Posts on buildTogether

Detecting Impacket with Elastic Security

Mon, 27 Oct 2025 02:44:52 +0000

Knowledge Required: Familiarity with Elasticsearch ESQL, General Threat Knowledge

Impacket is a suite of tools that enables threat actors to remotely execute commands. Written in Python, it crafts network packets that allow interaction with popular Windows network protocols found in corporate environments, like SMB and WMI. Threat intelligence evidences continuous usage of the tool by threat actors, providing an execution technique and has been observed deploying ransomware; Impacket actually reached the 2nd most prevalent threat in Red Canary’s 2023 threat report. Threat actors likely favour it because Impacket enables programmatic interaction with devices and easy integration with other items in their nefarious toolkit.

Detecting dMSA abuse

Sun, 25 May 2025 02:44:52 +0000

Knowledge Required: Familiarity with KQL

Full Credit goes to Yuval Gordon at Akamai for discovery of this. This post is a summarisation and an extension of their initial article: BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory

Windows Server 2025 was released last year. With it, came a brand new account type: Delegated Managed Service Accounts, dMSA. dMSA accounts are designed as a more secure approach to service accounts with the headlining features being self-rotating password management and the ability to lock access down to specific computers within Active Directory.

Using a VPS to expose public services with iptables

Mon, 28 Apr 2025 02:44:52 +0000

Tools required: Linux, iptables (Implied medium knowledge in both)

Why?

Unfortunately some ISP (Internet Service Provider)s do not delegate every customer a public IP address. In these situations an ISP will typically rely on Carrier Grade NAT (CGNAT) to place multiple customers under one public IP that the customer has no control over. This can have the advantage of the ISP needing less public address space, but typically comes at the cost of the customer not being able to host public services or having issues with NAT (Network Address Translation).

Looking for COM Hijacking with Splunk and Sysmon

Mon, 31 Mar 2025 02:44:52 +0000

Knowledge Required: Splunk

I will admit there wasn’t much I could do to make this a prettier title. Today’s content might be niche; it has involved me using Splunk (which I am still relatively new to) and is actually a ’transposition’ of a query I’ve done fairly quickly within KQL.

First and foremost, this post assumes you have:

A Splunk instance
Sysmon ingestion to Splunk

A massive thanks to Hurricane Labs who has written a fantastic guide on how to get Sysmon logs into Splunk

Threat Hunting for AppData Installations

Mon, 17 Feb 2025 02:44:52 +0000

Knowledge Required: Medium understanding of KQL concepts

Tools required: Microsoft Sentinel, Defender for Endpoint

This posts assumes that you have Defender for Plan 2 to log AdvancedHunting events.

Has it ever occurred to you when installing software why you didn’t get prompted for administrator privileges? Many people live under a guise that to install software, they ’need’ a privileged account. This isn’t always the case. In fact, one of the worlds most popular browsers, Google Chrome (and therefore most of it’s Chromium brothers) do not need any special privileges to install.

Scroll Height in Javascript

Sun, 16 Feb 2025 02:44:52 +0000

Tools required: Javascript

Today I learnt that on some browsers you can scroll to the end of a HTML element and Javascript can report the .scrollTop to within 0.5 of the true height of the element. I discovered this when chasing down a bug with infinite list scrolling, where it would randomly stop. Clocked it would only stop when the current scroll height ended in .5. I suspect this is something to do with rounding errors for high DPI displays.

Detecting 'Paste and Run' malware with KQL

Sat, 11 Jan 2025 02:44:52 +0000

Knowledge Required: Medium understanding of KQL concepts

Tools required: Microsoft Sentinel, Defender for Endpoint

Paste and run malware slowly started gaining prevalence towards the end of 2024. It often convinces users to use the ‘Run’ prompt (Windows + R) key and copies a malicious command to the clipboard for them to paste and run. It’s a simple; easy to distribute via multiple methods and with the rise of generative A.I, unchallenging to generate something that looks convincing:

Threat Hunt: Detecting abuse of refresh tokens obtained from Intune

Wed, 25 Dec 2024 02:44:52 +0000

Knowledge Required: Strong understanding of KQL concepts

Tools required: Microsoft Sentinel

UPDATED WITH REFINED DETECTION BELOW

I’m reading a lot of chatter on using the Intune Company Portal to get a hashtag Entra ID refresh token and then bypassing Conditional Access to run other Entra attack tools. I tested a POC POCEntraDeviceComplianceBypass and used the Intune token to retrieve another one. Here’s a very rough KQL detection below where we look for Intune and something else in a 10 minute window:

Detecting Atypical Travel with KQL and Sentinel

Sun, 17 Nov 2024 02:44:52 +0000

Knowledge Required: Strong understanding of KQL concepts

Tools required: Microsoft Sentinel

Recently, there has been a dramatic shift in needing to protect the identity when organisations evaluate their biggest cybersecurity risk. Increasing popularity in capabilities like SSO (Single Sign-On) now mean one compromised account will grant an attacker access into many systems and allow them to laterally move across a technology stack. Notably throughout my SOC investigations in 2024, the majority of email-based phishing attacks that evade detection filters leveraged a 3rd party compromised account, exploiting the fact that two companies have an existing trust and relationship with one another.

Sentinel Workspace Function for 'sudo' commands

Sun, 27 Oct 2024 18:44:52 +0000