In FalconForce, by Gijs Hollestelle: FalconFriday — Detecting MMC abuse using “GrimResource” with MDE — 0xFF24. Last week, Elastic Security Labs released a blog post detailing the “GrimResource” technique used by both red teams and malicious actors… (Jun 28)
In FalconForce, by Olaf Hartong: Sysmon vs Microsoft Defender for Endpoint, MDE Internals 0x01. It is not a big secret that we at FalconForce work a lot with, and are big fans of, both Microsoft Defender for Endpoint (MDE) and… (Oct 15, 2021)
In FalconForce, by Jos van der Peet: FalconFriday — Using public intelligence feeds to improve detections — 0xFF22. Today, we will look at how to incorporate public datasets to improve our detections. We will create Sentinel watchlists, build rules… (Dec 16, 2022)
In FalconForce, by Olaf Hartong: FalconFriday — Suspicious named pipe events — 0xFF1B. TL;DR for blue teams: Attackers use named pipes to conveniently move laterally and mostly bypass detection. This blog post shows a method… (Jan 14, 2022)
In FalconForce, by Gijs Hollestelle: FalconFriday — Detecting Active Directory Data Collection — 0xFF21. Active Directory data collection (Nov 11, 2022)
In FalconForce, by Henri Hambartsumyan: FalconFriday — Detecting UnPACing and shadowed credentials — 0xFF1E. When playing around with Certipy and Rubeus in a recent project, I got into the rabbit hole. Going through the attacks implemented in… (Jun 17, 2022)
In FalconForce, by Henri Hambartsumyan: FalconFriday — Detecting ADCS web services abuse — 0xFF20. One of the popular attack vectors against ADCS is ESC8 — relaying NTLM creds to the ADCS HTTP(S) endpoints. While preventing this… (Oct 14, 2022)
In FalconForce, by Gijs Hollestelle: FalconFriday — Detecting malicious modifications to Active Directory — 0xFF1D. Recently, we are seeing more and more threat actors and red teams move to using relay attacks, often combined with the ability of users to… (May 13, 2022)