Thanks Kris for a great session today! 

Kris used quite a few queries which are listed below for you to test out and use on your network:

And he also referenced using CTF events or other online resources to learn attacker tactics, so that you can better defend against those attacks in your environments. Here are a few sites that he personally recommends: 

I hope those are all useful to you - let me know in the comments if you have anything else that others might benefit from!

Great seeing all of you on the sessions this week - see you Tuesday for session 4.

  • First and foremost, thank you Nick, Kris and the remainder of the team both on video and behind the scenes running chat! You guys are doing an amazing job and there is lots to learn.

    I spent some time running through the live queries this afternoon and, as has been said many times, the journey down the rabbit hole is more than just a full-time job; it needs a small army (thankfully I have the MTR team backing anything I miss or do not find, but I am eager to learn as much as I can). I ran a query using the “General MITRE” query located in the forums and am wondering if Kris or another knowledgeable team member can confirm whether the following scenario would cause a red flag or is potentially a normal occurrence at times. 

    I found several instances in the last 24 hours where a subset of random user endpoints flagged for T1069 multiple times per endpoint. 

    At face value this looks like a user is running “net localgroup administrators” via command prompt. Thus far, internet sleuthing has not yet ruled in favour of either direction. 

    A second piece to this question: I had run a query to identify local admin accounts on my endpoints half an hour before this. Is there any possibility there is a correlation here? I’m assuming not, as I have ~1300 endpoints and not even a fraction of them are flagged in this report. 
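The triage the comment above describes (which command lines map to T1069 Permission Groups Discovery, how many hits each endpoint produced, and whether the hits line up with an admin-inventory query run shortly beforehand) can be worked through offline. The script below is an added example; it is not one of Kris's Live Discover queries, not Sophos code, and not the commenter's. The process events, endpoint names, timestamps, the 30-minute audit window and the 1300-endpoint fleet size are all constructed or assumed for illustration.

```python
"""Toy T1069 (Permission Groups Discovery) triage over constructed process events.

Added example: a defender-side walk-through of how such a detection can be
scored and correlated against a known audit run. Not vendor code.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (NOT real data): (timestamp, endpoint, parent, cmdline)
SAMPLE_EVENTS = [
    ("2021-03-04T13:02:11", "WS-0017", "explorer.exe",   r"C:\Windows\System32\cmd.exe /c net localgroup administrators"),
    ("2021-03-04T13:02:40", "WS-0017", "cmd.exe",        'net group "domain admins" /domain'),
    ("2021-03-04T13:05:02", "WS-0042", "powershell.exe", "Get-LocalGroupMember -Group Administrators"),
    ("2021-03-04T13:06:15", "WS-0042", "cmd.exe",        "net localgroup administrators"),
    ("2021-03-04T13:07:00", "WS-0101", "svchost.exe",    "netstat -ano"),          # not T1069
    ("2021-03-04T12:20:00", "WS-0099", "cmd.exe",        "net localgroup administrators"),
]

# Command-line patterns mapped to MITRE sub-techniques:
# T1069.001 = local groups, T1069.002 = domain groups. (Assumed, illustrative mapping.)
T1069_PATTERNS = [
    (re.compile(r"\bnet1?\s+localgroup\b", re.I), "T1069.001"),
    (re.compile(r"Get-LocalGroupMember", re.I), "T1069.001"),
    (re.compile(r"\bnet1?\s+group\b.*\s/domain\b", re.I), "T1069.002"),
    (re.compile(r"Get-ADGroupMember", re.I), "T1069.002"),
]


def classify(cmdline):
    """Return the T1069 sub-technique a command line matches, or None."""
    for pattern, technique in T1069_PATTERNS:
        if pattern.search(cmdline):
            return technique
    return None


def flag_events(events):
    """Keep only T1069 hits as (timestamp, endpoint, parent, technique, cmdline)."""
    flagged = []
    for ts, endpoint, parent, cmdline in events:
        technique = classify(cmdline)
        if technique:
            # Parent process is carried through so an analyst can separate an
            # interactive shell from management tooling during triage.
            flagged.append((ts, endpoint, parent, technique, cmdline))
    return flagged


def hits_per_endpoint(flagged):
    """Count hits per endpoint: 'multiple times per endpoint' is the first thing to size."""
    counts = defaultdict(int)
    for _, endpoint, _, _, _ in flagged:
        counts[endpoint] += 1
    return dict(counts)


def split_by_audit_window(flagged, audit_start, window_minutes=30):
    """Split hits into those inside/outside a window after an admin-inventory run.

    Hits clustered inside the window are candidates for correlation with that
    run; hits outside it need a different explanation.
    """
    start = datetime.fromisoformat(audit_start)
    end = start + timedelta(minutes=window_minutes)
    inside, outside = [], []
    for event in flagged:
        ts = datetime.fromisoformat(event[0])
        (inside if start <= ts <= end else outside).append(event)
    return inside, outside


def fleet_fraction(flagged, fleet_size):
    """Share of the fleet that produced at least one hit (distinct endpoints / fleet size)."""
    return len({event[1] for event in flagged}) / fleet_size


if __name__ == "__main__":
    hits = flag_events(SAMPLE_EVENTS)
    print("per-endpoint hit counts:", hits_per_endpoint(hits))
    inside, outside = split_by_audit_window(hits, "2021-03-04T12:45:00")
    print(f"{len(inside)} hits inside the audit window, {len(outside)} outside")
    print(f"fraction of an assumed 1300-endpoint fleet: {fleet_fraction(hits, 1300):.4f}")
```

The split by audit window is the useful part for the second question: if every hit sits inside the window after the inventory query and the command lines match what that query runs, correlation is plausible; a hit well before the window (WS-0099 at 12:20 in the constructed data) cannot be explained that way and warrants a closer look at the parent process and user.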

  • Hello - good spot! Kris is adding to the forum right now, so you should be able to find it shortly.

  • Hello

    I'm struggling to find Kris Wayman's Live Discover queries, in particular the "Logon Attempts w/ Abuse Score".

    I've looked through the Live Discover & Response Query Forum: https://community.sophos.com/intercept-x-endpoint/i/query-forum

    Are they available please?

    Thanks.