I recently followed a live session of Dirk-Jan Mollema and Ceri Coburn on how Windows Hello for Business can be abused as a non-privileged user. I was very intrigued by the concept of the attack they demonstrated, which is why a spend a couple of days thinking of ways how we can counter this attack with detective controls as blue teamers.

This blogpost is probably the first of a series that I will create in the coming months on Device Discovery. I regularly see organizations buy a specific tool to create an asset inventory list of what lives in their networks, while this is something we can actually do with Microsoft technology

If you are working with Microsoft security solutions, you might have heard of the new kid on the block called Microsoft Global Secure Access. Being a blue teamer myself, I asked myself how we can use this new Secure Service Edge solution - and specifically the Internet Access logs - to make our detections better.

How can you effectively isolate a device in your network, and be sure a threat will not perform lateral movement?

Learn how Microsoft Defender for Endpoint performs network inspections with Zeek

Learn how to get insights in your corporate network without having to but specific network scanning tools.

Use the OSSEM framework to map MDE and Windows Security Events overlap on the MITRE framework