• Isolated an Endpoint? Automate tag adding and notifications

    If you are part of a big organization, you might need to reach out to some colleagues and teams, in case you isolate an endpoint. An end user will probably reach out to your help desk in order to identify if there is an issue with her/his endpoint. Hence, you may want to spare some…

  • Harnessing threat intelligence using externaldata operator

    Having a Threat Intelligence Platform (TIP) to maintain Indicators of Compromise (IoCs) is something of a standard these days. However, not all organizations use a TIP such as MISP, but this shouldn’t prevent anyone from using threat intelligence feeds for hunting, especially when it comes to Microsoft Defender XDR. Table of Contents What are threat intelligence…

  • Five (plus one) notable cyber attacks in Greece during 2023

    Advanced Persistent Threats (APTs), cybercriminals and hacktivists conducted a plethora of cyber attacks, including ransomware and DDoS attacks, shaping an interesting threat landscape for Greece throughout 2023. As was done for 2022, below you will find a report of five (plus one this year!) notable cyber attacks in Greece, with information derived from publicly accessible reports…

  • Detecting RMM tools using Microsoft Defender for Endpoint

    Introduction It’s no secret that Remote Monitoring and Management (RMM) software is being used by Threat Actors (TAs) for lateral movement and to establish command and control (C2). The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA) highlighting the…

  • Investigating initial access in compromised email accounts using Microsoft 365 Defender

    Introduction Fortra recently released a report indicating that business email compromise (BEC) attacks are at their zenith. Why not? As ENISA mentions in its 2022 Threat Landscape Report, financially motivated threat actors find it far easier to perform a Man-in-the-Middle (MiTM) attack through an account takeover rather than preparing and conducting sophisticated malware attacks…

  • Remotely restart endpoints using MDE live response

    If you haven’t familiarized yourself with Microsoft Defender for Endpoint live response, this is a simple exercise: perform a live response session using the scripts library and store a simple, straightforward PowerShell script that restarts the endpoint, something that is not available through the Microsoft 365 Defender portal. What is live response? Live response…

  • The absolute beginner’s guide for hunting with KQL

    Building queries for Microsoft 365 Defender or Microsoft Sentinel can be challenging, especially when complex requirements involve maze-like table data. Be that as it may, it is important to keep a set of simple queries handy, ready to be used immediately whenever threat hunting or detection needs to take place. As…

  • An OSINT analysis of the Greek school exams site DDoS attack

    In the early hours of Monday, May 29th, thousands of high school students throughout Greece went to their schools to sit their scheduled exams. Little did they know that they would face a long wait before the exam subjects reached them, due to “technical difficulties”. Later that day, the Ministry of Education…

  • Operationalizing MITRE ATT&CK with Microsoft Security (Part 1)

    The MITRE ATT&CK framework has emerged as a cornerstone of modern cybersecurity, empowering organizations to navigate the complex world of cyber attacks with greater clarity and effectiveness. The ATT&CK matrix provides a comprehensive knowledge base of adversary tactics, techniques, and procedures (TTPs) that enables security teams to better understand, detect, and respond to sophisticated threats…

  • Threat intelligence and contextualization, here’s what you need to consider

    Introduction Threat intelligence is a growing domain, as it allows organizations to face increasingly sophisticated and persistent threats from cybercriminals, state-sponsored hackers, and other malicious actors; there are some aspects to take into consideration when building competent informed-defense countermeasures. To effectively defend against these threats, organizations need to build contextualization into their threat intelligence platforms…