Had this saved in the WIP folder forever
KQL for anti-forensics activities
https://github.com/AttacktheSOC/Azure-SecOps/blob/main/KQL/Endpoint/AntiForensicsActivityOnEndpoint.md
So much can be added to this. Think third-party tools to aid anti-forensics, browser forensics... too much to name
OMG, look at this 😶 updates to come! https://github.com/MikeHorn-git/WAFS/tree/main
Comments
Also asked GPT to clean it up and consolidate it as it was a mess
@wietzebeukema.nl ArgFuscator really comes to mind on this one
🤔 Could look at the InitiatingProcess + the InitiatingAccount