Microsoft Defender - Advanced Hunting
Advanced Hunting in Microsoft 365 Defender is a great starting point for investigating suspicious behavior in your network. Its broad range of schema tables lets queries be adapted to the specifics of your environment.
Living Off the Land Binaries (LOLBins). These locally installed binaries are often abused in malicious campaigns: attackers use them to achieve their goals without relying on custom code or dropped files.
Azure Service Principals in your tenant should be periodically reviewed just as app registration secrets and passwords should be, see post https://www.cyber.engineer/azure-active-directory-threat-hunting-app-registration-key-count as they both work hand-in-hand. What is a service principal? To access resources that are secured by an Azure AD tenant, the entity that
As part of your organisation's proactive threat hunting, app registrations with secrets and passwords configured should be reviewed to look for any suspicious entries. The following PowerShell script, which I like to run in Cloud Shell, will give you an overview within your tenant. Service principals work hand-in-hand with app registrations,