Don't Click It!

dfir-ent

Cybersecurity. Cyber Defense + (DF) Incident Response

SOC Pt 1: Elastic, Tines, and Jira

A few months ago, I was reading Coinbase's blog series about how they scaled their detection and response operations, and aside from the SecurityBot, I was really interested in the platform they built to centralize their investigations. I believe I was looking at one of their job descriptions

Hunting Encoded PowerShell Commands in Defender

In Microsoft Defender under "Advanced Hunting," I ran several different queries to see if I could find anything interesting in the environment. This was my first time experiencing the hunt capabilities, and I really enjoyed learning about how useful this is. One of these queries was to look

Auditing M365 Mailbox Permissions

While reviewing the Identity and Access Management (IAM) lifecycle in SEC401, one concept that stood out to me was revocation. This step is often overlooked in the access management process. One area that I thought of immediately where revocation is frequently skipped is M365 mailbox permissions. Where? Why? In most

Prefetch in Windows

Prefetch is a "tool" that I have used many times previously in different "forensic investigations", put simply, due to how simple it is to use, and how valuable it can be. In case you are not familiar with it, Prefetch is a directory that you can

Avoiding the Steam API Scam: Fake CS:GO Tournaments

At the height of the pandemic, naturally, I started playing more games online. The star of this blog is the game Counter-Strike: Global Offensive. I was really into this game and had started playing it very frequently. A couple of months into the game, I got into the skin market.

Phishing for Prey: Shady Saviors

While I was browsing Twitter, I happened to glance over at “What’s happening” and saw Coinbase trending with 61k+ Tweets. As it does, curiosity struck and I fell into the Twitter wormhole we all know so well. After scrolling past a few tweets, I saw a Tweet from a