FalconForce

FalconFriday — Stealing and detecting Azure PRT cookies — 0xFF18

By Henri Hambartsumyan
at October 1, 2021

TL;DR: There is a lot of great research available on how to obtain an Azure Primary Refresh Token (PRT) cookie, post-exploitation.

FalconFriday — Detecting ASR Bypasses — 0xFF17

By Henri Hambartsumyan
at September 10, 2021

Today’s blog is about detection of a bypass for the ASR rule “Block Office applications from creating executable content”.

FalconFriday — Detecting UAC Bypasses — 0xFF16

By Gijs Hollestelle
at August 20, 2021

Attackers often require full administrative privileges on a machine to be able to use their full attack capabilities.

FalconFriday — Detecting important data destruction by ransomware — 0xFF15

By Henri Hambartsumyan
at August 6, 2021

Organisations store heaps of important data, which is important to their business processes or can be considered intellectual property.

FalconFriday — Direct system calls and Cobalt Strike BOFs — 0xFF14

By Gijs Hollestelle
at July 23, 2021

Direct system calls are a popular technique used by attackers to bypass certain EDR solutions.

FalconFriday — Privilege Escalations to SYSTEM — 0xFF13

By Gijs Hollestelle
at July 9, 2021

Sometimes, simple queries can be quite effective. One example of that is a rule we recently developed to detect processes that start without SYSTEM privileges, and spawn child processes that do have SYSTEM privileges.

Our blog