Author: sergioalbea

  • Rating ISP to detect potential attacks and IOCs sources

    I have been working on and researching how to classify ISPs based on different factors, and finally I am able to share a written article ( https://sckipt.com/ub3-c4-k1how-non-secure-isps-aid-attackers-in-evading-detection/ ) explaining all my insights about it. It includes how to monitor or react against possible attacks from the same ISP, use ISP as…

  • Detect PnP devices connected to my Endpoints

    Lately, I’ve been diving into a bunch of articles and posts about the risks of Bluetooth, USBs, and other Plug-and-Play (PnP) devices. Based on that, I decided to look into Defender XDR to verify whether some table was registering these kinds of events, and yes, DeviceEvents is doing this job. Basically, you…
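    As an added illustration of the idea in this post (this is not the author's query), the advanced hunting query below lists PnP connections recorded in DeviceEvents and pulls the device class and vendor/product identifiers out of AdditionalFields. The ActionType name and the AdditionalFields keys are assumed to match what the sensor emits in the tenant; the class filter is an illustrative choice.

```kql
// Added example, not the author's query: PnP device connections per endpoint.
// Assumptions: ActionType "PnpDeviceConnected" and the AdditionalFields keys
// ClassName / DeviceDescription / VendorIds / ProductIds / DeviceId are what the
// sensor emits in this tenant; verify against a raw event before relying on them.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "PnpDeviceConnected"
| extend Fields = parse_json(AdditionalFields)
| extend ClassName         = tostring(Fields.ClassName),
         DeviceDescription = tostring(Fields.DeviceDescription),
         VendorIds         = tostring(Fields.VendorIds),
         ProductIds        = tostring(Fields.ProductIds),
         PnpDeviceId       = tostring(Fields.DeviceId)
// Illustrative focus: removable storage, portable devices, Bluetooth radios and HID
| where ClassName in~ ("USB", "DiskDrive", "WPD", "Bluetooth", "HIDClass")
| summarize FirstSeen   = min(Timestamp),
            LastSeen    = max(Timestamp),
            Connections = count(),
            Accounts    = make_set(AccountName, 10)
          by DeviceName, ClassName, DeviceDescription, VendorIds, ProductIds, PnpDeviceId
| order by LastSeen desc
```

    Grouping by the vendor/product pair makes it easy to spot a device model that appears on many endpoints, which is usually either a corporate standard or a campaign worth a closer look.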

  • Detection of OOF messages delivered externally

    Years ago, I encountered a crazy case where a key member of an IT consulting company decided to share confidential information in their Out of Office (OOF) messages, such as their personal email address and phone number. While this person was enjoying their vacation, bad actors were receiving the OOF messages…

  • Detect External Sources scanning my exposed devices

    I had been meaning to research external IPs scanning exposed devices in my organisation. Therefore, I decided to create a KQL query to detect external source IPs that are scanning my exposed devices, because if I see some IPs triggering scans multiple times or on multiple devices… I would suggest blocking…
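    As an added example of the detection this post describes (not the author's query), the query below flags public IPs that open inbound connections to many distinct ports, or to several internet-facing devices, within a day. The DeviceInfo IsInternetFacing column is assumed to be populated in the tenant, and the thresholds (10 ports, 3 devices) are illustrative.

```kql
// Added example, not the author's query: external IPs scanning exposed devices.
// Assumptions: DeviceInfo.IsInternetFacing is populated; the thresholds below are
// illustrative and should be tuned to the environment's normal inbound traffic.
let exposed = DeviceInfo
| where Timestamp > ago(1d) and IsInternetFacing == true
| distinct DeviceId;
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where ActionType == "InboundConnectionAccepted"
| where RemoteIPType == "Public"
| where DeviceId in (exposed)
| summarize DistinctPorts   = dcount(LocalPort),
            DistinctDevices = dcount(DeviceId),
            Attempts        = count(),
            Ports           = make_set(LocalPort, 50),
            Devices         = make_set(DeviceName, 20),
            FirstSeen       = min(Timestamp),
            LastSeen        = max(Timestamp)
          by RemoteIP, Day = bin(Timestamp, 1d)
// Horizontal scan (many devices) or vertical scan (many ports on one device)
| where DistinctPorts >= 10 or DistinctDevices >= 3
| order by DistinctPorts desc, DistinctDevices desc
```

    The RemoteIP column of the result is what you would feed into a custom network indicator or a perimeter block list once the repeat offenders are confirmed.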

  • Potential Threats or network anomalies related to ICMP Inbound Connections

    Hey there! September’s back, and it looks like hackers took a break last month, but now they’re back at it with more suspicious connections popping up. I was digging through the network logs and checking out data related to the ICMP protocol, which is often used by devices like routers…

  • Non-supported Sense Agent version required for the Contain User action by Attack Disruption

    I knew that Attack Disruption existed, but I had never invested time in understanding exactly how it works. In a nutshell, if you have Defender XDR and meet some requirements related to licenses and specific settings (which are usually enabled by default), it means that Defender XDR can take actions automatically over your…

  • Methods used to establish secure communication over insecure channels

    Delving deeper into the topic of encryption of communications on our devices, I have been reading about and trying to understand different fields related to it. In this case, I have been researching the ‘curve’ value in the AdditionalFields column of the DeviceNetworkEvents table, which I identified on iana.org in two groups: ‘Elliptic…

  • Success sign-in from more than 3 countries in 1 day

    A while ago, I was annoyed with some Defender XDR alerts related to "User Impossible travel". I had different false positives: users who were using VPNs, different devices, different countries on the same day (not a surprise if you live in central Europe), and others. So, I decided to create…
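    As an added example of the rule in the title (not the author's query), the query below groups successful Entra ID sign-ins per account and calendar day and keeps accounts seen from more than three countries. It assumes ErrorCode == 0 marks a successful sign-in in AADSignInEventsBeta, and the VPN egress IP list is a constructed placeholder to be replaced with the organisation's own.

```kql
// Added example, not the author's query: successful sign-ins from >3 countries in one day.
// Assumptions: ErrorCode == 0 is a successful sign-in in AADSignInEventsBeta; the VPN
// egress list is a constructed placeholder (203.0.113.10 is a documentation address).
let vpn_egress_ips = dynamic(["203.0.113.10"]);
AADSignInEventsBeta
| where Timestamp > ago(7d)
| where ErrorCode == 0
| where isnotempty(Country)
| where IPAddress !in (vpn_egress_ips)   // drop known VPN egress to reduce false positives
| summarize Countries    = make_set(Country),
            CountryCount = dcount(Country),
            IPs          = make_set(IPAddress, 20),
            Apps         = make_set(Application, 10),
            SignIns      = count()
          by AccountUpn, Day = bin(Timestamp, 1d)
| where CountryCount > 3
| order by CountryCount desc, Day desc
```

    Excluding the VPN egress addresses up front is what keeps this from reproducing the same false positives the built-in impossible-travel alert produced.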

  • Enriching CVEDevices tables with CVE Mitre Data

    As usual, another week checking some reported CVEs, what a surprise! 😅 While I was working on it, I discovered that I often visit the CVE Mitre site to get extended information about the announced CVEs, so why not merge this info with the Defender XDR DeviceTvmSoftwareVulnerabilities table? This query takes the info from…
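    As an added example of the enrichment idea (not the author's query, which pulls its data from the CVE Mitre site), the query below joins the per-device findings with the built-in DeviceTvmSoftwareVulnerabilitiesKB table, which already carries the CVE description, CVSS score, publication date and exploit availability. The KB table is a swapped-in data source here, used so that the query runs without an external feed; the severity filter is illustrative.

```kql
// Added example, not the author's query: enrich per-device CVE findings with CVE details.
// Swapped-in source: DeviceTvmSoftwareVulnerabilitiesKB instead of the CVE Mitre site.
// Assumption: column names as documented for the two DeviceTvm* tables.
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel in ("Critical", "High")   // illustrative filter
| join kind=leftouter (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, PublishedDate, IsExploitAvailable, VulnerabilityDescription
  ) on CveId
| summarize AffectedDevices = dcount(DeviceId),
            Devices         = make_set(DeviceName, 25),
            Software        = make_set(strcat(SoftwareVendor, " ", SoftwareName, " ", SoftwareVersion), 10)
          by CveId, VulnerabilitySeverityLevel, CvssScore, PublishedDate,
             IsExploitAvailable, VulnerabilityDescription
| order by IsExploitAvailable desc, CvssScore desc, AffectedDevices desc
```

    Sorting by exploit availability first gives the triage order a practitioner actually wants: publicly exploitable CVEs on the most devices at the top.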

  • Detection of spoofed Emails

    It has been a long journey to create a query that shows a high percentage of true positives regarding spoofed emails, but finally, I am proud of the results achieved! Basically, I check received emails where the DisplayName matches Entra ID account DisplayNames, and then I apply multiple filters and conditions…
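    As an added example of the first step described above (not the author's query, whose additional filters are not reproduced here), the query below matches the sender display name of inbound mail against Entra ID account display names from IdentityInfo and keeps only senders whose address is outside the organisation's domains. The internal domain list is a constructed placeholder.

```kql
// Added example, not the author's query: inbound mail whose sender display name matches an
// Entra ID account but whose sender domain is external (display-name impersonation).
// Assumption: internal_domains is a constructed placeholder; replace with accepted domains.
let internal_domains = dynamic(["contoso.com"]);
let known_names = IdentityInfo
| where isnotempty(AccountDisplayName)
| summarize by NameLower = tolower(AccountDisplayName), AccountUpn;
EmailEvents
| where Timestamp > ago(7d)
| where EmailDirection == "Inbound"
| extend SenderDomain = tolower(tostring(split(SenderFromAddress, "@")[1]))
| where SenderDomain !in (internal_domains)
| extend NameLower = tolower(SenderDisplayName)
| join kind=inner known_names on NameLower
| project Timestamp, NetworkMessageId, SenderDisplayName, SenderFromAddress, SenderMailFromAddress,
          ImpersonatedUpn = AccountUpn, RecipientEmailAddress, Subject, DeliveryAction,
          AuthenticationDetails
| order by Timestamp desc
```

    Comparing both SenderFromAddress (the header From) and SenderMailFromAddress (the envelope sender) in the output helps separate bulk senders that legitimately reuse a person's name from messages where both addresses are foreign to the organisation.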