Michalis Michalos

Security Operations, DFIR & CTI

2024-07-24

📢 New blog post out!

Five reasons to start using Microsoft Defender Threat Intelligence (Basic)

➡️ While the MDTI Basic license comes with limited capacity, it is undeniably a valuable resource to consider operationalizing in your daily tasks and incorporating into your TI processes.

➡️ Join me in exploring 5 (plus 1!) reasons why and how you can operationalize MDTI in your Cyber Threat Intelligence capacity.

🔗 michalos.net/2024/07/23/five-r

#Microsoft #MicrosoftSecurity #MicrosoftDefender #DefenderXDR #MicrosoftSentinel #ThreatIntel #ThreatIntelligence #CyberThreatIntelligence

2024-03-30

💡 Following recently surfaced news about the CVE-2024-3094 vulnerability, the following #KQL query can help hunt for devices identified with the relevant CVE that are internet facing.

➡️ Check the query here: lnkd.in/dBf5S7T8

➡️ Check further KQL queries for Microsoft Sentinel and Defender XDR: lnkd.in/d9k5qx8t

#MicrosoftSecurity #Microsoft365 #Microsoft365Defender #MicrosoftSentinel #MicrosoftXDR #ThreatHunting #KustoQueryLanguage

2024-03-25

📢 New blog!

Operationalizing MITRE ATT&CK with Microsoft Security (Part 2)

...by understanding Active & Simulated coverage, an analyst can take advantage of a well-disciplined path to build threat-informed defenses.

#MicrosoftSecurity #MitreAttack

michalos.net/2024/03/25/operat

2024-02-29

📢 New blog out!

💡 If you isolate an endpoint during IR, you probably don't have time to notify stakeholders such as the help desk, which the user might contact for troubleshooting. This logic app is based on #KQL: it identifies the isolation action, adds a tag in your #DefenderXDR portal and sends an email.

#MicrosoftSecurity #MicrosoftSentinel #MicrosoftDefender #LogicApps #MicrosoftAutomation #Automation #AdvancedHunting

michalos.net/2024/02/20/isolat

2024-02-10

We are one week away from the AI, Cloud and Modern Workplace Conference 2024! Join me next Saturday for a presentation on #KQL; we'll go through the basics and how to leverage Sentinel and XDR for threat hunting & incident response!

aicmwc.azurewebsites.net

2024-02-02

📌 New MDE DFIR resource!

I added Magnet Forensics Community to integrate with Microsoft Defender for Endpoint Live Response.

#DFIR #MicrosoftSecurity #DefenderXDR

github.com/cyb3rmik3/MDE-DFIR-

2024-01-29

📢 New blog out on externaldata operator!

💡 externaldata can be used to harness threat intelligence feeds (and not only those...); it is a very powerful operator that you can use to empower your defenses.

#MicrosoftDefender #DefenderXDR #MicrosoftSentinel #ThreatIntel #CTI

michalos.net/2024/01/22/harnes

2024-01-05

📢 Five (plus one!) notable cyber attacks in #Greece during 2023 blog is out!

➡️ APTs, cybercriminals & hacktivists conducted a plethora of cyber attacks, creating an interesting threat landscape for Greece throughout 2023.

🔗 michalos.net/2024/01/04/five-p

#ThreatIntel #CTI #CyberAttacks

2023-12-24

💡 PowerShell's execution policy is a safety feature that controls the conditions under which PowerShell loads configuration files and runs scripts.

➡️ The following #KQL query will help you identify execution policy changes. You may also fine-tune the query by excluding the InitiatingProcessFileName and InitiatingProcessParentFileName values of your environment's applications, to balance precision and recall.

🔗 github.com/cyb3rmik3/KQL-threa

❗ Find this and more queries here: github.com/cyb3rmik3/KQL-threa

ℹ️ I hope you will find the query useful; if you do, just ⭐ the repo!

#MicrosoftXDR #ThreatHunting

2023-12-15

💡 Shifting from threat hunting to some security operations #KQL queries to help with day-to-day activities.

2️⃣ new ones added at lnkd.in/dKqxrnqR

🔒 Looking into playing with some confirmed-compromised account data.

➡️ The following query identifies, through the Microsoft Entra ID Protection capacity, risky user operations such as risk dismissal or compromised-account confirmation: lnkd.in/dbyzWwXX

➡️ The following query identifies how much time has elapsed since a confirmed compromised account changed its password: lnkd.in/dbCkBU6W

ℹ️ I hope you will find the queries useful; if you do, please ⭐ the repo!

#MicrosoftSentinel #MicrosoftSecurity

2023-06-06

If you haven't heard, a special website providing exam subjects for Greek high schools suffered #DDoS attacks for two days last week, causing hardship for thousands of students.

I followed the attacks and tried to collect evidence of what happened, building a timeline of events and presenting what I believe took place. Different narratives were growing, including that the attacks never happened, whether the Killnet threat group was involved, etc. I hope you will find my analysis interesting.

#Greece #Cybersecurity #ThreatIntelligence

michalos.net/2023/06/05/an-osi

2023-05-17

As if defenders haven't had enough headaches already, #Google recently decided to provide gTLD registrations for .zip and .mov domains, opening new opportunities for threat actors' malicious activity.

Below is a #Microsoft #KQL query with high recall for .zip and .mov network connections.

Also, as with any other domain TLD, if you type a non-existent file name such as update.zip into File Explorer, the user will be redirected to the corresponding website (check the first comment for a PoC).

Query includes MITRE ATT&CK mapping.

github.com/cyb3rmik3/KQL-threa

#MicrosoftSecurity #Microsoft365 #Microsoft365Defender #MicrosoftDefender #MITREATTACK

Client Info

Server: https://mastodon.social