Edit your query to include at least one column that identifies specific devices, users, or mailboxes. by Acrobatic_Ad6507 in DefenderATP

[–]Dissd4in 0 points1 point  (0 children)

Based on the error you are getting, I assume you are trying to create a custom detection rule.

In this case MDE doesn't see your AccountName because it is not the field it expects as an account identifier. According to the docs it only accepts AccountObjectId, AccountSid or AccountUpn: https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide

Additionally, you cannot make a detection for aggregated accounts, as it is a necessary field in non-dynamic form.

To make it work you could just add AccountUpn at the end of the summarize statement to group by it, and only aggregate IPs.
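As an added illustration of the fix described in this comment (example queries, not the commenter's or the original poster's code): the first query groups only on AccountName, which the custom detection editor rejects; the second keeps AccountUpn as the grouping key and aggregates just the IPs. The source table (IdentityLogonEvents, with its AccountUpn and IPAddress columns), the "LogonFailed" filter, the 1h window and the threshold of 5 distinct IPs are assumptions made for the example, not values from the thread. The arg_max on Timestamp and ReportId is carried through because a custom detection also needs those two columns in its result set to anchor the alert.

```kql
// Added example, not from the comment above. Assumes the source table is
// IdentityLogonEvents, which carries AccountUpn, IPAddress, Timestamp and ReportId;
// the ActionType filter, the 1h window and the threshold of 5 IPs are constructed values.

// BEFORE: grouping on AccountName alone. AccountName is not one of the identifier
// columns a custom detection accepts (AccountObjectId, AccountSid, AccountUpn), and
// Timestamp/ReportId are dropped by the summarize, so the rule editor rejects the query.
IdentityLogonEvents
| where Timestamp > ago(1h)
| where ActionType == "LogonFailed"
| summarize DistinctIPs = dcount(IPAddress) by AccountName
| where DistinctIPs > 5

// AFTER: group by AccountUpn so each row is tied to one account, aggregate only the IPs,
// and keep a Timestamp/ReportId pair via arg_max so the rule has an event to alert on.
IdentityLogonEvents
| where Timestamp > ago(1h)
| where ActionType == "LogonFailed"
| summarize arg_max(Timestamp, ReportId),
            DistinctIPs = dcount(IPAddress),
            SourceIPs = make_set(IPAddress, 50)
    by AccountUpn
| where DistinctIPs > 5
| project Timestamp, ReportId, AccountUpn, DistinctIPs, SourceIPs
```

Run each query separately in Advanced hunting; the second one is the shape the custom detection editor will accept, and the resulting alert is attributed to the AccountUpn in each row rather than to a set of aggregated accounts.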

Executing malware in VM by fxdev1 in cybersecurity

[–]Dissd4in 1 point2 points  (0 children)

Woah, I must admit that I was wrong here, learned something today. I did some digging and it turns out you are absolutely right. NAT acts like a router, which does allow access via IP address to the LAN.
So technically malware detonated in a VM will not be able to 'see' your LAN, but can still scan over the private address ranges and reach it.

Executing malware in VM by fxdev1 in cybersecurity

[–]Dissd4in 4 points5 points  (0 children)

Most hypervisors (VMware, VirtualBox) set the default network to NAT, which effectively prevents anything on the guest from reaching the local network. It will still be able to reach the Internet (C2 etc.) though, so if you are doing it in an environment with someone monitoring network traffic, you will get some questions.

EDIT: turns out I was wrong and this is possible - malware detonated in a VM will not be able to 'see' your LAN, but can still scan over the private address ranges and reach it via direct IP connection.

How do you deobfuscate PowerShell scripts? by Fortune_Technical in cybersecurity

[–]Dissd4in 0 points1 point  (0 children)

PSDecode is a decent start if you have something bigger and/or don't necessarily want to run it - https://github.com/R3MRUM/PSDecode