Bhabesh (@bh4b3sh)'s Twitter Profile
Bhabesh

@bh4b3sh

Cybersecurity Analyst | Detection Engineer | Threat Hunter
#Microsoft365 #EntraID #Azure #Windows #AD #AWS #Kubernetes

ID: 1219981625489948672

Joined: 22-01-2020 13:54:29

1.1K Tweets

454 Followers

393 Following

Florian Roth ⚡️ (@cyb3rops)

I have finally found the time to update my "Log Sources" slide with input from Thomas Patzke (@blubbfiction), phantinuss (@phantinuss), Daniel Stinson (@shellcromancer), Josh Brower (@DefensiveDepth) & others

Changes
- added EDR, cloud & IdP logs
- rewrote the texts in the legend
- updated values

#SIEM

github.com/Neo23x0/Talks/…
Bhabesh (@bh4b3sh)

The lastSignInDateTime & lastNonInteractiveSignInDateTime returned by #MicrosoftGraph are very stale when checked against the Entra ID portal.
In my case, it's around 3 days and 1 day respectively.

Someone back in 2021 noticed this same issue:
learn.microsoft.com/en-us/answers/…
cc. Fabian Bader (@fabian_bader)
Nasreddine Bencherchali (@nas_bench)

2023 has been a very busy year for the sigma (@sigma_hq) team and a great year for the Sigma community at large.

We've seen a greater adoption of Sigma across all of the community and even from big vendors ranging from Qradar native support for Sigma rules, Splunk leveraging Sigma for
Bhabesh (@bh4b3sh)

#MicrosoftGraph is not returning the pagination key [@]odata.nextLink in security/alerts_v2 even though the result is paginated.

Looks like another issue Fabian Bader (@fabian_bader)?
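The symptom above (a paginated collection whose page carries no @odata.nextLink) is easy to miss in a collector, because the naive loop simply stops and silently drops the remaining alerts. The following is an added example, not code from the post, from Microsoft or from any Graph SDK: a small Python pager that follows @odata.nextLink, guards against a nextLink loop, and raises a warning when a page is full but no continuation link is present, so truncation is at least visible to the analyst. The HTTP call is replaced by an injected fetch function over constructed responses, and the $top and $skiptoken values, the alert ids and the page size are all constructed for the example.

```python
"""Defensive pager for Microsoft Graph collections (added example, not Microsoft code).

A page whose 'value' array is full but which has no '@odata.nextLink' is ambiguous:
either the collection ended exactly on a page boundary, or the pagination metadata
was dropped (the symptom described in the post). We surface it as a warning instead
of silently treating it as the end of the collection.
"""
from typing import Callable, Dict, List, Tuple

PAGE_SIZE = 2  # constructed: a deliberately small $top so the sample data paginates


def collect_alerts(fetch: Callable[[str], Dict], first_url: str,
                   page_size: int = PAGE_SIZE,
                   max_pages: int = 100) -> Tuple[List[Dict], List[str]]:
    """Walk a Graph collection starting at first_url.

    fetch(url) must return the decoded JSON body of the page (injected so the
    example runs offline). Returns (all items, warnings).
    """
    items: List[Dict] = []
    warnings: List[str] = []
    seen = set()
    url = first_url
    for _ in range(max_pages):
        if url in seen:  # a nextLink pointing back at an earlier page would loop forever
            warnings.append(f"nextLink loop detected at {url}")
            break
        seen.add(url)
        page = fetch(url)
        value = page.get("value", [])
        items.extend(value)
        next_url = page.get("@odata.nextLink")
        if next_url:
            url = next_url
            continue
        if len(value) >= page_size:
            # Full page, no continuation link: possible truncation, as in the post.
            warnings.append(f"page at {url} is full ({len(value)} items) but carries "
                            "no @odata.nextLink; results may be truncated")
        break
    else:
        warnings.append(f"stopped after {max_pages} pages without reaching the end")
    return items, warnings


# Endpoint shape is the real alerts_v2 collection; the $top value is constructed.
BASE = "https://graph.microsoft.com/v1.0/security/alerts_v2?$top=2"

# Constructed responses: three alerts over two pages, nextLink present (healthy case).
GOOD_PAGES = {
    BASE: {"value": [{"id": "alert-1"}, {"id": "alert-2"}],
           "@odata.nextLink": BASE + "&$skiptoken=page2"},
    BASE + "&$skiptoken=page2": {"value": [{"id": "alert-3"}]},
}

# Constructed responses reproducing the symptom: first page full, nextLink missing.
BROKEN_PAGES = {
    BASE: {"value": [{"id": "alert-1"}, {"id": "alert-2"}]},
}

# Constructed responses where the nextLink points back at the same page.
LOOP_PAGES = {
    BASE: {"value": [{"id": "alert-1"}], "@odata.nextLink": BASE},
}


def run_good():
    return collect_alerts(GOOD_PAGES.__getitem__, BASE)


def run_broken():
    return collect_alerts(BROKEN_PAGES.__getitem__, BASE)


def run_loop():
    return collect_alerts(LOOP_PAGES.__getitem__, BASE)


if __name__ == "__main__":
    for name, run in (("good", run_good), ("broken", run_broken), ("loop", run_loop)):
        alerts, warns = run()
        print(name, [a["id"] for a in alerts], warns)
```

In a real collector the injected fetch would be an authenticated GET that decodes the JSON body; the page size passed to collect_alerts should match the $top you request, otherwise the truncation heuristic cannot tell a full page from a short final one.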
Fabian Bader (@fabian_bader)

🚨 Did you miss the news? Merill Fernando, Thomas Naunheim and I just released maester, the #Microsoft #Security test automation framework! 🛡️ Give it a try today. maester.dev

Gi7w0rm (@gi7w0rm)

Bad news for the onion network. German prosecutors have been able to deanon Tor users since at least 2022 by tapping Tor Nodes over long time and then doing a timing analysis. Journalists saw documents related to at least one court case where this method was successful 4 times.

Bhabesh (@bh4b3sh)

Since Windows event logs lack the user's UPN, Sentinel is creating two Account entities for the same user across Windows, O365 & Okta incidents.

Is my conclusion correct? If yes then, one solution I think is enriching the 🪟 event logs to have UPN.
cc. Fabian Bader (@fabian_bader) Matt Zorich (@reprise_99)
Kostas (@kostastsale)

🚨EDR Telemetry website is live! 🥳

I hope this makes it even easier for folks to compare the telemetry of EDR vendors and visualize their visibility gaps 🙂

‣ Website🔗edr-telemetry.com
‣ GitHub 🔗github.com/tsale/edr-tele…

**Telemetry results reflect the most recent
Adam Chester 🏴‍☠️ (@_xpn_)

This hack is brilliant, APT28 hopping into a target environment over wifi by compromising neighbouring companies and finding a dual-homed host within range.

volexity.com/blog/2024/11/2…

And yet... they got caught doing this!
Bhabesh (@bh4b3sh)

Just noticed, all the permissions from the Directory Synchronization Accounts role were replaced with a new one back in August👀
This locks down attack paths shown by Fabian Bader (@fabian_bader) which could result in privesc to Global Admin by taking control of a privileged service principal
blackorbird (@blackorbird)

#Lazarus Operation
Traffic sourced from DPRK IPs, masked via VPNs/proxies, routed through Oculus nodes (Hasan, Russia) to C2; multi-hop architecture ensures full-chain anonymity & evasion.
securityscorecard.com/blog/operation…
Bhabesh (@bh4b3sh)

Hey Andy Robbins, do you know if it is possible to access Exchange Online EWS activity log by customers? PS: What an excellent breakdown of the Microsoft breach with nice illustrations!

Matt Zorich (@reprise_99)

In real world incidents, we often see attackers compromise on-premises environments and then pivot into the cloud. We understand most large organizations, and even smaller ones, still have a significant on-premises identity footprint. To help you protect M365 from on-premises