-Yiannis-

So i polished my KQL notes and ended up with a 70 page long pdf. You can find it here github.com/secgroundzero/… Thx and credits also go to @DebugPrivilege @rpargman @olafhartong as i rely a lot on their insights.

First post after a long long time. I had the opportunity to present at @EXNESS behind-the-code event at a unique setting. The interaction and networking at a physical event was refreshing.

It's Launch Day for #CloudBreach! Register for #BreachingAzure Lab and get 25% discount code using the promo code "LAUNCHDAY25". #BreachingAzure challenges students to utilise the latest offensive techniques in a realistic hybrid environment. Are you ready to breach the cloud?

Shoutout to @GeorgePatsias1 for his very cool project github.com/GeorgePatsias/…. #netsec #infosec #redteam

@rpargman @DebugPrivilege @olafhartong Very happy to hear that. I learned a lot from the people sharing their work.

@Sec_GroundZero @DebugPrivilege @olafhartong This is such excellent work, Yiannis! I’ve been reading through sections today as I get the chance and I’m so impressed by the thought and care that you put into building such good examples and explanations. You have contributed an amazing work that will benefit many people! 🙏

So i polished my KQL notes and ended up with a 70 page long pdf. You can find it here github.com/secgroundzero/… Thx and credits also go to @DebugPrivilege @rpargman @olafhartong as i rely a lot on their insights.

@arcanecode Thank you. I use notion for technical notes and obsidian for non tech research/book but i will check this out as well.

@Sec_GroundZero Depending on your needs, you might want to check out Standard Notes. I just wrote a blog article about it: arcanecode.com/2021/05/17/sta…

Switched from Evernote to Notion and finally my notes are starting to make visual sense.

@Max_Mal_ @olafhartong @falconforceteam This might be different as the PE header is also changed if i am reading this correct in order to bypass this detection.

@Sec_GroundZero @olafhartong @falconforceteam T1036.003\005 app.any.run/tasks/466fec14… Curl.com == certutil.exe

Quick KQL query to hunt for renamed lolbins not running from c:\windows, \system32 or \syswow64. @olafhartong showed it in a more elegant way for MDE as part of the @falconforceteam FalconFriday. #threathunting (medium.com/falconforce/fa…) gist.github.com/secgroundzero/…

First attempt with standard dev in KQL based on @rpargman beaconing analysis to detect potential bruteforce attacks with EID4625. gist.github.com/secgroundzero/…

Discord bot cnc github.com/GeorgePatsias/… - @GeorgePatsias1

Last Tuesday I moderated an event organized by the Int'al Chamber of Commerce National Committee of CY,titled Digital Economy&the Importance of ICT for Business in a post-COVID environment. If you didn't have the chance to watch it, check out the recording lnkd.in/dhxHg2n

4 days of intense detection engineering training with @olafhartong done. So much info to ingest from the trainers and the great course participants. Now back to that detection cycle.

Day 1 of @falconforceteam detection engineering course done. Amazing content, tons of new learning and @olafhartong makes it easy. Looking forward for the next days.

@s4n7h0 @InfoSecCampus Any of the projects @olafhartong is working on

Howdy twitterland, which tool author do you want to hear in the next @InfoSecCampus SecTools podcast episode? #SecTools #podcast #opensource

Answer is that they don't have to be normalized. EQL understands the schema and it can be queried directly.

@0xffhh @DebugPrivilege Little bit of a hacky solution but I think i got it working working with milliseconds. #file-kql_new_user-kql" target="_blank" rel="nofollow noopener">gist.github.com/secgroundzero/…

@Sec_GroundZero @DebugPrivilege There’s also datetime_diff() which you might be able to use. However, Im not aware of such an elegant solution as with maxspan.

Is there a way to do similar to EQL (sequence with maxspan) with KQL? Basically want to compare the time generated of 2 different events. #azure #Sentinel

1986 when my dad (center) was the distributor for the new North Star microcomputers (mainframes) in Cyprus.

@0xffhh @DebugPrivilege As you said it wont be elegant it seems. I dont think ago will do it but i will try with datetime_diff. went through @DebugPrivilege guide but couldnt find anything close to this. Probably do 2 let commands to hold each date from and then compare the two. Union & iif or something