November 22, 2019
September 9, 2019
August 30, 2019
November 22, 2019 | Conference Talks | No Comments
Back in April of 2016, Zaid Arafeh, Clare Kearney, and I, recorded a 7 part series for the Microsoft Virtual Academy titled “Defending Active Directory against Cyberattacks”. Unfortunately Microsoft retired the Virtual Academy and most of the recordings are no longer available. Some of the content is now part of this edX course on Managing […]
September 9, 2019 | Conference Talks | No Comments
Microsoft Exchange Servers are a high-value target for many adversaries, which makes the investigation of them during Incident Response vital. Backdoor implants in the form of webshells and IIS modules on servers are on the rise. Find out how to hunt webshells and differentiate between legitimate use and attacker activity, using default logging available on […]
August 30, 2019 | Conference Talks | No Comments
In the physical realm, a successful hunt ends with either a kill or a capture. While some might enjoy the thrill of the hunt, no one really wants to walk away empty handed. Why do we treat hunting in the digital realm differently? The Containment, Eradication, and Recovery phase of the Incident Response Lifecycle is the digital equivalent […]
August 30, 2019 | Conference Talks | No Comments
Public and private enterprises face the same threats, and yet often have different approaches to defense. What if you could take some of the best tactics from each and blend them together? What if I told you this is already happening in small pockets around the US? Enhance your defenses by studying the strengths and […]
August 30, 2019 | Conference Talks | No Comments
The results are in, you’ve been breached. It’s officially the worst day of your career. How will you handle what comes next? Are you prepared to navigate the long road to recovery? Where do you even begin? Come, hitch a ride with me, I’ll show you the way. Lessons learned from dozens of compromise recoveries […]
February 12, 2019 | Uncategorized | No Comments
Three years ago I wrote a document titled “Removing Exchange’s ability to impact Tier 0 and Tier 1” that was distributed internally at Microsoft as well as to dozens of Microsoft customers as part of Cybersecurity services delivered through Microsoft Consulting Services (MCS). I had always intended to get this document published publicly, but for […]
August 31, 2018 | Uncategorized | No Comments
How fitting that 7 years after I started this blog I would relaunch it on a new platform (more on that to come). I know there’s been a lot of times it’s been neglected over the years due to my work/travel schedule, but that’s changing now. I’d like to thank anyone and everyone who’s stuck […]
May 8, 2017 | Conference Talks | No Comments
Microsoft Exchange Servers are a high value target, making investigation of them during Incident Response vital, but where do you start? What should you look for? Backdoor implants in the form of webshells hiding in OWA are on the rise. Find out how to hunt webshells and differentiate between legitimate use and attacker activity, using […]
December 13, 2016 | Conference Talks | No Comments
I’ll be presenting a brand new session titled “Hunting Webshells on Microsoft Exchange Server” at the 2017 SANS Threat Hunting and Incident Response Summit in New Orleans on April 18th and 19th! My session abstract:“Microsoft Exchange Servers are a high value target, making investigation of them during Incident Response vital, but where do you start? […]
April 1, 2016 | Uncategorized | No Comments
Ever since last month’s announcement that Microsoft SQL Server will be coming to Linux, quiet rumors have been floating around that some of Microsoft’s other Enterprise Products, such as Exchange Server, may follow suit. With this week’s announcement at the Build conference about the popular Linux shell “BASH” coming to Windows, I decided it was time to see […]