diff --git a/_posts/2019-08-08-text-and-typography.md b/_posts/2019-08-08-text-and-typography.md new file mode 100644 index 00000000000..1c6b748643c --- /dev/null +++ b/_posts/2019-08-08-text-and-typography.md @@ -0,0 +1,184 @@ +--- +title: Text and Typography +author: cotes +date: 2019-08-08 11:33:00 +0800 +categories: [Blogging, Demo] +tags: [typography] +pin: true +math: true +mermaid: true +image: + path: /commons/devices-mockup.png + lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA + alt: Responsive rendering of Chirpy theme on multiple devices. +--- + +This post is to show Markdown syntax rendering on [**Chirpy**](https://github.com/cotes2020/jekyll-theme-chirpy/fork), you can also use it as an example of writing. Now, let's start looking at text and typography. + +## Headings + +

H1 - heading

+ +

H2 - heading

+ +

H3 - heading

+ +

H4 - heading

+ +## Paragraph + +Quisque egestas convallis ipsum, ut sollicitudin risus tincidunt a. Maecenas interdum malesuada egestas. Duis consectetur porta risus, sit amet vulputate urna facilisis ac. Phasellus semper dui non purus ultrices sodales. Aliquam ante lorem, ornare a feugiat ac, finibus nec mauris. Vivamus ut tristique nisi. Sed vel leo vulputate, efficitur risus non, posuere mi. Nullam tincidunt bibendum rutrum. Proin commodo ornare sapien. Vivamus interdum diam sed sapien blandit, sit amet aliquam risus mattis. Nullam arcu turpis, mollis quis laoreet at, placerat id nibh. Suspendisse venenatis eros eros. + +## Lists + +### Ordered list + +1. Firstly +2. Secondly +3. Thirdly + +### Unordered list + +- Chapter + + Section + * Paragraph + +### ToDo list + +- [ ] Job + + [x] Step 1 + + [x] Step 2 + + [x] Step 3 + +### Description list + +Sun +: the star around which the earth orbits + +Moon +: the natural satellite of the earth, visible by reflected light from the sun + +## Block Quote + +> This line shows the _block quote_. + +## Prompts + +> An example showing the `tip` type prompt. +{: .prompt-tip } + +> An example showing the `info` type prompt. +{: .prompt-info } + +> An example showing the `warning` type prompt. +{: .prompt-warning } + +> An example showing the `danger` type prompt. +{: .prompt-danger } + +## Tables + +| Company | Contact | Country | +|:-----------------------------|:-----------------|--------:| +| Alfreds Futterkiste | Maria Anders | Germany | +| Island Trading | Helen Bennett | UK | +| xyz | Giovanni Rovelli | Italy | + +## Links + + + +## Footnote + +Click the hook will locate the footnote[^footnote], and here is another footnote[^fn-nth-2]. + +## Inline code + +This is an example of `Inline Code`. + +## Filepath + +Here is the `/path/to/the/file.extend`{: .filepath}. + +## Code blocks + +### Common + +``` +This is a common code snippet, without syntax highlight and line number. +``` + +### Specific Language + +```bash +if [ $? 
-ne 0 ]; then + echo "The command was not successful."; + #do the needful / exit +fi; +``` + +### Specific filename + +```sass +@import + "colors/light-typography", + "colors/dark-typography"; +``` +{: file='_sass/jekyll-theme-chirpy.scss'} + +## Mathematics + +The mathematics powered by [**MathJax**](https://www.mathjax.org/): + +$$ \sum_{n=1}^\infty 1/n^2 = \frac{\pi^2}{6} $$ + +When $a \ne 0$, there are two solutions to $ax^2 + bx + c = 0$ and they are + +$$ x = {-b \pm \sqrt{b^2-4ac} \over 2a} $$ + +## Mermaid SVG + +```mermaid + gantt + title Adding GANTT diagram functionality to mermaid + apple :a, 2017-07-20, 1w + banana :crit, b, 2017-07-23, 1d + cherry :active, c, after b a, 1d +``` + +## Images + +### Default (with caption) + +![Desktop View](/posts/20190808/mockup.png){: width="972" height="589" } +_Full screen width and center alignment_ + +### Left aligned + +![Desktop View](/posts/20190808/mockup.png){: width="972" height="589" .w-75 .normal} + +### Float to left + +![Desktop View](/posts/20190808/mockup.png){: width="972" height="589" .w-50 .left} +Praesent maximus aliquam sapien. Sed vel neque in dolor pulvinar auctor. Maecenas pharetra, sem sit amet interdum posuere, tellus lacus eleifend magna, ac lobortis felis ipsum id sapien. Proin ornare rutrum metus, ac convallis diam volutpat sit amet. Phasellus volutpat, elit sit amet tincidunt mollis, felis mi scelerisque mauris, ut facilisis leo magna accumsan sapien. In rutrum vehicula nisl eget tempor. Nullam maximus ullamcorper libero non maximus. Integer ultricies velit id convallis varius. Praesent eu nisl eu urna finibus ultrices id nec ex. Mauris ac mattis quam. Fusce aliquam est nec sapien bibendum, vitae malesuada ligula condimentum. + +### Float to right + +![Desktop View](/posts/20190808/mockup.png){: width="972" height="589" .w-50 .right} +Praesent maximus aliquam sapien. Sed vel neque in dolor pulvinar auctor. 
Maecenas pharetra, sem sit amet interdum posuere, tellus lacus eleifend magna, ac lobortis felis ipsum id sapien. Proin ornare rutrum metus, ac convallis diam volutpat sit amet. Phasellus volutpat, elit sit amet tincidunt mollis, felis mi scelerisque mauris, ut facilisis leo magna accumsan sapien. In rutrum vehicula nisl eget tempor. Nullam maximus ullamcorper libero non maximus. Integer ultricies velit id convallis varius. Praesent eu nisl eu urna finibus ultrices id nec ex. Mauris ac mattis quam. Fusce aliquam est nec sapien bibendum, vitae malesuada ligula condimentum. + +### Dark/Light mode & Shadow + +The image below will toggle dark/light mode based on theme preference, notice it has shadows. + +![light mode only](/posts/20190808/devtools-light.png){: .light .w-75 .shadow .rounded-10 w='1212' h='668' } +![dark mode only](/posts/20190808/devtools-dark.png){: .dark .w-75 .shadow .rounded-10 w='1212' h='668' } + +## Video + +{% include embed/youtube.html id='Balreaj8Yqs' %} + +## Reverse Footnote + +[^footnote]: The footnote source +[^fn-nth-2]: The 2nd footnote source diff --git a/_posts/3CX Defender for Endpoint Hunting Queries.md b/_posts/3CX Defender for Endpoint Hunting Queries.md new file mode 100644 index 00000000000..6d84c982914 --- /dev/null +++ b/_posts/3CX Defender for Endpoint Hunting Queries.md 
@@ -0,0 +1,107 @@ +--- +title: 3CX Defender for Endpoint Hunting Queries +author: LJ +date: 2019-08-08 11:33:00 +0800 +categories: [Blogging, Demo] +tags: [typography] +pin: true +math: true +mermaid: true +image: + path: /commons/devices-mockup.png + lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA + alt: Responsive rendering of Chirpy theme on multiple devices. +--- +# Introduction + +3CX is a software development company with a large outreach, over 600,000 companies worldwide and around 12 million daily users. 3CX provide desktop applications which allows users to control voice calls from various different platforms. + +On 29th of March 2023, CrowdStrike observed malicious activity originating from signed files in their clients' environments, the files were 3CX desktop application. Crowstrike claim that the MacOS (version 18.11.1213) and Windows (versions 18.12.407 18.12.416) platforms have currently been identified as infected. + +The word signed here is particularly important. Without going on too much of a tangent, file signing is technique software vendors utilise to prove the authenticity of files. If a file is signed by a particular vendor, it *should* be safe. Malicious actors often try to imitate genuine software to evade detection but can't provide the signature of authenticity to go with it. They become unstuck here, as any keen eyed security analyst will notice the absence of such a signature. + +So, why is a signed file exhibiting signs of malicious activity? + +Pierre Jourdan, CISO of 3CX states in a blog post that a library bundled into their Windows Electron App has caused the issue but it is unclear at this stage as to what this library is, and as to how exactly this caused their desktop applications to become infected. 
We just know that this is how the attackers were able to embed malware into the genuine software. + +Does it really matter anyway? Yeah it does, it matters hugely but we won't know until 3CX say so lets focus on what we do know. The attack vector: + +1. The attack starts when the MSI file is downloaded from the 3CX website or an update is pushed to an already installed application. +2. MSI installer extracts two malicious files ffmpeg.dll and d3dcompiler.dll +3. Sophos state that ffmpeg is sideloaded and used to extract and decrypt a payload from d3dcomiler. +4. The decrypted shell code is executed and in-turn downloads icon files from a GitHub repository (I've left this out of the detection as the repo has long been taken down). +5. Base64 encoded strings attached to the end of these icon files are used to download a final DLL file which is used to steal information from the infected device. + +--- + +# Detection + +Onto the juicy bit. I work with the MS security stack so this detection logic is going to written in KQL. We are primarily going to be using the Device tables of Microsoft Defender for Endpoint here, so the device needs to have a Defender for Endpoint agent installed in order to see this activity. 
+ +In my mind, the first stage in detecting this is to detect if any of the computers in the organisation are running 3CX desktop applications: + +```sql +DeviceProcessEvents +| where FileName contains "3CX" or InitiatingProcessFileName contains "3CX" +//Software version specific tailoring - Comment out lines 5 and 7 to search for all versions of the software +//Comment out the line below  if trying to discover devices on Windows - Line below is for Mac +| where ProcessVersionInfoProductVersion contains "18.11.1213" + //Comment out the line below if trying to discover devices on Mac - Line below iqf for Windows versions affected +| where ProcessVersionInfoProductVersion has_any ("18.12.407","18.12.416") +| distinct DeviceName, FileName, SHA256 +``` + +With the KQL above you can search for any mention of 3CX in file names by commenting out lines detailed in the query you can search for specific windows versions, specific mac versions or (as I would recommend) do a flat search for 3CX despite what version it's on. + +This first step allows you to identify any shadow IT you have by looking for where 3CX processes are running on your devices. If you don't have any results, good for you you can go relax. + +If you have identified 3CX desktop apps running on your endpoints, uninstall them at your discretion. The infected 3CX versions side load two malicious dll files - **ffmpeg.dll** and **d3dcompiler.dll.** Lets detect them. + +``` +DeviceFileEvents +| where ActionType == "FileCreated" or ActionType == "FileModified" +| where InitiatingProcessFileName contains "msi" +| where FileName has_any ("ffmpeg.dll","d3dcompiler.dll") +``` + +*Note: I think Jabra use a dll called ffmpeg.dll so don't panic if you see this it might not be malicious. 
Check the hashes below:* + +**Malicious ffmpeg.dll -** c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02 + +7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896 + +**Malicious d3dcompiler.dll -** + +11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03 + +Still with me? + +Okay, lets try and identify some malicious behaviours of the application. We know that it beacons out to C2 instances. Crowdstrike have provided us with some domains that the infected software is known to be connecting to. Going forward these will be pretty futile (as the domains will likely get shut down, or the attackers will switch to avoid detection) but this could be handy if you want to detect whether any data has already been exfiltrated out of your network. + +``` +let maliciousDomains = dynamic(["akamaicontainer.com", "akamaitechcloudservices.com", "azuredeploystore.com","azureonlinecloud.com","azureonlinestorage.com","dunamistrd.com","glcloudservice.com","journalide.org", "msedgepackageinfo.com","msstorageazure.com","msstorageboxes.com","officeaddons.com","officestoragebox.com","pbxcloudeservices.com","pbxphonenetwork.com","pbxsources.com","qwepoi123098.com","sbmsa.wiki","sourceslabs.com", "visualstudiofactory.com", "zacharryblogs.com"]); +DeviceNetworkEvents +| where RemoteUrl has_any (maliciousDomains) +| where InitiatingProcessFileName contains "3CX" +``` + +Finally, here is one for detection going forward let's continue to monitor whether the 3CX application is spawning any suspicious processes: + +``` +let susTools = dynamic(["py","bsh","dll","ps1","psh","cmd","bat", "bash"]); +DeviceProcessEvents +| where InitiatingProcessFileName contains "3CX" +| where ProcessCommandLine has_any (susTools) oThey need to move to Arcr FileName has_any (susTools) +``` + +I hope this can help some people out there. Remember, Keep Calm and KQL. 
+ +## Resources + +Some resources I used to help me write this article: + +[Bleeping Computer](https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/) + +[CrowdStrike](https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/) + +[TrendMicro](https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html) \ No newline at end of file diff --git a/_posts/Demystifying Defender for Cloud.md b/_posts/Demystifying Defender for Cloud.md new file mode 100644 index 00000000000..84d2714c1cd --- /dev/null +++ b/_posts/Demystifying Defender for Cloud.md 
@@ -0,0 +1,87 @@ +--- +title: Demystifying Defender for Cloud +author: cotes +date: 2019-08-08 11:33:00 +0800 +categories: [Blogging, Demo] +tags: [typography] +pin: true +math: true +mermaid: true +image: + path: /commons/devices-mockup.png + lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA + alt: Responsive rendering of Chirpy theme on multiple devices. +--- + +# Introduction + +Defender for Cloud (DfC) is a cloud-native platform designed to protect multiple workloads, across several environments, by utilising a plethora of capabilities. Defender for Cloud isn’t new, it’s been available to the public since 2019, so why make a blog post on it now? + +Since the start of 2023 Defender for Cloud has cropped up multiple times during my day-to-day, and it seems to hold an air of mystery. During this article we will expand on why I think companies are (wisely) starting to pay more attention to defender for cloud, and dive a little deeper into the architecture. We will look at how all the pieces fit together in the Defender for Cloud puzzle and also how this materialises across multiple environments. + +# The Rise in Popularity + +This section talks about why I think DfC has seen rise in popularity during the start of this year. I think it’s important to highlight these points before we get into the meat of the product itself. + +Firstly, changes to Microsoft’s licensing model has influenced a change which creates a need for servers to be onboarded to Defender for Servers, one of Defender for Clouds capabilities. + +Microsoft have now deprecated Microsoft Defender for Endpoint for Servers licensing model. This licensing model allowed organisations to onboard servers directly to Defender for Endpoint and remain compliant by purchasing a licence for the onboarded server. 
When the renewal date arrives, defender for endpoint for servers licensing will not be available to companies using this licensing. This means companies with more than sixty servers need to start utilising Azure-Arc and Defender for Servers. + + + +The second point is that significant developments in recent releases of the Defender for Cloud connectors for AWS and GCP have made it much easier to connect and protect resources in multi-cloud environments. + +# Architecture Overview + +Part of the confusion around DfC I think is attributed to not necessarily complex architecture but a large one. Depending on the number of environments, onboarding can become overwhelming due to DfC’s requirement of connecting workloads in different environments via different methods. We will cover these in the next sections but let’s try and visualise the product’s coverage first. + +![Architecture](/assets/img/EngineeringContent/DfCArchitecture.drawio-2.png) + +As you can see Defender for Cloud provides security for a lot of different resources. In the sections below we will pick apart each how each of the environments are connected, but before we do that we need to pick apart Defender for Cloud itself. + +Defender for Cloud is like a wrapper, containing within it individual products to protect specific workload types. For example, virtual machines and other server like resources are protected by a capability within Defender for Cloud called Defender for Servers. On the other hand, containers onboarded to Defender for Cloud are protected by Defender for Containers. We can digest this easier by looking at the visual below. + +![Structure](/assets/img/EngineeringContent/DFCStructure-2.jpg) + +# Onboarding Methods + +For different environments and workloads, onboarding differs slightly. Let’s assume for the sake of brevity that during this section we are talking about onboarding servers. 
+ +## Direct Onboarding + +Following recent feedback from the security community (and annoying during the writing of this post) Microsoft have now introduced direct onboarding. Previously you had to onboard non-azure resources to DfC via Azure Arc, a lightweight software agent which is capable of deploying various extensions to connected machines. Direct onboarding no longer makes Azure Arc a requirement. + +Direct onboarding allows you to deploy defender for endpoint agents via traditional defender for endpoint onboarding methods, but utilise the Defender for Cloud capabilities* and licensing capabilities without the need for Azure Arc. It’s a great and very well welcomed option for admins with limited time and resource. + +*Microsoft does allude to some features of DfS Plan 2 not working correctly without Azure Arc. See the limitations listed in the documentation here. + +## Azure Arc + +For on-premises Microsoft recommends using Azure Arc, a service which essentially makes your on-premises workloads an Azure resource. Once these resources are joined to Azure, Arc enables simple provisioning of extensions for software such as Defender for Endpoint or the Azure Monitor Agent for log shipping. + + + + + +The onboarding process for Arc is different, and there are a tonne of guides out there showing the setup process, but to be honest the Azure Portal guides you through the setup fine. If you run into issues then I would always start troubleshooting the networking requirements first. + +## Third-party Cloud + +Third-party cloud services can be connected to Defender for Cloud through the environments tab. They are straightforward to set up and require no real maintenance. However, there are a couple of things to note with third-party services: + +1. They also use Azure Arc in the backend to provision the services, so the same network connectivity is required to the target machines in the third-party cloud. +2. 
The extent of the coverage is not the same as Azure resources. + + \ No newline at end of file
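Review bot: `_posts/2019-08-08-text-and-typography.md` is the Chirpy demo post (it says so in its first paragraph, and the body is lorem ipsum with `author: cotes` and the theme's placeholder `image`), and it carries `pin: true`, so it will sit pinned above the real articles on the index; drop the file or set `pin: false` before merging. Minor: the bash sample closes with `fi;`, where the trailing semicolon is unnecessary.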
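Review bot: the last KQL block in `_posts/3CX Defender for Endpoint Hunting Queries.md` does not parse: `| where ProcessCommandLine has_any (susTools) oThey need to move to Arcr FileName has_any (susTools)` has the sentence "They need to move to Arc" pasted into the middle of `or`; it should read `| where ProcessCommandLine has_any (susTools) or FileName has_any (susTools)`. The front matter is also copied unchanged from the demo post (`date: 2019-08-08`, `categories: [Blogging, Demo]`, `tags: [typography]`, `pin: true`, the placeholder `image`), which dates an article about a 29 March 2023 incident to 2019; set real values. Smaller points: only the first code fence is tagged (```` ```sql ````), the other three are bare, so highlighting will be inconsistent; the first query ANDs the Mac and Windows version filters, so it returns nothing unless one line is commented out, which the inline comments say but the prose should too; and typos "Crowstrike", "d3dcomiler" and "iqf for Windows".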
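Review bot: in `_posts/Demystifying Defender for Cloud.md`, the caveat "*Microsoft does allude to some features of DfS Plan 2 not working correctly without Azure Arc. See the limitations listed in the documentation here." has no link on "here", so the reader cannot reach the limitations it defers to; attach the URL. The front matter is again the demo post's (`author: cotes`, `date: 2019-08-08`, `categories: [Blogging, Demo]`, `tags: [typography]`, `pin: true`, demo `image`) although the text places the article in 2023; set the real author, date and categories. The runs of blank lines after the licensing paragraph and after the Azure Arc paragraph read as missing figures, so confirm whether an image was meant there, and the file lacks a trailing newline.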