zak_sec - Network

Threw together a blog post of the common risks / misconfigurations frequently seen in smaller organizations. The blog includes guides and...

Threw together a blog post of the common risks / misconfigurations frequently seen in smaller organizations.

The blog includes guides and steps they can take to quickly improve their security posture and make jumps in security with little overhead.

Please check out the article and share with anyone who may benefit!

#smallbusiness #Risk
https://thoresonconsulting.com/cyber-security-blog/5-easy-steps-small-business-can-take-to-massively-improve-security

Doing some studying / reviewing for the #Azure #AZ500. Highly recommend John Saville's Study Cram if you're re-certifying or taking...

Doing some studying / reviewing for the #Azure #AZ500. Highly recommend John Saville's Study Cram if you're re-certifying or taking it for the first time:

https://www.youtube.com/watch?v=6vISzj-z8k4&

I have had the opportunity to step into a cloud security manager role. Getting up to speed on #cicd without a developer background has been...

I have had the opportunity to step into a cloud security manager role.

Getting up to speed on #cicd without a developer background has been like drinking from a firehose, but I found this video extremely helpful:

https://www.youtube.com/watch?v=qP8kir2GUgo&ab_channel=TechWorldwithNana

As I keep exploring the world of #cloudsecurity I'll share what I learn. Maybe a blog post or something coming soon.

Emotet back still using macros .... but this time the file size is big....

Emotet back still using macros .... but this time the file size is big.

https://www.darkreading.com/threat-intelligence/emotet-resurfaces-yet-again-after-three-month-hiatus

Reading through the Sophos Blog on #QakNote gave some opportunity for some #regex practice: EmailAttachmentInfo| join EmailEvents on...

Reading through the Sophos Blog on #QakNote gave some opportunity for some #regex practice:

EmailAttachmentInfo
| join EmailEvents on NetworkMessageId
| where FileName matches regex @'(?:ApplicationReject_)\d{5}.\w{5}.(?:.one)' or
FileName matches regex @'(?:ComplaintCopy_)\d{5}.\w{5}.(?:.one)'

Happy Hunting ~

https://news.sophos.com/en-us/2023/02/06/qakbot-onenote-attacks/

Those looking into the recent Cybereason article on #sliver (https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors) may...

Those looking into the recent Cybereason article on #sliver (https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors) may find interest in the Microsoft Seucrity Blog from August (https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/) offering additional 'Advanced Hunting' queries and detection logic.

Stumbled on a super helpful repo full of KQL queries - working with Defender for Cloud Apps via 'Advanced Hunt' offers a lot more...

Stumbled on a super helpful repo full of KQL queries - working with Defender for Cloud Apps via 'Advanced Hunt' offers a lot more capabilities than the dashboard allows alone.

https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules

Bunked down, it’s a don’t go anywhere kind of day 🥶

Bunked down, it’s a don’t go anywhere kind of day 🥶

Some #KQL commands to perform #ThreatHunting might look like:EmailAttachmentInfo| where FileName has ".iso" or FileName endswith...

Some #KQL commands to perform #ThreatHunting might look like:

EmailAttachmentInfo
| where FileName has ".iso" or FileName endswith ".img"
| where SenderFromAddress !endswind "company.com"

DeviceFileEvents
| where FileName endswish ".html"
| where FireOriginatingReffererUrl has ".zip"

Digging into the recent Qbot #malware using .svg files embedded with javascript. Seen here:...

Digging into the recent Qbot #malware using .svg files embedded with javascript. Seen here: https://www.bleepingcomputer.com/news/security/attackers-use-svg-files-to-smuggle-qbot-malware-onto-windows-systems/

It's possible to #hunt for e-mails with attachments containing .iso files external or the org. It is also a good idea to include .img files in the hunt as they have also been used in attacks.

Additionally, hunting for .html files originating from .zip files can also lead to interesting finds.

Finally, Intune users can leverage ASR rules to automatically block Javascript and VBscript originating from the internet.

Satellite / Space security is definitely going to heat up. Compromising a satellite is a much quieter alternative to the kinetic approach...

Satellite / Space security is definitely going to heat up. Compromising a satellite is a much quieter alternative to the kinetic approach seen making headlines in the past. https://www.cyberscoop.com/apt28-fancy-bear-satellite/

Excited to explore the new home to network in #threatintel #dfir and #infosec. Looking forward to finding old connections & making new...

Excited to explore the new home to network in #threatintel #dfir and #infosec.

Looking forward to finding old connections & making new ones!