Hunting DKIM Replay Attacks and Infrastructure using DefenderXDR
www.linkedin.com/pulse/defend...
📚 Notepad++ Hijacked by State-Sponsored Threat Actor
Heads up, defenders: a supply chain compromise targeting Notepad++ has been linked to state-sponsored activity. Here's a Sentinel KQL to help you hunt for potentially affected endpoints🫡
github.com/SlimKQL/Hunt...
LDAPNightmare POC Detection
www.safebreach.com/blog/ldapnig...
Custom detection code:
github.com/SlimKQL/Hunt...
Custom DefenderXDR Detection - Blocking 24 Malicious Chrome Extensions🛡️
www.extensiontotal.com/cyberhaven-i...
Hunting 16 Malicious Chrome Extensions🔥
thehackernews.com/2024/12/16-c...
github.com/SlimKQL/Hunt...
🚨 Reports suggest US authorities may ban TP-Link Wi-Fi routers in 2025. Regulated industries, ensure your end users aren't connected to TP-Link routers. Use MDE discovery and DefenderXDR's SeenBy() to detect connections. 🛡️📡
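Added example, not code from the original post: one way to do the hunt described above, listing discovered (not onboarded) devices whose vendor or model string contains "TP-Link" and resolving which onboarded endpoints have seen them. It assumes the DefenderXDR DeviceInfo table and the device-discovery SeenBy() function; the assumption that each element SeenBy() returns is an onboarded DeviceId is marked in the comments and should be checked against your tenant's output before relying on the join.

```kql
// Added example (not from the original post). Discovered TP-Link devices and
// the onboarded endpoints that observed them, via MDE device discovery.
// Assumes: DeviceInfo populated by device discovery; SeenBy() available;
// each SeenBy() element is an onboarded DeviceId (assumption, verify in tenant).
let lookback = 7d;
let discoveredTpLink = DeviceInfo
| where Timestamp > ago(lookback)
| where OnboardingStatus != "Onboarded"                // discovered, not managed
| where Vendor has "TP-Link" or Model has "TP-Link"    // plain string match, tune as needed
| summarize arg_max(Timestamp, *) by DeviceId          // latest record per device
| extend SeenBy = SeenBy()                             // onboarded observers
| mv-expand SeenBy
| extend ReportingDeviceId = tostring(SeenBy);
let onboardedNames = DeviceInfo
| where Timestamp > ago(lookback)
| where OnboardingStatus == "Onboarded"
| summarize arg_max(Timestamp, DeviceName) by DeviceId
| project ReportingDeviceId = DeviceId, ReportingDeviceName = DeviceName;
discoveredTpLink
| join kind=leftouter onboardedNames on ReportingDeviceId
| project Timestamp, DiscoveredDevice = DeviceName, Vendor, Model, DeviceType,
          DeviceCategory, ReportingDeviceName, ReportingDeviceId
| order by Timestamp desc
```

The ReportingDeviceName column is the endpoint to chase: it is the managed laptop or desktop that sits on the same segment as the TP-Link device, which is what the post asks regulated industries to check.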
Advanced Vishing KQL Detection by sending your Teams PSTN call log to ADX 🎯
www.trendmicro.com/en_us/resear...
Thanks! :) The threat actor's social engineering attacks are targeting normal business users; users with privileged roles are technical in nature and tend not to follow these types of instructions, hence I exclude this group of privileged-role users.
PowerShell Self-Pwn Detection
Proofpoint highlights a social engineering tactic where users are tricked into running malicious PowerShell scripts, leading to malware infections. Despite needing user interaction, the attack's success relies on clever social engineering.
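Added example, not the post's own detection: a DefenderXDR advanced hunting query for the "paste this fix into Run" pattern the Proofpoint write-up describes. When a user launches a command from the Run dialog or Explorer, the resulting shell has explorer.exe as its parent, so the query pairs that parent with download-and-execute tokens on the command line. The token list is an editorial heuristic (assumption), not a vendor signature, and will need tuning per environment.

```kql
// Added example (not from the original post). PowerShell / cmd / mshta spawned
// directly by explorer.exe (Run dialog, Explorer) with download-and-execute
// tokens on the command line: the residue of a self-inflicted "fix" script.
// Assumes the DefenderXDR DeviceProcessEvents table. Keyword list is an assumption.
let suspiciousTokens = dynamic([
    "iwr", "Invoke-WebRequest", "irm", "Invoke-RestMethod",
    "iex", "Invoke-Expression", "DownloadString", "FromBase64String",
    "-EncodedCommand", "-enc", "mshta", "curl"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "explorer.exe"            // launched by the shell, not a script/IDE
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")
| where ProcessCommandLine has_any (suspiciousTokens)
| extend Hidden = ProcessCommandLine has_any ("-w hidden", "-WindowStyle Hidden", "WindowStyle Hidden")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          Hidden, InitiatingProcessFileName, ReportId
| order by Timestamp desc
```

Keep Timestamp, DeviceName (or DeviceId) and ReportId in the projection if you want to turn this into a custom detection rule; those columns are what the rule engine uses to attach alerts to the right device.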
Detecting Teams Red Team Tool ConvoC2
cybersecuritynews.com/red-team-too...
SentinelLabs observed a threat actor targeting service providers in Southern Europe abusing Visual Studio Code tunnels to maintain persistent remote access to compromised systems. www.bleepingcomputer.com/news/securit... KQL to detect such abuse.
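Added example, not the post's own KQL: a DefenderXDR hunting query that surfaces VS Code tunnel use from two angles, the `code ... tunnel` process invocation and outbound connections to the tunnel service domains. The process names and the two domain suffixes (tunnels.api.visualstudio.com, devtunnels.ms) are assumptions written from how the VS Code remote tunnel feature is normally used; confirm them against your own telemetry before alerting on them.

```kql
// Added example (not from the original post). VS Code tunnel activity seen as
// (a) the tunnel subcommand on the command line and (b) network connections
// to the tunnel relay domains. Assumes DefenderXDR DeviceProcessEvents and
// DeviceNetworkEvents; domain list and process names are assumptions.
let lookback = 30d;
let tunnelDomains = dynamic(["tunnels.api.visualstudio.com", "devtunnels.ms"]);
let procHits = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ ("code.exe", "code-insiders.exe", "code-tunnel.exe", "code")
| where ProcessCommandLine has "tunnel"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          ReportId, Source = "process";
let netHits = DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where RemoteUrl has_any (tunnelDomains)
| project Timestamp, DeviceName,
          AccountName = InitiatingProcessAccountName,
          FileName = InitiatingProcessFileName,
          ProcessCommandLine = InitiatingProcessCommandLine,
          ReportId, Source = "network";
union procHits, netHits
| summarize Events = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Sources = make_set(Source), CommandLines = make_set(ProcessCommandLine, 5)
  by DeviceName, AccountName, FileName
| order by LastSeen desc
```

A device that shows up with Sources == ["network"] only, and a non-VS-Code FileName, is the interesting case: something other than the editor is talking to the tunnel service, which is what a renamed or dropped tunnel binary looks like.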
Detect Black Basta Ransomware Campaign RMM Tools Deployment - Social Engineering Attack via Teams where the ransomware operator sends a SharePoint link to the user to download portable RMM tools to evade detection by the web proxy. www.rapid7.com/blog/post/20...
Thank you! 😄🙏
The KQL Grimoire 📖
A collection of the most sought-after KQL spells for Microsoft Sentinel and DefenderXDR
www.linkedin.com/pulse/slims-...
New URL File NTLM Hash Disclosure Vulnerability Detection (0day)
A highly accurate DefenderXDR exposure management detection for URL File NTLM Hash Disclosure Vulnerability (0day) www.bleepingcomputer.com/news/securit...
github.com/SlimKQL/Hunt...
In AD environments, Timeroasting exploits NTP authentication to request password hashes of computer/trust accounts. If non-standard or legacy passwords are used, offline brute-forcing is possible. I've created a KQL query to detect such activities. #KQL #Timeroast
github.com/SlimKQL/Hunt...
Sharing a Sentinel KQL detection for ShadowHound by Friends-Security, which enhances AD enumeration for security assessments. Beware: it can be misused by threat actors & red teamers for reconnaissance. My KQL rule helps identify and mitigate these risks. #KQL #ShadowHound
Hunting Rockstar 2FA: A Key Player in Phishing-as-a-Service (PaaS)
www.trustwave.com/en-us/resour...
Social Engineering Attack Alert - Teams & Emails
Kevin Beaumont shared insights on helping orgs recover from ransomware attacks. Key tactic: social engineering. Attackers used phone recon to gather contacts, then flooded users with emails & Teams messages. Custom KQL script for early detection:
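Added example, not the post's own detection script: an early-warning query for the email flood stage of the campaign described above, which is what gives the attacker a pretext for the follow-up "IT support" Teams message. It assumes the DefenderXDR EmailEvents table; the 15-minute bin and the 50-message / 20-distinct-sender-domain thresholds are editorial starting points to tune per tenant. Teams messages are not covered here.

```kql
// Added example (not from the original post). Mailboxes that receive an
// unusual burst of inbound mail from many unrelated sender domains within a
// short window (subscription / email bombing). Assumes DefenderXDR EmailEvents.
// Thresholds below are assumptions to tune.
let window = 15m;
let minMessages = 50;
let minSenderDomains = 20;
EmailEvents
| where Timestamp > ago(1d)
| where EmailDirection == "Inbound"
| summarize
    Messages = count(),
    SenderDomains = dcount(SenderFromDomain),
    SampleSubjects = make_set(Subject, 5),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
  by RecipientEmailAddress, Bin = bin(Timestamp, window)
| where Messages >= minMessages and SenderDomains >= minSenderDomains
| extend MessagesPerMinute = round(todouble(Messages) / (toint(window / 1m)), 1)
| project Bin, RecipientEmailAddress, Messages, SenderDomains, MessagesPerMinute,
          FirstSeen, LastSeen, SampleSubjects
| order by Messages desc
```

Requiring many distinct sender domains as well as volume is what separates a bombing run from a legitimately busy mailbox such as a shared inbox or a mailing-list subscriber.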
CloudApp BEC Defense Policy - Axios
Attackers bypass MFA using a phishing framework with Axios HTTP client. Detect compromise in sign-in logs with user agent axios/1.7.7. Proposing auto-detection & isolation for SecOps assessment.
Sources: Asger Deleuran Strunk / Stephan Berger
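Added example, not the post's own policy: a Sentinel query that isolates successful sign-ins arriving through an Axios HTTP client, which is the user-agent fingerprint the post calls out. It matches the "axios/" prefix rather than the single 1.7.7 version so that a kit update does not silently break the detection; the 14-day window is an editorial choice. It assumes the Sentinel SigninLogs table (in DefenderXDR advanced hunting the equivalent columns live in AADSignInEventsBeta).

```kql
// Added example (not from the original post). Successful Entra ID sign-ins
// whose user agent is an Axios HTTP client, as used by attacker-in-the-middle
// phishing frameworks that proxy the victim's session and relay MFA.
// Assumes the Sentinel SigninLogs table; window and prefix match are assumptions.
let lookback = 14d;
SigninLogs
| where TimeGenerated > ago(lookback)
| where UserAgent startswith "axios/"            // covers axios/1.7.7 and any later version
| where ResultType == 0                          // successful sign-ins only
| extend MfaSatisfied = AuthenticationRequirement == "multiFactorAuthentication"
| summarize
    SignIns = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    SourceIPs = make_set(IPAddress, 10),
    Apps = make_set(AppDisplayName, 10),
    UserAgents = make_set(UserAgent, 5),
    CaResults = make_set(ConditionalAccessStatus, 5)
  by UserPrincipalName, MfaSatisfied
| order by LastSeen desc
```

A row with MfaSatisfied == true is the case the post is about: the factor was completed, but through the proxy, so the session token is in the attacker's hands. That is the row to feed into an automated "mark user as compromised" or session-revocation action rather than a plain alert.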
The Perfect Custom Detection ... 😘
Using CloudApp & Behaviour Analytics to detect malicious threat actor Copilot Agent.
#Cybersecurity #DefenderXDR #CloudApp #CopilotAgent #KQL
Copilot Agent: The Good, the Bad, and the Ugly
www.linkedin.com/pulse/copilo...