Hey, thank you stopping by! Well, being here means that you are either familiar with the discipline of Digital Forensics and Incident Reponse (DFIR) or you are interested in beginning to explore DFIR tools and techniques.
The common denominator, no matter what your sense is around DFIR, is that you are using Microsoft Defender for Endpoint (MDE) and the wider Microsoft Azure and Microsoft 365 Defender environments.
I hope you will enjoy the following resources which come from my notes and relevant research and testing I have done.
Do you have any other resources that fit here? Drop me a line at any of my mediums here or pull the repo and push your request to review it.
If you find this repo useful, don’t forget to it!
What better way to begin the resource list other than Microsoft Learn itself? MDE supports a lot of functionalities including artifact collection, containment, live response, advanced hunting and others which help analysts and investigators unfold alerts and incidents.
KAPE (Kroll Artifact Parser and Extractor) is a powerful DFIR tool by Eric Zimmerman that primarily collects and processes collected files.
@DFIRanjith and Krzysztof Miodoński have built and published guides on how to deploy KAPE through MDE live response and collect forensic artefacts.
Bert-Jan (@BertJanCyber), a fellow community contributor has prepared a detailed and comprehensive guide on how to accommodate Microsoft technologies available including KQL queries and Live Response in order to practice the DFIR discipline.
THOR-Cloud allows live compromise assessment scans for YARA, Sigma and IOCs on endpoints through MDE. THOR-Cloud Lite comes with a free plan as well.
HUNTERS, an advanced platform that leverages SIEM to help SOC teams, provides highly technical blogs around Microsoft Security.
They started unfolding a series of blogs about IR and Threat hunting that really go deep into platform, differentiating sources, user’s permissions etc.
Repositories hosting Powershell script samples for “Live Response” that can be leveraged in your Microsoft Defender For Endpoint Environment.
This script uses 7zip (7za.exe) to compress a specified folder and then splits the resulting archive into sections of 3GB or less.
It will work (and was designed for) files larger than 3GB. Windows Defender Live Response currently only supports pulling back files of 3GB or less via the console.
Docker is a powerful open-source containerization platform that allows developers to build, test, and deploy…
Docker is one of the most widely used containerization platforms. But there may come a…
Introduction Google Dorking is a technique where advanced search operators are used to uncover information…
Introduction In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and…
What is Networking? Networking brings together devices like computers, servers, routers, and switches so they…
Introduction In the world of Open Source Intelligence (OSINT), anonymity and operational security (OPSEC) are…