@FalconForceTeam | Photographer | Microsoft MVP | Data Dweller | Sysmon | Snow man role model | bibliogram.art/olafhartong/

The Netherlands
Joined October 2009
I've updated my #Splunk #ThreatHunting app - User fields to all panels (#Sysmon 13.30) - New File Prevalence dashboard - Newly observed hashes dashboard - New Sysmon tuning dashboard - Several bug fixes - Updated the downloadable lookup files splunkbase.splunk.com/app/43…
Olaf Hartong retweeted
My latest blog post on how in memory JXA exec, dylib exec, keylogging, and other techniques look through the lens of Apple’s ESF 🔎: cedowens.medium.com/taking-e…
Olaf Hartong retweeted
In this blog post, I show you my step-by-step process for automating Azure abuse research. In this example I'll be looking at Azure Virtual Machines and their Managed Identities, based on original research by Karl Fosaaen (@kfosaaen): posts.specterops.io/automati…
Tool Release: Ghostrings - a collection of Ghidra scripts for recovering string definitions in Go binaries with P-Code analysis - by James Chambers - research.nccgroup.com/2022/0… - Code - github.com/nccgroup/ghostrin…
Olaf Hartong retweeted
(1/2) Happy Friday! Wrote a quick post formalizing the Windows Events surrounding gMSA attacks into SPL queries. H/T to @SemperisTech, @Stealthbits and @mubix for providing the initial detection research
Find out how @4ndr3w6S simulates different gMSA attacks and formalized the Windows Events into Splunk SPL Queries. hubs.la/Q01bP6F90
Defender AV started flagging part of my #sysmon config as a ‘Trojan’ nothing to worry about, it’s the bit looking for tampering commands on the command line. Hope it gets addressed soon by @msftsecurity
Thanks to @zaicurity for letting me know of this issue
Olaf Hartong retweeted
Does anyone know what the status is of API Monitor? Is it dead? Will it ever get an update or be open sourced? I have so many use cases and/or feature requests…🤯 Cc: @rohitab
Olaf Hartong retweeted
The Invoke-ATHMSI gives the caller the ability to enter in at various levels to execute MSI files to best mimic attacker behavior. We leveraged the abstraction map below to help identify entry points an attacker could/would take.
Today, @jsecurity101 and I added Get/New/Invoke-ATHMSI to AtomicTestHarnesses. These functions allow you to automate parsing, building, and executing MSI files with a wide range of customization and test output for defenders. github.com/redcanaryco/Atomi…
Today is the day folks! Graph X-Ray is now available for download from all your favourite app stores. graphxray.merill.net/ Credits to the awesome team Dhruv, Clement, @Eunixnho & @mumbihere 🧵👇🏾
Olaf Hartong retweeted
I said I'd write up how you could exploit RBCD using a normal user account if you know the password. So here it is tiraniddo.dev/2022/05/exploi…
The new FalconFriday is out and focuses on detecting attacks that abuse malicious modifications to Active Directory, for example, in relaying attacks. Our detections give you a head start in identifying known and unknown attacks that rely on these changes! medium.com/falconforce/falco…
Have you been wanting to present at one of our conferences? Well, now is your chance!! Our Call For Papers is open for Deadwood 2022. Submit your paper here. Deadline is June 26, 2022. ➡️ wildwesthackinfest.com/deadw… #cfp #Deadwood2022
Olaf Hartong retweeted
Selection Bias xkcd.com/2618
Olaf Hartong retweeted
A new update with AccessChk v6.15, RAMMap v1.61 and Sysmon v13.34 has now been posted! Get the tools at sysinternals.com See what's new on the Sysinternals Blog: techcommunity.microsoft.com/…
Olaf Hartong retweeted
The first blog post is here. This one covers the technical details of CVE-2022-26923 (Active Directory Domain Services Elevation of Privilege Vulnerability). The vulnerability was patched as part of the May 2022 Security Updates from Microsoft. research.ifcr.dk/9e098fe298f…
Olaf Hartong retweeted
New blog post about an adventure I had with pre-created computer accounts. Let me tell you, old computer accounts can be fun! Ended up creating an impacket script and a PR to the SharpHound ingestor as part of my adventure 🔥 Feedback is appreciated trustedsec.com/blog/diving-i…
Come join us for a full 4 days of detection engineering fun in Las Vegas this summer.
🦅 Get your early-bird tickets for our #BHUSA training before 29 May! Join our Advanced Detection Engineering for Windows training: a 4-day, in-person, very hands-on training on building advanced, resilient detections in Las Vegas! 🏜️ More details: blackhat.com/us-22/training/…
Olaf Hartong retweeted
Happy Monday 🙂 Over the past week or so @exploitph, @4ndr3w6S, and myself came together to look into the Kerberos Relay attack. During that time we decided it would be good to create a write-up about it. Here it is - jsecurity101.medium.com/defe…