Tracking Command and Control Communication

With all of the great detective technology we have today we have a number of ways to track adversary activity. If the threat you're tracking is a human adversary within your enterprise, any gap provides an opportunity for them to reestablish persistence using a different type of malware and a different command and control channel. … Continue reading Tracking Command and Control Communication

Ignite 2020: Best Practices for Hunting Across Domains in Microsoft 365 Defender

For Ignite 2020, Tali and I put together a video covering some demos showing how you can use the Advanced Hunting feature of Microsoft 365 Defender to correlate activity between the various Defender capabilities. Among other things you'll see an example of how to use Defender for Identity and Defender for Endpoint to track down … Continue reading Ignite 2020: Best Practices for Hunting Across Domains in Microsoft 365 Defender

Anomaly Detection in Microsoft 365 Defender

As a former incident responder, anomaly detection was part of my day-to-day job. When an attacker persists on an endpoint or within identity there is typically something that deviates from the norm - whether that be a misspelling, obscure launch string, odd configuration, or just general strange behavior. Because of this, many of the queries … Continue reading Anomaly Detection in Microsoft 365 Defender