Incident Response

Blue Team, Incident Response, John Strand, Red Team, Webcast Wrap-Up AI, cloud, penetration testing

5 Things We Are Going to Continue to Ignore in 2025

In this video, John Strand discusses the complexities and challenges of penetration testing, emphasizing that it goes beyond just finding and exploiting vulnerabilities.

Read the entire post here

Blue Team, Incident Response, Informational, Jordan Drysdale Blue Team Detections, detection engineering, event auditing, msDS-KeyCredentialLink, Shadow creds

Enable Auditing of Changes to msDS-KeyCredentialLink 

Changes to the msds-KeyCredentialLink attribute are not audited/logged with standard audit configurations. This required serious investigations and a partner firm in infosec provided us the answer: TrustedSec.  So, credit where […]

Read the entire post here

Blue Team, David Perez, Incident Response, Informational Azure, Entra ID, SIEM, SOC

Monitoring High Risk Azure Logins 

Recently in the SOC, we were notified by a partner that they had a potential business email compromise, or BEC. We commonly catch these by identifying suspicious email forwarding rules, […]

Read the entire post here

General InfoSec Tips & Tricks, Incident Response, Informational, Terry Reece externally exploitable services

In Through the Front Door – Protecting Your Perimeter  

While social engineering attacks such as phishing are a great way to gain a foothold in a target environment, direct attacks against externally exploitable services are continuing to make headlines. […]

Read the entire post here

Incident Response, Informational, Patterson Cake OSINT

OSINT for Incident Response (Part 2)

Be sure to read PART 1! Metadata and a New-Fashioned Bank Robbery Let’s face it, some cases are just more interesting than others and, when you do incident response for […]

Read the entire post here

Blue Team, General InfoSec Tips & Tricks, Incident Response, Informational, Patterson Cake OSINT

OSINT for Incident Response (Part 1)

Being a digital forensics and incident response consultant is largely about unanswered questions. When we engage with a client, they know something bad happened or is happening, but they are […]

Read the entire post here

How-To, Incident Response, Informational, InfoSec 201, Patterson Cake, Phishing csv data, M365, Microsoft 365, SOF-ELK, UAL, Unified Audit Log

Wrangling the M365 UAL with SOF-ELK and CSV Data (Part 3 of 3)

Patterson Cake // PART 1 PART 2 In part one of “Wrangling the M365 UAL,” we talked about acquiring, parsing, and querying UAL data using PowerShell and SOF-ELK. In part […]

Read the entire post here

How-To, Incident Response, InfoSec 201, Patterson Cake, Phishing BEC, Business Email Compromise, Exchange Online Management, M365, Microsoft 365, PowerShell EXO, SOF-ELK, UAL, Unified Audit Log

Wrangling the M365 UAL with PowerShell and SOF-ELK (Part 1 of 3)

Patterson Cake // When it comes to M365 audit and investigation, the “Unified Audit Log” (UAL) is your friend. It can be surly, obstinate, and wholly inadequate, but your friend […]

Read the entire post here

Blue Team, Blue Team Tools, General InfoSec Tips & Tricks, How-To, Incident Response, Informational, InfoSec 101, InfoSec 201, Troy Wojewoda DFIR

Welcome to Shark Week: A Guide for Getting Started with Wireshark and TShark

Troy Wojewoda // In honor of Shark Week1, I decided to write this blog to demonstrate various techniques I’ve found useful when analyzing network traffic with Wireshark, as well as […]

Read the entire post here