Olaf Hartong

@olafhartong

Followers: 16,650 | Following: 936 | Media: 1,500 | Statuses: 8,321

@FalconForceTeam | researcher with a camera | Microsoft MVP | Snow man role model

The Netherlands
Joined October 2009
Pinned Tweet
Olaf Hartong (@olafhartong), 1 year ago:
If you are a user of Microsoft Defender for Endpoint or are considering it, you might find this series useful. A 🧵 The first edition covers the differences between #MDE and #Sysmon and telemetry acquisition: 1 - Sysmon vs Microsoft Defender for Endpoint
Olaf Hartong (@olafhartong), 5 years ago:
For all people (planning on) working with #Sysmon, I've created a set of #cheatsheets explaining all fields and added some field relationship graphs. In regular and a hip dark mode. Thanks to @Cyb3rWard0g for his OSSEM documentation. #DFIR #BlueTeam
Olaf Hartong (@olafhartong), 3 years ago:
I've just updated my #Sysmon cheatsheets. They contain all fields up to the latest release, version 13.30. In light and dark mode.
Olaf Hartong (@olafhartong), 5 years ago:
I've just released my @MITREattack datasource assessment tool, also a blog post detailing it a bit more here. #DIFR #Blueteam #infosec
Olaf Hartong (@olafhartong), 2 years ago:
Sysmon 14.0 has just been released by @Sysinternals, sporting a new feature that will now allow it to start having prevention features. The new Event ID is 27 and is called FileBlockExecutable. I've written a short blog with some more details. #sysmon
Olaf Hartong (@olafhartong), 3 years ago:
Sysmon 13 has just been released. I've just published a detailed look at the new ProcessTampering feature in a blog. #DFIR #Infosec #Sysmon
Olaf Hartong (@olafhartong), 9 months ago:
It is out! FalconHound is now public. A blue team multi-tool. It allows you to utilize and enhance the power of BloodHound in a more automated fashion. Yesterday I spoke about FalconHound @WWHackinFest, slides to the talk:
Olaf Hartong (@olafhartong), 5 years ago:
I've updated my ThreatHunting app on GitHub and on Splunkbase to version 1.3. Several new features, some fixes. Release notes: #sysmon #dfir #threathunting #blueteam #splunk #infosec #mitreattack
Olaf Hartong (@olafhartong), 6 years ago:
I've uploaded a big update to my modular #Sysmon configuration repository. 28 changes in total. All newly published @MITREattack techniques are added where possible, plus I worked on some older ones. #Attack #dfir #blueteam
Olaf Hartong (@olafhartong), 5 years ago:
My @MITREattack per DataSource possible coverage assessment is nearing completion. Needs a bit more polishing and it's ready for public release. In the end one #Excel sheet will need to be filled and a set of #PowerShell commandlets will do the rest. #BlueTeam #DFIR #ThreatHunting
Olaf Hartong (@olafhartong), 6 years ago:
It's out there! I've released my ThreatHunting app on GitHub and Splunkbase. My BlackHat Arsenal presentation and demo video are available here. #sysmon #dfir #threathunting #blueteam #splunk
Olaf Hartong (@olafhartong), 5 months ago:
SOAPHound is out for walkies! SOAPHound is a #BloodHound collector to enumerate AD over SOAP instead of LDAP directly. Proud of Nikos for all his hard work! Blog: Tool repo: Detections:
Olaf Hartong (@olafhartong), 3 years ago:
#Sysmon for Linux has been released! I've posted a short overview of what you can currently expect from it. Great job by @markrussinovich @mxatone @kevsecurity and the rest of the @Sysinternals team!
Olaf Hartong (@olafhartong), 3 years ago:
We get a lot of questions about whether #Sysmon still makes sense when you have an EDR like #MDE, so I wrote a blog about it :) #dfir #detectionengineering
Olaf Hartong (@olafhartong), 4 years ago:
I've just posted a small blog on how I utilize #Bloodhound to dig into @MITREattack. Many thanks to @SadProcessor, @_wald0 and @CptJesus for providing me the means to do so.
Olaf Hartong (@olafhartong), 5 years ago:
Microsoft recommended block rules for applications (Windows 10). Recommended by lots of smart ppl that are nicely credited by @msftsecurity. #DFIR #BlueTeam
Olaf Hartong (@olafhartong), 5 years ago:
Simulating MITRE ATT&CK with RE:TERNAL, cool write up of a tool under heavy development but already very promising!
Olaf Hartong (@olafhartong), 3 years ago:
I've updated my #Splunk #ThreatHunting app:
- User fields to all panels (#Sysmon 13.30)
- New File Prevalence dashboard
- Newly observed hashes dashboard
- New Sysmon tuning dashboard
- Several bug fixes
- Updated the downloadable lookup files
Olaf Hartong (@olafhartong), 2 years ago:
The #sysmon-modular project has been expanded. Most importantly with an #MDE augmentation config. This config will only generate the event types where MDE falls short. I'll write a blog soon to explain the nuances and considerations to enrich it yourself.
Olaf Hartong (@olafhartong), 3 years ago:
#Sysmon is out on Linux and is open source! Currently it supports Process and Network events based on eBPF. The schema has the same structure as its Windows equivalent. Configuration is done in the same XML format. Awesome work by the @Sysinternals team
Olaf Hartong (@olafhartong), 1 year ago:
It has been a while since I shared some Microsoft Defender for Endpoint internals. This new post explores the telemetry differences between the Timeline and the Advanced Hunting page. #MDE #M365 #FalconFriday #FalconForce #DefenderForEndpoint
Olaf Hartong (@olafhartong), 4 years ago:
I've just uploaded a new release of the ThreatHunting app for Splunk. This release has some new features, speed improvements and several bug fixes. Working on some big new feature additions. #threathunting #dfir #sysmon #splunk
Olaf Hartong (@olafhartong), 5 years ago:
I'm working on an assessment to visualize data coverage for @MITREattack techniques based on event data. This will allow you to see where you can start a hunt, build a use case and where you need additional data sources. Still some bugs to squash. #dfir #threathunting #security
Olaf Hartong (@olafhartong), 4 years ago:
I've just published 'The ATT&CK Rainbow of Tactics', a proposed colour scheme to tag @MITREattack tactics in visual representations like dashboards, graphs or reports.
Olaf Hartong (@olafhartong), 1 year ago:
#Sysmon 15 is out and brings a new event type, FileExecutableDetected, which allows for much more detection opportunities. I've written up some of my thoughts on what this feature brings and where it could be even better in this blog post.
Olaf Hartong (@olafhartong), 2 years ago:
The next edition of my MDE-internals blog series has just been published on our blog. This edition dives into the telemetry and some of the audit settings that might currently cause you some blind spots. #MDE #DetectionEngineering #FalconForce
Olaf Hartong (@olafhartong), 4 years ago:
#Sysmon 12 is out, adding a new EventID 24, Clipboard captures. I've posted some of my early findings in a blog post. #DFIR
Olaf Hartong (@olafhartong), 3 years ago:
The great team at @Sysinternals released #Sysmon version 13.10 adding a new event type. I posted a small blog to describe the new functionality here. #DFIR
Olaf Hartong (@olafhartong), 3 years ago:
I've been doing a lot of work on my #Sysmon repo lately and have had a bunch of nice PRs.
- A lot of tweaks and new modules have been added.
- The merge script properly orders the output again.
I'll be adding more over the next weeks. #DFIR
Olaf Hartong (@olafhartong), 5 years ago:
Working on some additions to my @MITREattack Datamap tool, one of which is a rating for applicability in Alerting, Hunting or Forensics. The screenshot shows my rating in terms of coverage potential per technique, darker is higher true positive potential.
Olaf Hartong (@olafhartong), 5 years ago:
Based on my data source + weight calculation by technique, the theoretical coverage of @MITREattack by #Sysmon is very impressive. Mind you, this is purely based on its potential. In practice this will be less due to performance reasons and current configuration limitations. #DFIR
Olaf Hartong (@olafhartong), 6 years ago:
I've just pushed a major upgrade to my repository, adding @MITREattack annotation to all my configuration modules and upgraded the schema for #Sysmon 8 compatibility, expect new configuration modules soon! #dfir #blueteam
Olaf Hartong (@olafhartong), 3 years ago:
I've just uploaded a long overdue maintenance release to my ThreatHunting app for Splunk. No new features in this release yet. A ton of bug fixes and code improvements. Also, due to popular demand it's Splunk Cloud ready. #threathunting #sysmon #splunk
Olaf Hartong (@olafhartong), 5 years ago:
With #Sysmon 10.4x being stable now, I'd love to enable everyone to utilize its great new features. I've merged my 10.4 branch to the master branch, making it the default one I'll be maintaining. #DFIR #ThreatHunting
Olaf Hartong (@olafhartong), 4 years ago:
With the @MITREattack Sub techniques out it was time to retag all my #Sysmon modules. I've updated the repo. I'll also go through it later to tag some more untagged rules and update it with more detections. #DFIR #ThreatHunting
Olaf Hartong (@olafhartong), 4 years ago:
A few hours ago @FireEye has published a very well documented article on the SolarWinds supply chain compromise. I've converted their indicator share into KQL hunting queries. #SUNBURST #MDE #ThreatHunting
Olaf Hartong (@olafhartong), 5 years ago:
ATT&CKized Splunk - Threat Hunting with MITRE's ATT&CK using Splunk. Thanks to @Kirtar_Oza for the shoutout
Olaf Hartong (@olafhartong), 3 years ago:
I've been doing a lot of maintenance on my #Sysmon repository, and more will follow soon. Apart from adding and improving a lot of modules, the merge script also got some love. Environment specific configurations are even easier now. #DFIR #FalconForce
Olaf Hartong (@olafhartong), 9 months ago:
Later this week, we @falconforceteam will release FalconHound at @WWHackinFest, a blue team multi-tool. It allows you to utilize and enhance the power of BloodHound in a more automated fashion. Co-developed with @SadProcessor and @gijs_h. Will post the link once it's out!
Olaf Hartong (@olafhartong), 4 years ago:
Amazing. I'm deeply humbled and super proud to have received a Microsoft MVP award! Great thanks to @microsoft and @mvpaward for this honor.
Olaf Hartong (@olafhartong), 6 years ago:
RIP #NIST 😕
Olaf Hartong (@olafhartong), 1 year ago:
I've been playing with visualizing the Microsoft Defender schemas in Neo4j. Want to extend it with more granularity now and add Sentinel to it. Is this something people would be interested in?
Olaf Hartong (@olafhartong), 7 months ago:
In the spirit of Christmas and sustainability I'm giving away my copy of the excellent book "Defender for Endpoint in Depth" which I won in an MVP session by @Threatzman. It has served me well. I'll select a random person from the likes at Christmas and will ship it to you.
Olaf Hartong (@olafhartong), 4 years ago:
As promised, I have just published a blog on "Using Azure Pipelines to validate my Sysmon configuration" #Sysmon #azuredevops #azurepipelines #infosec #DFIR
Olaf Hartong (@olafhartong), 3 years ago:
Are you looking at rundll32 command lines? In particular try hunting for the function called. The top functions called by #malware families over the past 90 days are an interesting artefact to have a look at. #ThreatHunting #DetectionEngineering
Olaf Hartong (@olafhartong), 4 years ago:
I've just pushed a large update to my sysmon-modular repo, making it V11 compatible. Expect more updates over the coming weeks. Will add more configs and start prepping for sub-techniques #sysmon #dfir #blueteam #sysinternals
Olaf Hartong (@olafhartong), 14 days ago:
I love the development the MDE team puts into expanding the telemetry! Our slackbot informed me JA3 / JA3S hashes are now recorded. Pretty cool for hunting and detection engineering!
Olaf Hartong (@olafhartong), 4 years ago:
Microsoft publishes the Security Audit types and the respective EventIDs here. However, does anyone have the overview of which setting is required for the EventID to be generated? {Success:Failure:Success and Failure} @msftsecurity #AskingForAFriend
Olaf Hartong (@olafhartong), 5 years ago:
My @DerbyCon talk slides are up, including the demo video (no voice-over). Full talk is available here. Thanks sooo much for everyone there making it one I'll never forget!
Olaf Hartong (@olafhartong), 9 months ago:
Working on a new blog in the MDE internals series, should be out tomorrow. "Microsoft Defender for Endpoint Internals 0x05 — Telemetry for sensitive actions" including a tool drop
Olaf Hartong (@olafhartong), 3 years ago:
Don't forget to build detections for connections to DynamicDNS URLs, quite a few malware families also make use of these services. Found 21 unique ones that I've seen in use in the last months, there are probably more
Olaf Hartong (@olafhartong), 4 years ago:
Playing with @MITREattack, together with SHIELD in Neo4j. This graph shows what Active Defense techniques can be taken to address: Scheduled Tasks, Process Injection and Credential Dumping. On the left all techniques also impacted, on the right all possible activities
Olaf Hartong (@olafhartong), 6 years ago:
All #Sysmon related searches based on #mitreattack are done, now some refinement/tuning is required. The image depicts the result of a successful redteam on my lab domain, completely pwning it. #dfir #blueteam
Olaf Hartong (@olafhartong), 9 months ago:
Happy Friday! Another blog in the #MDE internals series is out. I dove into Live Response action telemetry after we used it in a red team and wanted to build detections. I wrote DefenderHarvester to collect telemetry and much more from the service APIs
Olaf Hartong (@olafhartong), 5 years ago:
I am super stoked for 2020. Today we start a joint adventure as FalconForce, providing highly skilled technical security services.
Olaf Hartong (@olafhartong), 4 years ago:
Sample of one of the new #ThreatHunting @splunk dashboards that's in progress. Allows for quick triage of uncommon process chains. From the details deeper drilldowns are also possible #Sysmon #DFIR
Olaf Hartong (@olafhartong), 8 months ago:
Not long ago we released #FalconHound, a blue team attack path management extension to the beloved #Bloodhound. I've written a blog explaining more on why we've built it and how to apply it. The dev branch has full #Splunk support, soon available in main
Olaf Hartong (@olafhartong), 4 years ago:
I'm super happy to see all great research and meticulous work of @Carlos_Perez, the DarkDocumentor, out in the public. This is an amazing resource for everyone using or planning to use #Sysmon #BlueTeam
Olaf Hartong (@olafhartong), 3 years ago:
I've built a side project to show the functional status of the current #Sysmon version here: Note: it's not complete yet, still adding things. There are some small manual tasks left so it will change over time, I plan to host historical info. Blog soon.
Olaf Hartong (@olafhartong), 2 years ago:
Last week's MDE internals blog involved the audit settings. This new episode goes into some telemetry unreliability and a possible fix to augment MDE telemetry within the product. #MDEinternals #FalconForce #DetectionEngineering
Olaf Hartong (@olafhartong), 5 years ago:
I had a great time presenting my ThreatHunting app and Sysmon project today at #SplunkConf19, the slides and recording will be published on the @splunk conf website soon. Thanks everyone for attending!!
Olaf Hartong (@olafhartong), 4 years ago:
For people working with #azuresecurity #sentinel I've created an overview of all currently available template rules, and a script to parse the JSON obtained from the API
Olaf Hartong (@olafhartong), 3 years ago:
This is one of the first captchas I can appreciate ☺️🤣
Olaf Hartong (@olafhartong), 5 months ago:
Excited we almost get to share what the red team has been using for a long time, expect a sweet tool and blog drop tomorrow!
Olaf Hartong (@olafhartong), 2 years ago:
Pretty stoked to see my @Microsoft MVP Award has been extended for the third year! I'm proud to see my community contributions are being appreciated. #MVPBuzz
Olaf Hartong (@olafhartong), 5 years ago:
MITRE updated @MITREattack with a new Tactic, 14 new techniques and updated several others. I've updated my data mapping tool accordingly, one data source is still missing from the feed, I'll update the weights when that is live #dfir #ThreatHunting
Olaf Hartong (@olafhartong), 2 years ago:
Super excited that I will be co-facilitating a workshop "The Purple Malware Development Approach" together with my friend @mvelazco at @defcon this summer!!
Olaf Hartong (@olafhartong), 3 years ago:
My colleague @gijs_h posted an awesome blog on converting BOFs to shellcode, which enables you to use them with other/custom C2s. Shoutout to @TrustedSec for the COFFLoader. #FalconForce #RedTeam #Shellcode
Olaf Hartong (@olafhartong), 1 year ago:
At @falconforceteam we love automation. We apply this to a lot of our processes, including Detection Engineering. We will be sharing our internal tooling for validation, deployments etc. as open source software. Enjoy our first blog, written by @gijs_h.
Olaf Hartong (@olafhartong), 4 years ago:
During some research we've uncovered some interesting behavior. We're now allowed to publish about it. My colleague @0xffhh wrote a blog about it.
Olaf Hartong (@olafhartong), 5 years ago:
My talk at the MITRE #ATTACK workshop in Brussels, Coverage from a data perspective, can be found here: … Thanks to @FDezeure and @MITREattack for organising this great event #DFIR #infosec #ThreatHunting #BlueTeam
Olaf Hartong (@olafhartong), 7 days ago:
My SO-CON talk "Attack Path Based Detection Engineering: Leveraging BloodHound for Robust Defense" on FalconHound just got posted to YouTube by the folks over at @SpecterOps
Olaf Hartong (@olafhartong), 5 years ago:
I've posted a small blog post titled Keeping an eye out for detection content here #DFIR #ThreatHunting #BlueTeam #SIEM accompanied by a git repo
Olaf Hartong (@olafhartong), 4 years ago:
Endorsement thread of some ppl I highly respect, because it's Friday 😁 @Carlos_Perez for being an amazing researcher @Oddvarmoe lolbins and so much more @cyb3rops so much great defensive research @HackingDave for being a role model in various ways. @PyroTek3 anything AD
Olaf Hartong (@olafhartong), 4 years ago:
I've added CI/CD to my #Sysmon repo using Azure Pipelines. It'll check whether it merges correctly and will load on Sysmon to make sure there is no misconfiguration, then commit the new config. This way it stays up to date and error free. Blog soon :)
Olaf Hartong (@olafhartong), 4 years ago:
That awkward moment when you see your own company name in DefenderATP. I'll forgive them the misspelling 😎😊
Olaf Hartong (@olafhartong), 3 years ago:
Exciting week ahead, teaching a private #DetectionEngineering training and delivering two talks at a meetup event tonight.
Olaf Hartong (@olafhartong), 2 years ago:
I've just presented on analysing your detection mapping - How does your coverage compare to ATTACK? at the @MITREattack EU Workshop, organised by @FDezeure. Slides are available here. Might upload a voice over recording soon.
Olaf Hartong (@olafhartong), 4 months ago:
FalconHound got a big update for my upcoming SO-CON talk next Monday. This release has a ton of performance improvements plus: collection of MFA settings per user, AppConsent incl. scope, dynamic groups, eligible roles, Elastic Cloud query support.
Olaf Hartong (@olafhartong), 5 years ago:
Developing an Adaptive Threat Hunting Solution: The Elasticsearch Stack (Masters Thesis) - Syspanda
Olaf Hartong (@olafhartong), 2 years ago:
Today is the day! Day 1 of 4 of our Advanced Detection Engineering training. Looking forward to meeting all students! Super excited to teach this content, we've spent a ton of time making sure it's going to be a great experience. #blackhat2022 #falconforce
Olaf Hartong (@olafhartong), 5 years ago:
Working on some Chinese actor group comparisons in #Bloodhound after talking to @SBousseaden. With some support from the awesome @SadProcessor @_wald0 and @CptJesus, so many great ideas to add properties and relations to this data @MITREattack
Olaf Hartong (@olafhartong), 2 years ago:
Hi #Sysmon users on Azure Sentinel. I've built a pipeline that daily generates a parser based on the current schema. The one in the Azure git repo is missing quite some fields, causing blind spots, PR is submitted. My generated parser can be found here:
Olaf Hartong (@olafhartong), 6 years ago:
Super excited to present my ThreatHunting app in 2 days at #BlackHatEU, I'll release it right after on @Splunkbase and #dfir #splunk #sysmon
Olaf Hartong (@olafhartong), 5 months ago:
If you're working with larger collections of #BloodHound and AzureHound and want to ingest them into BHCE via the API, this might help you out. For very large collections (15Gb+), splitting the files first is recommended to avoid HTTP session timeouts