
Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign
This guide provides steps that organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2022-21894 via a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus. UEFI bootkits are particularly dangerous as they run ...

Guidance for investigating attacks using CVE-2023-23397
This guide provides steps organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397. A successful exploit of this vulnerability can result in unauthorized access to an organization’s environment by triggering a Net-NTLMv2 ...

Monitor Azure Virtual Network Manager changes with event logging
Today, our customers establish and manage their Azure virtual networks at scale. As their number of network resources grows, the question of how to maintain connectivity and security among their scale of resources arises. This is where Microsoft Azure Virtual ...

How To Automate The Hybrid World Part Two Of Two
Hi, Jonas here! Or as we say in the north of Germany: "Moin Moin!" I’m a Microsoft Senior Cloud Solution Architect – Engineering (or short Sr. CSA-E) and in this article I want to talk about how to automate the hybrid world. Over ...

IIS modules: The evolution of web shells and how to detect them
Web exploitation and web shells are some of the most common entry points in the current threat landscape. Web servers provide an external avenue directly into your corporate network, which often results in web servers being an initial intrusion vector ...

Defenders beware: A case for post-ransomware investigations
Ransomware is one of the most pervasive threats that Microsoft Detection and Response Team (DART) responds to today. The groups behind these attacks continue to add sophistication to their tactics, techniques, and procedures (TTPs) as most network security postures increase ...

How to troubleshoot applications on Windows Containers with the Log Monitor tool
In my previous blog post, I showed how to manually troubleshoot Windows Containers by opening an interactive session to a container, running a PowerShell session, and using the Get-WinEvent cmdlet to view the application logs on the container instance. While ...

How to manually troubleshoot applications on Windows containers
Developers are more and more creating applications on containers, and guess what? It’s still up to us – ITPros – to troubleshoot anything that happens in production. Containers are not VMs, so where to even start, you might ask. We’ll ...

Azure Monitor: Audit your Azure and non-Azure SQL Server
Hi everyone, time passed since my last post. Hope you missed me. Today I am going to cover an interesting aspect on how to capture security audit events from both Azure and non-Azure SQL Server machines. Most of you probably ...

Forward On-Premises Windows Security Event Logs to Microsoft Sentinel
Hello, it has been a while since Raven and I have blogged on security. My little buddy Raven (miniature Schnauzer) has been dealing with genetic back problems that have made it difficult to run or jump, so her days of ...