Hello!

All things geek here. Welcome to the ramblings, take a look around or scroll through the posts below …

Using a VPS to expose public services with iptables

Tools required: Linux, iptables (medium knowledge of both is assumed)

Why? Unfortunately some ISPs (Internet Service Providers) do not delegate every customer a public IP address. In these situations an ISP will typically rely on Carrier Grade NAT (CGNAT) to place multiple customers under one public IP that the customer has no control over. This has the advantage that the ISP needs less public address space, but typically comes at the cost of the customer not being able to host public services, or having issues with NAT (Network Address Translation). ...

April 28, 2025 · Nathan W

Threat Hunting for AppData Installations

Knowledge Required: Medium understanding of KQL concepts
Tools required: Microsoft Sentinel, Defender for Endpoint

This post assumes that you have Defender for Endpoint Plan 2 to log AdvancedHunting events. Has it ever occurred to you when installing software why you didn’t get prompted for administrator privileges? Many people are under the impression that to install software they ’need’ a privileged account. This isn’t always the case. In fact, one of the world’s most popular browsers, Google Chrome (and therefore most of its Chromium siblings), does not need any special privileges to install. ...

February 17, 2025 · Nathan W

Scroll Height in JavaScript

Tools required: JavaScript

Today I learnt that on some browsers you can scroll to the end of an HTML element and JavaScript can report the .scrollTop to within 0.5 of the true height of the element. I discovered this when chasing down a bug with infinite list scrolling, where it would randomly stop. I clocked that it would only stop when the current scroll height ended in .5. I suspect this is something to do with rounding errors for high DPI displays. ...

February 16, 2025 · Nathan W

Detecting 'Paste and Run' malware with KQL

Knowledge Required: Medium understanding of KQL concepts
Tools required: Microsoft Sentinel, Defender for Endpoint

Paste and run malware slowly started gaining prevalence towards the end of 2024. It often convinces users to open the ‘Run’ prompt (Windows + R) and copies a malicious command to the clipboard for them to paste and run. It’s simple, easy to distribute via multiple methods and, with the rise of generative AI, unchallenging to generate something that looks convincing: ...

January 11, 2025 · Nathan W

Threat Hunt: Detecting abuse of refresh tokens obtained from Intune

Knowledge Required: Strong understanding of KQL concepts
Tools required: Microsoft Sentinel

UPDATED WITH REFINED DETECTION BELOW

I’m reading a lot of chatter on using the Intune Company Portal to get an Entra ID refresh token and then bypassing Conditional Access to run other Entra attack tools. I tested the POC EntraDeviceComplianceBypass and used the Intune token to retrieve another one. Here’s a very rough KQL detection below where we look for Intune and something else in a 10 minute window: ...

December 25, 2024 · Nathan W

Detecting Atypical Travel with KQL and Sentinel

Knowledge Required: Strong understanding of KQL concepts
Tools required: Microsoft Sentinel

Recently, there has been a dramatic shift towards protecting identity when organisations evaluate their biggest cybersecurity risk. The increasing popularity of capabilities like SSO (Single Sign-On) now means one compromised account will grant an attacker access into many systems and allow them to move laterally across a technology stack. Notably, throughout my SOC investigations in 2024, the majority of email-based phishing attacks that evaded detection filters leveraged a compromised third-party account, exploiting the fact that the two companies have an existing trust and relationship with one another. ...

November 17, 2024 · Nathan W

Sentinel Workspace Function for 'sudo' commands

Knowledge Required: Minimal
Tools required: Sentinel

Today’s post is going to be basic, but hopefully you will get the idea of how you can incorporate Workspace Functions into your everyday workflows. The primary reason for having Workspace Functions is that they allow you to build queries and then save them in a manner that can easily be recalled in the KQL editor. This can be great for logs which require complex parsing or queries to make them more useful. ...

October 27, 2024 · Nathan W

Monitoring Proxmox Hosts with Defender

Knowledge Required: Minimal
Tools required: Defender for Endpoint, Proxmox

Those who have come across my LinkedIn are aware that I’m a bit of a Proxmox fan. Proxmox typically runs on top of Debian, which allows for plenty of tinkering… including installing Defender for Endpoint. While I would generally discourage this in a production environment without plenty of testing, there are some events in my homelab that I believe are useful to monitor. Using the KQL below, either as threat hunts or analytics rules, should give some indication that somebody is performing a series of high-profile activities on your PVE environment. ...

September 1, 2024 · Nathan W

[Threat Hunt] 'Recalling' suspicious activity

Knowledge Required: Minimal
Tools required: Defender for Endpoint, Windows 11, Microsoft Recall

UPDATE: Microsoft has since provided updates that Recall will use more modern security methods, such as Windows Hello just-in-time decryption. Users will not be able to use Recall without a user AND admin initiated action.

Those in the security space will be well aware of Microsoft’s recent announcement of Recall. The tool, soon to be released for new Snapdragon-based PCs, takes regular screenshots of user activity. ...

June 7, 2024 · Nathan W

[Threat hunt] Detecting Possible USB Data Exfiltration

Knowledge Required: Minimal
Tools required: Defender for Endpoint

EDR continues to be the Swiss Army knife of an analyst, collecting valuable telemetry on an immense scale. Today we’re going to use Defender’s telemetry and the power of KQL to look for a commonly overlooked risk: insider threat. Today’s query uses two main components of Defender’s telemetry to detect whether somebody is exfiltrating data via physical USB media. The tables used to achieve this: ...

June 2, 2024 · Nathan W