Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign

Credit to Author: Microsoft Security Threat Intelligence – Editor | Date: Tue, 11 Apr 2023 17:00:00 +0000

This guide provides steps that organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2022-21894 via a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus.

The post Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign appeared first on Microsoft Security Blog.


Guidance for investigating attacks using CVE-2023-23397

Credit to Author: Microsoft Security Threat Intelligence – Editor | Date: Fri, 24 Mar 2023 18:30:00 +0000

This guide provides steps organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397.

The post Guidance for investigating attacks using CVE-2023-23397 appeared first on Microsoft Security Blog.


IIS modules: The evolution of web shells and how to detect them 

Credit to Author: Microsoft Security Threat Intelligence – Editor | Date: Mon, 12 Dec 2022 17:00:00 +0000

This blog aims to provide further guidance on detecting malicious IIS modules and other capabilities that you can use during your own incident response investigations.

The post IIS modules: The evolution of web shells and how to detect them appeared first on Microsoft Security Blog.
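One check a responder can run on an IIS host, as an added example that is not code from the Microsoft post: enumerate the native modules registered in applicationHost.config and flag any whose DLL sits outside %windir%\System32\inetsrv, is missing, or is not validly signed by Microsoft. The function name, the "trusted directory" rule and the sample config at the bottom are this example's own assumptions; the sample is constructed so the function can be exercised offline, and calling it with no arguments inspects the live server's config.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the
# IIS host; pass -ConfigPath to inspect a copied applicationHost.config offline.
function Find-SuspiciousIisModule {
    param(
        [string]$ConfigPath = (Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config')
    )
    [xml]$config = Get-Content -Path $ConfigPath -Raw
    # Assumption: stock native modules live under %windir%\System32\inetsrv.
    $trustedDir = Join-Path $env:windir 'System32\inetsrv'

    foreach ($m in $config.configuration.'system.webServer'.globalModules.add) {
        # GetAttribute avoids the clash between the 'name' attribute and XmlElement.Name.
        $name    = $m.GetAttribute('name')
        $image   = [Environment]::ExpandEnvironmentVariables($m.GetAttribute('image'))
        $reasons = @()

        if (-not $image.StartsWith($trustedDir, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += 'outside inetsrv'
        }
        if (-not (Test-Path -LiteralPath $image)) {
            $reasons += 'image missing'
            $status = 'n/a'; $signer = $null
        } else {
            $sig    = Get-AuthenticodeSignature -FilePath $image
            $status = $sig.Status.ToString()
            $signer = $sig.SignerCertificate.Subject
            if ($status -ne 'Valid' -or $signer -notmatch 'Microsoft Corporation') {
                $reasons += "signature: $status"
            }
        }
        [PSCustomObject]@{
            Name       = $name
            Image      = $image
            Signature  = $status
            Signer     = $signer
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

# Constructed sample config (not a real server's file): one stock module and one
# registered from a world-writable directory, the pattern a dropped web shell module leaves.
$sampleConfig = @"
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="UpdateModule" image="%windir%\Temp\update.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"@
$tmp = Join-Path $env:TEMP 'sample-applicationHost.config'
Set-Content -Path $tmp -Value $sampleConfig
Find-SuspiciousIisModule -ConfigPath $tmp | Where-Object Suspicious | Format-Table -AutoSize
```

Managed modules registered under system.webServer/modules (type="..." rather than image="...") are not covered by this pass and need the same treatment against the assemblies in the site's bin directory and the GAC.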


Token tactics: How to prevent, detect, and respond to cloud token theft

Credit to Author: Paul Oliveria | Date: Wed, 16 Nov 2022 16:00:00 +0000

As organizations increase their coverage of multifactor authentication (MFA), threat actors are moving to more sophisticated techniques that let them compromise corporate resources without satisfying MFA at all, chiefly by stealing the tokens issued after a user has already completed authentication. Recently, the Microsoft Detection and Response Team (DART) has seen an increase in attackers utilizing token theft for this purpose.

The post Token tactics: How to prevent, detect, and respond to cloud token theft appeared first on Microsoft Security Blog.


Microsoft Security tips for mitigating risk in mergers and acquisitions

Credit to Author: Christine Barrett | Date: Wed, 02 Nov 2022 16:00:00 +0000

Mergers and acquisitions can be challenging. Microsoft’s Security Experts share what to ask before, during, and after one to secure identity, access control, and communications.

The post Microsoft Security tips for mitigating risk in mergers and acquisitions appeared first on Microsoft Security Blog.


Defenders beware: A case for post-ransomware investigations

Credit to Author: Paul Oliveria | Date: Tue, 18 Oct 2022 18:00:00 +0000

The Microsoft Detection and Response Team (DART) details a recent ransomware incident in which the attacker used a collection of commodity tools and techniques, such as using living-off-the-land binaries, to launch their malicious code.

The post Defenders beware: A case for post-ransomware investigations appeared first on Microsoft Security Blog.


The art and science behind Microsoft threat hunting: Part 2

Credit to Author: Matt Thomas | Date: Wed, 21 Sep 2022 16:00:00 +0000

In this follow-up post in our series about threat hunting, we talk about some general hunting strategies, frameworks, tools, and how Microsoft incident responders work with threat intelligence.

The post The art and science behind Microsoft threat hunting: Part 2 appeared first on Microsoft Security Blog.


Tarrask malware uses scheduled tasks for defense evasion

Credit to Author: Paul Oliveria | Date: Tue, 12 Apr 2022 16:00:00 +0000

Microsoft Detection and Response Team (DART) researchers have uncovered malware that creates “hidden” scheduled tasks as a defense evasion technique. In this post, we will demonstrate how threat actors create scheduled tasks, how they cover their tracks, and how the malware’s evasion techniques are used to maintain persistence on systems.

The post Tarrask malware uses scheduled tasks for defense evasion appeared first on Microsoft Security Blog.
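A hunting query for the hiding technique the full post describes, as an added example that is not code from the Microsoft post: Tarrask removes the SD (security descriptor) value from a task's entry under TaskCache\Tree, which makes the task disappear from schtasks /query and the Task Scheduler UI while the engine keeps running it from the untouched Tasks\{GUID} entry. The script below walks the Tree keys and reports every task entry that has an Id but no SD value, then pulls the Actions blob for triage. The function name and the crude UTF-16 rendering of Actions are this example's own choices; it assumes an elevated prompt, and that keys which come back access-denied are read by rerunning as SYSTEM (for example via psexec -s).

```powershell
# Added example (not from the original post). Run elevated; rerun as SYSTEM if
# the Tree or Tasks keys return access-denied.
$tree  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$tasks = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function Find-HiddenScheduledTask {
    Get-ChildItem -Path $tree -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_                                   # Microsoft.Win32.RegistryKey
        $id  = $key.GetValue('Id')                  # task entries carry an Id; folder keys do not
        if (-not $id) { return }
        if ($key.GetValueNames() -contains 'SD') { return }   # SD present: a normally registered task

        # The Tasks\{GUID} entry is what the engine actually executes; Tarrask leaves it intact.
        $taskKey = Get-Item -Path (Join-Path $tasks $id) -ErrorAction SilentlyContinue
        $actions = if ($taskKey) { $taskKey.GetValue('Actions') } else { $null }

        # Actions is a binary structure of length-prefixed UTF-16 strings; decoding the
        # whole blob as UTF-16 and blanking non-printables is enough to read the command line.
        $actionText = if ($actions) {
            (([Text.Encoding]::Unicode.GetString($actions) -replace '[^\x20-\x7E]', ' ') -replace '\s{2,}', ' ').Trim()
        } else { '<no Tasks entry>' }

        [PSCustomObject]@{
            TaskPath = $key.Name -replace '^.*\\TaskCache\\Tree', ''
            Id       = $id
            Actions  = $actionText
        }
    }
}

Find-HiddenScheduledTask | Format-List
```

Any hit is worth cross-checking against Get-ScheduledTask and the Task Scheduler operational log (Microsoft-Windows-TaskScheduler/Operational, event ID 4698 for creation, 106 in older builds); a task that runs in the log but is absent from the enumeration APIs is the signature the post describes.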
