Why are Windows Defender AV logs so important and how to monitor them with Azure Sentinel?

Today we are going to talk about our good old friend, better known as Windows Defender AV. Not to be confused with the EDR solution called "Defender for Endpoint". Windows Defender is the traditional out-of-the-box antivirus for a Windows machine. In this blog post, we are going to explain why it is relevant to keep an


Exfiltrating data by transferring it to the cloud with Azcopy

During the past year, we have seen ransomware gangs using public tools to exfiltrate data by copying it to a storage array at a Cloud storage provider. In November 2020, SentinelOne discovered that adversaries were using such techniques to transfer data from a victim’s machine to a Cloud storage provider. The blog post by SentinelOne can be found here. Where they


How to roll out Microsoft LAPS via GPO and why you should do it?

Local Administrator Password Solution (LAPS) is a password manager that can be used to automatically rotate the built-in Administrator (RID-500) account on each individual workstation or server. The great thing about LAPS is that it doesn’t require any additional infrastructure to store passwords, and you don’t have to pay for it, because it is free. There are of course better solutions on the market


Incident Response in a Microsoft cloud environment

The Microsoft Detection and Response Team (DART) recently shared a PowerShell module that they use in their IR engagements, so I thought it would be great to blog about it. I’ve previously blogged about IR in Azure AD, but today I want to extend it further. This blog post includes more details compared to my previous blog posts, regarding


Start having visibility into service accounts with Defender for Identity

Defender for Identity is a cloud-based security solution that leverages on-premises Active Directory signals to identify and detect threats. It monitors Domain Controllers by capturing their network traffic and combining it with Windows event logs to analyse data for attacks that might occur on a network. Once the sensor of Defender for Identity has been installed on all the Domain


Incident Response Series: Reviewing data in Azure AD for investigation

In my previous blog post, I blogged about collecting logs in Azure AD and how we could use the exported logs for analysis. Today, I want to focus on reviewing relevant data to perform further investigation in a compromised environment. A successful investigation requires an understanding of adversaries' behaviors. It is a balance between understanding how they operate, so
