All Stories

MDE/MDI/MDO365 advanced hunt queries to ELK

I’ve been using Jupyter Notebook for quite sometime in threat hunting and incident response purposes. It is great as it offers the python data analytic tools to be used with the data ...

In threat hunting, Nov 28, 2022
MDE/MDI/MDO365 advanced hunt queries to ELK

Qakbot

Qakbot - anything new on a recent sample?

In threat hunting, Nov 22, 2022
Qakbot

My version of a home lab

This time I am going to introduced my version of a home lab. This is not as “pro” as many others have but have a good combination of lab and a home computer in a same package. The pos...

In threat hunting, Nov 19, 2022
My version of a home lab

Recent phishing emails + Emotet recent sample analysis

Phishing emails

In threat hunting, Nov 13, 2022
Recent phishing emails + Emotet recent sample analysis

From Shodan to MDE queries

I’ve had an idea for some time for using the Shodan and MDE API:s. The idea is to pull recently identified C2 servers from Shodan and use the IP-addresses to run a query against the M...

In threat hunting, Sep 04, 2022
From Shodan to MDE queries

Running live malware for threat hunting purposes

This time I am trying something different. I am in no way, shape or form capable in malware analysis but I was thinking if it could be useful to run a live malware on a device with MD...

In threat hunting, Aug 13, 2022
Running live malware for threat hunting purposes

Detecting a Payload delivered with ISO files with MDE

It’s been a little quiet on my blog for a while now - reason being that I was on a holiday and rather did other things than sit in front of a computer. Just got back and have some fre...

In threat hunting, Jul 17, 2022
Detecting a Payload delivered with ISO files with MDE

Detecting Follina with MDE

About a week ago there was a new zero-day office “zero-click” vulnerability noted. This vulnerability was dubbed as Follina by Kevin Beaumont who discovered it while investigating a d...

In threat hunting, Jun 05, 2022
Detecting Follina with MDE

AMSI bypass detection with MDE

Microsoft has developed AMSI to detect malicious content to be launched by Powershell. The AMSI.dll is injected to the process memory after which the Antivirus programs can use the AP...

In threat hunting, May 27, 2022
AMSI bypass detection with MDE

Bzz.. Bzz.. Bumblebee loader

Quite recently, a new loader has been popping up. This loader is likely been developed to counter the Microsoft’s change to the macro behavior, as the macros will be disabled on the d...

In threat hunting, May 08, 2022
Bzz.. Bzz.. Bumblebee loader

Featured

  1. Having a look at a few new fields in MDE
    In threat hunting,
  2. Look into couple of suspicous registry activities
    In threat hunting,
  3. Hunting for Windows Subsystem for Linux based attacks
    In threat hunting,
  4. The DFIR thing
    In dfir,
  5. OpenCTI RSS feed support
    In threat intelligence,
  6. Threat Intelligence Platform - OpenCTI
    In threat intelligence,