Mehmet Ergene
@cyb3rmonk.bsky.social
https://academy.bluraven.io

Threat Hunting & Research, Detection Engineering | Microsoft Security MVP
#KQL #DFIR #DataScience

All is one.

Opinions are my own


http://posts.bluraven.io
https://github.com/Cyb3r-Monk/Threat-Hunting-and-Detection
Reposted by Mehmet Ergene
Check out my new blog on nested app authentication.
Why should Microsoft's Nested App Authentication (NAA) be on your security team's radar? @1cemoon.bsky.social breaks down NAA and shows how attackers can pivot between Azure resources using brokered authentication. ghst.ly/45h2Zw3
Going for Broke(ring) – Offensive Walkthrough for Nested App Authentication - SpecterOps
In-depth walkthrough for using nested app authentication (NAA), or BroCI, for offensive engagements to access information and resources.
ghst.ly
August 13, 2025 at 4:43 PM
🛑 Azure Resource Graph limits number of results to 1000 when queried from Sentinel or Defender XDR using KQL.

There is a little trick that lets you bypass these limits.🤓

🔗
academy.bluraven.io/blog/queryin...

#KQL #MicrosoftSentinel #AzureResourceGraph #DefenderXDR
Querying Azure Resource Graph Without Limits Using KQL
Learn how to query Azure Resource Graph using KQL without hitting limits.
academy.bluraven.io
June 24, 2025 at 2:33 PM
Reposted by Mehmet Ergene
Hello, friends! I'm thrilled to announce that The Homelab Almanac, v3.0 has officially launched! There is a **ton** of new stuff in this version, including:

- Proper DNS
- PKI
- Automatic signed certificates
- New secrets management
- Proxmox clustering
- Cloud integration
Announcing The Homelab Almanac: Version 3.0
The best guide to homelabs just got a lot better—and bigger.
taggart-tech.com
June 7, 2025 at 4:58 AM
🚨 BadSuccessor = Bad OPSEC

With the right audit config, it's pretty easy to detect BadSuccessor.

academy.bluraven.io/blog/detecti...

#ThreatHunting #DetectionEngineering #ThreatDetection
#BadSuccessor
Detecting BadSuccessor: Shortcut to Domain Admin
Detect BadSuccessor attacks exploiting dMSA in Windows Server 2025. Learn key detection methods and auditing configurations.
academy.bluraven.io
June 3, 2025 at 2:50 PM
🚨 Test your Lateral Movement investigation skills!

We have just added a new challenge to our FREE "Hands-On Introduction to KQL for Security Analysis" course!

You can even test your AI agents' skills 😉

#KQL #Kusto #MicrosoftSentinel #MicrosoftDefender

academy.bluraven.io/course/intro...
April 19, 2025 at 3:49 PM
🐣 HAPPY EASTER CAPSTONE! 🛡️

My KQL courses now include a complete attack scenario to test your skills — end to end.

🎯 Hands-on labs
📉 20% OFF for a limited time!
Crack it open 👇

#KQL #Kusto #ThreatHunting #DetectionEngineering #DFIR

academy.bluraven.io
Home - Blu Raven Academy
Master KQL for threat hunting, detection engineering, and incident response in a hyper-realistic lab environment using real logs!
academy.bluraven.io
April 18, 2025 at 12:46 PM
🎁 NEW UPDATE:

I've added a small challenge to my FREE "Hands-On Introduction to KQL for Security Analysis" course.

More will be coming soon!

#KQL #Kusto #MicrosoftDefender #MicrosoftSentinel
academy.bluraven.io/course/intro...
April 17, 2025 at 3:31 PM
🚨 FREE unlimited lab access to "Introduction to KQL for Security Analysis" course!

Thrilled to announce that my Intro to KQL for Security Analysis lab environment is now completely free with no time restrictions!

academy.bluraven.io/course/intro...

#KQL #Kusto #ThreatHunting #Infosec
Introduction to KQL for Security Analysis
Learn the basics of KQL to start your journey into security investigations, threat hunting, and detection engineering with hands-on experience in a hyper-realistic lab environment! Certificate of Com...
academy.bluraven.io
April 10, 2025 at 2:37 PM
🚨 Problem with Cyber Range/Training platforms ❓

Most range platforms and training labs provide you with all the questions to solve, hinting answers to other questions.

I've implemented a trick to hide some questions that reveal hints for other questions for a real-life experience.

Stay tuned.👀
April 2, 2025 at 2:26 PM
🚨 Detect C2 Beacons!

New Microsoft Defender for Endpoint telemetry provides new opportunities for threat detection!

🔗
academy.bluraven.io/blog/beaconi...

#ThreatHunting #DetectionEngineering #MDE
C2 Beaconing Detection with MDE Aggregated Report Telemetry
Detecting C2 Beaconing using MDE Aggregated Report Telemetry.
academy.bluraven.io
March 14, 2025 at 2:13 PM
When you group your logs by timestamp (binning) to detect threats, you probably cause false negatives. Solve it using sliding window counts!

academy.bluraven.io/blog/advance...

#KQL #ThreatHunting #DetectionEngineering
Advanced KQL for Threat Hunting: Window Functions — Part 2
Sliding window functions are one of the powerful methods for accurate detections as they eliminate the potential false negatives. They can be used in threat hunting, detection engineering, and DFIR to...
academy.bluraven.io
February 28, 2025 at 3:52 PM
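To make the false-negative problem concrete, here is an added illustration (not the blog's own KQL, and not code from the original post) written in Python. It runs a "5 failed logons in 10 minutes" rule two ways over a constructed sample: once with fixed 10-minute bins (the equivalent of `summarize count() by bin(TimeGenerated, 10m), Account`) and once with a trailing sliding window. The account names, timestamps, threshold and window size are all assumptions chosen for the demonstration; the burst for `svc-backup` is deliberately placed across a bin boundary so that binning splits it 3+2 and never fires, while the sliding window sees all 5.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                 # assumed rule: >= 5 failed logons ...
WINDOW = timedelta(minutes=10)  # ... within any 10-minute span

# Constructed sample failed-logon events: (timestamp, account).
# svc-backup: 5 events spanning 09:05-09:14, straddling the 09:10 bin edge.
# bob:        5 events inside a single bin (both methods should catch this).
# carol:      5 events spread over 30 minutes (neither method should fire).
# alice:      a lone failure (noise).
SAMPLE_EVENTS = [
    (datetime(2025, 2, 28, 9, 5), "svc-backup"),
    (datetime(2025, 2, 28, 9, 6), "svc-backup"),
    (datetime(2025, 2, 28, 9, 8), "svc-backup"),
    (datetime(2025, 2, 28, 9, 12), "svc-backup"),
    (datetime(2025, 2, 28, 9, 14), "svc-backup"),
    (datetime(2025, 2, 28, 9, 21), "bob"),
    (datetime(2025, 2, 28, 9, 22), "bob"),
    (datetime(2025, 2, 28, 9, 23), "bob"),
    (datetime(2025, 2, 28, 9, 24), "bob"),
    (datetime(2025, 2, 28, 9, 25), "bob"),
    (datetime(2025, 2, 28, 9, 0), "carol"),
    (datetime(2025, 2, 28, 9, 7), "carol"),
    (datetime(2025, 2, 28, 9, 15), "carol"),
    (datetime(2025, 2, 28, 9, 22), "carol"),
    (datetime(2025, 2, 28, 9, 29), "carol"),
    (datetime(2025, 2, 28, 9, 7), "alice"),
]


def fixed_bin_counts(events, window=WINDOW):
    """Count events per (account, bin start), like bin()/summarize in KQL."""
    counts = defaultdict(int)
    for ts, account in events:
        # Floor the timestamp to the start of its fixed-size bin.
        bin_start = ts - ((ts - datetime.min) % window)
        counts[(account, bin_start)] += 1
    return dict(counts)


def fixed_bin_alerts(events, threshold=THRESHOLD, window=WINDOW):
    """Accounts whose count inside any single fixed bin reaches the threshold."""
    counts = fixed_bin_counts(events, window)
    return sorted({acct for (acct, _), n in counts.items() if n >= threshold})


def sliding_window_alerts(events, threshold=THRESHOLD, window=WINDOW):
    """For every event, count same-account events in the trailing window
    (t - window, t]. Returns {account: (window_start, window_end, count)}
    for the first event at which the threshold is reached."""
    by_account = defaultdict(list)
    for ts, acct in sorted(events):
        by_account[acct].append(ts)

    alerts = {}
    for acct, times in by_account.items():
        left = 0
        for right, t in enumerate(times):
            # Slide the left edge forward past events that fell out of the window.
            while times[left] <= t - window:
                left += 1
            n = right - left + 1
            if n >= threshold:
                alerts[acct] = (times[left], t, n)
                break
    return alerts


if __name__ == "__main__":
    print("fixed bins   :", fixed_bin_alerts(SAMPLE_EVENTS))
    print("sliding window:", sliding_window_alerts(SAMPLE_EVENTS))
```

With this sample the binned rule reports only `bob`; the sliding-window rule reports `bob` and `svc-backup` while still ignoring `carol`, whose failures never cluster within 10 minutes. The two-pointer loop keeps the sliding count linear in the number of events per account, which is the same shape a KQL implementation with window functions aims for.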
Reposted by Mehmet Ergene
It appears Microsoft quietly mitigated most of the risk of the "Intune company portal" device compliance CA bypass by restricting the scope of Azure AD graph tokens issued to this app, making them almost useless for most abuse scenarios. Thx @domchell.bsky.social for the heads up.
February 20, 2025 at 11:08 AM
🥲 Seems like you don't even have to use residential proxies for device code phishing for evasion. Just get a machine in one of the cloud providers' corresponding regions. 🤷‍♂️
February 15, 2025 at 3:15 PM
💙Fall in Love with Threat Hunting, Incident Response, and Detection Engineering using #KQL💙
Code: VLTN30
Valid until 17.02

#ThreatHunting
academy.bluraven.io
February 15, 2025 at 2:27 PM
🚨 Time to check your detection queries for MDE:

DLL load events are recorded in DeviceImageLoadEvents table, NOT DeviceEvents table. I keep seeing people sharing queries with the wrong table and even with the wrong ActionType filters.
February 8, 2025 at 11:51 AM
Reposted by Mehmet Ergene
Here it is: your complete guide to building a Wireguard network that doesn't require any open ports at home, and doesn't require any third-party tools. Just Wireguard, your devices, and a little elbow grease.

taggart-tech.com/wir...
Your Private Wireguard Network from Scratch
Let's learn how to set up our own private network for secure self-hosted services.
taggart-tech.com
January 30, 2025 at 5:32 PM
It seems like there is an easy way to block VS Code tunnels (Dev Tunnels) on Windows to prevent malicious usage. 😮

techcommunity.microsoft.com/blog/azurede...
How to Manage Dev Tunnels with Group Policies
Dev Tunnels is a tunneling service that can boost your productivity when testing and debugging web apps, webhooks, APIs, and more
techcommunity.microsoft.com
January 30, 2025 at 2:40 PM
Reposted by Mehmet Ergene
#LOLBAS project update:

Entries now have placeholders for paths, URLs, and more. This makes it easier to visually see what parts are "variable", and for LOLBAS API users (lolbas-project.github.io/api/) it'll be easier to use with automation.

Check it out:
lolbas-project.github.io
January 28, 2025 at 3:13 PM
Detectable by Design?
We keep failing on "shift left", "secure by design", etc. to prevent malicious activities.
How about "detectable by design" approach? It's certain your product will fail on the prevention side but you could design it in a way that makes it easy to detect malicious activities.
January 24, 2025 at 4:59 PM