IIS modules: The evolution of web shells and how to detect them
This blog aims to provide further guidance on detecting malicious IIS modules and other capabilities that you can use during your own incident response investigations.
-
-
Token tactics: How to prevent, detect, and respond to cloud token theft
As organizations increase their coverage of multifactor authentication (MFA), threat actors have begun to move to more sophisticated techniques to allow them to compromise corporate resources without needing to satisfy MFA. -
Microsoft Security tips for mitigating risk in mergers and acquisitions
Mergers and acquisitions can be challenging. -
Defenders beware: A case for post-ransomware investigations
The Microsoft Detection and Response Team (DART) details a recent ransomware incident in which the attacker used a collection of commodity tools and techniques, such as using living-off-the-land binaries, to launch their malicious code. -
The art and science behind Microsoft threat hunting: Part 2
In this follow-up post in our series about threat hunting, we talk about some general hunting strategies, frameworks, tools, and how Microsoft incident responders work with threat intelligence. -
The art and science behind Microsoft threat hunting: Part 1
At Microsoft, we define threat hunting as the practice of actively looking for cyberthreats that have covertly (or not so covertly) penetrated an environment. -
MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone
Microsoft security researchers have discovered a post-compromise capability we’re calling MagicWeb, which is used by a threat actor we track as NOBELIUM to maintain persistent access to compromised environments. -
Tarrask malware uses scheduled tasks for defense evasion
Microsoft Detection and Response Team (DART) researchers have uncovered malware that creates “hidden” scheduled tasks as a defense evasion technique. -
DEV-0537 criminal actor targeting organizations for data exfiltration and destruction
The activity we have observed has been attributed to a threat group that Microsoft tracks as DEV-0537, also known as LAPSUS$. -
Destructive malware targeting Ukrainian organizations
Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a destructive malware operation targeting multiple organizations in Ukraine. -
How to investigate service provider trust chains in the cloud
This blog outlines DART’s recommendations for incident responders to investigate potential abuse of these delegated admin permissions, independent of the threat actor. -
Protect your business from password sprays with Microsoft DART recommendations
This blog discusses DART’s investigation techniques and approach to responding to password spray attacks while outlining recommendations for protecting against them.
