Welcome to JohnCySA! A site for the Digital Forensics and Incident Response blogs written by John - Cyber Security Analyst.
'About Me' coming soon... Possibly.
In a malware infection investigation, I identified a high-confidence artefact of file opening for Adobe Acrobat Reader.
I carried out some experiments to confirm which implementations of MFA in Azure AD are sufficient to protect against the TeamFiltration Exfil module's MFA bypass capabilities, should a user's credentials have been compromised.
During a single endpoint compromise investigation, I identified a cool use case for conducting forensics with Microsoft's EDR tool 'Defender for Endpoint' - lifting the veil on Incognito browsing sessions.
How attackers are bypassing Multi-Factor Authentication with stolen session cookies and what you can look out for in Azure Active Directory Sign-in Logs.
A resource for mapping User Agents observed in Defender for Cloud Apps and Unified Audit Logs to common Microsoft 365 attack tools.
A blog which asks: What does WeTransfer data exfiltration look like to the forensic investigator?
A handy how-to guide for creating custom detection rules for F-Secure's event log threat hunting tool 'Chainsaw'.
An in-depth analysis of artefacts left on a host by the Quick Assist remote administration tool.
New blogs coming soon... Probably.