
FalconFriday

TL;DR: We believe there isn't enough content available to detect advanced adversary techniques. That's why, regularly on "Falcon Friday", we will release Microsoft Defender for Endpoint (MDE) hunting queries to detect offensive techniques.

To give you an idea, we're going to release hunts for attacks such as:

  • DLL Injection
  • Process Injection
  • COM Hijacking
  • .NET-to-JScript
  • Aborted MFA requests
  • Abuse of LOLBins
  • Misbehaving Office Applications
  • Process Hollowing
  • Unmanaged binaries running managed code
  • Anomalies in LDAP traffic
  • Command execution using WMI
  • SMB NULL session attempts
  • etc.

Stay tuned and let us know if there is any specific attack technique you want to detect.

Background

Our current plan is to release MDE hunting queries on a regular basis. The queries will be released on GitHub, accompanied by a short blog post on Medium detailing the background, how the query works, the accuracy we expect, possible variations or improvements, any catches, and anything else we deem relevant. Initially, we'll be working from the excellent library of @spotheplanet's https://www.ired.team/ and release the queries specifically for MDE. Since @olafhartong is involved, we might release Sysmon hunts as well... we'll see how it goes.

We will publish the KQL queries on GitHub. Each query will be aimed at detecting one specific technique as precisely as possible and will be linked to MITRE ATT&CK. We anticipate that some queries will have more than one variant, each detecting the same attack in a different way with different trade-offs. Similarly, we will document the trade-offs of the various options within a single query, so you have the flexibility to tune it towards more false positives or more false negatives.

Having said that, don't expect to copy-paste the queries into your environment and be done with it. We will provide a foundation query that can detect a certain technique. However, you will still need to fine-tune and extend the query to your organization's specifics to make it work in your environment, and integrate it into your monitoring solution.
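To make the "foundation query plus tuning knobs" idea concrete, here is an added example written for this page; it is not one of the FalconFriday queries and has not been published by FalconForce. It targets one item from the list above, command execution using WMI (MITRE ATT&CK T1047), in MDE advanced hunting. The assumption behind it is that processes created through WMI appear in `DeviceProcessEvents` as children of `WmiPrvSE.exe`; the allow-list and the suspicious-children list are illustrative starting points, not a verified baseline for any environment.

```kql
// Added example (not a FalconFriday query): foundation hunt for command
// execution via WMI (MITRE ATT&CK T1047) in MDE advanced hunting.
// Assumption: processes started through WMI (locally or remotely) show up
// in DeviceProcessEvents with WmiPrvSE.exe as the initiating process.
let lookback = 7d;
// Tuning knob 1: children you expect WmiPrvSE.exe to spawn in your org
// (management agents, inventory tooling). Empty = fewest false negatives;
// every entry you add trades false positives for false negatives.
let expectedChildren = dynamic([]);   // e.g. dynamic(["msiexec.exe"])
// Tuning knob 2: interpreters and LOLBins that make a WMI-spawned child
// worth a look. Illustrative list, extend to taste.
let suspiciousChildren = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName =~ "WmiPrvSE.exe"
| where FileName !in~ (expectedChildren)
// Variant A (precise): keep the next line to see only interpreter/LOLBin
// children. Variant B (broad): remove it to see every WmiPrvSE.exe child,
// at the cost of more benign management activity in the results.
| where FileName in~ (suspiciousChildren)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessCommandLine, InitiatingProcessAccountName, ReportId
| order by Timestamp desc
```

Run variant B first over a week of data to learn what legitimately runs under `WmiPrvSE.exe` in your estate, move those into `expectedChildren`, then switch to variant A for the scheduled hunt. The `ReportId` and `DeviceName` columns are what you need to pivot back to the full event in the portal or to join against other tables when integrating the query into your monitoring.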

The queries will be free to use in any way you like, although we appreciate a reference back to @falconforceteam Twitter / FalconForce GitHub.

Contributors

0xffhh, olafhartong, gijsh, gertjanbruggink, whurd-redcanary, korving-f, kubajir, ep3p, cyb3r-monk

