With all of the great detective technology we have today we have a number of ways to track adversary activity. If the threat you're tracking is a human adversary within your enterprise, any gap provides an opportunity for them to reestablish persistence using a different type of malware and a different command and control channel. … Continue reading Tracking Command and Control Communication
Tag: M365 Defender
Ignite 2020: Best Practices for Hunting Across Domains in Microsoft 365 Defender
For Ignite 2020, Tali and I put together a video covering some demos showing how you can use the Advanced Hunting feature of Microsoft 365 Defender to correlate activity between the various Defender capabilities. Among other things you'll see an example of how to use Defender for Identity and Defender for Endpoint to track down … Continue reading Ignite 2020: Best Practices for Hunting Across Domains in Microsoft 365 Defender
Anomaly Detection in Microsoft 365 Defender
As a former incident responder, anomaly detection was part of my day-to-day job. When an attacker persists on an endpoint or within identity there is typically something that deviates from the norm - whether that be a misspelling, obscure launch string, odd configuration, or just general strange behavior. Because of this, many of the queries … Continue reading Anomaly Detection in Microsoft 365 Defender