Today I would like to cover two well-known tactics, which will be Credential Access and Lateral Movement. Both of these tactics consist of relevant techniques that attackers have been using in the wild. Examples are Credential Dumping and Pass the Hash. Despite that these techniques are relative old. It is still very important these days. Having a good understanding on
Read moreToday I would like to focus on an improved version of my previous blog post about DFIR in Windows & Active Directory. We will cover examples of different attacker’s techniques and ways how attackers could persist in an environment. This will include things from executing the techniques by ourselves, to diving into the traces that it leaves behind, and much
Read moreService Principals are identities used by created applications, services, and automation tools to access specific resources. It only needs to do specific things, which can be controlled by assigning the required API permissions. The majority of organizations that work a lot with Azure AD, have service principals as well. Every time when an application has been registered. It will automatically
Read moreToday I would like to share my experience with doing Cloud forensics in Azure AD. I’ve been working for over a year with Azure Active Directory, and have primary focused on the different security aspects of it. One of my main focus has been doing Cloud forensics, which I will tell more about. I was always interested in understanding, where
Read moreToday we are going to talk about our good old friend or better known as Windows Defender AV. Not to confuse with the EDR solution that’s called ”Defender for Endpoint”. Windows Defender is the traditional out of the box antivirus for a Windows machine. In this blog post, we are going to explain why it is relevant to keep an
Read moreIn this blog post, we are going to explain how to exfiltrate data over (S)FTP. This blog post is mainly for educational purposes. During this blog post, we will cover everything in steps, which will help the readers being able to simulate this attack by themselves. The goal of this blog post is to demonstrate how relative easy it is
Read moreDuring the past year, we have seen ransomware gangs using public tools to exfiltrate data by copying it to an array of a Cloud storage provider. In November 2020, SentinelOne discovered, that adversaries were using such techniques to transfer data from a victim’s machine to a Cloud storage provider. The blog post of SentinelOne can be found here. Where they
Read moreLightweight Directory Access Protocol (LDAP) is one of the core protocols used for directory services. The primary function of LDAP is to enable folks to find data about users, groups, computers, and much more. It also provides the communication language that applications require to send and receive information from directory services, such as Active Directory. In overall, LDAP is the
Read moreI often get messages from folks who ask me questions around deploying Sysmon on their endpoints, and how to push those logs to an Azure Sentinel workspace. Since I’ve received these kind of messages a couple of times. I thought it would be a great idea to blog about it. This would help me to remember the steps as well,
Read moreToday I’m going to blog about Microsoft Defender for Endpoint, but with the primary goal of investigation. During cases like incident response for example. It can be useful to have an EDR in place, that helps to automate the common tasks, and provide visibility in the process execution layer. Microsoft Defender for Endpoint is a Cloud delivered EDR solution that
Read more