Posts

Knowledge Required: Familiarity with Elasticsearch ESQL, General Threat Knowledge Impacket is a suite of tools that enables threat actors to remotely execute commands. Written in Python, it crafts network packets that allow interaction with popular Windows network protocols found in corporate environments, like SMB and WMI. Threat intelligence evidences continuous usage of the tool by threat actors, providing an execution technique and has been observed deploying ransomware; Impacket actually reached the 2nd most prevalent threat in Red Canary’s 2023 threat report. Threat actors likely favour it because Impacket enables programmatic interaction with devices and easy integration with other items in their nefarious toolkit. ...

Knowledge Required: Familiarity with KQL Full Credit goes to Yuval Gordon at Akamai for discovery of this. This post is a summarisation and an extension of their initial article: BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory Windows Server 2025 was released last year. With it, came a brand new account type: Delegated Managed Service Accounts, dMSA. dMSA accounts are designed as a more secure approach to service accounts with the headlining features being self-rotating password management and the ability to lock access down to specific computers within Active Directory. ...

Tools required: Linux, iptables (Implied medium knowledge in both) Why? Unfortunately some ISP (Internet Service Provider)s do not delegate every customer a public IP address. In these situations an ISP will typically rely on Carrier Grade NAT (CGNAT) to place multiple customers under one public IP that the customer has no control over. This can have the advantage of the ISP needing less public address space, but typically comes at the cost of the customer not being able to host public services or having issues with NAT (Network Address Translation). ...

Knowledge Required: Splunk I will admit there wasn’t much I could do to make this a prettier title. Today’s content might be niche; it has involved me using Splunk (which I am still relatively new to) and is actually a ’transposition’ of a query I’ve done fairly quickly within KQL. First and foremost, this post assumes you have: A Splunk instance Sysmon ingestion to Splunk A massive thanks to Hurricane Labs who has written a fantastic guide on how to get Sysmon logs into Splunk ...

Knowledge Required: Medium understanding of KQL concepts Tools required: Microsoft Sentinel, Defender for Endpoint This posts assumes that you have Defender for Plan 2 to log AdvancedHunting events. Has it ever occurred to you when installing software why you didn’t get prompted for administrator privileges? Many people live under a guise that to install software, they ’need’ a privileged account. This isn’t always the case. In fact, one of the worlds most popular browsers, Google Chrome (and therefore most of it’s Chromium brothers) do not need any special privileges to install. ...

Tools required: Javascript Today I learnt that on some browsers you can scroll to the end of a HTML element and Javascript can report the .scrollTop to within 0.5 of the true height of the element. I discovered this when chasing down a bug with infinite list scrolling, where it would randomly stop. Clocked it would only stop when the current scroll height ended in .5. I suspect this is something to do with rounding errors for high DPI displays. ...

Knowledge Required: Medium understanding of KQL concepts Tools required: Microsoft Sentinel, Defender for Endpoint Paste and run malware slowly started gaining prevalence towards the end of 2024. It often convinces users to use the ‘Run’ prompt (Windows + R) key and copies a malicious command to the clipboard for them to paste and run. It’s a simple; easy to distribute via multiple methods and with the rise of generative A.I, unchallenging to generate something that looks convincing: ...

Knowledge Required: Strong understanding of KQL concepts Tools required: Microsoft Sentinel UPDATED WITH REFINED DETECTION BELOW I’m reading a lot of chatter on using the Intune Company Portal to get a hashtag Entra ID refresh token and then bypassing Conditional Access to run other Entra attack tools. I tested a POC POCEntraDeviceComplianceBypass and used the Intune token to retrieve another one. Here’s a very rough KQL detection below where we look for Intune and something else in a 10 minute window: ...

Knowledge Required: Strong understanding of KQL concepts Tools required: Microsoft Sentinel Recently, there has been a dramatic shift in needing to protect the identity when organisations evaluate their biggest cybersecurity risk. Increasing popularity in capabilities like SSO (Single Sign-On) now mean one compromised account will grant an attacker access into many systems and allow them to laterally move across a technology stack. Notably throughout my SOC investigations in 2024, the majority of email-based phishing attacks that evade detection filters leveraged a 3rd party compromised account, exploiting the fact that two companies have an existing trust and relationship with one another. ...

Knowledge Required: Minimal Tools required: Sentinel Today’s post is going to be basic, but hopefully you will get the idea of how you can incorporate using Workspace Functions in your every-day workflows. The primary reason of having Worksapce Functions is that they allow you build queries and then save them in a manner that can easily be re-called in the KQL editor. This can be great for logs which require complex parsing or queries to make them more useful. ...