Trojan:Win32/FoggyWeb.A!dha

Guidance for enterprise administrators

Customers should review their Active Directory Federation Services (AD FS) configuration and implement changes to secure these systems from attacks:

• Best Practices for securing AD FS and Web Application Proxy

Organizations must harden and secure AD FS deployments through the following best practices:

• Ensure only Active Directory Admins and AD FS Admins have admin rights to the AD FS system.
• Reduce local Administrators’ group membership on all AD FS servers.
• Require all cloud admins to use multi-factor authentication (MFA).
• Ensure minimal administration capability via agents.
• Limit on-network access via host firewall.
• Ensure AD FS Admins use Admin Workstations to protect their credentials.
• Place AD FS server computer objects in a top-level OU that doesn’t also host other servers.
• Ensure that all GPOs that apply to AD FS servers apply only to them and not to any other servers. This limits potential privilege escalation through GPO modification.
• Ensure that the installed certificates are protected against theft. Don’t store these on a share on the network and set a calendar reminder to ensure they get renewed before expiring (expired certificate breaks federation auth). Additionally, we recommend protecting signing keys or certificates in a hardware security module (HSM) attached to AD FS.
• Set logging to the highest level and send the AD FS (and security) logs to a SIEM to correlate with AD authentication as well as Azure AD (or similar).
• Remove unnecessary protocols and Windows features.

Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

• Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
• Turn on attack surface reduction rules, to block activity associated with this threat. To assess the impact of these rules, deploy them in audit mode.
• Block executable files from running unless they meet a prevalence, age, or trusted list criterion
• Block execution of potentially obfuscated scripts
• Educate end users about preventing malware infections. Practice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Restricting local administrative privileges can help limit installation of remote access tool (RAT)s and other unwanted applications.
• Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware.
• Software developers and publishers are advised to maintain secure build and update infrastructure and to establish a response process for supply chain attacks. Updates should always be delivered using SSL connections and signed components.