Team Axon
@team__axon

126 posts

An elite team of threat hunting experts by @hunters_ai. Follow us for timely updates on emerging cyber threats and more.

Joined October 2022
210 Following, 166 Followers

Team Axon (@team__axon):
In the example above, "awesome gift card.pdf" was downloaded from Telegram on the Windows machine COMP-TEST01.

Team Axon (@team__axon):
🔥 Forensics Tip 🔥 If you ingest CrowdStrike Raw Events, look for MotwWritten (“Mark of the Web”). It can show if a file was web-downloaded, plus the URL and referrer. ⚠️ We’ve seen it’s not always triggered, so missing it ≠ not downloaded. But when present, it’s very valuable.

Team Axon reposted Lavi Goldshtein (@LaviGoldshtein):
While investigating various account takeovers in M365, we found a simple yet powerful hunting logic that consistently surfaces suspicious activity: look for successful logins to the OfficeHome application from non-browser user agents.

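The hunting logic in the post above, worked into runnable code as an added example (not code from Lavi Goldshtein, Team Axon or Hunters): it scans constructed Entra ID sign-in records, keeps successful sign-ins to the OfficeHome application, and flags those whose user agent does not look like a browser. The field names follow the Microsoft Graph signIn resource (appDisplayName, userAgent, status.errorCode, userPrincipalName, ipAddress); the sample records and the browser-detection heuristic are assumptions.

```python
import re

# Constructed sign-in records (assumed to mirror Microsoft Graph signIn fields).
SIGN_INS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "OfficeHome",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "OfficeHome",
     "userAgent": "python-requests/2.31.0",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "OfficeHome",
     "userAgent": "axios/1.6.8",
     "ipAddress": "198.51.100.9", "status": {"errorCode": 50126}},   # failed sign-in: ignored
    {"userPrincipalName": "dave@example.com", "appDisplayName": "Microsoft Teams",
     "userAgent": "BAV2ROPC",
     "ipAddress": "198.51.100.11", "status": {"errorCode": 0}},      # other app: ignored
    {"userPrincipalName": "erin@example.com", "appDisplayName": "OfficeHome",
     "userAgent": "BAV2ROPC",
     "ipAddress": "198.51.100.12", "status": {"errorCode": 0}},
]

# Heuristic (an assumption, tune to your tenant's baseline): real browsers send a
# Mozilla/5.0 token followed by an engine or browser family. HTTP libraries,
# legacy-auth clients and empty user agents are treated as non-browser.
_BROWSER_RE = re.compile(
    r"^Mozilla/5\.0 .*\b(AppleWebKit|Gecko|Chrome|Safari|Firefox|Edg)\b"
)

def is_browser_user_agent(ua) -> bool:
    return bool(ua) and _BROWSER_RE.search(ua) is not None

def officehome_nonbrowser_logins(sign_ins):
    """Return (user, ip, userAgent) for successful OfficeHome sign-ins with a non-browser UA."""
    hits = []
    for rec in sign_ins:
        if rec.get("appDisplayName") != "OfficeHome":
            continue
        if rec.get("status", {}).get("errorCode", -1) != 0:   # 0 = success in Entra sign-in logs
            continue
        ua = rec.get("userAgent")
        if not is_browser_user_agent(ua):
            hits.append((rec["userPrincipalName"], rec["ipAddress"], ua))
    return hits

if __name__ == "__main__":
    for user, ip, ua in officehome_nonbrowser_logins(SIGN_INS):
        print(f"SUSPICIOUS OfficeHome sign-in: {user} from {ip} via {ua!r}")
```

Triage each hit against the user's usual devices and locations before escalating; a non-browser agent on its own is a lead, not a verdict.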
Team Axon (@team__axon):
Last week, we had the honor of attending Avantec’s Cyber Threat Exchange conference in Switzerland 🇨🇭. Our researcher Uri Kornitzer shared valuable insights around building agentic AI for SOC teams. Huge thanks to Avantec for hosting; it was a great event!

Team Axon (@team__axon):
Unique Token Identifier (UTI) and IP address are key attributes when investigating incidents in Azure, especially those involving Managed Identities. Here’s where and how they appear across Azure data sources relevant to Managed Identity events.

Team Axon (@team__axon):
Detection Engineering ...

Team Axon (@team__axon):
Threat hunting tip 🔥 Look for ChatCreated events in M365 logs where the sender domain is external + rarely seen. This pattern often signals fake IT/Helpdesk phishing in Teams. We share detection logic in our latest blog: hubs.li/Q03G1Z-_0 #ThreatHunting #MicrosoftTeams

Team Axon (@team__axon):
Attackers are abusing #MicrosoftTeams as an initial access vector.
- Fake IT/Helpdesk chats
- Vishing calls with no warning banners
- File delivery via hidden SharePoint links
We break down the logs, artifacts & hunting queries SOCs need: hubs.li/Q03G1Z-_0

Team Axon (@team__axon):
Understanding Azure Managed Identities (NHIs) is critical for defenders, red teamers, and researchers alike. Our researchers break down MI internals, JWT token abuse, and real-world attack vectors in Part 1 of our technical deep dive. Read the research: hubs.li/Q03dGK7T0

Team Axon (@team__axon):
GitHub Actions Supply Chain Attack (tj-actions & reviewdog) update: Team AXON dropped tools to detect secrets leaked via CVE-2025-30066 & CVE-2025-30154:
🔍 Secret Scanner
📦 Log Fetcher (Linux/Win)
Protect your repos now: hubs.li/Q03cXXTl0

Team Axon (@team__axon):
C2 over OneDrive, social engineering via Microsoft Teams OneOnOne messages, and much more: #VEILDrive includes them all. The new threat campaign identified by team #AXON. IOCs, hunting queries, and detailed analysis can be found here: hubs.li/Q02WRnrn0 #CYBERSEC #DFIR #Hunters

Team Axon reposted Alon Klayman (@CYBER_TLDR):
Hunters’ team AXON has observed a concerning rise in Microsoft services abuse over the past few months. A notable trend is the increase in targeted attacks initiated through social engineering via Microsoft Teams, specifically through OneOnOne messages that exploit the default “External Access” feature in Microsoft 365. To protect yourself and your organization, make sure to:
✅ Allow only specific external domains (if necessary)
🚦 Strictly control your organization’s guest access settings
🚫 Block anonymous access
Stay tuned for more details coming soon! #Microsoft365 #DFIR #THREATHUNTING #THREATINTEL #CyberSecurity #MicrosoftTeams

Team Axon reposted Lavi Goldshtein (@LaviGoldshtein):
1 / 2 We've researched how EDRs audit plist files in macOS LaunchAgents. Detection issues can allow persistence mechanisms to slip through, impacting visibility and security posture. #Cybersecurity #macOS #EDR #ThreatHunting #Infosec

Team Axon (@team__axon):
The following query identifies Windows machines affected by the recent CrowdStrike outage. It detects C-00000291 driver downloads (based on LFODownloadConfirmation events) and correlates them with deletions to identify repaired machines. github.com/axon-git/rapid… #Crowdstrikeoutage