FalconForce

FalconFriday — Detecting ADCS web services abuse — 0xFF20

By Henri Hambartsumyan
at October 14, 2022

One of the popular attack vectors against ADCS is ESC8 — relaying NTLM creds to the ADCS HTTP(S) endpoints.

FalconFriday — Detecting LSASS dumping with debug privileges — 0xFF1F

By Olaf Hartong
at September 16, 2022

As you know, there are various ways of dumping credentials. On the endpoint, in most cases, credentials are gathered from the Local Security Authority Subsystem Service (LSASS).

Microsoft Defender for Endpoint Internals 0x03 — MDE telemetry unreliability and log augmentation

By Olaf Hartong
at July 8, 2022

In part one and part two of this series, we have established that Microsoft Defender for Endpoint (MDE) uses sampling and caps on events to limit the amount of telemetry being uploaded to the cloud.

Microsoft Defender for Endpoint Internals 0x02 — Audit Settings and Telemetry

By Olaf Hartong
at July 1, 2022

In the previous article of this series, I’ve put Microsoft Defender for Endpoint (MDE) next to Sysmon and highlighted some of the differences and attention points in terms of sampling.

FalconFriday — Detecting UnPACing and shadowed credentials — 0xFF1E

By Henri Hambartsumyan
at June 17, 2022

When playing around with Certipy and Rubeus in a recent project, I got into the rabbit hole.

FalconFriday — Detecting malicious modifications to Active Directory — 0xFF1D

By Gijs Hollestelle
at May 13, 2022

Recently, we are seeing more and more threat actors and red teams move to using relay attacks, often combined with the ability of users to add or modify data in Active Directory.

Our blog