Ops Centre | Fezzan

AccessOps Centre

Thought Process

Operational Workflow

step type

SIEM

OSINT

Logic

Manual

Don't just clear the alert queue; own the incident from the first telemetry blip to the final client debrief. Before even touching a log, establish the business context: Is it the end of the financial quarter? Did the CFO just return from PTO? Attackers know the business rhythm—to catch them, you have to understand it better.

⚠

Common miss: Treating an alert as isolated telemetry. If an EDR sensor suddenly goes dark right before an impossible travel alert fires for the same user, that's not two tickets. That's a coordinated intrusion.

TA0001TA0043

SIEMDefender XDREntra ID

PHASE_01 · ANALYST

query_logic

KQL

1// Baseline: concurrent alerts on same entity

2SecurityAlert

3| where TimeGenerated > ago(30d)

4| where Entities has '<UPN>'

5| summarize AlertCount=count(),

6 Severities=make_set(AlertSeverity)

7 by AlertName, ProductName

8| order by AlertCount desc

011 / 8

Work

Incident Reports

Read All→

INCIDENT REPORTS

10 active reports

T1204.002T1566.002T1098.001

Writing

Analyst Notes

Read All→

ANALYST NOTES

12 analyst notes

RansomwareEntraSentinel

Incident Reports · Active

HIGHT1204.002

Malware — Trojan Dropper Masquerading as PDF Utility

Defender quarantined dropper signed with revoked cert before execution. No C2 observed.

30/72 VT engines — strong malicious consensus
RED ROOT LTD cert — known malicious signer
Estate-wide hash hunt — single endpoint

MalwareEndpoint

MEDT1566.002

Phishing — LOTS Platform Abuse with KYC Lure

Threat actor abused legitimate SaaS doc platform to target two named employees.

Legitimate sender domain — LOTS pattern
Per-recipient tracking tokens embedded
RF Score 15 on attacker infrastructure

PhishingLOTS

MEDT1098.001

OAuth Consent — Persistent Mailbox Access Granted

User granted Mail.Read + Offline_access to third-party AI app. MFA-bypassing refresh token created.

Offline_access = MFA-bypassing refresh token
Consent IP confirmed as Microsoft OAuth infra
Tenant-wide consent audit triggered

OAuthIdentity

Analyst Notes · Blue Team

NOTEBlue Team

Ransomware Precursor Detection: Pre-Encryption Kill Chain

Identifying the 4-phase pre-encryption operational pattern: discovery, credential harvesting, staging, and inhibit recovery.

RansomwareEDRKill Chain

NOTEBlue Team

Identity Analytical Pivots: Session & Token Integrity

Beyond simple MFA verification. Auditing Token Theft (AitM) and Session Authority through orthogonal telemetry pivots.

EntraToken TheftAitM

NOTEBlue Team

Sentinel Workspace Hygiene & Ingestion Cost Governance

Auditing table-level ingestion volumes, identifying verbose data sources, and implementing transformation-based cost controls.

SentinelCostGovernance

SOC Operations

Impact

Total Tickets0+All time

Threats Remediated0+Confirmed incidents

Total Escalated0+Escalated tickets

Ticket Severity Breakdown

Medium2.30K

Low2.20K

High0.20K

Medium2.30K

Low2.20K

High0.20K

HUNT · CONTAIN · IMPROVE

Hunt

TH-0001Credential Dumping via Qilin-Affiliated Tooling

Privilege Escalation↗︎

TH-0002COLDRIVER (UNC4057) — NOROBOT DLL Loader via rundll32

Initial Access↗︎

TH-0003Qilin BYOVD — eskle.sys Vulnerable Driver Load

Defense Evasion↗︎

TH-0004Xdebug Remote Session Abuse — phpstorm Debug Interface

Initial Access↗︎

TH-0005Malicious npm Package — Obfuscated Payload via node.exe

Execution↗︎

TH-0006Exfiltration Over C2 Channel — IOC 195.133.79.43

Exfiltration↗︎

TH-0007UNC6040 & UNC6395 — Salesforce Single-Factor Auth Abuse

Initial Access↗︎

TH-0008CVE-2026-21519 — Desktop Window Manager LPE (Zero-Day, Actively Exploited)

Privilege Escalation↗︎

TH-0009AnyDesk Revoked Code-Signing Certificate — C2 Alert Pivot

Execution↗︎

Contain

HIGH⏱︎ 3d containment→︎

Trojan Dropper — PDF Utility Updater

Quarantined before execution. No C2 callback. Single endpoint — estate clean.

MED⏱︎ 5h containment→︎

Phishing — LOTS Platform KYC Lure

Both emails hard-deleted. Zero clicks confirmed across tenant.

MED⏱︎ ~21h containment→︎

OAuth Consent — Persistent Mailbox Access

Refresh token revoked. MFA-bypassing access channel closed.

All 10 incident reports →︎

Improve

TN-0001Suspicious Resource Deployment — Service Principal IP Rotation

SentinelKQL Filter↗︎

TN-0002Service Principal Login from New Country — Non-Critical Failure Loop

SentinelKQL Filter↗︎

TN-0003Sophos Firewall Threat Signature — Email Tracking Link Noise

SentinelKQL Filter↗︎

Tools & Stack

Capabilities

SIEM / Detection0

Endpoint0

Identity0

Operational Workflow

Receive

Enrich

Analyze

Map

Contain

Resolve

Hunt

Tune

Incident Reports

10 active reports

Analyst Notes

12 analyst notes

Malware — Trojan Dropper Masquerading as PDF Utility

Phishing — LOTS Platform Abuse with KYC Lure

OAuth Consent — Persistent Mailbox Access Granted

Ransomware Precursor Detection: Pre-Encryption Kill Chain

Identity Analytical Pivots: Session & Token Integrity

Sentinel Workspace Hygiene & Ingestion Cost Governance

Impact

Capabilities