@cyb3rmonk
https://academy.bluraven.io Threat Hunting & Research, Detection Engineering | Microsoft Security MVP #KQL #DFIR #DataScience All is one. Opinions are my own http://posts.bluraven.io https://github.com/Cyb3r-Monk/Threat-Hunting-and-Detection
IMO the worst mistake people make trying to AI-proof their career is dropping everything to learn AI. It's like dropping out of math to study how to push calculator buttons really fast. The skill cap for AI is going to be your understanding of the underlying subject, not how good you are at prompts.
I've released my new course:
Practical Threat Hunting for Beginners
Similar courses: $$$$
This course: $$
academy.bluraven.io/course/pract...
#ThreatHunting #DetectionEngineering
π€£π€£π€£
patch ye MongoDB, there's an exploit for a vuln which has been in the product for over a decade that allows the remote, unauth read of any memory - which includes plaintext creds.
Somebody posted an exploit on Christmas Day, Merry Christmas!
doublepulsar.com/merry-christ...
π₯ #BlackFriday discounts are liveπ₯
β€ 35% OFF all #KQL courses for threat hunting, detection engineering, and incident response.
#ThreatHunting #DetectionEngineering #DFIR #incidentresponse #CyberSecurity #InfoSec
πacademy.bluraven.io/blackfriday2...
π₯ #BlackFriday discounts are liveπ₯
β€ 35% OFF all #KQL courses for threat hunting, detection engineering, and incident response.
#ThreatHunting #DetectionEngineering #DFIR #incidentresponse #CyberSecurity #InfoSec
πacademy.bluraven.io/blackfriday2...
Check out my new blog on nested app authentication.
π Azure Resource Graph limits number of results to 1000 when queried from Sentinel or Defender XDR using KQL.
There is a little trick that lets you bypass these limits.π€
π
academy.bluraven.io/blog/queryin...
#KQL #MicrosoftSentinel #AzureResourceGraph #DefenderXDR
Hello, friends! I'm thrilled to announce that The Homelab Almanac, v3.0 has officially launched! There is a **ton** of new stuff in this version, including:
- Proper DNS
- PKI
- Automatic signed certificates
- New secrets management
- Proxmox clustering
- Cloud integration
π¨ BadSuccessor = Bad OPSEC
With the right audit config, it's pretty easy to detect BadSuccessor.
academy.bluraven.io/blog/detecti...
#ThreatHunting #DetectionEngineering #ThreatDetection
#BadSuccessor
This blog is a little bitter, but it's what it isπ«
academy.bluraven.io/blog/detecti...
#ThreatHunting #DetectionEngineering
This blog is a little bitter, but it's what it isπ«
academy.bluraven.io/blog/detecti...
#ThreatHunting #DetectionEngineering
Website is down?
π¨ Test your Lateral Movement investigation skills!
We have just added a new challenge to our FREE "Hands-On Introduction to KQL for Security Analysis" course!
You can even test your AI agents' skills π
#KQL #Kusto #MicrosoftSentinel #MicrosoftDefender
academy.bluraven.io/course/intro...
π£ HAPPY EASTER CAPSTONE! π‘οΈ
My KQL courses now include a complete attack scenario to test your skills β end to end.
π― Hands-on labs
π 20% OFF for a limited time!
Crack it open π
#KQL #Kusto #ThreatHunting #DetectionEngineering #DFIR
academy.bluraven.io
π NEW UPDATE:
I've added a small challenge to my FREE "Hands-On Introduction to KQL for Security Analysis" course.
More will be coming soon!
#KQL #Kusto #MicrosoftDefender #MicrosoftSentinel
academy.bluraven.io/course/intro...
π¨ FREE unlimited lab access to "Introduction to KQL for Security Analysis" course!
Thrilled to announce that my Intro to KQL for Security Analysis lab environment is now completely free with no time restrictions!
academy.bluraven.io/course/intro...
#KQL #Kusto #ThreatHunting #Infosec
π¨ Problem with Cyber Range/Training platforms β
Most range platforms and training labs provide you with all the questions to solve, hinting answers to other questions.
I've implemented a trick to hide some questions that reveal hints for other questions for a real-life experience.
Stay tuned.π
π¨ Detect C2 Beacons!
New Microsoft Defender for Endpoint telemetry provides new opportunities for threat detection!
π
academy.bluraven.io/blog/beaconi...
#ThreatHunting #DetectionEngineering #MDE
When you group your logs by timestamp(binning) to detect threats, you probably cause false negatives. Solve it using sliding window counts!
academy.bluraven.io/blog/advance...
#KQL #ThreatHunting #DetectionEngineering
It appears Microsoft quietly mitigated most of the risk of the "Intune company portal" device compliance CA bypass by restricting the scope of Azure AD graph tokens issued to this app, making them almost useless for most abuse scenarios. Thx @domchell.bsky.social for the heads up.
The phishing usually happens on a managed device, though π€
I used plaintext roadtx and then used roadrecon to dump Entra ID data. I even caused sign-in failures. There isn't any CAP in this tenant. Could that be the reason? AFAIK, it doesn't affect risk identification.
π₯² Seems like you don't even have to use residential proxies for device code phishing for evasion. Just get a machine in one of the cloud providers' corresponding regions. π€·ββοΈ
πFall in Love with Threat Hunting, Incident Response, and Detection Engineering using #KQLπ
Code: VLTN30
Valid until 17.02
#ThreatHunting
academy.bluraven.io
I'm for multivariate anomaly detection approach and scoring the results. However, this scoring is not static like "if X, then score += 10".
Window functions do wonders!
academy.bluraven.io/blog/advance...
#ThreatHunting #KQL
π¨ Time to check your detection queries for MDE:
DLL load events are recorded in DeviceImageLoadEvents table, NOT DeviceEvents table. I keep seeing people sharing queries with the wrong table and even with the wrong ActionType filters.
Here it is: your complete guide to building a Wireguard network that doesn't require any open ports at home, and doesn't require any third-party tools. Just Wireguard, your devices, and a little elbow grease.
taggart-tech.com/wir...
