It has been 5 years already! Together with 15 Falcons, we celebrated the 5-year anniversary of FalconForce in style. We teamed up in Greece and went on an amazing trip to sunny Santorini. A trip to remember.
06.06.2025 07:17
We are proud to introduce #dAWShund to the world: a framework for putting a leash on naughty AWS permissions. dAWShund helps blue and red teams find resources in #AWS, evaluate their access levels and visualize the relationships between them.
falconforce.nl/dawshund-fra...
#blueteaming #redteaming
11.04.2025 11:54
Upcoming new FalconForce Sentry Respond webinar! Register now: events.teams.microsoft.com/event/0447b5...
Join us on Tuesday 1 July 2025, 16:00h CEST, to get actionable insights on how we support #SOCs in enhancing their efficiency. Facilitated by FalconForce specialists @olafhartong.nl and Henri.
21.03.2025 14:26
A PowerShell script for installing Sysmon and enabling best-practice audit logs (better_event_logging.ps1)
I wanted a script I could run on a new Windows box that would install sysmon with @olafhartong.nl's configs, and set logging best practices with Zach Mathis' (Yamato Security) "EnableWindowsLogSettings" configs.
So I made one! Feel free to inspect it and repurpose.
gist.github.com/ecapuano/42f...
01.03.2025 20:12
Looking forward to it. I've reported that issue to Microsoft almost 3y ago; it was closed as not important for immediate fixing. Persisted on the urge with several dev teams; they have a kernel patch but still are reluctant to release it due to uncertainty whether it could cause disruption.
26.02.2025 06:28
I believe the stack covering westeu has longer running issues. Ingestion delays have been significantly higher there for over a year.
This is also the region where they have a huge client pool so I have a gut feeling that region needs some more hardware or restructuring due to the success.
26.02.2025 06:20
For the fourth consecutive year, we will be back in Las Vegas to facilitate our Advanced Detection Engineering in the Enterprise training!
Get your ticket before May 25. More information and registration: www.blackhat.com/us-25/traini...
#detectionengineering #training
14.02.2025 11:06
We held our first webinar and had a great time presenting our insights in delivering and maintaining high-fidelity bespoke detection content! Did you miss it? Or forgot to make a note? We got you covered with the recording and a PDF with the slides: falconforce.nl/webinar-sent...
23.01.2025 14:36
Thanks man, that means a lot. So are we. We're building something we think is super useful and hope to release that this year.
25.01.2025 07:00
Now I want that based on my region for my office. Beautiful.
24.01.2025 19:15
It's amazing to realize that it has been 5 years already! So proud of the team of amazing individuals who I learn from and enjoy working with every day.
24.01.2025 15:07
Microsoft Virtual Events Powered by Teams
Today at 4PM CET / 3PM GMT / 10AM EST / 7AM PST, we'll host a webinar on our Managed Detection Engineering service. There is still time to join!
events.teams.microsoft.com/event/700051...
Looking forward to seeing you there.
22.01.2025 12:16
In our latest blog, we follow Arnau (www.linkedin.com/in/arnauorte...) on his journey to leverage #WinRM plugins for lateral movement. A deep rabbit hole that ultimately led to a custom plugin, #BOF and a solid detection in our #FalconFriday repository.
falconforce.nl/exploring-wi...
20.01.2025 12:01
This also accidentally mitigates several domain fronting opportunities for adversaries that could leverage several Microsoft.com subdomains for a long time.
13.01.2025 18:08
ADFS - Living in the Legacy of DRS
It's no secret that Microsoft have been trying to move customers away from ADFS for a while. Short of slapping a 'deprecated' label on it...
Achievement unlocked, my first blog with SpecterOps. This post looks at ADFS OAuth2 support, Device Registration, Enterprise PRT, and a brain dump of things that I didn't want to leave sitting on Notion. buff.ly/4j41VQU
07.01.2025 14:33
Unreliable people!
05.01.2025 09:45
At least I'm happy to see them use the metric system, the only proper standard.
05.01.2025 09:39
Obviously, there are way more mature tools like SilkETW, Sealighter and ETWInspector. These tools are amazing. I just needed something fast and with basic CLI output while doing research on providers and certain events. This was just easier than reconfiguring them constantly.
04.01.2025 21:18
GitHub - olafhartong/PockETWatcher: a tiny program to consume an ETW trace for research
Adding to my ETW research toolkit, a tiny program to consume information from a provider with as little overhead as possible.
PockETWatcher, a tool to get the essential information from an ETW provider to the CLI or a JSON file
github.com/olafhartong/...
04.01.2025 21:15
Yes! I'm probably going with Keith on the Wednesday and have the Saturday after open, would love to hang!
03.01.2025 14:12
While working on some ETW research I whipped up this dirty script to enumerate registered trace logging providers and, more importantly, their DACLs, which I needed most.
gist.github.com/olafhartong/...
03.01.2025 14:11
Releases · FalconForceTeam/FalconHound
FalconHound is a blue team multi-tool. It allows you to utilize and enhance the power of BloodHound in a more automated fashion. It is designed to be used in conjunction with a SIEM or other log ag...
FalconHound 1.4.2 is out!
* Added Managed identity authentication for Azure based inputs (KeyVaults, MDE, Sentinel, GraphAPI)
* Added report command line option and actions
* Added HTML output option
Grab it here > github.com/FalconForceT...
30.12.2024 16:09
No sleep for us! We will facilitate a 3-day workshop version of our Advanced Detection Engineering in the Enterprise training at #insomnihack in Switzerland. Registration is open! Information and registration: insomnihack.ch/workshops/ad...
#detectionengineering #training #purpleteam
20.12.2024 09:49
Upcoming FalconForce Sentry Detect webinar! Register now: events.teams.microsoft.com/event/700051... Join us on Wed 22 January 2025, 16:00h CET, to get actionable insights on how we deliver and maintain high-fidelity bespoke detection content. Facilitated by @olafhartong.nl and Henri (x.com/0xffhh).
17.12.2024 13:10
Detection engineering rabbit holes: parsing ASN.1 packets in KQL
TL;DR: Detection engineering is sometimes hard. Your efforts may seem to have failed, but perseverance can pay off. Or you can still fail...
Detection engineering is sometimes hard, and may fail. Still, a lot can be learned from the process. In this blog I cover a lot. I had a detection; currently it's broken but MS is on it :D
medium.com/falconforce/...
16.12.2024 14:37
Excel championship material
15.12.2024 20:49
Only took one pic, don't think you're in there.
08.12.2024 19:44
I must have seen you drive at some point. I was biking there around noon. Seen several cars explore the gravel too.
08.12.2024 19:42
I learned to appreciate you for it.
06.12.2024 07:02