Have 4 articles I've been working on here and there for a while now, yet I complete the one I started yesterday... go figure. Idea popped into my head so wrote it out in one go.
attackthesoc.com/posts/detect... - Using KQL to Detect Gaps in your Conditional Access Strategy
Becky Burke of Book Island (a picture book publisher in the UK founded by my fellow Tokarczuk translator Greet Pauwelijn) was "detained" by ICE at the Canadian border on 2/28. Her father asked that her story be shared in case someone can help her. He writes:
ForEach-Object (+ -Parallel when possible)
Grabs the list of emails form the 'email' column, and queries graph for the user Object Id and puts them in a separate file. *Note: even if you don't use this script, always preserve the original list sent to you.
If you work with Application owners you know how fun initializing groups for new SSO apps is. Bulk group member upload makes it easy but app owners tend to only ever provide a big list of emails. Bulk requires UPN or OID so here's a script I always turn to github.com/AttacktheSOC...
On Device Code phishing: Some folks were confused about this so wanted to share here. A generated device code is not tied to a single user. If a shared mailbox or mailbox with other accounts with view rights is hit with a spearphish, investigate all accounts.
CISA is one of the most important agencies you may not have heard of, partly due to its relative youth, and partly due to the fact that when it does its jobโwhich it has done admirablyโit generally does not make headlines.
And now Trump is gutting it.
As @ericazelic.bsky.social mentioned all the energy around Device Code abuse is long overdue.
To get more info about how itโs done, these articles are relevant
2020 & 2022 respectively
@drazuread.bsky.social aadinternals.com/post/phishing/
@inversecos www.inversecos.com/2022/12/how-...
Full disclosure: Needs a lot of work. An over-reliance on filename and cmdline. Performance ugh.
Also asked GPT to clean it up and consolidate it as it was a mess
@wietzebeukema.nl ArgFuscator really comes to mind on this one
๐คCould look at the InitiatingProcess + the InitiatingAccount
Had this saved in the WIP folder forever
KQL for anti-forensics activities
github.com/AttacktheSOC...
So much can be added to this. Think 3rd party tools to aid anti-forensics, browser forensics... too much to name
OMG, look at this๐ถupdates to come! github.com/MikeHorn-git...
Was asked by a colleague for some help with a Remediation Script and remembered this little number: reg2ps.azurewebsites.net from
@roger_zander
Thank you!
Bookmark it
If using it for Intune, modify the Check Script output. Replace any $false with a 1. and $true with 0
Just posted a new entry to my blog! Trying to hunt for couple of anomalies using MDE. A lot of problems arised, as usually.
#threathunting #mde #defender
threathunt.blog/registry-hun...
let FileEvents = DeviceFileEvents | where DeviceId == @"<device-id>" | where ActionType endswith "AggregatedReport" | summarize count() by bin(TimeGenerated, 1h) | extend EventType = "FileEvents"; let ProocessEvents = DeviceProcessEvents | where DeviceId == @"<device-id>" | where ActionType endswith "AggregatedReport" | summarize count() by bin(TimeGenerated, 1h) | extend EventType = "ProocessEvents"; let NetworkEvents = DeviceNetworkEvents | where DeviceId == @"<device-id>" | where ActionType endswith "AggregatedReport" | summarize count() by bin(TimeGenerated, 1h) | extend EventType = "NetworkEvents"; let LogonEvents = DeviceLogonEvents | where DeviceId == @"<device-id>" | where ActionType endswith "AggregatedReport" | summarize count() by bin(TimeGenerated, 1h) | extend EventType = "LogonEvents"; union FileEvents, ProocessEvents, NetworkEvents, LogonEvents | render timechart by EventType
the simple query
a timechart showing the trend of aggregated reporting events between Jan 23rd-28th for the 4 different supported tables. (No DeviceLogonEvents are shown)
Looking at some of the Aggregated Reporting of the different tables for the past few days (23-28) for a single device. #XDR #Defender
Took a trip inside to get a break from the bleak winter weather
Defender Resource Hub Update - Winter 2025
defenderresourcehub.info
#Security #Learn #StayUptodate #Defenders #MicrosoftSecurity
Certificate of completion from Kopidion LLC on their course "Adversarial Thinking: The Art of Dangerous Ideas"
Very cool course by the folks
at Kopidion LLC on how to look at things from the adversary's perspective.
Thank you for the training!
I wrote a very timely introduction to digital security for journalists for @gijn.org last fall. This guidance may also apply to activists, lawyers, and anyone else doing at-risk work these days. gijn.org/resource/int...
no way
Any and all feedback is welcome. Did sprint through quite a few things I was hoping to dive into but the presentation gods were not pleased with me on this day.
Here are the slides for MDE Deception Capabilities: github.com/AttacktheSOC...
KQLs: github.com/AttacktheSOC...
many more to trickle in
Well... that was an experience, I thought I prepared for everything, just not Teams failing. Dug out an old laptop.
Very big thanks to @cyb3rmik3.bsky.social for inviting me on and to anyone able to stick around and listen, thank you for your patience. I hope you were able to learn something new.
Thank you, man! Been prepping for it
Will do. Always seems to be the issue, have all these things I intend to say and they all try getting out at the same time causing me to freeze up. ๐ฅค
I do get to cheat a little as it's an online talk so that alone calmed the nerves a bit.
Thank you, Tim!
Thank you! Much appreciated and needed. I never heard of Toorcamp but it looks awesome
Very excited to do my first my talk ever tomorrow. Me and public speaking arenโt close friends. Nervous as hell lol but ready and excited
๐ข Don't miss @attackthesoc.com tomorrow talking about deception with MDE!
The Greek Microsoft Security Community is thrilled to host its 3rd meetup tomorrow, featuring an exciting discussion with Dylan.
โน๏ธ More info on how to join โคต๏ธ
www.meetup.com/greek-micros...
๐คHappy to have you there man!
