Asger.jpg (@hackerkartellet) 's Twitter Profile
Asger.jpg

@hackerkartellet

🇩🇰 living in 🇩🇪

Principal IR dude trying to do IR stuff at @InfoGuardAG

infosec.exchange/@hackerkartell…
@hackerkartellet.bsky.social

ID: 235381041

Joined: 08-01-2011 01:41:35

204 Tweets

638 Followers

965 Following

Stephan Berger (@malmoeb) 's Twitter Profile Photo

"A system administrator noticed that the user account kiosk had an active SSL-VPN connection to the corporate network. However, the kiosk user should not have been able to establish such a connection, as access via SSL-VPN is intended to be restricted to specific user groups

Stephan Berger (@malmoeb) 's Twitter Profile Photo

Did you know about the Windows Notifications database? While investigating suspicious behavior on a computer, I discovered evidence of a blocked DNS connection within the Notifications database (see attached screenshot).

This database could hold valuable information for other

Aura (@securityaura) 's Twitter Profile Photo

For those using the full User Agent in their queries, detection, hunt, etc ... Time to increment the last number. Or even better, just look for "axios" and see what comes out 😂

Evild3ad79 (@evild3ad79) 's Twitter Profile Photo

Teaser: Microsoft-Analyzer-Suite v1.2.0 will detect the new Device Compliance bypass technique via Microsoft Intune Company Portal

Check out:
labs.jumpsec.com/tokensmith-byp…
quzara.com/blog/bypass-in…

Stephan Berger (@malmoeb) 's Twitter Profile Photo

New blog post: Analysis of Python's .pth files as a persistence mechanism
dfir.ch/posts/publish_…

I dig into Python's Path Configuration Files (.pth) and how an attacker can (mis-)use them for a sneaky persistence mechanism.

Stephan Berger (@malmoeb) 's Twitter Profile Photo

New blog post: Tear Down The Castle - Part 1 dfir.ch/posts/tear_dow… I analyzed 250 PingCastle Reports, grouping the findings along the categories I used for my 10 AD Commandments series. The number of affected domains is stated within each finding, i.e., in how many domains we

Evild3ad79 (@evild3ad79) 's Twitter Profile Photo

I just released Microsoft-Analyzer-Suite v1.3.0. UserAgent Blacklist added, ClientInfoString and Mailbox Synchronization detection of eM Client (Traitorware) added, and much more. Happy M365 Threat Hunting! Invictus Incident Response #M365 #Entra #BEC #DFIR
github.com/evild3ad/Micro…

Stephan Berger (@malmoeb) 's Twitter Profile Photo

New blog post: Tear Down The Castle - Part 2
dfir.ch/posts/tear_dow…

I analyzed 250 PingCastle Reports, grouping the findings along the categories I used for my 10 AD Commandments series.

The number of affected domains is stated within each finding, i.e., in how many domains we

Asger.jpg (@hackerkartellet) 's Twitter Profile Photo

I am reposting my old post as a reminder to regularly check which UserAgents are logging into your tenant. In more recent instances, we have noticed that TAs are using tools with the following as part of their toolkit: 'node-fetch/1.0 (+github.com/bitinn/node-fe…)' 'GuzzleHttp/7'

LETHAL FORENSICS (@lethal_dfir) 's Twitter Profile Photo

We just released Microsoft-Analyzer-Suite v1.5.1. This update includes bug fixes and a new version of RiskyDetections-Analyzer. Check out the changelog for more information. Happy M365/Azure Threat Hunting! #M365 #Azure #Entra #BEC #CloudIncidentResponse #DFIR #Microsoft

Stephan Berger (@malmoeb) 's Twitter Profile Photo

Some people commented on my post below, asking, "But isn't the domain legitimate?" Well.. maybe? Take a moment to visit this web page here: wizer-training.com/blog/copy-paste Done? Copy and paste could be abused by attackers, along with a lookalike domain (e.g., g0ogle[.]com), who

LETHAL FORENSICS (@lethal_dfir) 's Twitter Profile Photo

We just released MemProcFS-Analyzer v1.2.0 with various enhancements. Check out the changelog for more information. Happy Memory Analysis! #MemProcFS #MemoryAnalysis #DFIR github.com/LETHAL-FORENSI…

Stephan Berger (@malmoeb) 's Twitter Profile Photo

Yesterday, I presented "Anti-Forensic" techniques for Windows and Linux at the Troopers conference in Heidelberg. This morning at breakfast, I was approached by an attendee and asked if I had looked at the zapper tool from The Hacker's Choice. [1]

I said no, but of course, my

spencer (@techspence) 's Twitter Profile Photo

Active Directory hardening is free…outside of your time.

Overall - PingCastle
Passwords - FGPP, LAPS, Lithnet
Permissions - ADeleg/ADeleginator
Applocker - Applocker Inspector/Applocker gen
ADCS - Locksmith
Logon scripts - ScriptSentry
GPO - GPOZaurr
Baselines - CIS/Microsoft

spencer (@techspence) 's Twitter Profile Photo

Quick wins for hardening Active Directory that actually move the needle… (Not in any particular order)

1. Run Locksmith and fix all findings
2. Make sure all admin accounts have unique, strong passwords
3. Use fine-grained password policies
4. Remove unnecessary accounts

Stephan Berger (@malmoeb) 's Twitter Profile Photo

My colleague Manuel keeps on finding flaws and vulnerabilities in EDRs, as if it were a stroll in the park 😂 well done - keep up the pace!

LETHAL FORENSICS (@lethal_dfir) 's Twitter Profile Photo

Microsoft-Analyzer-Suite v1.7.0 released today! This update includes a new PowerShell script for analyzing Microsoft Service Principal Sign-In Logs.🚀 Check out the changelog for more information. Happy M365/Azure Threat Hunting! #M365 #Azure #EntraID #BEC #DFIR #Microsoft

Stephan Berger (@malmoeb) 's Twitter Profile Photo

Two of my teammates published artifacts on the Velociraptor Exchange this week 💪 mirwitch released several VHDX artifacts, as described in his detailed blog post. [1] Matthew Green 🌻 continues rocking here at InfoGuard by publishing the Windows.Detection.HyperV artifact, designed