ThreatHunter-Playbook (@hunterplaybook)'s Twitter Profile
ThreatHunter-Playbook

@hunterplaybook

I document #ThreatHunting playbooks in the form of #jupyter notebooks and share them with the world! github.com/OTRF/ThreatHun… @Cyb3rWard0g

ID: 1071463197486473218

Link: https://threathunterplaybook.com/ | Joined: 08-12-2018 17:55:07

86 Tweets

6.6K Followers

7 Following

Roberto Rodriguez 🇵🇪 (@cyb3rward0g):

Starting your week 🏡 & looking for ways to automate the deployment of #AzureSentinel w/ a basic Windows environment in your lab?

1) Go to GitHub (OTRF/Azure-Sentinel2Go)
2) Click on Win10 scenario 🏗️ -> ☁️
3) Wait a few mins ⏲️
4) Play 🚀
5) Repeat ♻️

techcommunity.microsoft.com/t5/azure-senti…
DTM (@dtmsecurity):

Check out mordordatasets.com/notebooks/smal… and threathunterplaybook.com/notebooks/wind… - Mordor Dataset and Playbook entry for wuauclt.exe abuse with many thanks to Roberto Rodriguez 🇵🇪 🤜 for his epic work as ever! Will be updating blog with these links too for reference 💪

Roberto Rodriguez 🇵🇪 (@cyb3rward0g):

HOW to contribute a @Mordor_Project dataset in 2 mins ⏳w/ the help of Red Canary, a Zscaler company ART & then contribute to sigma after exploring the data! Open Threat Research ♻️ Clear, Exec & Collect: youtu.be/6iteEfbuwU8 😈 Data: mordordatasets.com/notebooks/smal… 🏹 Rule: github.com/OTRF/sigma/blo…

Security Datasets (@secdatasets):

If you are wondering what this might look like in Sysmon, we got you covered with a new small dataset. You can simply download it from the link below and explore it with PSH as shown in the second image below 😊 Thank you Johnny Shaw (@jxy__s)!

😈 mordordatasets.com/notebooks/smal…
ThreatHunter-Playbook (@hunterplaybook):

Very happy to see the OSSEM (@OSSEM_Project) leading the way to help standardize how we add metadata about the security events and relationships used in the detection rules / analytics we share with the community!! Thank you Jose Rodriguez 🇵🇪 (@Cyb3rPandaH)! I like the "How can you contribute?" section! 🍻
Roberto Rodriguez 🇵🇪 (@cyb3rward0g):

💥😱 James Forshaw (@tiraniddo) added "named pipe RPC client transport" to NtObjectManager 🔥 Thank you very much James for all your work 👏!

I'll create PS scripts to cover a few scenarios 🍻 (Img 4)

If anyone would like to help me, let me know 😉 Open Threat Research (@OTR_Community)

github.com/Cyb3rWard0g/Wi…
Roberto Rodriguez 🇵🇪 (@cyb3rward0g):

Looking for anything to do this weekend? 😉

🔥 A way to create and start services remotely using the amazing NtObjectManager from James Forshaw (@tiraniddo) leveraging the latest support for named pipes RPC clients 🔥

Help us to create more PS scripts Open Threat Research (@OTR_Community)

blog.openthreatresearch.com/ntobjectmanage…
Open Threat Research (@otr_community):

Now that #ProxyLogon POCs are public, help defenders learn the underlying behavior? The weekend isn't over yet! Roberto Rodriguez 🇵🇪 (@Cyb3rWard0g)

1⃣ Azure Sentinel Env: github.com/OTRF/Azure-Sen…

2⃣ Install 🐍, ⬇️ & 💥 POC

4⃣ Share @Mordor_Project datasets, sigma (@sigma_hq) rules, Project Jupyter (@ProjectJupyter) notebooks
Jose Rodriguez 🇵🇪 (@cyb3rpandah):

Roberto Rodriguez 🇵🇪 (@Cyb3rWard0g) @Mordor_Project Open Threat Research (@OTR_Community) sigma (@sigma_hq) Project Jupyter (@ProjectJupyter) Jack Halon (@jack_halon) Melvin langvik (@Flangvik) Mauricio Velazco (@mvelazco) CVE-2021-27065 - sigma rule to detect adversaries modifying the offline address book (OAB) virtual directory in Exchange and setting the ExternalUrl property to script. #ProxyLogon chain event

PR: github.com/SigmaHQ/sigma/…
Mary (@bocachicagal):

This morning Starship SN15's nosecone is heading into the high bay. It appears that SpaceX is not wasting any time in preparing SN15 to roll to the launch site ASAP. 🔥🚀🔥
NSF - NASASpaceflight.com (@NASASpaceflight)
Open Threat Research (@otr_community):

Sharing @Mordor_Project datasets for "Getting AD FS Database Config Remotely" (Security, Sysmon & PCAP) Roberto Rodriguez 🇵🇪 (@Cyb3rWard0g) 🍻🙏

mordordatasets.com/notebooks/smal…

1⃣ A few tool-based comments at the host level
2⃣ Group hosts & processes connecting to AD FS server over port 80 (Usually 443)
Microsoft Security (@msftsecurity):

It's time to go to SimuLand! 🎠🎡🎢 But it isn't a new vacation theme park hot spot, it's a new open-source initiative that will help you deploy a lab environment to reproduce real attack scenarios to test your security defenses. Get the details: msft.it/6017VxcHv

Roberto Rodriguez 🇵🇪 (@cyb3rward0g):

🚨 New version of the Windows Security Events connector from #AzureSentinel reached public preview Looking for a way to test & filter the collection of event logs via XPath queries? I got you! 💜🍻 Microsoft SIEM and XDR #MSTIC Open Threat Research OSSEM techcommunity.microsoft.com/t5/azure-senti…

Microsoft Threat Intelligence (@msftsecintel):

Today, Microsoft is open sourcing Cloud Katana, a cloud-native serverless application built on the top of Azure Functions to assess security controls in the cloud and hybrid cloud environments. Read about the design principles and learn how to deploy: msft.it/6011n46MT

Roberto Rodriguez 🇵🇪 (@cyb3rward0g):

🚨 A few detection opportunities while interacting with local AD hybrid health agent registry keys & Azure AD connect health AD FS services ☁️ 📡SACLs & 🛰️Activity Logs (Directory Activity) FTW 🛡️ #AzureSentinel : github.com/search?q=repo%… 🌎 sigma : github.com/SigmaHQ/sigma/…

Roberto Rodriguez 🇵🇪 (@cyb3rward0g):

🚨 Learning how to install #Sysmon for Linux 🐧 & send security events to #AzureSentinel in a research lab environment!! 🧪 #MSTIC #Microsoft 📡 Sysmon (SysinternalsEBPF) -> Syslog -> SIEM 🚀 ✅ Scripts ✅ ARM templates ✅ Sysmon configs and more.. techcommunity.microsoft.com/t5/azure-senti…

InfoSec Jupyterthon (@jupyterthon):

🚨 #InfosecJupyterthon going live 🔴 in 24hrs 😎 Dec 2nd and 3rd at 8:30 AM (PST) 🗓️ The agenda for this year is 🔥🔥 aka.ms/Jupyterthon202… Live Streams 📺(FREE virtual event) Day 1: aka.ms/Jupyterthon202… Day 2: aka.ms/Jupyterthon202… Open Threat Research #MSTIC #Jupyter 🙏

Ashwin Patil (@ashwinpatil):

Looking forward to speaking on #ThreatHunting at scale with Spark notebooks at 4:15 PM PST. #infosecjupyterthon

👀 Tune in to the YouTube Livestream: youtube.com/watch?v=nMnHBn…
InfoSec Jupyterthon (@jupyterthon):

⏳ Good morning! #InfosecJupyterthon Day 2 is here! ⏰Starting at 8:30 AM (PST) 😎 Discord Q&A: discord.com/invite/tFsRKR72 🚀 Agenda: infosecjupyterthon.com/2021/agenda.ht… 📺YouTube Live Stream 🔴: aka.ms/Jupyterthon202… See you soon!

Roberto Rodriguez 🇵🇪 (@cyb3rward0g):

Thank you for sharing Dr. Nestori Syynimaa 😎! A process that is NOT Lsass attempting to access ("CloudDomainJoin" OR "WorkplaceJoin") AND "Ngc\KeyTransportKey" before exporting the Device certificate and transport key is interesting 😉 ✅ SACL ✅ Detection Idea: github.com/Azure/Azure-Se…