Author: sergioalbea

  • Detecting Potential Malicious ISPs and their Associated IPs

    This query helps to identify ISPs where a successful sign-in was never completed, providing you with a list of the malicious IPs associated with them and the ISP country, and allowing you to set the threshold for malicious sign-in attempts. Therefore… ISPs without successful user connections and only failed attempts trying to take user credentials/tokens during…

  • Communication at risk due to the encryption algorithms (Ciphers) in use

    This time, I’m excited to share a shiny new KQL query that dives into the encrypted connections our devices are making. 🔒💻 To do this, I use the DeviceNetworkEvents table, filtering for connections where encryption algorithms are used. Then, I take a list of encryption algorithms from a database from…

  • Classifying HTTP Status Code and detecting possible Threats

    While exploring the DeviceNetworkEvents table in Defender XDR, I wanted to dig deeper into the different actions behind various HTTP status codes. I started with a few queries to identify cases where specific status codes were appearing repeatedly, and I uncovered some interesting insights, such as: users consistently accessing…

  • Detect Potential DLL Hijacking cases

    As part of my daily journey, when I want to research a specific threat, I usually think that someone on the internet has done some amazing job trying to collect data related to the threat itself. Indeed, in this case I am talking about the site hijacklibs.net, which is a project…

  • Differences between Entra ID User Phone and MFA Authentication Number

    How easy is it to identify a «malicious» phone number of an attacker configured for MFA on a user’s authentication? I have seen multiple queries that can help, such as identifying by country code, suspicious number format and others. Although they are good ones, I have not seen these options as a final…

  • Devices with external RDP connections

    This query identifies devices in the DeviceEvents table that are initiating RDP connections and provides the location of the remote IP addresses. The DeviceEvents table has a column called ‘LocalIP’, which can be confusing because it also includes remote IPs. I have added a line to only see entries where the IP…