Aura (@securityaura) 's Twitter Profile
Aura

@securityaura

GCIH, GCFE | DFIR, TH, DE | @CuratedIntel DFIR

github.com/SecurityAura
infosec.exchange/@SecurityAura
securityaura.bsky.social

ID: 2951652470

Link: https://medium.com/@securityaura
Joined: 30-12-2014 07:43:30

4,4K Tweets

5,5K Followers

618 Following

Aura (@securityaura):

Collection of 6 small #KQL queries that can help you get started in #MDE to poke around Windows Services for investigation and/or hunting. I may ... change that page in the future (add more queries or split them in pages) but for now, this is it. github.com/SecurityAura/D…

Aura (@securityaura):

Little #KQL query of the day for #MDE where you can leverage HttpConnectionInspected to look for WebDAV GET or PROPFIND towards files with known executable extensions on external hosts. There are 2-3 more queries possible for WebDAV stuff👀 github.com/SecurityAura/D…

Aura (@securityaura):

Sunday Fun Day #KQL query for #MDE where a Windows Service would attempt to masquerade as a per-user service on Windows 10+. Saw this used last year in a Nitrogen Ransomware! Pretty easy to spot. github.com/SecurityAura/D…

Aura (@securityaura):

I still think about that one company that had alienvualt[.]cloud allowed in their FW instead of alienvault[.]cloud and our OffSec Team was $2,99 CAD away from having the greatest C2 domain ever on an engagement.

Aura (@securityaura):

Luckily for those of us with #MDE, operations impacting Windows Services Registry keys are captured, whether you create a new service or modify an existing one! Gives us a way to look for that behavior in #KQL. github.com/SecurityAura/D… Thanks Wietze! 🙏

Aura (@securityaura):

I had completely forgotten about this! I think I've only seen this technique on one SOC alert or IR I've responded to in the last few years. Luckily for us, #MDE logs this and a simple matches regex in #KQL can return us these events! github.com/SecurityAura/D… Thanks Wietze! 🙏

Aura (@securityaura):

Kudos to Squiblydoo for making this awesome data available! 🔥 #KQL queries that can be used in #MDE to leverage this data for locations where you're most likely to find these files (e.g.: user's Downloads folder) are now available on GitHub. github.com/SecurityAura/D…

SkelSec (@skelsec):

Well, it happened. The company I worked at for 6 years will be closing and thus I got laid off. This doesn't affect Octopwn operations in any negative ways, but I'm actively looking for a new day job. If someone has something please DM me. Retweets are appreciated.