos van der Peet
Dec 16, 2022

FalconFriday — Detecting Active Directory Data Collection — 0xFF21

Active Directory data collection
Gijs Hollestelle
Nov 11, 2022

FalconFriday — Detecting ADCS web services abuse — 0xFF20

One of the popular attack vectors against ADCS is ESC8 — relaying NTLM creds to the ADCS HTTP(S) endpoints. While preventing this…
Henri Hambartsumyan
Oct 14, 2022

FalconFriday — Detecting LSASS dumping with debug privileges — 0xFF1F

Credential dumping from Local Security Authority Subsystem Service (LSASS)
Olaf Hartong
Sep 16, 2022

Microsoft Defender for Endpoint Internals 0x03 — MDE telemetry unreliability and log augmentation

In part one and part two of this series, we have established that Microsoft Defender for Endpoint (MDE) uses sampling and caps on events…
Olaf Hartong
Jul 8, 2022

Microsoft Defender for Endpoint Internals 0x02 — Audit Settings and Telemetry

In the previous article of this series, I’ve put Microsoft Defender for Endpoint (MDE) next to Sysmon and highlighted some of the…
Olaf Hartong
Jul 1, 2022

FalconFriday — Detecting UnPACing and shadowed credentials — 0xFF1E

When playing around with Certipy and Rubeus in a recent project, I got into the rabbit hole. Going through the attacks implemented in…
Henri Hambartsumyan
Jun 17, 2022

FalconFriday — Detecting malicious modifications to Active Directory — 0xFF1D

Recently, we are seeing more and more threat actors and red teams move to using relay attacks, often combined with the ability of users to…
Gijs Hollestelle
May 13, 2022

Debugging the undebuggable and finding a CVE in Microsoft Defender for Endpoint

At FalconForce, we like to understand the tools that we work with. One of the tools we use a lot on the blue side is MDE: Microsoft…
Gijs Hollestelle
Apr 1, 2022

EzETW — Got To Catch Them All…

This post will present the EzETW tool and go over basic Windows events PowerShell cmdlet syntax.
SadProcessor
Mar 11, 2022

FalconFriday — Detecting realistic AWS cloud-attacks using Azure Sentinel — 0xFF1C

On January 28th, Christophe Tafani-Dereeper released the open source Stratus Red team attack simulation tool. At FalconForce, we are very…
Gijs Hollestelle
Feb 11, 2022

FalconFriday — Suspicious named pipe events — 0xFF1B

TL;DR for blue teams: Attackers use named pipes to conveniently move laterally and mostly bypass detection. This blog post shows a method…
Olaf Hartong
Jan 14, 2022