Welcome to JohnCySA! A site for the Digital Forensics and Incident Response blogs written by John - Cyber Security Analyst.

'About Me' coming soon... Possibly.

In a malware infection investigation, I identified a high confidence artefact of file opening for Adobe Acrobat Reader.

I carried out some experiments to confirm which implementations of MFA in Azure AD are sufficient to protect against the TeamFiltration Exfil module's MFA bypass capabilities, should a user's credentials have been compromised.

During a single endpoint compromise investigation, I identified a cool use case for conducting forensics with Microsoft's EDR tool 'Defender for Endpoint' - lifting the veil on Incognito browsing sessions.

How attackers are bypassing Multi-Factor Authentication with stolen session cookies and what you can look out for in Azure Active Directory Sign-in Logs.

A resource for mapping User Agents observed in Defender for Cloud Apps and Unified Audit Logs to common Microsoft 365 attack tools.

A blog which asks: What does WeTransfer data exfiltration look like to the forensic investigator?

A handy how-to guide for creating custom detection rules for F-Secure's event log threat hunting tool 'Chainsaw'.

An in-depth analysis of artefacts left on a host by the Quick Assist remote administration tool.

New blogs coming soon... Probably.