April 03, 2024

It’s Oh So Quiet (?): The Sophos Active Adversary Report for 1H 2024

The latter half of 2023 found numerous fronts on which attackers failed to press ahead. Are defenders failing to take advantage?

Threat Research

March 20, 2024

Remote Desktop Protocol: The Series

What is RDP, why is it a very nearly ubiquitous finding in incident response, and how can investigators run it to ground it when it goes wrong? An Active Adversary Special Report

Security OperationsThreat Research

March 20, 2024

Remote Desktop Protocol: Exposed RDP (is dangerous)

Is it really that risky to expose an RDP port to the internet? What if you change the default port? What if it’s just for a little while? The data answers, loud and clear

Security Operations

March 20, 2024

Remote Desktop Protocol: Queries for Investigation

How can defenders begin to make sense of RDP issues on their networks? We present three powerful tools for investigators’ toolkits

Security Operations

March 20, 2024

Remote Desktop Protocol: How to Use Time Zone Bias

Where in the world is your attacker? Presenting a less-known but useful event to look for in your logs

Security Operations

March 20, 2024

Remote Desktop Protocol: Executing the 4624_4625 Login Query

Keeping an eye on who’s trying to get onto your network – whether or not they’re successful – can pay off on multiple fronts

Security Operations

March 20, 2024

Remote Desktop Protocol: Executing the External RDP Query

On the hunt for successful RDP connections that have entered your network from outside? A step-by-step guide (and a query to get you started)

Security Operations

November 14, 2023

The song remains the same: The 2023 Active Adversary Report for Security Practitioners

The remarkable decline in attacker dwell time is now well-documented, but what does that mean for those doing the hands-on work of infosecurity?

Threat Research

November 08, 2023

Identifying Group Policy attacks

A threat hunt looks at three attacker changes to a compromised Active Directory, and explains how to both understand and overcome them

Threat Research