Build a fast, free, and effective Threat Hunting/Incident Response Console with Windows Event Forwarding and PowerBI


Monitoring your network and gathering massive amounts of data has become easier and easier. Many guides exist on how to gather data, and lots of companies have “enterprise grade” Security Information and Event Management products that can ingest terabytes of data. But what seems to be missing from most environments is the ability to apply…


When the manual is not enough – runas /netonly, Unexpected Credential Exposure and the Need for Reality Based Holistic Threat Models

One of the things I always advocate for IT Professionals/Defenders is that versus letting Penetration Testers and Real Attackers figure out the holes in their systems, is a serious contemplation of how you would bypass your own defenses. Your adversaries are more than willing to spend time learning the apps and defenses you have in…


Local Administrator Password Solution (LAPS) Implementation Hints and Security Nerd Commentary (including mini threat model)

I did a guest post over on the Ask PFE Platforms blog about the Local Administrator Password Solution (LAPS) this week. You can check it out here : -Jessica @jepayneMSFT 


Tracking Lateral Movement Part One – Special Groups and Specific Service Accounts

Lateral Movement – the moving of an attacker from one compromised host throughout your domain until they find what they are looking for – is something we see many just about all attackers doing during compromise. I’ve talked a lot about the attacker behavior and how to stop it – strong protective controls can serve…


Monitoring what matters – Windows Event Forwarding for everyone (even if you already have a SIEM.)

   Last week at Ignite Australia I presented a session (available here ) on something I don’t think gets talked about enough – Windows Event Forwarding, or WEF.  (Edit: I’ve also since done an depth Microsoft Virtual Academy session on Event Forwarding too!). Often when we engage for an Incident Response, we find the customer : Has no centralized logging Are…


What should I know about security? The massive list of links post.

I maintain a list of links I call “security stuff every Microsoft customer should know” that I send to every customer I visit. The list ranges from basic things to more in depth security knowledge, and is now available even if I haven’t visited you. 🙂 You might want to bookmark this page, as it will…