BertJanCyber

@BertJanCyber

Followers
3,224
Following
538
Media
124
Statuses
1,209

SOC Lead | Microsoft Security MVP | Blue & Purple Team | SOC | SIEM | Threat Hunting | Detection Engineering | #KQL

127.0.0.1
Joined January 2022
Pinned Tweet
@BertJanCyber
BertJanCyber
11 months
is live! 🛡️ I have been thinking about starting a blog page for a while now, and the first steps have been taken. In the next period, I will start uploading more #KQL and security related content.
5
49
177
@BertJanCyber
BertJanCyber
6 months
🔍🛡️Incident Response PowerShell V2.0.0 is out! The update includes SIEM exports, new artefact collections and more! A blog about the script and the integration with ADX and MDE Live Response will follow next week. 🔗
6
138
425
@BertJanCyber
BertJanCyber
2 years
Are you using any of the Microsoft Security products and/or #Sentinel? Then this thread is for you! The best resources for #KQL Advanced Hunting Queries or Analytics rules in my opinion. #MDE #ThreatHunting #Detection #DFIR
10
101
361
@BertJanCyber
BertJanCyber
9 months
I have pushed some new IR scripts to the Incident Response Powershell repo. For those wondering, yes you can also run them in MDE Live Response. 🔗
3
59
265
@BertJanCyber
BertJanCyber
1 year
Let's start a new Twitter series named #MITREKQL 🧵. Each week I will discuss a @MITREattack tactic and the #KQL queries that can be used to detect some of the techniques. We start today with Initial Access and each week we take a step towards Impact.
3
76
260
@BertJanCyber
BertJanCyber
2 years
New #KQL queries. This time I spent some time in the mail logs and created the following queries: 1. Macro attachment opened from rare sender 2. Executable file attachment received 3. ISO attachment received 4. Rarest attachment extensions received. #MDE
8
67
252
@BertJanCyber
BertJanCyber
5 months
Pushed a new #KQL to search for vulnerable XZ devices (CVE-2024-3094). Since it seems related to SSH server compromise I also created a KQL query to list all inbound SSH connections to vulnerable XZ devices, you may want to review those.
2
72
246
@BertJanCyber
BertJanCyber
2 years
New day new #KQL queries: 1. List all AAD Role Additions 2. Cloud Discovery by User At Risk 3. Cloud Persistence by User At Risk 4. Security Alerts triggered by users at risk 5. User Risk Visualization 6. Vulnerabilities with available POC #MDE #Sentinel
2
68
227
@BertJanCyber
BertJanCyber
10 months
Last summer I developed a #KQL Incident Response Query Pack for Azure and Microsoft 365. This is for the @InvictusIR Hands-On Incident Response In The Cloud Training 🛡️. The query pack is available on GitHub for all of you to try out! #MicrosoftSentinel
1
55
220
@BertJanCyber
BertJanCyber
2 years
I recently created my own GitHub repo to share #KQL hunting queries and detection rules. This is inspired by @reprise_99 and @msftsecurity. The following categories have been added so far: DFIR, VM, Threat Hunting, 0-day & DFE detection rules.
4
57
219
@BertJanCyber
BertJanCyber
2 years
In the last months, I have collected some awesome new #KQL sources, and this 🧵 lists them. Are you using Defender for Endpoint, Sentinel or Intune, or do you want to learn KQL? Then have a look! #MDE #Sentinel #Intune #Detection #ThreatHunting
8
69
208
@BertJanCyber
BertJanCyber
7 months
🛡️ I have published an updated #KQL security sources list with 25+ GitHub Repos, Blogs and Guides. Since more and more people are adopting KQL it was time for an update. Containing 1000s of detections and hunting queries for you to investigate! 🏹 🔗
4
56
191
@BertJanCyber
BertJanCyber
5 months
🛡️ The new version of the Incident Response Powershell script is released. Two updates: 1. Collect the PowerShell history of all users. 2. Different approach to retrieving MPLogs.
1
52
196
@BertJanCyber
BertJanCyber
1 year
New Living Off The Land #KQL queries! 🚨 I have added queries for: - LOLBAS - LOLDriver - LOTS For the queries see: More queries will be added later! Happy hunting! 🏹 #MDE #Sentinel #LOL #LOLBas #LOLDriver
2
51
190
@BertJanCyber
BertJanCyber
2 years
New #KQL queries. 1. Detect Executable Files in C:\Users\Public* 2. ASR Executable Office Content 3. Hunt for AsyncRAT Initial Access 4. C2 IP Intel Feed 5. C2 Domain Intel Feed For queries see below! Happy hunting! 🏹 #MDE #Sentinel
2
56
176
@BertJanCyber
BertJanCyber
1 year
Just finished updating my repository which contains links to a lot of free IOC / Threat Intel feeds which you can implement in your security solutions. Most (if not all) of them can be combined with #KQL as well.
3
52
174
@BertJanCyber
BertJanCyber
2 years
(1/5) Hunt for suspicious #PowerShell in your environment! A Thread about encoded PowerShell commands. Various Threat Actors use this to obfuscate their activities. #ThreatHunting #MDE #KQL
8
63
164
@BertJanCyber
BertJanCyber
8 months
Writing a new version of the DFIR PS script. This will include CSV exports that can be ingested in your SIEM/ADX/Sentinel, to analyse the content in your preferred query language. Question: Would you rather have one file with all data or separate files? 🔗
7
31
149
@BertJanCyber
BertJanCyber
7 months
🛡️ New #KQL queries! Created some detections based on APT28 activities reported by @_CERT_UA. 1. PowerShell No Profile Execution 2. Hunting for APT28 commands 3. PowerShell WebDav Folder File Collection All individual links in 🧵 Happy hunting! 🏹🎯
2
47
146
@BertJanCyber
BertJanCyber
2 years
Three new #KQL queries have been added! The queries are based on MDE and Office 365 logs. 1. ASR Executable Content detection and enrichment. 2. PsExec usage 3. SafeLinks block enrichment For individual query links see below. #Sentinel #MDE #Office365
5
43
147
@BertJanCyber
BertJanCyber
9 months
[New #KQL Queries!🛡️] 1. List *.All Graph API Permissions 2. AAD Signins by Operating System 3. List Defender Config Discovery Activities 4. IPv4 command detected in lolbin execution 5. Comparison between devices in Intune and MDE Individual links in 🧵
3
42
148
@BertJanCyber
BertJanCyber
11 months
Thanks all for the 100 stars!⭐️ If you are looking for free IOC feeds, then have a look at the repository (details in 🧵). Almost 100 feeds are listed at the moment. For the #KQL fans, almost all of those can be used in the externaldata operator.
1
36
138
@BertJanCyber
BertJanCyber
10 months
🚨 In two days the high severity curl vulnerability (CVE-2023-38545) will be disclosed. The #KQL queries below create an inventory of all systems that run curl. This will allow you to react quickly once a patch has been pushed, to prevent exploitation.
3
39
143
@BertJanCyber
BertJanCyber
7 months
Great start for 2024! Happy to announce that I have been awarded the Microsoft MVP award 🎯 #MVPBuzz #HappyHunting
24
5
137
@BertJanCyber
BertJanCyber
1 year
Do you want to find malicious activities that have been performed on a device? Then use this #KQL query to look for: - ASR Triggers - SmartScreen Events - Antivirus Detections - Tampering Detections - Exploit Guard Triggers - AMSI Events #DFIR #MDE
0
43
131
@BertJanCyber
BertJanCyber
11 months
[NEW BLOG 🛡️] Threat Hunting: Encoded PowerShell! I have written a blog that uses #KQL to hunt for encoded PowerShell. The focus is on identifying suspicious executions in your environment. Examples and queries are included. Happy hunting! 🏹
0
38
127
@BertJanCyber
BertJanCyber
1 year
🚨 NEW KQL QUERIES! This time 3 new Active Directory queries that use MDI logs. 1. Potential Kerberos Encryption Downgrade 2. Password Change After Successful Brute Force 3. Anomalous LDAP Traffic All #KQL queries: Details 🧵
1
46
128
@BertJanCyber
BertJanCyber
10 months
Now that all the parts of the incident response series have been published, it is up to you to prepare for the next incident. 🛠 All tools featured in the blogs can be used in a free test environment, more on that in the 🧵 📚 IR Blogs:
1
29
124
@BertJanCyber
BertJanCyber
9 months
[🛡 NEW BLOG 🛡] From Threat Report to (KQL) Hunting Query Writing valuable hunting queries based on TI reports can be challenging. This blog explores the steps involved in going from a TI report to a #KQL query, based on two #StopRansomware reports. 🔗
2
39
120
@BertJanCyber
BertJanCyber
8 months
CISApy is live! 💻 CISAPy is a small command line tool that lets you interact with the @CISACyber Known Exploited Vulnerabilities Catalog. It can return filtered results and statistics. 🔜 More in the next blog that will be published later this week. 🔗
2
35
117
@BertJanCyber
BertJanCyber
1 year
Happy hunting for CVE-2023-36884!
let CVE_2023_36884 = dynamic(['74.50.94.156', '104.234.239.26', '94.232.40.34', '66.23.226.102']);
EmailEvents
| where SenderIPv4 in (CVE_2023_36884)
Want to hunt for all Twitter IOCs with one query? Check ⬇️
@WhichbufferArda
Arda Büyükkaya
1 year
Observed IP's exploiting CVE-2023-36884: 74[.]50[.]94[.]156 104[.]234[.]239[.]26 94[.]232[.]40[.]34 66[.]23[.]226[.]102
0
23
79
1
36
116
@BertJanCyber
BertJanCyber
1 year
🚨 New #KQL queries! 1. Guest users with AAD Roles 2. DFIR: Inbound connections to a compromised device 3. DFIR: Office 365 audit activities performed by compromised account 4. Detected devices by external scan For links to all queries see 🧵 #MDE #Sentinel
3
22
115
@BertJanCyber
BertJanCyber
10 months
A month ago I published . The views on the blogs have been way above expectations with already more than 5K visitors. Thanks for all the support! ❤️ More #KQL blogs will follow, the next one being: Incident Response Part 2: What about everything else? 🛡️
4
25
113
@BertJanCyber
BertJanCyber
10 months
New #KQL Queries 🚨🛡️ A list of the recent additions to the repo. Full links in 🧵. 1. RG: Tag Search 2. RG: List all used public IPs 3. List EntraID signing based on UPN 4. TI Feed: MontySecurity C2 Tracker All IPs 5. Longest outstanding password resets
4
33
114
@BertJanCyber
BertJanCyber
10 months
KQL TIP: is the perfect place to monitor for new #KQL queries🎯. The home page shows all newly released queries first, which makes it a perfect KQL backlog. If you check this once a week you will be on top of all the released content. Thanks @UgurKocDe !
@UgurKocDe
Ugur Koc
11 months
The new website is now live at 🥳 Thanks for all the feedback and the contributions 🙏 - Matt Zorich @reprise_99 - Rod Trent @rodtrent - Jose Sebastián Canós @ep3p - Bert-Jan Pals @BertJanCyber - Alex Verboon @alexverboon - Daniel Card @UK_Daniel_Card -
4
44
123
1
29
111
@BertJanCyber
BertJanCyber
1 year
🚨 KQL MISP is live! 🛡️ The first batch of 18 @MISPProject feeds has been translated to #KQL queries for #MDE and #Sentinel. This solution only requires KQL and no additional configuration, as shown in the image below. For all the content & queries see
5
48
109
@BertJanCyber
BertJanCyber
1 year
This week I have spent some time developing a detection for T1046 (Service Discovery) and specifically for database discovery. The #KQL query is listed below, depending on your needs you can tweak the query for better results! #MDE #Sentinel #Discovery
1
36
109
@BertJanCyber
BertJanCyber
6 months
[New Blog 🛡] Detecting Post-Exploitation Behaviour This blog explains how you can detect some of the ScreenConnect (and other) post-exploitation activities and will share multiple KQL queries to hunt for this behaviour in your environment.
1
31
108
@BertJanCyber
BertJanCyber
11 months
[NEW BLOG 🛡️] Excited to announce my first blog post! KQL Functions For Security Operations. The blog describes different functions that can be used for SOC operations, incident response, threat hunting, and detection engineering. Check it #MDE #Sentinel
3
37
109
@BertJanCyber
BertJanCyber
9 months
Added a script to the IR PowerShell repo that lists all configured exclusions. This lists: - IP - Process - FolderPath - File Extension ‼️ Proactively run this in your environment to determine if the exclusions are still valid or need to be removed.
@NathanMcNulty
Nathan McNulty
9 months
This is utter crap for AV advice from Microsoft. It's bad enough that Teams still runs in a user-writable location (AppData), but let's combine that with AV exclusions AND not specify path-based vs process-based exclusions. I would highly advise against path-based exclusions here.
20
78
404
2
20
109
@BertJanCyber
BertJanCyber
10 months
Working on the last part of the incident response blog series: Leveraging Live Response. The blog will be out later this week, so stay tuned.
2
12
107
@BertJanCyber
BertJanCyber
1 year
500 STARS! ⭐️Thanks all for the support on the #KQL repository, I did not expect this when I started. Of course, more queries will be added and I am working on a new repo to deliver even more KQL content.
4
22
105
@BertJanCyber
BertJanCyber
4 months
🖥 New project! Sentinel Automation. The Logic Apps/Playbooks are aimed to: - Enrich Incidents - Perform Incident Response Steps. The first automation is already available; this automation flow collects the last 10 inbound connections to a device.
0
38
101
@BertJanCyber
BertJanCyber
1 year
New #KQL query alert! 🚨 The new BehaviorInfo and BehaviorEntities have been used to create a detection based on a user performing multiple @MITREattack techniques. All entities related to those actions are collected for further investigation.🏹 #MDE #MCAS
0
37
99
@BertJanCyber
BertJanCyber
8 months
New #KQL Queries! 🚨 Had some fun combining the @CISACyber Known Exploited Vulnerabilities list and KQL. 1. ListCISAExploitedVulnerabilites() 2. New Active CISA Known Exploited Vulnerability Detected 3. Due Date Passed CISA Known Exploited Vulnerabilities 🧵
1
22
100
@BertJanCyber
BertJanCyber
10 months
A great document to be aware of is the Security Operations Guide for AAD. This also includes which activities should be monitored and what the conditions are. If a Sentinel Analytics or Sigma rule is already available, it will also be linked.
1
32
101
@BertJanCyber
BertJanCyber
1 year
The results are in, from today on I start the #KQLADS (KQL Adversary Detection Series) 🛡️🏹 We start with a #KQL query that is used to identify suspicious database discovery activities. Why you want to monitor this is described in the 🧵 #MDE #Sentinel
@BertJanCyber
BertJanCyber
1 year
The #KQL repository now contains 200+ KQL queries, which cover various areas. Should I create a small series/thread that covers the best x queries and explains why they should be used? If you want this to focus on a specific area please share below! Repo:
4
15
52
2
27
95
@BertJanCyber
BertJanCyber
8 months
🛡️ I have updated the MITRE ATT&CK Mapping in the #KQL GitHub Repository with a Statistics section. This lists the number of mapped KQL queries for each MITRE Tactic. At this moment 60 queries are mapped to a tactic. Interested in all the mapped queries? 🔗
3
24
97
@BertJanCyber
BertJanCyber
1 year
New #KQL query! This time focussed on Vulnerability Management. List all devices that are internet-facing and have a vulnerability with an available exploit. Planning to add more internet-facing queries soon! #VM #MDE
2
26
93
@BertJanCyber
BertJanCyber
1 year
Many thanks to the Twitter community for sharing their IOCs! The IOCs from Twitter have now been integrated in a #KQL query (Thanks @0xDanielLopez!). Hunt for C2, Malware, Phishing and Ransomware IOCs in your environment 🧵 #ThreatHunting #MDE #Sentinel
2
26
91
@BertJanCyber
BertJanCyber
2 years
(1/4) 3 new #DFIR #KQL queries have been added. 1. The last 100 PowerShell commands executed from a compromised device. 2. All URLs opened by Outlook from a compromised device. 3. All activities that triggered a browser to open a URL. Details in thread
2
26
92
@BertJanCyber
BertJanCyber
7 months
This for AiTM ⬇️. Alternatively for the empty deviceid you can hunt for OfficeHome in combination with 0, 50140, 50074 or 53000 depending on your tenant setup. Have some fun with the #KQL from @reprise_99 :
@ITguySoCal
Joe Stocker
7 months
In our last few IR engagements we have found “OfficeHome” a pretty reliable application for detecting threat actors, in particular when the DeviceID field is empty. Happy Hunting! #CyberSecurity #DFIR
7
11
139
3
25
92
@BertJanCyber
BertJanCyber
11 months
For all the Threat Hunters and Detection Engineers, I have just pushed a new #KQL function that lists all ActionTypes, Operations and OperationNames in a single view. This enables you to get easy insight into all the activities in your Sentinel data.
2
16
92
@BertJanCyber
BertJanCyber
1 year
The #MITREKQL series continues with persistence. Each week we take a look at a different @MITREattack tactic and the #KQL queries which can detect some of the related techniques. #MDE #Sentinel
3
32
87
@BertJanCyber
BertJanCyber
10 months
[New Blog! 🛡] Incident Response Part 2: What about the other logs? This blog explains how you can perform incident response on data that you do not have in Sentinel or M365D with #KQL . Windows Security Events and Unified Audit logs are used as examples!
0
31
89
@BertJanCyber
BertJanCyber
7 months
Ever wondered what accounts use clear text credentials on the command line? Use this #KQL query to collect the users, devices and the executed command lines. If possible start improving your security posture today, by getting rid of clear text passwords🛡️
2
20
86
@BertJanCyber
BertJanCyber
6 months
Do more of you see many unsuccessful sign-ins on your personal Microsoft Accounts? I extracted all the 279 failed sign-ins in the last 7 days and visualised them in ADX to get some statistics. Almost all of them originate from IPv6 addresses hosted in Europe.
11
11
87
@BertJanCyber
BertJanCyber
2 years
Big #KQL repo update! 1. KQL Queries are now mapped to MITRE ATT&CK (see link) and contain more context. The page includes a list of all tactics and the queries that can be used for each technique. 2. New detections (see below) #MITRE #MDE #Sentinel
5
16
82
@BertJanCyber
BertJanCyber
9 months
Created a #KQL query that lists all the Graph Mail permissions that have been granted to applications in your tenant. Mail permissions can be very permissive and should be scoped to specific mailboxes only. 🎯 Query:
3
16
86
@BertJanCyber
BertJanCyber
1 year
Two new #KQL queries! - IP Lookup - URL Lookup The lookups are done both on the created network events and on the command-line references of the IP or URL. #Sentinel #MDE #DFIR URL Link below ⬇️
2
24
84
@BertJanCyber
BertJanCyber
7 months
I have also pushed a #KQL to detect this behaviour in the SigninLogs (Sentinel) and the AADSignInEventsBeta (Defender XDR) table. Happy hunting :) 🏹 🔗
@ITguySoCal
Joe Stocker
7 months
In our last few IR engagements we have found “OfficeHome” a pretty reliable application for detecting threat actors, in particular when the DeviceID field is empty. Happy Hunting! #CyberSecurity #DFIR
7
11
139
0
17
85
@BertJanCyber
BertJanCyber
1 year
New #MITREKQL 🧵! Each week a @MITREattack tactic is discussed and the #KQL queries that can detect some of the techniques. This week we discuss Defense Evasion and have 8 queries to detect this behaviour #Sentinel #MDE #ThreatHunting #Detection
2
25
81
@BertJanCyber
BertJanCyber
9 months
Aaaaand that is the third repo with 100 ⭐️s! Unbelievable support on all the delivered content ❤️, totally unexpected when I started publishing content. More to come for sure! 🛡️ Have a good weekend all! GitHub:
2
14
84
@BertJanCyber
BertJanCyber
1 year
In this week's episode of #MITREKQL the tactic Privilege Escalation is discussed 🧵. Each week a new @MITREattack tactic is discussed with the #KQL queries that detect some of the techniques. #MDE #Sentinel
1
30
82
@BertJanCyber
BertJanCyber
6 months
I will release some #KQL queries in the upcoming days. As @HuntressLabs mentions very clearly "Most of the post-compromise activities we have documented in this article aren’t novel, original, or outstanding" Thus having detection in place for these techniques is a must!
@BertJanCyber
BertJanCyber
6 months
Time to play around with the ScreenConnect post-exploitation activities as shared by @HuntressLabs . 🔗
1
5
37
1
16
80
@BertJanCyber
BertJanCyber
8 months
New #KQL queries. In the last update of the year some less serious queries to have some fun: - Teams Emojis used - Teams Emojis used by department - visits - visits All queries:
3
17
77
@BertJanCyber
BertJanCyber
1 year
New #KQL queries for SOC Operations! 🛡️ I have added another KQL query category to the repository. This category provides statistical insights and visualisations to manage your SOC. #Sentinel #MDE
1
22
79
@BertJanCyber
BertJanCyber
9 months
If you want to hunt 🏹for LockBit 3.0 behavior I have a new #KQL query for your toolkit. The #StopRansomware campaign shared interesting indicators that can be used to hunt for the killing of SQL processes. 🔗 More details will follow in the upcoming blog!
1
17
76
@BertJanCyber
BertJanCyber
11 months
I have given the #KQL @MISPProject implementation an update. If you are looking for KQL MISP queries then have a look at the repository. Both Sentinel and MDE are included.
2
26
74
@BertJanCyber
BertJanCyber
11 months
If you have an incident on a device and want to know what other malicious activities have happened, without going through the full timeline, use this #KQL query to quickly list a summary of malicious activities from that device and determine the next steps.
1
18
70
@BertJanCyber
BertJanCyber
1 year
The free IOC Feed repository has been updated with some new feeds! The current total is 97 feeds 🛡️ Link:
0
18
68
@BertJanCyber
BertJanCyber
1 year
New #KQL functions! 🛡️ I have added a new section for KQL functions. The following functions that I often use are added: IsDomainController() ListDomainControllers() LastPowerShellExecutions() UserRiskStatus() For the functions see: #MDE #Sentinel
3
20
69
@BertJanCyber
BertJanCyber
2 years
Two new #kql detections have been added to the repo. Both based on #MDE data. 1. Qakbot post compromise commands executed. 2. AnyDesk remote connection made #Qakbot #CyberSecurity
1
23
70
@BertJanCyber
BertJanCyber
6 months
Created new #KQL queries based on the post-exploitation activities of actors abusing the ScreenConnect vulnerability. 1. PowerShell Invoke-Webrequest: 2. Certutil Remote Download: Blog and more queries follow soon! Happy hunting!🏹
0
17
69
@BertJanCyber
BertJanCyber
4 months
📚 New Blog: Sentinel Automation Part 1: Enriching Sentinel Incidents with KQL Results. The blog includes two Sentinel Playbooks to automate your incidents: - Device Enrichment - Inbound Device Connections Sentinel Playbooks: Blog:
2
23
69
@BertJanCyber
BertJanCyber
7 months
You probably ingest more in Sentinel than you know. Friendly reminder to look at 'new' data sources to investigate by looking at the tables with the least events.
union *
| where TimeGenerated > ago(30d)
| summarize TotalEvents = count() by Type
| sort by TotalEvents asc
0
9
69
@BertJanCyber
BertJanCyber
4 months
Received a package today 😍
12
0
68
@BertJanCyber
BertJanCyber
9 months
[New Blog 🛡 ] KQL Functions For Network Operations! Data in Sentinel, MDE or ADX will contain columns with IPs. To be able to effectively query the logs this blog explains functions that help you filter to get the right results quickly using #KQL . 🔗Link:
0
15
69
@BertJanCyber
BertJanCyber
1 year
If you want to hunt for CVE-2023-23397, remote SMB connections can be your starting point. Not only for this vulnerability but in general you would not want devices to connect with SMB remotely. #MDE #Sentinel
1
24
67
@BertJanCyber
BertJanCyber
1 year
#MITREKQL continues again with a new @MITREattack tactic. This time we discuss Discovery with 8 #KQL queries. See the 🧵below for all queries and details. #MDE #Sentinel #ThreatHunting
1
15
64
@BertJanCyber
BertJanCyber
10 months
[New Blog 🛡️] The last part of the incident response series: Leveraging Live Response. This blog will explore how LR can help you to perform IR in MDE. This will include useful commands and most interesting custom IR scripts. #MicrosoftSecurity #MDE
1
21
66
@BertJanCyber
BertJanCyber
1 year
This week in #MITREKQL: the tactic Execution. The list also includes two new #KQL queries. Execution is the first activity an adversary performs after getting initial access. See the 🧵 for all queries! #MDE #Sentinel
1
19
65
@BertJanCyber
BertJanCyber
6 months
For those interested, offers an RSS feed to keep you updated on all the content. RSS Link:
0
14
66
@BertJanCyber
BertJanCyber
4 months
When using custom detection rules in MDE in which results have a column with hashes, try to use the FileProfile() function to enrich your results. This will return information about the prevalence and certificates. Note that there is a limit of 1000 lookups, so use it wisely.
4
8
64
@BertJanCyber
BertJanCyber
2 years
Do you want to get insight into the efficiency of your Sentinel detection rules? Just published a #KQL query to get insights into the TP/FP/BP statistics for each analytics rule to help prioritize detections that need attention. #Sentinel
1
17
65
@BertJanCyber
BertJanCyber
10 months
[New #KQL Queries!🛡️] Focused on some conditional access: 1. Deletion, Addition and updates of CA policies. 2. CA Application Failures 3. CA User Failures 4. Visualize SignIn Failures due to CA policies. #MicrosoftSentinel
3
18
64
@BertJanCyber
BertJanCyber
8 months
With Qakbot becoming active again this #KQL query can help to list post-compromise commands related to their operation. 🔗
0
21
61
@BertJanCyber
BertJanCyber
8 months
New #KQL Queries! 🚨 Played around with net(1).exe discovery activities: 1. Net Query Statistics, who is most queried? 2. Detect suspicious amounts of discovery activities 3. Local Group Discovery 4. Rare net parameter execution 🔗 Individual links in 🧵
2
12
63