Select Page
Snippet from Group Policy Object, Microsoft Defender Antivirus Policies

How to Manage Microsoft Defender on Windows Server via Intune

As companies adopt Microsoft Defender, there are certain questions coming from customers in terms of EPP management. These questions are mostly focusing on Microsoft Defender management in Windows Servers. I’d like to touch base on different management options for different ... continue reading
hewagen_0-1671804677570.png

Windows 10 or Windows 11 GPO ADMX – An Update

Hi community,   I am Helmut Wagensonner, a Cloud Solution Architect – Engineer at Microsoft. In a former blog (https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-or-windows-11-gpo-admx-which-one-to-use-for-your/ba-p/3063322), where I did a comparison between Windows 10 and Windows 11 ADMX files, I promised in my comments to do ... continue reading
Screenshot of malware code, a script that is used to download a remote code administration tool

Microsoft research uncovers new Zerobot capabilities

Botnet malware operations are a constantly evolving threat to devices and networks. Threat actors target Internet of Things (IoT) devices for recruitment into malicious operations as IoT devices’ configurations often leave them exposed, and the number of internet-connected devices continue ... continue reading
A geographical map that presents the countries where the devices affected by the botnet are located. Countries with affected devices are highlighted on the map in blue.

MCCrash: Cross-platform DDoS botnet targets private Minecraft servers

Malware operations continue to rapidly evolve as threat actors add new capabilities to existing botnets, increasingly targeting and recruiting new types of devices. Attackers update malware to target additional operating systems, ranging from PCs to IoT devices, growing their infrastructure ... continue reading
diagram

DEV-0139 launches targeted attacks against the cryptocurrency industry

Over the past several years, the cryptocurrency market has considerably expanded, gaining the interest of investors and threat actors. Cryptocurrency itself has been used by cybercriminals for their operations, notably for ransom payment in ransomware attacks, but we have also ... continue reading
Screenshot of a BATLOADER landing site that poses as a TeamViewer website hosting a fake installer.

DEV-0569 finds new ways to deliver Royal ransomware, various payloads

Recent activity from the threat actor that Microsoft tracks as DEV-0569, known to distribute various payloads, has led to the deployment of the Royal ransomware, which first emerged in September 2022 and is being distributed by multiple threat actors. Observed ... continue reading
A human-operated ransomware attack example highlighting C2 usage. The attacker begins with the initial access stage, followed by execution, the initial C2 connection, persistence, a beaconing C2 connection, a post-exploitation C2 connection that continues throughout the attack, leading to lateral movement, and the final impact stage.

Stopping C2 communications in human-operated ransomware through network protection

Command-and-control (C2) servers are an essential part of ransomware, commodity, and nation-state attacks. They are used to control infected devices and perform malicious activities like downloading and launching payloads, controlling botnets, or commanding post-exploitation penetration frameworks to breach an organization ... continue reading
This diagram shows the linear progression of earlier Raspberry Robin infections.

Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity

Microsoft has discovered recent activity indicating that the Raspberry Robin worm is part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread. These infections lead to ... continue reading
DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector

DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector

In recent months, Microsoft has detected active ransomware and extortion campaigns impacting the global education sector, particularly in the US, by a threat actor we track as DEV-0832, also known as Vice Society. Shifting ransomware payloads over time from BlackCat, ... continue reading
Timeline of events for a recent ransomware incident.

Defenders beware: A case for post-ransomware investigations

Ransomware is one of the most pervasive threats that Microsoft Detection and Response Team (DART) responds to today. The groups behind these attacks continue to add sophistication to their tactics, techniques, and procedures (TTPs) as most network security postures increase ... continue reading