LETHAL FORENSICS

@lethalforensics.bsky.social

Official Bluesky account for LETHAL FORENSICS.

7 Followers  |  3 Following  |  4 Posts  |  Joined: 24.02.2025

Latest posts by lethalforensics.bsky.social on Bluesky

Release Microsoft-Analyzer-Suite v1.5.0 · LETHAL-FORENSICS/Microsoft-Analyzer-Suite [1.5.0] - 2025-05-15 Added EntraSignInLogs-Analyzer: OriginalTransferMethod EntraSignInLogs-Analyzer: OriginalTransferMethod (Stats) EntraSignInLogs-Analyzer: UserAgent-Blacklist.csv EntraSignInLo...

Microsoft-Analyzer-Suite v1.5.0 is now available! We improved among other things the Device Code Flow Abuse detections and added support for the detection of suspicious UpdateInboxRules operations.

Check out the changelog for more information. Happy M365 Threat Hunting!

github.com/LETHAL-FOREN...

15.05.2025 07:15 — 👍 0    🔁 0    💬 0    📌 0

GitHub - LETHAL-FORENSICS/Microsoft-Analyzer-Suite: A collection of PowerShell scripts for analyzing data from Microsoft 365 and Microsoft Entra ID A collection of PowerShell scripts for analyzing data from Microsoft 365 and Microsoft Entra ID - LETHAL-FORENSICS/Microsoft-Analyzer-Suite

Quick update on some blacklists of the Microsoft-Analyzer-Suite: ApplicationPermission-Blacklist.csv, DelegatedPermission-Blacklist.csv, and UserAgent-Blacklist.csv. The update of the UserAgent-Blacklist covers the new M365 Account Takeover Attacks using HTTP Client Tools. github.com/LETHAL-FOREN...

25.03.2025 07:41 — 👍 0    🔁 0    💬 0    📌 0

#100DaysOfKQL

Day 75 - Activity From Suspicious User-Agent

I think I have one last one after this, piggybacking on @lethalforensics.bsky.social / @Evild3ad79's awesome CSV blacklists, then I'm done.

Remember: if it can be done in the UAL, it can be done in Sentinel or MCAS.

github.com/SecurityAura...

18.03.2025 02:09 — 👍 2    🔁 1    💬 0    📌 0

All the credits go to @lethalforensics.bsky.social for providing the list I'm using in a handy CSV format!

Go check out their amazing Microsoft-Analyzer-Suite on GitHub!

github.com/LETHAL-FOREN...

17.03.2025 12:12 — 👍 2    🔁 1    💬 0    📌 0

#100DaysOfKQL

Day 73 - Activity From Known Abused Application in Entra ID

All credits for the blacklist used (CSV <3) go to @LETHAL_DFIR / @evild3ad79 (on Twitter).

I once again invite you to explore the amazing tool that is Microsoft-Analyzer-Suite on Github.

github.com/SecurityAura...

16.03.2025 01:51 — 👍 1    🔁 1    💬 0    📌 1

Week 09 – 2025: Abdulrehman Ali, Mustang Panda APT Adversary Simulation; Akash Patel, Running Plaso/Log2Timeline on Windows; Mastering Timeline Analysis: A Practical Guide for Digital Forensics (Log2timeline); Forensic…

Week 09 - 2025 #DFIR
thisweekin4n6.com/2025/03/02/w...

02.03.2025 12:03 — 👍 7    🔁 5    💬 0    📌 0

Week 11 - 2025 #DFIR

thisweekin4n6.com/2025/03/16/w...

16.03.2025 12:09 — 👍 1    🔁 2    💬 0    📌 0

#100DaysOfKQL

Day 74 - Consent to Application With Dangerous Delegated Permissions

Another one that uses a very helpful blacklist (CSV <3) from @LETHAL_DFIR / @Evild3ad79 (on Twitter).

Anything that can be found in UAL can be found in Sentinel logging.

github.com/SecurityAura...

17.03.2025 01:45 — 👍 1    🔁 1    💬 0    📌 1

#100DaysOfKQL

Day 72 - New Service Principal Added Following Consent to Application

User being able to consent to apps and creating Service Principals is bad mmmmkay? You don't want to have TAs add eM Client, PERFECTDATA, rclone, etc. through BECs.

github.com/SecurityAura...

15.03.2025 00:54 — 👍 4    🔁 1    💬 0    📌 0

Windows Memory Snapshot w/ MAGNET DumpIt (incl. Pagefile) + Triage Collection

Automated Processing of 'ProcessesAndModules-Extended_Info.tsv' (MAGNET Response)

'ProcessesAndModules-Extended_Info.ps1' → MemProcFS-Analyzer

Just released Collect-MemoryDump v1.1.0 with various improvements. Triage Collection w/ MAGNET Response (Optional), Microsoft Protection Logs (MPLogs), Automated Processing of 'ProcessesAndModules-Extended_Info.tsv', and much more. #MemoryAnalysis #MemoryForensics #DFIR
github.com/LETHAL-FOREN...

17.03.2025 06:04 — 👍 1    🔁 1    💬 0    📌 0

Release Microsoft-Analyzer-Suite v1.4.0 · LETHAL-FORENSICS/Microsoft-Analyzer-Suite [1.4.0] - 2025-02-24 Added UAL-Analyzer: Detection of suspicious Inbox Rules via RegEx (incl. Conditional Formatting) UAL-Analyzer: MoveToFolder-Blacklist.csv UAL-Analyzer: UniqueTokenId and Issue...

Happy to announce the release of Microsoft-Analyzer-Suite v1.4.0. It is our first company-branded release! 🚀

Check out the changelog for more information and don't forget to follow LETHAL FORENSICS. Happy M365 Threat Hunting! #M365 #BEC #CloudIncidentResponse #DFIR

github.com/LETHAL-FOREN...

17.03.2025 05:58 — 👍 1    🔁 0    💬 0    📌 0