In part one and part two of this series, we have established that Microsoft Defender for Endpoint (MDE) uses sampling and caps on events to limit the amount of telemetry being uploaded to the cloud.
In the previous article of this series, I put Microsoft Defender for Endpoint (MDE) side by side with Sysmon and highlighted some of the differences and points of attention regarding sampling.
When playing around with Certipy and Rubeus in a recent project, I went down a rabbit hole.
Recently, we have been seeing more and more threat actors and red teams move to relay attacks, often combined with the ability of users to add or modify data in Active Directory.
At FalconForce, we like to understand the tools that we work with.