Author: sergioalbea
Detecting Potential Malicious ISPs and their associated IPs

This query helps to identify ISPs where a successful sign-in was never completed, providing you with a list of the associated malicious IPs and the ISP country, and allowing you to set the threshold for malicious sign-in attempts. Therefore… ISPs without successful user connections and only failed attempts trying to take user credentials/tokens during…
Communication at risk due to the encryption algorithms (Ciphers) in use

This time, I’m excited to share a shiny new KQL query that dives into the encrypted connections our devices are making. 🔒💻 To do this, I use the DeviceNetworkEvents table, filtering by connections where encryption algorithms are used. Then, I take a list of the encryption algorithms database from…
Classifying HTTP Status Codes and detecting possible Threats

While exploring the DeviceNetworkEvents table in Defender XDR, I wanted to dig deeper into the different actions behind various HTTP status codes. I started with a few queries to identify cases where specific status codes were appearing repeatedly, and I uncovered some interesting insights, such as: – Users consistently accessing…
Detect Potential DLL Hijacking cases

As part of my daily journey, when I want to research a specific threat, I tend to think that someone on the internet has already done an amazing job collecting data related to the threat itself. Indeed, in this case I am talking about the site hijacklibs.net, which is a project…
Differences between Entra ID User Phone and MFA auth. number

How easy is it to identify a «malicious» phone number of an attacker configured as MFA on user authentication? I have seen multiple queries that can help, such as identifying by country code, suspicious number format and others. Although they are good ones, I have not seen these options as a final…
Devices with external RDP connections

This query identifies devices in the DeviceEvents table that are initiating RDP connections and provides the location of the remote IP addresses. The DeviceEvents table has a column called ‘LocalIP’ which can be confusing, because it also includes RemoteIPs. I have added a line to only see entries where the IP…