Local Administrator Password Solution (LAPS) is a password manager that can be used to automatically rotate the Built-in Administrator (RID-500) account on each individual workstation or server. The great thing about LAPS is, that it doesn’t require any additional infrastructure to store passwords, and you don’t have to pay for it, because it is free. There are of course better solutions in the market
Read moreToday I’m going to blog about compromise recovery in an Active Directory forest. I’ve been blogging for a while and have read tons of stuff about Active Directory, but one thing has been missing. Which is how we can recover from an active attacker? There hasn’t been many articles or blog posts around recovering an AD forest. Sure, when you
Read moreMicrosoft Detection and Response (DART) team recently shared a PowerShell module, that they are using in their IR engagements, so I thought it would be great to blog about it. I’ve previously blogged about IR in Azure AD, but today I want to extend it further. This blog post includes more details comparing to my previous blog posts, regarding to
Read moreDefender for Identity is a cloud-based security solution that leverages On-Premises Active Directory signals to identify and detect threats. It monitors Domain Controllers by capturing its network traffic to leverage it with Windows event logs to analyse data for attacks that might occur on a network. Once the sensor of Defender for Identity has been installed on all the Domain
Read moreIn my previous blog post, I’ve blogged about collecting logs in Azure AD and how we could use the exported logs to analyze it. Today, I want to focus on reviewing relevant data to perform further investigation, in a compromised environment. An successful investigation requires understanding of adversaries their behaviors. It is a balance between understanding how they operate, so
Read moreToday, I’m going to start my incident response series. Where I will focus on Azure Active Directory and Office 365. What are the steps, that we have to take when doing an IR engagement in a Cloud environment? Incident Response is a broad topic and it’s hard to cover every specific detail, so I’ve decided to split it into a
Read moreA time series is a sequence of numerical data points, such as a frequency of counts or occurrences against a column of a particular dataset. Time series is used to identify meaningful statistics in historical data, which can later be used to baseline certain statistics. In this blog post, we are going to apply time-series analysis on Azure Active Directory
Read moreToday I’ve received an e-mail from Microsoft that I’ve been awarded the Windows Insider MVP title. It’s a great honor for me to receive this award to kick-off 2021! Windows Insiders are focusing on providing feedback to make Windows better. This can go all the way up to providing feedback on improving security aspects of Windows or just suggesting new
Read moreMicrosoft 365 Defender has a feature that is called ‘Advanced Hunting’, which is a query based hunting tool that allows you to explore up to 30 days of raw data. This allows threat hunters to analyze data across different domains such as, identities, endpoints, cloud apps, email and documents. While using the Advanced Hunting feature in the portal is great.
Read more