TL;DR — At FalconForce we love purple teaming, meaning that we engage in both red teaming and blue teaming.
It is not a big secret that we at FalconForce work a lot with, and are big fans of, both Microsoft Defender for Endpoint (MDE) and Sysinternals Sysmon.
TL;DR: There is a lot of great research available on how to obtain an Azure Primary Refresh Token (PRT) cookie, post-exploitation.
Today’s blog is about detection of a bypass for the ASR rule “Block Office applications from creating executable content”.
Attackers often require full administrative privileges on a machine to be able to use their full attack capabilities.
Organisations store heaps of data that is important to their business processes or can be considered intellectual property.