Olaf Hartong @olafhartong

@FalconForceTeam | Photographer | Microsoft MVP | Data Dweller | Sysmon | Snow man role model | bibliogram.art/olafhartong/

 The Netherlands
olafhartong.nl
Joined October 2009
  • Tweets 6,575
  • Following 906
  • Followers 13,307
1,005 Photos and videos
I've updated my #Splunk #ThreatHunting app - User fields to all panels (#Sysmon 13.30) - New File Prevalence dashboard - Newly observed hashes dashboard - New Sysmon tuning dashboard - Several bug fixes - Updated the downloadable lookup files splunkbase.splunk.com/app/43…
7
105
6
344
Olaf Hartong retweeted
Cedric Owens @cedowens
May 25
My latest blog post on how in memory JXA exec, dylib exec, keylogging, and other techniques look through the lens of Apple’s ESF 🔎: cedowens.medium.com/taking-e…

Taking ESF For A(nother) Spin

2+ years ago from the date of this blog post I wrote my initial blog post where I started becoming familiar with Apple’s Endpoint Security…

cedowens.medium.com
3
34
2
75
Olaf Hartong retweeted
Andy Robbins @_wald0
May 25
In this blog post, I show you my step-by-step process for automating Azure abuse research. In this example I'm be looking at Azure Virtual Machines and their Managed Identities, based on original research by Karl Fosaaen (@kfosaaen): posts.specterops.io/automati…

Automating Azure Abuse Research — Part 1

Intro

posts.specterops.io
4
73
5
198
Tool Release: Ghostrings - a collection of Ghidra scripts for recovering string definitions in Go binaries with P-Code analysis - by James Chambers - research.nccgroup.com/2022/0… - Code - github.com/nccgroup/ghostrin…
1
101
1
248
Olaf Hartong retweeted
Andrew @4ndr3w6S
May 20
(1/2) Happy Friday! Wrote a quick post formalizing the Windows Events surrounding gMSA attacks into SPL queries. H/T to @SemperisTech, @Stealthbits and @mubix for providing the initial detection research
TrustedSec @TrustedSec
May 20
Find out how @4ndr3w6S simulates different gMSA attacks and formalized the Windows Events into Splunk SPL Queries. hubs.la/Q01bP6F90
3
17
1
44
Show this thread
Defender AV started flagging part of my #sysmon config as a ‘Trojan’ nothing to worry about, it’s the bit looking for tampering commands on the command line. Hope it gets addressed soon by @msftsecurity
8
22
98
Thanks to @zaicurity for letting me know of this issue
3
Olaf Hartong retweeted
JMP RSP @0xffhh
May 18
Does anyone know what the status is of API Monitor? Is in dead? Will it ever get an update or be open sourced? I have so many usecases and/or feature requests…🤯 Cc: @rohitab
1
4
Olaf Hartong retweeted
Jonny Johnson @jsecurity101
May 18
The Invoke-ATHMSI gives the caller the ability to enter in at various levels to execute MSI files to best mimic attacker behavior. We leveraged the abstraction map below to help identify entry points an attacker could/would take.
Matt Graeber @mattifestation
May 18
Today, @jsecurity101 and I added Get/New/Invoke-ATHMSI to AtomicTestHarnesses. These functions allow you to automate parsing, building, and executing MSI files with a wide range of customization and test output for defenders. github.com/redcanaryco/Atomi…
17
29
Olaf Hartong retweeted
SwiftOnSecurity @SwiftOnSecurity
May 18
Introduction to Sysmon and discussion: reddit.com/r/sysadmin/commen…

Security Cadence: Sysmon (Logging Part 2 out of ?????)

This is another installment of my weekly Security Cadence posts. If you are not familiar with what these are, please read the FAQ...

reddit.com
2
21
1
108
Today is the day folks! Graph X-Ray is now available for download from all your favourite app stores. graphxray.merill.net/ Credits to the awesome team Dhruv, Clement, @Eunixnho & @mumbihere 🧵👇🏾
18
130
15
300
Show this thread
Olaf Hartong retweeted
James Forshaw @tiraniddo
May 14
I said I'd write up how you could exploit RBCD using a normal user account if you know the password. So here it is tiraniddo.dev/2022/05/exploi…
6
244
4
511
The new FalconFriday is out and focuses on detecting attacks that abuse malicious modifications to Active Directory, for example, in relaying attacks. Our detections give you a head start in identifying known and unknown attacks that rely on these changes! medium.com/falconforce/falco…
11
1
22
Olaf Hartong retweeted
Mauricio Velazco @mvelazco
May 12
As the backbone of Active Directory authentication, Kerberos is commonly abused by adversaries across the attack lifecycle. Spent some time writing @splunk detections. Hope it helps #BlueTeam! #ThreatHunting Detections: research.splunk.com/stories/… Blog: splunk.com/en_us/blog/securi…

Detecting Active Directory Kerberos Attacks: Threat Research Release, March 2022

Learn more about the Splunk Threat Research Team's new analytic story to help SOC analysts detect adversaries abusing the Kerberos protocol to attack Windows Active Directory environments

splunk.com
2
66
2
186
Have you been wanting to present at one of our conferences? Well, now is your chance!! Our Call For Papers is open for Deadwood 2022. Submit your paper here. Deadline is June 26, 2022. ➡️ wildwesthackinfest.com/deadw… #cfp #Deadwood2022
23
1
42
Olaf Hartong retweeted
Randall Munroe
 @xkcd
May 11
Selection Bias xkcd.com/2618
54
3,661
203
30,882
Olaf Hartong retweeted
Sysinternals @Sysinternals
May 11
A new update with AccessChk v6.15, RAMMap v1.61 and Sysmon v13.34 has now been posted! Get the tools at sysinternals.com See what's new on the Sysinternals Blog: techcommunity.microsoft.com/…

Sysinternals Blog

techcommunity.microsoft.com
18
42
Olaf Hartong retweeted
Oliver Lyak @ly4k_
May 10
The first blog post is here. This one covers the technical details of CVE-2022-26923 (Active Directory Domain Services Elevation of Privilege Vulnerability). The vulnerability was patched as part of the May 2022 Security Updates from Microsoft. research.ifcr.dk/9e098fe298f…

Certifried: Active Directory Domain Privilege Escalation (CVE-2022–26923)

In this blog post, we’ll dive into a recently patched Active Directory Domain Privilege Escalation vulnerability that I reported through…

research.ifcr.dk
30
382
21
816
Show this thread
Olaf Hartong retweeted
Oddvar Moe @Oddvarmoe
May 10
New blog post about an adventure I had with pre-created computer accounts. Let me tell you, old computer accounts can be fun! Ended up creating an impacket script and a PR to the SharpHound ingestor as part of my adventure 🔥 Feedback is appreciated trustedsec.com/blog/diving-i…

Diving into pre-created computer accounts - TrustedSec

Go on a journey with Oddvar Moe as he uses his legacy knowledge to abuse pre-created computer accounts that could potentially let you escalate privileges.

trustedsec.com
16
106
7
276
Come join us for a full 4 days of detection engineering fun in Las Vegas this summer.
FalconForce Official @falconforceteam
May 10
🦅 Get your early-bird tickets for our #BHUSA training before 29 May! Join our Advanced Detection Engineering for Windows training: a 4-day, in-person, very hands-on training on building advanced, resilient detections in Las Vegas! 🏜️ More details: blackhat.com/us-22/training/…
4
19
Olaf Hartong retweeted
Jonny Johnson @jsecurity101
May 9
Happy Monday 🙂 Over the past week or so @exploitph, @4ndr3w6S, and myself came together to look into the Kerberos Relay attack. During that time we decided it would be good to create a write-up about it. Here it is - jsecurity101.medium.com/defe…

Defending the Three Headed Relay

A joint blog written by Andrew Schwartz, Charlie Clark, and Jonny Johnson

jsecurity101.medium.com
3
49
2
110
Show this thread
Load more