RT @malmoeb: Yesterday, I presented "Anti-Forensic" techniques for Windows and Linux at the Troopers conference in Heidelberg. This morning….

RT @LETHAL_DFIR: We just released MemProcFS-Analyzer v1.2.0 with various enhancements. Check out the changelog for more information. Happy….

RT @malmoeb: Some people commented on my post below, asking, "But isen't the domain legitimate?" Well. maybe? . Take a moment to visit th….

RT @LETHAL_DFIR: We just released Microsoft-Analyzer-Suite v1.5.1. This update includes bug fixes and a new version of RiskyDetections-Anal….

Could you all take a moment to check that UAL is enabled on your M365 tenant? The IR team will really appreciate it later!

I am reposting my old post as a reminder to regularly check which UserAgents are logging into your tenant. In more recent instances, we have noticed that TAs are using tools with the following as part of their toolkit: .'node-fetch/1.0 (+'.'GuzzleHttp/7'.

My big boss man is having a party writing awesome blogs. Take a look!.

RT @malmoeb: New blog post: Tear Down The Castle - Part 2. I analyzed 250 PingCastle Reports, grouping the findings….

RT @Evild3ad79: I just released Microsoft-Analyzer-Suite v1.3.0. UserAgent Blacklist added, ClientInfoString and Mailbox Synchronization de….

RT @malmoeb: New blog post: Tear Down The Castle - Part 1. I analyzed 250 PingCastle Reports, grouping the findings….

RT @malmoeb: New blog post: Analysis of Python's .pth files as a persistence mechanism. I dig into Pythons Path Con….

RT @Evild3ad79: Teaser: Microsoft-Analyzer-Suite v1.2.0 will detect the new Device Compliance bypass technique via Microsoft Intune Company….

RT @SecurityAura: For those using the full User Agent in their queries, detection, hunt, etc . Time to increment the last number. Or ev….

RT @malmoeb: Did you know about the Windows Notifications database? While investigating suspicious behavior on a computer, I discovered evi….

RT @malmoeb: "A system administrator noticed that the user account kiosk had an active SSL-VPN connection to the corporate network. However….

RT @malmoeb: "The attacker successfully gained unauthorized access to the organization’s internal network through an SSL VPN endpoint hoste….

Throwback to a case I had in June.

RT @malmoeb: Who actively monitors the Application Event Log for the Event ID 15457, containing the string xp_cmdshell?. The screenshot bel….

RT @malmoeb: I was looking through older Incident Response reports from our team and came across this paragraph here: . "The attackers were….

Lessons learned: Only allow approved external tenants to contact your tenant and lock down unused RMM tools. 3/3 . Ref: and