Category Archives: Incident Response

DFIR: Windows and Active Directory Attacks and Persistence

Today I would like to focus on an improved version of my previous blog post about DFIR in Windows & Active Directory. We will cover examples of different attacker’s techniques and ways how attackers could persist in an environment. This will include things from executing the techniques by ourselves, to diving into the traces that it leaves behind, and much

Read more

What I have learned from doing a year of Cloud Forensics in Azure AD

Today I would like to share my experience with doing Cloud forensics in Azure AD. I’ve been working for over a year with Azure Active Directory, and have primary focused on the different security aspects of it. One of my main focus has been doing Cloud forensics, which I will tell more about. I was always interested in understanding, where

Read more

Why are Windows Defender AV logs so important and how to monitor them with Azure Sentinel?

Today we are going to talk about our good old friend or better known as Windows Defender AV. Not to confuse with the EDR solution that’s called ”Defender for Endpoint”. Windows Defender is the traditional out of the box antivirus for a Windows machine. In this blog post, we are going to explain why it is relevant to keep an

Read more

Exfiltrating data by transfering it to the cloud with Azcopy

During the past year, we have seen ransomware gangs using public tools to exfiltrate data by copying it to an array of a Cloud storage provider. In November 2020, SentinelOne discovered, that adversaries were using such techniques to transfer data from a victim’s machine to a Cloud storage provider. The blog post of SentinelOne can be found here. Where they

Read more

Incident Response in a Microsoft cloud environment

Microsoft Detection and Response (DART) team recently shared a PowerShell module, that they are using in their IR engagements, so I thought it would be great to blog about it. I’ve previously blogged about IR in Azure AD, but today I want to extend it further. This blog post includes more details comparing to my previous blog posts, regarding to

Read more