Threat hunting with Microsoft Defender – Valid Accounts

In the previous post I explained how to hunt for exact same scenario using CrowdStrike. I thought it’d be fun to see how would it look like with Microsoft Defender for Endpoint using its Advanced Hunting module and the Kusto query language.

Threat hunting with CrowdStrike – Valid Accounts

Techniques of interest: |_ Remote Services: Remote Desktop Protocol |_ Remote Services: SMB/Windows Admin Shares   Hypothesis:  If a Threat Actor (TA) would successfully employ the above-mentioned sub-techniques of T1021 then in Windows Active Directory environment it should demonstrate itself by Windows logon events with types 3 and 10 being generated on target machines.   If we were able to identify any single userContinue reading “Threat hunting with CrowdStrike – Valid Accounts”

Proactive Threat Hunting – no longer a whim

Originally posted in 2018. We are undoubtedly in the era of huge security alert fatigue. This has been caused by the vast number of false positive alerts generated every day by countless security products that organizations put in place to improve their defences. Because of this, it’s hard to justify resources who would essentially focusContinue reading “Proactive Threat Hunting – no longer a whim”

Let me mine some coin with your browser, Alice!

Originally published in 2017. Recently while I was reviewing AV logs in a large organization one of the things that caught my attention was a large number of hits categorized as JavaScript with the word ‘Miner’ in the threat’s signature name. I looked up some of the files’ hashes in VirusTotal and downloaded some samples.Continue reading “Let me mine some coin with your browser, Alice!”