𝗛𝘂𝗻𝘁𝗶𝗻𝗴 𝗗𝗞𝗜𝗠 𝗥𝗲𝗽𝗹𝗮𝘆 𝗔𝘁𝘁𝗮𝗰𝗸𝘀 𝗮𝗻𝗱 𝗜𝗻𝗳𝗿𝗮𝘀𝘁𝗿𝘂𝗰𝘁𝘂𝗿𝗲 𝘂𝘀𝗶𝗻𝗴 𝗗𝗲𝗳𝗲𝗻𝗱𝗲𝗿𝗫𝗗𝗥
www.linkedin.com/pulse/defend...
📚 𝗡𝗼𝘁𝗲𝗽𝗮𝗱++ 𝗛𝗶𝗷𝗮𝗰𝗸𝗲𝗱 𝗯𝘆 𝗦𝘁𝗮𝘁𝗲-𝗦𝗽𝗼𝗻𝘀𝗼𝗿𝗲𝗱 𝗧𝗵𝗿𝗲𝗮𝘁 𝗔𝗰𝘁𝗼𝗿
Heads up, defenders: a supply chain compromise targeting Notepad++ has been linked to state-sponsored activity. Here's a Sentinel KQL to help you hunt for potentially affected endpoints🫡
github.com/SlimKQL/Hunt...
LDAPNightmare POC Detection
www.safebreach.com/blog/ldapnig...
Custom detection code:
github.com/SlimKQL/Hunt...
Custom detection code:
github.com/SlimKQL/Hunt...
𝗖𝘂𝘀𝘁𝗼𝗺 𝗗𝗲𝗳𝗲𝗻𝗱𝗲𝗿𝗫𝗗𝗥 𝗗𝗲𝘁𝗲𝗰𝘁𝗶𝗼𝗻 - 𝗕𝗹𝗼𝗰𝗸𝗶𝗻𝗴 2️⃣4️⃣ 𝗠𝗮𝗹𝗶𝗰𝗶𝗼𝘂𝘀 𝗖𝗵𝗿𝗼𝗺𝗲 𝗘𝘅𝘁𝗲𝗻𝘀𝗶𝗼𝗻𝘀🛡️
www.extensiontotal.com/cyberhaven-i...
Hunting 16 Malicious Chrome Extension🔥
thehackernews.com/2024/12/16-c...
github.com/SlimKQL/Hunt...
🚨 Reports suggest US authorities may ban TP-Link Wi-Fi routers in 2025. Regulated industries, ensure your end users aren't connected to TP-Link routers. Use MDE discovery and DefenderXDR's SeenBy() to detect connections. 🛡️📡
Advanced Vishing KQL Detection by sending your Teams PSTN call log to ADX 🎯
www.trendmicro.com/en_us/resear...
Thanks! :) The threat actor social engineering attacks are targeting normal business users, uers with role are technical in nature and tend not to follow these type of instruction, hence I exclude this group of privilege roles users.
PowerShell Self-Pwn Detection
Proofpoint highlights a social engineering tactic where users are tricked into running malicious PowerShell scripts, leading to malware infections. Despite needing user interaction, the attack's success relies on clever social engineering.
Detecting Teams Red Team Tool ConvoC2
cybersecuritynews.com/red-team-too...
SentinelLab observed threat actor targeting service providers in Southern Europe abusing Visual Studio Code tunnels to maintain persistent remote access to compromised systems. www.bleepingcomputer.com/news/securit... KQL to detect such abuse.
Detect Black Basta Ransomware Campaign RMMTools Deployment - Social Engineering Attack via Teams where the ransomware operator sends a SharePoint link to user to download portable RMM tools to evade detection from web proxy. www.rapid7.com/blog/post/20...
Thank you! 😄🙏
The KQL Grimoire 📖
A collection of the most sought-after KQL spells for Microsoft Sentinel and DefenderXDR
www.linkedin.com/pulse/slims-...
𝗡𝗲𝘄 𝗨𝗥𝗟 𝗙𝗶𝗹𝗲 𝗡𝗧𝗟𝗠 𝗛𝗮𝘀𝗵 𝗗𝗶𝘀𝗰𝗹𝗼𝘀𝘂𝗿𝗲 𝗩𝘂𝗹𝗻𝗲𝗿𝗮𝗯𝗶𝗹𝗶𝘁𝘆 𝗗𝗲𝘁𝗲𝗰𝘁𝗶𝗼𝗻 (0️⃣𝗱𝗮𝘆)
A highly accurate DefenderXDR exposure management detection for URL File NTLM Hash Disclosure Vulnerability (0day) www.bleepingcomputer.com/news/securit...
github.com/SlimKQL/Hunt...
In AD environments, Timeroasting exploits NTP authentication to request password hashes of computer/trust accounts. If non-standard or legacy passwords are used, offline brute-forcing is possible. I've created a KQL query to detect such activities. #KQL #Timeroast
github.com/SlimKQL/Hunt...
Sharing a Sentinel KQL detection for ShadowHound by Friends-Security, which enhances AD enumeration for security assessments. Beware: it can be misused by threat actors & red teamers for reconnaissance. My KQL rule helps identify and mitigate these risks. #KQL #ShadowHound
Hunting Rockstar 2FA: A Key Player in Phishing-as-a-Service (PaaS)
www.trustwave.com/en-us/resour...
Social Engineering Attack Alert - Teams & Emails
Kevin Beaumont shared insights on helping orgs recover from ransomware attacks. Key tactic: social engineering. Attackers used phone recon to gather contacts, then flooded users with emails & Teams messages. Custom KQL script for early detection:
CloudApp BEC Defense Policy - Axios
Attackers bypass MFA using a phishing framework with Axios HTTP client. Detect compromise in sign-in logs with user agent axios/1.7.7. Proposing auto-detection & isolation for SecOps assessment.
Sources: Asger Deleuran Strunk / Stephan Berger
𝗧𝗵𝗲 𝗣𝗲𝗿𝗳𝗲𝗰𝘁 𝗖𝘂𝘀𝘁𝗼𝗺 𝗗𝗲𝘁𝗲𝗰𝘁𝗶𝗼𝗻 ... 😘
Using CloudApp & Behaviour Analytics to detect malicious threat actor Copilot Agent.
#Cybersecurity #DefenderXDR #CloudApp #CopilotAgent #KQL
