How to hunt for LDAP reconnaissance within M365 Defender?

Lightweight Directory Access Protocol (LDAP) is one of the core protocols used for directory services. The primary function of LDAP is to enable folks to find data about users, groups, computers, and much more. It also provides the communication language that applications require to send and receive information from directory services, such as Active Directory. In overall, LDAP is the

Read more

Using Microsoft Defender for Endpoint during investigation

Today I’m going to blog about Microsoft Defender for Endpoint, but with the primary goal of investigation. During cases like incident response for example. It can be useful to have an EDR in place, that helps to automate the common tasks, and provide visibility in the process execution layer. Microsoft Defender for Endpoint is a Cloud delivered EDR solution that

Read more

How to roll out Microsoft LAPS via GPO and why you should do it?

Local Administrator Password Solution (LAPS) is a password manager that can be used to automatically rotate the Built-in Administrator (RID-500) account on each individual workstation or server. The great thing about LAPS is, that it doesn’t require any additional infrastructure to store passwords, and you don’t have to pay for it, because it is free. There are of course better solutions in the market

Read more

Incident Response in a Microsoft cloud environment

Microsoft Detection and Response (DART) team recently shared a PowerShell module, that they are using in their IR engagements, so I thought it would be great to blog about it. I’ve previously blogged about IR in Azure AD, but today I want to extend it further. This blog post includes more details comparing to my previous blog posts, regarding to

Read more

Start having visibility in service accounts with defender for identity

Defender for Identity is a cloud-based security solution that leverages On-Premises Active Directory signals to identify and detect threats. It monitors Domain Controllers by capturing its network traffic to leverage it with Windows event logs to analyse data for attacks that might occur on a network. Once the sensor of Defender for Identity has been installed on all the Domain

Read more

Incident Response Series: Reviewing data in Azure AD for investigation

In my previous blog post, I’ve blogged about collecting logs in Azure AD and how we could use the exported logs to analyze it. Today, I want to focus on reviewing relevant data to perform further investigation, in a compromised environment. An successful investigation requires understanding of adversaries their behaviors. It is a balance between understanding how they operate, so

Read more
« Older Entries Recent Entries »