b41s (@b41ss)'s Twitter Profile
b41s

@b41ss

🪼

ID: 926181809456582656

02-11-2017 20:18:45

655 Tweets

27 Followers

123 Following

Matt Zorich (@reprise_99)

In case you missed it, our incident response team put together their very own ninja hub - a collection of all their blogs, articles, lessons from the field and much more, I promise you will find something worthy of your time in the list - aka.ms/MicrosoftIRNin…

Stephan Berger (@malmoeb)

Who actively monitors the Application Event Log for the Event ID 15457, containing the string xp_cmdshell?

The screenshot below is from an Incident Response engagement this year from an exploited FortiClient EMS server (CVE-2023-48788). 

xp_cmdshell spawns a Windows command

Black Hills Information Security (@bhinfosecurity)

**NEW** BHIS | Blog If you had to guess, how does BHIS compromise your networks and domains? Let's go Family Feud style with this one! The Top Ten List of Why You Got Hacked This Year by: Jordan Drysdale & Kent Ickler Published: 12/12/2024 Learn more: blackhillsinfosec.com/top-ten-list-o…

Black Hills Information Security (@bhinfosecurity)

The Elastic stack is a powerful tool for centralizing, visualizing, and searching your security data, but the learning curve for new analysts can be steep. However that shouldn't keep you from adding a tool to your arsenal.

Earlier this year we were joined by Dave Hoff - SOC

Stephan Berger (@malmoeb)

Excellent talk from Brandon Colley about various attacks against Active Directory and how to fix them. I highly recommend this short video for every IT administrator, CISO, CSO, etc., to at least understand the basics of how attackers can fully compromise networks within hours.

Black Hills Information Security (@bhinfosecurity)

Day 351 of 366 Days of Cyber!

Explore Detecting Malware Beacons with Zeek and Rita with BHIS - blackhillsinfosec.com/detecting-malw… 

If you'd like more helpful educational content, check out the Infosec Survival Guide: GREEN BOOK - blackhillsinfosec.com/prompt-zine/pr…

Stephan Berger (@malmoeb)

New blog post: Today I Learned - setfacl
dfir.ch/posts/today_i_…

setfacl is a powerful tool for managing Access Control Lists (ACLs) on Linux/Unix systems, offering flexibility beyond traditional file permissions. By allowing granular control over file and directory access, it

Kostas (@kostastsale)

🐧 It’s finally here!
The Linux EDR Telemetry Project results are live! After months of testing and collaboration, we’re excited to share how well EDR solutions handle Linux visibility.

Thank you to everyone who contributed, shared feedback, and supported the project! Your

b41s (@b41ss)

Incident Response in Microsoft Entra ID (formerly Azure AD) - Compromised user account edition medium.com/@bastradamus/i… #azure #Microsoft365 #entraID #CyberSec #cyberattacks

Red Canary (@redcanary)

HijackLoader—a newcomer to our monthly top 10 list—is fond of renaming executables, which presents a detection opportunity. Learn more in this month's edition of Intelligence Insights. redcanary.com/blog/threat-in…

Unit 42 (@unit42_intel)

The role of #LDAP in managing directory services makes it an attractive avenue for attackers to access critical information. Using examples ranging from ransomware attacks to cyberespionage, we walk through identifying these attacks as well as solutions. bit.ly/4iE9LAy

Stephan Berger (@malmoeb)

New blog post: Oh my .. ! - Suspicious network traffic detected including Ransomware
dfir.ch/posts/suspicio…

ConnectionAttempt vs. InboundConnectionAccepted vs. How can I be sure the attacker did not successfully log on to the host? 🤔 I spent some time researching this question

Matt Zorich (@reprise_99)

If you have developers in your organization using Dev Tunnels in VS Code, there are now group policy controls to allow you to manage the configuration. You can disable Dev Tunnels, disable anonymous tunnels, or lock down access to specific Entra tenants - techcommunity.microsoft.com/blog/azuredevc…

abuse.ch (@abuse_ch)

One of the many reasons why you should share active malware distribution sites on URLhaus ⤵️ Some of the largest cloud-, hosting and CDN-providers use data from URLhaus for signaling, helping them to identify and quickly take down hostile content 🛑 Join our community and do

Matt Zorich (@reprise_99)

A little while ago I wrote a long piece detailing some of the issues we commonly find in Active Directory during compromises. If you are a defender, work in identity, or manage AD in any way, hopefully you find something valuable in here - techcommunity.microsoft.com/blog/microsoft…

Joe Stocker (@itguysocal)

NEW: Measure your email security detection rate with this KQL Query 
github.com/EHLOBen/MDO-He…

(run the above query here: security.microsoft.com/v2/advanced-hu…)

b41s (@b41ss)

Detecting device code phishing attacks in Google Security Operations #entraid #secops bastradamus.com/detecting-devi…

CODE WHITE GmbH (@codewhitesec)

We have reproduced "ToolShell", the unauthenticated exploit chain for CVE-2025-49706 + CVE-2025-49704 used by Khoa Dinh to pop SharePoint at #Pwn2Own Berlin 2025, it's really just one request! Kudos to Markus Wulftange

b41s (@b41ss)

Critical Vulnerabilities in React and Next.js: Security Advisory + Shodan query bastradamus.com/critical-vulne…