Steven Lim
@stevenlim.bsky.social
#Cybersecurity #Sentinel #DefenderXDR #KQL #Azure #M365 #KQLWizard

https://detections.ai/user/KQLWizard
LDAPNightmare POC Detection
www.safebreach.com/blog/ldapnig...
January 3, 2025 at 12:11 PM
Custom DefenderXDR Detection - Blocking 24 Malicious Chrome Extensions 🛡️
www.extensiontotal.com/cyberhaven-i...
January 1, 2025 at 9:35 AM
Hunting 16 Malicious Chrome Extensions 🔥
thehackernews.com/2024/12/16-c...
github.com/SlimKQL/Hunt...
December 30, 2024 at 6:04 AM
🚨 Reports suggest US authorities may ban TP-Link Wi-Fi routers in 2025. Regulated industries, ensure your end users aren't connected to TP-Link routers. Use MDE discovery and DefenderXDR's SeenBy() to detect connections. 🛡️📡
December 22, 2024 at 4:28 PM
Advanced Vishing KQL Detection by sending your Teams PSTN call log to ADX 🎯
www.trendmicro.com/en_us/resear...
December 19, 2024 at 5:17 AM
PowerShell Self-Pwn Detection

Proofpoint highlights a social engineering tactic where users are tricked into running malicious PowerShell scripts, leading to malware infections. Despite needing user interaction, the attack's success relies on clever social engineering.
December 17, 2024 at 5:55 AM
Detecting Teams Red Team Tool ConvoC2
cybersecuritynews.com/red-team-too...
December 11, 2024 at 4:09 PM
SentinelLabs observed a threat actor targeting service providers in Southern Europe abusing Visual Studio Code tunnels to maintain persistent remote access to compromised systems. www.bleepingcomputer.com/news/securit... KQL to detect such abuse.
December 10, 2024 at 11:51 PM
Detect Black Basta Ransomware Campaign RMM Tools Deployment - Social Engineering Attack via Teams where the ransomware operator sends a SharePoint link to a user to download portable RMM tools to evade detection by the web proxy. www.rapid7.com/blog/post/20...
December 10, 2024 at 5:35 AM
The KQL Grimoire 📖

A collection of the most sought-after KQL spells for Microsoft Sentinel and DefenderXDR
www.linkedin.com/pulse/slims-...
A collection of the most sought-after KQL spells for Microsoft Sentinel and DefenderXDR 🔥 [** Updated: 7th December 2024 **] Hello! Let me share a little about my professional journey. My experience s...
December 7, 2024 at 5:24 AM
New URL File NTLM Hash Disclosure Vulnerability Detection (0day)
A highly accurate DefenderXDR exposure management detection for URL File NTLM Hash Disclosure Vulnerability (0day) www.bleepingcomputer.com/news/securit...
December 6, 2024 at 7:43 PM
In AD environments, Timeroasting exploits NTP authentication to request password hashes of computer/trust accounts. If non-standard or legacy passwords are used, offline brute-forcing is possible. I've created a KQL query to detect such activities. #KQL #Timeroast
December 2, 2024 at 6:01 AM
Sharing a Sentinel KQL detection for ShadowHound by Friends-Security, which enhances AD enumeration for security assessments. Beware: it can be misused by threat actors & red teamers for reconnaissance. My KQL rule helps identify and mitigate these risks. #KQL #ShadowHound
December 1, 2024 at 12:38 PM
Hunting Rockstar 2FA: A Key Player in Phishing-as-a-Service (PaaS)
www.trustwave.com/en-us/resour...
November 29, 2024 at 5:30 PM
Social Engineering Attack Alert - Teams & Emails

Kevin Beaumont shared insights on helping orgs recover from ransomware attacks. Key tactic: social engineering. Attackers used phone recon to gather contacts, then flooded users with emails & Teams messages. Custom KQL script for early detection:
November 29, 2024 at 7:57 AM
CloudApp BEC Defense Policy - Axios

Attackers bypass MFA using a phishing framework with Axios HTTP client. Detect compromise in sign-in logs with user agent axios/1.7.7. Proposing auto-detection & isolation for SecOps assessment.

Sources: Asger Deleuran Strunk / Stephan Berger
November 28, 2024 at 9:59 AM
The Perfect Custom Detection ... 😘

Using CloudApp & Behaviour Analytics to detect malicious threat actor Copilot Agent.

#Cybersecurity #DefenderXDR #CloudApp #CopilotAgent #KQL
November 27, 2024 at 10:44 AM
Phishing by Design: Two-Step Attacks Using .vsdx Files

I have crafted a precise KQL using Microsoft Defender for Office 365 and Endpoint to detect such abuse scenarios.

perception-point.io/blog/phishin...

#Cybersecurity #KQL #Phishing #Evasion #TrustedPlatform
November 12, 2024 at 5:56 AM
Reposted by Steven Lim
🦋 Introducing bluesky.ms 👏 = A crowdsourced database of anyone and everyone in the Microsoft community on Bluesky.

👉 Add yourself and anyone you know today 👈

🫂 All are welcome.

This is my v1, I'll add options to directly follow from the site itself but first 👇

LET'S FILL IT UP! 🙏
Search bluesky.ms
Use this page to search for the Microsoft community on bluesky.ms.
bluesky.ms
November 8, 2024 at 3:51 PM
Singapore the lightning capital of the world 🌩
June 25, 2023 at 9:22 PM
A radiant palette igniting the sky.
June 13, 2023 at 1:25 PM
I Light Singapore 🇸🇬
#ilightsingapore #singapore
June 2, 2023 at 1:33 PM
My sunset aurora 😍
May 14, 2023 at 3:15 AM
GM ... BlueSky + 🌚
May 11, 2023 at 4:10 PM