Tag: microsoft 365 defender

  • Detecting RMM tools using Microsoft Defender for Endpoint

    Introduction: It’s no secret that Remote Monitoring and Management (RMM) software is being used by threat actors (TAs) for lateral movement and to establish command and control (C2). The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA) highlighting the…

  • Investigating initial access in compromised email accounts using Microsoft 365 Defender

    Introduction: Fortra recently released a report indicating that business email compromise (BEC) attacks are at their zenith. Why not? As ENISA mentions in its 2022 Threat Landscape Report, financially motivated threat actors find it far easier to perform a Man-in-the-Middle (MitM) attack through an account takeover than to prepare and conduct sophisticated malware attacks…

  • Remotely restart endpoints using MDE live response

    If you haven’t familiarized yourself with Microsoft Defender for Endpoint live response, this is a simple exercise: perform a live response session using the scripts library, storing a simple and straightforward PowerShell script that restarts the endpoint, something that is not available through the Microsoft 365 Defender portal. What is live response? Live response…

  • The absolute beginner’s guide for hunting with KQL

    Building queries for Microsoft 365 Defender or Microsoft Sentinel can be challenging, especially when complex requirements force you to work through maze-like table data. Be that as it may, it is important to keep a set of simple queries handy to use immediately when threat hunting or detection is required. As…