Setting up Kali Linux on Windows Subsystem for Linux

“Kali Linux on Windows 10? What the hell?” one might ask. But we are in the year 2018: we can run Linux directly on Windows, install SQL Server on Linux, and Microsoft is the top open-source contributor on GitHub. Using one PowerShell command and a download from the Store,…


Detecting Kerberoasting activity using Azure Security Center

Kerberoasting, a term coined by Tim Medin, is a privilege escalation technique which proves to be very effective in extracting service account credentials in a domain environment. A service account is a standard user account that has been configured with the specific task of running a service or scheduled task. Many organizations are using service accounts…


List of Azure Active Directory Audit Activities

Hi all, audit logs in Azure Active Directory help customers gain visibility into user and group management, managed applications and directory activities in their cloud-based Active Directory. Using the logs you can detect and investigate security incidents, and review important configuration changes. By using the Graph API, which provides programmatic access to Azure AD,…


Deploying Sysmon through Group Policy (GPO) Preferences

In my previous post I explained how to leverage Group Policy Preferences to deploy and update the Sysmon configuration in the enterprise. I decided to write a script to automate the entire process. What do you need in order to run this script? A baseline computer with the following: Sysmon installed and a Sysmon XML configuration…


Update: Sysmon configuration file version 8

This new version of config_v8.xml adds the latest additions from Sysmon: FileCreateStreamHash events, PipeEvent events and WmiEvent events. In addition, the XML was cleaned up and all the event categories are now ordered by event number. Link to file:


Sysinternals Sysmon suspicious activity guide

The Sysmon tool from Sysinternals provides comprehensive monitoring of activity at the operating-system level. Sysmon runs in the background all the time and writes events to the event log. You can find the Sysmon events under the Microsoft-Windows-Sysmon/Operational event log. This guide will help you investigate and appropriately handle these events….


Quickpost: Encrypting Azure Virtual Machine using BitLocker

Here are the steps required to encrypt the disk of an Azure Virtual Machine. This is a very high-level overview of the process, and I do recommend reading the full guide: Open the Azure portal and navigate to the virtual machine (Windows 2008 R2 and above) you want to encrypt and then…


Chasing Adversaries with Autoruns – evading techniques and countermeasures

Abstract: Sysinternals Autoruns is a great utility for defenders to discover and disable malware and adversaries’ persistence points. There are similar programs, but as the author of Autoruns says: “(Autoruns) has the most comprehensive knowledge of auto-starting locations”, therefore the focus here is on Autoruns. In the last few weeks a couple of security researchers (Kyle…


Securing remote connections

Consider the following scenario: a standard user was tricked into running malicious code and his device was compromised. Typically, standard users do not have high privileges, so the next thing for the attackers is getting their hands on privileged accounts. How? They can delete an important file required by Office, or by slowing down…


Locking up Your BitLocker

Hello, today I want to talk about securing your BitLocker-enabled devices against a common attack vector: Direct Memory Access (DMA)/side-channel attacks. BitLocker quick overview: first, a little primer on how BitLocker works is in order. The Trusted Platform Module (TPM) is a hardware security device that stores a master key, or Storage Root Key (SRK), and…