Monitoring Proxmox Hosts with Defender

Knowledge Required: Minimal
Tools required: Defender for Endpoint, Proxmox

Those who have come across my LinkedIn are aware that I’m a bit of a Proxmox fan. Proxmox typically runs on top of Debian, and so this allows for plenty of tinkering… including installing Defender for Endpoint. While I would generally discourage this in a production environment without plenty of testing, there are some events in my homelab that I believe are useful to monitor. Using the KQL below, either as threat hunts or analytical rules, should provide some indication that somebody is performing a series of high-profile activities on your PVE environment. ...

September 1, 2024 · Nathan W

[Threat Hunt] 'Recalling' suspicious activity

Knowledge Required: Minimal
Tools required: Defender for Endpoint, Windows 11, Microsoft Recall

UPDATE: Microsoft has since provided updates that Recall will use more modern security methods, such as Windows Hello just-in-time decryption. Users will not be able to use Recall without a user AND admin initiated action.

Those in the security space will be well aware of Microsoft’s recent announcement of Recall. The tool, soon to be released for new Snapdragon-based PCs, takes regular screenshots of user activity. ...

June 7, 2024 · Nathan W

[Threat hunt] Detecting Possible USB Data Exfiltration

Knowledge Required: Minimal
Tools required: Defender for Endpoint

EDR continues to be the Swiss Army Knife of an analyst, collecting valuable telemetry on an immense scale. Today we’re going to use Defender’s telemetry and the power of KQL to look for a commonly overlooked risk: insider threat. Today’s query uses two main components of Defender’s telemetry to detect if somebody is exfiltrating data via physical USB media. The tables used to achieve this: ...

June 2, 2024 · Nathan W

[Threat hunt] GitHub File Downloads

Knowledge Required: Minimal
Tools required: Defender for Endpoint

It seems once again that GitHub is under fire for its ability to distribute malware. This time a researcher found that you could make it look like legitimate files were being hosted by the repository owner, by uploading them to GitHub, as covered in this story. You can see Defender inspect files downloaded from GitHub as a start. Generally, software directly downloaded from GitHub won’t be used in corporate environments, and so this can be considered suspicious. Unfortunately, I still can’t find a way to track the actual download URL back to the original GitHub repository, as the download link is randomised. ...

May 2, 2024 · Nathan W

[Threat hunt] Curl Version

Knowledge Required: Minimal
Tools required: Ansible

Curl, a popular Linux command line tool for interacting with the web, was determined to contain a critical vulnerability this week. Its wide array of supported web protocols means this software is commonplace (especially with developers), with many Linux distributions including it by default (Qualys link). As such, it’s time to start identifying which systems have the curl package and their versions. Those making use of the popular Linux management tool Ansible can use the playbook below. ...

October 8, 2023 · Nathan W

Sending syslog through the Azure Monitor Agent

Knowledge Required: Familiarity with Sentinel and Azure Arc
Tools required: Linux derivative (this example uses Debian)

There is a high chance that if you’ve set up a Linux server to syslog into Sentinel in the past 12 months, you’ve installed the Log Analytics Agent to send data to Sentinel. Come August 2024, the Log Analytics Agent (or MMA) will be retired, and it is important to start thinking about a migration plan now. More information can be found here. This is a quick blog post on what I learnt while migrating my Sentinel syslog feed from MMA to the Azure Monitor Agent. ...

August 13, 2023 · Nathan W

Always use absolute paths in scripts

Knowledge Required: Low

If you’ve arrived on this site, you’ve probably been guilty of writing scripts without using absolute paths. Why not? After all, it’s far easier to just type uname in your shell scripts instead of /usr/bin/uname. Today’s post will highlight why this is poor secure coding practice, and how it could potentially lead to exploitation as a result.

Path poisoning

To understand how attackers can exploit this coding laziness, we first need a bit of background into how most shells use a path. Take the scenario where your script includes a common Linux command like uname. ...

June 10, 2023 · Nathan W

Using KQL anomaly detection to help surface suspicious logins

Knowledge Required: Strong understanding of KQL concepts
Tools required: Microsoft Sentinel

This post assumes that you have the Syslog table enabled in your Sentinel workspace. In previous blog posts we’ve gone through detecting suspicious credential usage via more traditional ‘factual’ query rules. Purely factual query rules, which don’t account for whether the detected behavior is anomalous, usually present the following problems for SOC operations:

The query will often require a lot of tuning for ‘known behaviors’, and it can be time consuming to identify the correct tuning parameters.
Factual rules commonly give little context into whether the events detected are normal.

Today, we’ll introduce native KQL anomaly detection algorithms to help detect suspicious increases in user session behavior, indicating potentially compromised accounts. Anomaly detection is great for this, as any malicious behavior should always cause a deviation from the ‘normal’ baseline of behavior. We just need to write a query to pick up on it. Today we’ll be doing that against Linux Syslog data. If you want to skip straight to the full query, click here. ...

March 16, 2023 · Nathan W

Using Automated Responses and Playbooks to enrich Sentinel incidents

Knowledge Required: Strong Sentinel knowledge
Tools required: Microsoft Sentinel, Microsoft Azure Portal; ideally with GA access

Introduction

Investigating incidents takes time. This is because an analyst has to gather a reasonable amount of information before they can make an informed decision on whether an alert is actually a threat. This begs the question: if an analyst does the same series of steps for every investigation, how can we make the workflow more efficient? This is something Microsoft wants you to do with Automated Responses. ...

November 20, 2022 · Nathan W

Detecting successful SSH bruteforce attempts in Sentinel

Knowledge Required: Familiarity with Sentinel
Tools required: Microsoft Sentinel

When an attacker gains a foothold in your network, which hopefully they never do, it is common for them to immediately try to see what they have access to. One technique is credential access, where an attacker will bruteforce a system in order to find a successful username and password combination. This behavior is typically noisy and many security platforms have detections for it, but mass failed authentication doesn’t necessarily mean a bruteforce is occurring and can sometimes be due to misconfiguration. In order to reduce alert fatigue, what an analyst really wants to know is whether an attacker has gained access to the system as a result of a bruteforce. Today, we’re going to explore how we can detect that behavior via SSH logs within the Sentinel platform. ...

October 16, 2022 · Nathan W