purpleteam Azure and Azure Active Directory Monitoring Use Cases Wrangling data exposed by various Azure services is a daunting challenge. Because numerous tables exist with many available data types, finding the table with a particular Azure action or its associated query often proves difficult. Azure Monitor can aid you in this journey. Azure Sentinel comes with several preconfigured analytic
purpleteam The Lowdown on Lateral Movement What Is Lateral Movement? Lateral movement is a broad MITRE ATT&CK category, consisting of nine distinct techniques and numerous sub-techniques. Due to its breadth and its linkages with other areas of the ATT&CK framework, lateral movement becomes an increasingly interesting category, presenting numerous challenges to defenders. The category
purpleteam Kubernetes Hunting & Visibility Intro Enterprise workloads are increasingly shifting to modern micro-service architectures. This shift can potentially mean that visibility, hunting, and defensive frameworks lag behind their traditional on-premises architectures and deployments. This post provides Kubernetes monitoring and hunting examples from several defensive areas and visibility vantage points. Setup Although most enterprise micro-architecture
purpleteam Sysmon for Linux Test Drive If you have been within planetary orbit of our Purple Team, you will know that we are huge fans of Sysmon. You can imagine our excitement when Microsoft announced that Sysmon would be coming to Linux a few months ago. Well, the wait is now over and Sysmon is available
purpleteam Detection and Mitigation Advice for PrintNightmare PrintNightmare (CVE-2021-34527) was released as a proof of concept this week on GitHub. This post highlights how the exploit PoCs released on GitHub work and how the specific vulnerability can be fixed and detected.
purpleteam Introducing Sysmon Config Pusher When providing various services to clients, including Purple, Blue, and Red Team engagements, the Lares team often recommends Sysmon to close detection gaps. Indeed, Sysmon is an incredible and freely available tool that enhances visibility across Windows systems and provides rich data and telemetry from which to build alerting, detections
purpleteam Emails and Malicious Macros – What Can Go Wrong? Intro A few months ago, we published a blog post that examined the telemetry available through Office 365, including email visibility. If you read the blog and thought to yourself, I wish that I could get more comprehensive email visibility, beyond just the basic metadata, then the Splunk Microsoft O365
bluteam Getting into the Blue Team: A Practical Guide Are you a person who is new to the Information Security industry and wants to get deeper into the defensive side of our wonderfully broad and complex industry? Have you read a few "getting into InfoSec" guides but been looking for something more practical, specific, and applicable to your interests
purpleteam Hunting in the Sysmon Call Trace The Sysmon ProcessAccess event has been used in threat hunting and detection efforts in order to alert on techniques such as process injection and credential access. According to the Sysinternals website, the Sysmon ProcessAccess event reports when a process opens another process, an operation that’s often followed by information