Examining access token privileges with MDATP and Kusto

As a defender, looking at the events that occur on user endpoints is very useful. Knowing exactly what is happening is essential, and having insight into detailed log data gives you the opportunity to hunt for threats and to create detection rules.

It is a no-brainer that looking at the processes on a user endpoint is crucial in order to find an adversary's activity. In this blog I will show you the value of looking at the access token of a process using Microsoft Defender ATP (MDATP) and the Kusto query language.
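The kind of token-focused hunt the post describes, as an added example that is not code from the original post. The rows are constructed test data; the field names mirror the Advanced Hunting process-event columns (ProcessTokenElevation, ProcessIntegrityLevel and their InitiatingProcess* counterparts, in DeviceProcessEvents, or ProcessCreationEvents in the older schema) that a Kusto query would filter on. The idea it shows: a process holding a full (elevated) token whose initiating process only had a limited token is worth a closer look, unless the elevation was brokered by the AppInfo service inside svchost.exe, which is how consent-driven UAC elevation normally shows up.

```python
"""Token-elevation hunting over process events.

Added example, not from the original post. The rows below are constructed
test data; the field names mirror the Advanced Hunting process-event
columns (ProcessTokenElevation, ProcessIntegrityLevel and their
InitiatingProcess* counterparts) that a Kusto query would filter on.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    device_name: str
    account_name: str
    file_name: str
    process_token_elevation: str       # TokenElevationTypeDefault / Full / Limited
    process_integrity_level: str       # Low / Medium / High / System
    initiating_file_name: str
    initiating_token_elevation: str
    initiating_integrity_level: str


FULL = "TokenElevationTypeFull"
LIMITED = "TokenElevationTypeLimited"
DEFAULT = "TokenElevationTypeDefault"

# Constructed sample rows (not real telemetry).
SAMPLE_EVENTS = [
    # A user opens notepad from the shell: the limited token stays limited.
    ProcessEvent("ws01", "alice", "notepad.exe", LIMITED, "Medium",
                 "explorer.exe", LIMITED, "Medium"),
    # Consent-driven UAC elevation: the AppInfo service (svchost.exe) spawns
    # the elevated cmd.exe, so the initiating process is svchost, not explorer.
    ProcessEvent("ws01", "alice", "cmd.exe", FULL, "High",
                 "svchost.exe", DEFAULT, "System"),
    # Full-token child spawned directly by a limited-token parent: worth a look.
    ProcessEvent("ws01", "alice", "updater.exe", FULL, "High",
                 "explorer.exe", LIMITED, "Medium"),
    # Service control manager starting a service host: default token, SYSTEM.
    ProcessEvent("ws01", "SYSTEM", "svchost.exe", DEFAULT, "System",
                 "services.exe", DEFAULT, "System"),
    # Elevated cmd spawning powershell: the child inherits the full token.
    ProcessEvent("ws01", "alice", "powershell.exe", FULL, "High",
                 "cmd.exe", FULL, "High"),
]


def summarize_by_token(events):
    """Counts per elevation type; the Kusto equivalent is
    `| summarize count() by ProcessTokenElevation`."""
    return dict(Counter(e.process_token_elevation for e in events))


def find_elevation_jumps(events, trusted_elevators=("svchost.exe",)):
    """Processes holding a full token whose initiating process only had a
    limited token. Legitimate UAC elevations are brokered by the AppInfo
    service inside svchost.exe, so that parent is excluded. Roughly the Kusto:

        DeviceProcessEvents
        | where ProcessTokenElevation == "TokenElevationTypeFull"
        | where InitiatingProcessTokenElevation == "TokenElevationTypeLimited"
        | where InitiatingProcessFileName != "svchost.exe"
    """
    return [
        e for e in events
        if e.process_token_elevation == FULL
        and e.initiating_token_elevation == LIMITED
        and e.initiating_file_name.lower() not in trusted_elevators
    ]


if __name__ == "__main__":
    print(summarize_by_token(SAMPLE_EVENTS))
    for hit in find_elevation_jumps(SAMPLE_EVENTS):
        print(f"{hit.device_name} {hit.account_name}: {hit.initiating_file_name} "
              f"-> {hit.file_name} ({hit.process_integrity_level})")
```

On the sample data only updater.exe is reported: it runs with a full token and High integrity although explorer.exe, its initiating process, held a limited Medium-integrity token. The svchost.exe exclusion keeps ordinary consent-prompt elevations out of the result, which is the difference between a usable hunting query and a noisy one.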

Mapping your Blue Team to MITRE ATT&CK™

A month ago Marcus and I released the first version of DeTT&CT. It was created at the Cyber Defence Centre of Rabobank and is built on top of MITRE ATT&CK. DeTT&CT stands for DEtect Tactics, Techniques & Combat Threats. Today we released version 1.1, which contains several improvements, most of them additional functionality for more detailed administration of your visibility and detection.

By creating DeTT&CT we aim to help blue teams that use ATT&CK to score and compare log source data quality, visibility coverage, detection coverage and threat actor behaviour. Each of these helps, in its own way, to become more resilient against attacks targeting your organisation.

In this blog we start with an introduction to ATT&CK and continue with how DeTT&CT can be used within your organisation. Detailed information about DeTT&CT and how to use it is documented on the GitHub wiki pages, so the explanation in this blog stays high-level.

Visualizing Netflow data

This is the first post in a series on visualizing Netflow data. It starts with some basic Netflow concepts and guidelines for setting up an environment to reproduce the samples in these posts. After that, we use FlowPlotter to create our first visualizations.

What is Netflow?
Netflow data is a record of the flows seen at a network interface or device. Unlike a full packet capture (FPC), it holds no payload, only metadata per flow: source and destination address, ports, protocol, start and end time, and packet and byte counts. That is enough to answer who talked to whom, when and how much, which makes it invaluable during incident response and forensic investigations, at a fraction of the storage a packet capture needs.
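To make the "metadata only" point concrete, here is an added example (not code from the original series, and not FlowPlotter) that parses a handful of constructed flow records and answers two questions an investigator asks first: who sent the most bytes, and which source hammered many ports on one host. The column layout is this example's own, not nfdump's; addresses come from private and documentation ranges.

```python
"""Working with Netflow records as metadata.

Added example, not from the original post. The flow lines are constructed
(the column layout is this example's own, not nfdump's): start time, IP
protocol number, source, destination, source port, destination port,
packets, bytes.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample export, not real traffic.
SAMPLE_FLOWS = """\
start,proto,src,dst,sport,dport,packets,bytes
2019-03-01 10:00:01,6,10.0.0.5,203.0.113.10,51234,443,20,14000
2019-03-01 10:00:03,6,10.0.0.5,203.0.113.10,51235,443,15,9000
2019-03-01 10:00:05,17,10.0.0.7,10.0.0.1,50000,53,1,70
2019-03-01 10:01:00,6,10.0.0.9,10.0.0.20,40001,22,1,60
2019-03-01 10:01:00,6,10.0.0.9,10.0.0.20,40002,23,1,60
2019-03-01 10:01:00,6,10.0.0.9,10.0.0.20,40003,80,1,60
2019-03-01 10:01:01,6,10.0.0.9,10.0.0.20,40004,443,1,60
2019-03-01 10:01:01,6,10.0.0.9,10.0.0.20,40005,445,1,60
2019-03-01 10:02:00,6,10.0.0.5,10.0.0.20,51300,445,200,120000
"""


@dataclass(frozen=True)
class Flow:
    start: str
    proto: int
    src: str
    dst: str
    sport: int
    dport: int
    n_packets: int
    n_bytes: int


def parse_flows(text):
    """Parse the CSV export above into Flow records; the first line is the header."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split(",")
    flows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        flows.append(Flow(rec["start"], int(rec["proto"]), rec["src"], rec["dst"],
                          int(rec["sport"]), int(rec["dport"]),
                          int(rec["packets"]), int(rec["bytes"])))
    return flows


def top_talkers(flows, n=3):
    """Bytes sent per source address, largest first (usually the first plot)."""
    totals = Counter()
    for f in flows:
        totals[f.src] += f.n_bytes
    return totals.most_common(n)


def port_scan_suspects(flows, min_ports=5):
    """(src, dst, distinct destination ports) for every pair where one source
    touched at least min_ports different ports on one host. The tiny per-flow
    byte counts are typical for a scan, but the port spread alone makes the point."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f.src, f.dst)].add(f.dport)
    hits = [(s, d, len(p)) for (s, d), p in ports.items() if len(p) >= min_ports]
    return sorted(hits, key=lambda t: -t[2])


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(top_talkers(flows))
    print(port_scan_suspects(flows))
```

Nothing in the input says what was inside the 120000 bytes that 10.0.0.5 pushed to port 445 on 10.0.0.20, which is exactly the limitation of Netflow; what it does tell you is that it happened a minute after 10.0.0.9 walked five ports on the same host, and that is often enough to know where to pull a packet capture or a disk image.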

HTTP Public Key Pinning

Every now and then you hear an abbreviation for a new technology. Today: HPKP, which stands for HTTP Public Key Pinning. It is an IETF standard (RFC 7469) that became final this month.

HTTP Public Key Pinning (HPKP) is an HTTP extension and security policy that is set through an HTTP response header, just like HSTS (HTTP Strict Transport Security). It lets a website tell the browser which public keys to expect: the Public-Key-Pins header carries one or more SHA-256 hashes of a certificate's SubjectPublicKeyInfo, and on later visits the browser refuses the connection unless at least one of those keys appears in the certificate chain. Note that browsers have since dropped HPKP support, mainly because a mistaken pin locks users out of the site until the pin expires.
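The mechanism end to end, as an added example that is not from the original post: computing a pin from a SubjectPublicKeyInfo, building a Public-Key-Pins header that includes the backup pin RFC 7469 requires, parsing that header as a browser would, and checking a chain against the stored pins on a later visit. To stay offline and dependency-free it builds RSA SPKI structures by hand from toy modulus and exponent values that are far too small for real use; with a real certificate you would extract the SPKI from the certificate instead.

```python
"""HPKP pins: computing, publishing and checking them (RFC 7469).

Added example, not from the original post. A pin is base64(SHA-256(DER of
the SubjectPublicKeyInfo)). The RSA keys below are constructed toy values,
present only so the SPKI encoding can be exercised without a crypto library.
"""
import base64
import hashlib

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1


def _der_length(n):
    if n < 0x80:
        return bytes([n])
    size = (n.bit_length() + 7) // 8
    return bytes([0x80 | size]) + n.to_bytes(size, "big")


def _tlv(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body


def _der_integer(value):
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:          # keep the INTEGER positive
        raw = b"\x00" + raw
    return _tlv(0x02, raw)


def rsa_spki_der(modulus, exponent):
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING RSAPublicKey }"""
    algorithm = _tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")          # rsaEncryption, NULL
    public_key = _tlv(0x30, _der_integer(modulus) + _der_integer(exponent))
    return _tlv(0x30, algorithm + _tlv(0x03, b"\x00" + public_key))  # 0 unused bits


def spki_pin(spki_der):
    """The pin-sha256 value: base64 of SHA-256 over the DER SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_hpkp_header(served_spkis, backup_spkis, max_age, include_subdomains=False, report_uri=None):
    """Value for the Public-Key-Pins response header. RFC 7469 requires at
    least one backup pin (a key that is not in the served chain); browsers
    ignore a header without one, and without it a key rollover locks users out."""
    served = [spki_pin(s) for s in served_spkis]
    backups = [p for p in (spki_pin(s) for s in backup_spkis) if p not in served]
    if not served or not backups:
        raise ValueError("need a pin from the served chain and at least one backup pin")
    directives = [f'pin-sha256="{p}"' for p in served + backups]
    directives.append(f"max-age={int(max_age)}")
    if include_subdomains:
        directives.append("includeSubDomains")
    if report_uri:
        directives.append(f'report-uri="{report_uri}"')
    return "; ".join(directives)


def parse_hpkp_header(value):
    """What a browser stores after seeing the header on a validated HTTPS response."""
    policy = {"pins": set(), "max_age": None, "include_subdomains": False, "report_uri": None}
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].add(raw)
        elif name == "max-age":
            policy["max_age"] = int(raw)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "report-uri":
            policy["report_uri"] = raw
    return policy


def chain_matches_pins(chain_spkis, pins):
    """The check on the next visit: accept only if at least one certificate in
    the validated chain carries a pinned key."""
    return any(spki_pin(s) in pins for s in chain_spkis)


# Constructed toy keys (not real key material, hopelessly small moduli).
LEAF = rsa_spki_der(0xC0FFEE_D00D_F00D_BEEF, 65537)
INTERMEDIATE = rsa_spki_der(0xDEAD_BEEF_CAFE_F00D_1234, 65537)
BACKUP = rsa_spki_der(0xFEED_FACE_0BAD_CAFE_5678, 65537)
ROGUE = rsa_spki_der(0xBAAD_F00D_ABAD_1DEA_9999, 65537)

HEADER = build_hpkp_header([LEAF, INTERMEDIATE], [BACKUP], max_age=5184000, include_subdomains=True)
POLICY = parse_hpkp_header(HEADER)

if __name__ == "__main__":
    print("Public-Key-Pins:", HEADER)
    print("chain ok:", chain_matches_pins([LEAF, INTERMEDIATE], POLICY["pins"]))
    print("rogue ok:", chain_matches_pins([ROGUE], POLICY["pins"]))
```

Two operational points follow directly from the code. Pinning the intermediate as well as the leaf gives you room to reissue the leaf without touching the header, and the backup pin is what lets you rotate to a new key at all; a pin set that only covers keys you are currently serving is the configuration that turns a lost key into an outage lasting the full max-age. Sending max-age=0 with a matching pin is the documented way to make browsers forget a policy.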

New version of VolWeb

I've been playing around with the script I created in the previous blog post, and I'm starting to think there is real potential in a web interface for Volatility. So I've made some improvements to the script to make it more functional.

VolShell For The Web!

So here is the second blog post; it took me almost a year to get another one out, but as always I try to focus on quality over quantity ;-). Again, the object of my affection is Volatility, an amazingly flexible tool for memory analysis. For this sample I used Volatility 2.2, but it will probably work on other versions as well.

Automating Volatility

When I use Volatility I'm always amazed by the amount of forensic information that is available just from memory. Volatility comes with a large number of plugins that make it very easy to get that information out of a memory image without extensive knowledge of how memory is actually organized.
