Tracking Command and Control Communication

With all of the great detective technology we have today we have a number of ways to track adversary activity. If the threat you're tracking is a human adversary within your enterprise, any gap provides an opportunity for them to reestablish persistence using a different type of malware and a different command and control channel. … Continue reading Tracking Command and Control Communication

Ignite 2020: Best Practices for Hunting Across Domains in Microsoft 365 Defender

For Ignite 2020, Tali and I put together a video covering some demos showing how you can use the Advanced Hunting feature of Microsoft 365 Defender to correlate activity between the various Defender capabilities. Among other things you'll see an example of how to use Defender for Identity and Defender for Endpoint to track down … Continue reading Ignite 2020: Best Practices for Hunting Across Domains in Microsoft 365 Defender

Tracking the Adversary with M365 Defender Advanced Hunting

If you're new to advanced hunting in Microsoft 365 Defender, be sure to check out the four-part series Tali Ash and I presented in July of 2020. We start with the very basics of Kusto Query Language (KQL) and take you all the way to performing visualizations, performing anomaly detection, and track malicious activity purely … Continue reading Tracking the Adversary with M365 Defender Advanced Hunting