In this blog post, we are going to explain how to exfiltrate data over (S)FTP. This blog post is mainly for educational purposes. During this blog post, we will cover everything in steps, which will help the readers being able to simulate this attack by themselves. The goal of this blog post is to demonstrate how relative easy it is
Read moreDuring the past year, we have seen ransomware gangs using public tools to exfiltrate data by copying it to an array of a Cloud storage provider. In November 2020, SentinelOne discovered, that adversaries were using such techniques to transfer data from a victim’s machine to a Cloud storage provider. The blog post of SentinelOne can be found here. Where they
Read moreIn this blog post, we are going to demonstrate how we could use Azure Data Explorer to hunt in data based on ETW Providers and Security event logs. Everything that will be showed during in this blog post, is just sample data. The goal of this blog post is to show practical examples on using ADX for data analysis. Event
Read moreLightweight Directory Access Protocol (LDAP) is one of the core protocols used for directory services. The primary function of LDAP is to enable folks to find data about users, groups, computers, and much more. It also provides the communication language that applications require to send and receive information from directory services, such as Active Directory. In overall, LDAP is the
Read moreI often get messages from folks who ask me questions around deploying Sysmon on their endpoints, and how to push those logs to an Azure Sentinel workspace. Since I’ve received these kind of messages a couple of times. I thought it would be a great idea to blog about it. This would help me to remember the steps as well,
Read moreToday I’m going to blog about Microsoft Defender for Endpoint, but with the primary goal of investigation. During cases like incident response for example. It can be useful to have an EDR in place, that helps to automate the common tasks, and provide visibility in the process execution layer. Microsoft Defender for Endpoint is a Cloud delivered EDR solution that
Read moreLocal Administrator Password Solution (LAPS) is a password manager that can be used to automatically rotate the Built-in Administrator (RID-500) account on each individual workstation or server. The great thing about LAPS is, that it doesn’t require any additional infrastructure to store passwords, and you don’t have to pay for it, because it is free. There are of course better solutions in the market
Read moreToday I’m going to blog about compromise recovery in an Active Directory forest. I’ve been blogging for a while and have read tons of stuff about Active Directory, but one thing has been missing. Which is how we can recover from an active attacker? There hasn’t been many articles or blog posts around recovering an AD forest. Sure, when you
Read moreMicrosoft Detection and Response (DART) team recently shared a PowerShell module, that they are using in their IR engagements, so I thought it would be great to blog about it. I’ve previously blogged about IR in Azure AD, but today I want to extend it further. This blog post includes more details comparing to my previous blog posts, regarding to
Read moreDefender for Identity is a cloud-based security solution that leverages On-Premises Active Directory signals to identify and detect threats. It monitors Domain Controllers by capturing it’s network traffic to leverage it with Windows event logs to analyze data for attacks, that might occur on a network. Once the sensor of Defender for Identity has been installed on all the Domain
Read more