Select Page
Timeline of events for a recent ransomware incident.

Defenders beware: A case for post-ransomware investigations

Ransomware is one of the most pervasive threats that Microsoft Detection and Response Team (DART) responds to today. The groups behind these attacks continue to add sophistication to their tactics, techniques, and procedures (TTPs) as most network security postures increase ... continue reading
Table showing the AV-Comparatives test cases and the corresponding results for Microsoft Defender for Endpoint (rows) in the following areas (columns): LSASS dumping was possible, Extracting credentials (offline) from respective minidump file was possible, Prevention by AV module, and Detection by EDR module.

Detecting and preventing LSASS credential dumping attacks

Obtaining user operating system (OS) credentials from a targeted device is among threat actors’ primary goals when launching attacks because these credentials serve as a gateway to various objectives they can achieve in their target organization’s environment, such as lateral ... continue reading
LEDBAT Background Data Transfer for Windows

LEDBAT Background Data Transfer for Windows

LEDBAT is the background data transfer product built into the Windows networking stack and recommended by the Windows Data Transport team for moving bulk data without interfering with foreground traffic. LEDBAT has a couple of advantages that make it our ... continue reading
Infection chain describing the usual tactics and techniques used by DEV-0270 actor group.

Profiling DEV-0270: PHOSPHORUS’ ransomware operations

Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including ... continue reading
fbinotto_0-1662504725093.png

Fun with Azure VPN

Introduction   Hi folks! My name is Felipe Binotto, Cloud Solution Architect, based in Australia. I decided to make this post for a couple reasons. The first reason is to demonstrate how you can quickly build a hub between your ... continue reading
MERCURY attack chain throughout the initial access, execution, discovery, persistence, credential theft, lateral movement, and communications stages.

MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations

In recent weeks, the Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team detected Iran-based threat actor MERCURY leveraging exploitation of Log4j 2 vulnerabilities in SysAid applications against organizations all located in Israel. MSTIC assesses with high confidence ... continue reading
Setting up DNS in a Hybrid Environment.

Setting up DNS in a Hybrid Environment.

Hello Folks, I’m not sure when this became a series, but it’s looking like it’s going to be ongoing. I’m hoping it can give the community a sense of how you can slowly adopt cloud services to enhance your on-prem ... continue reading
AndrewCoughlin_1-1658489043469.png

Accessing Key Vault from Another Subscription Over Private Endpoint

Introduction Hello everyone, Andrew Coughlin here and I am a Cloud Solutions Architect at Microsoft focusing on Azure IaaS. I recently received questions from a few of my customers about access to a key vault from a different subscription. In ... continue reading
Connect to your on-prem server from anywhere!

Connect to your on-prem server from anywhere!

Hello Folks, A few weeks ago, I wrote about upgrading my local network edge device with one capable of connecting to my Azure virtual network using a site-to-site VPN. I also mentioned that I would cover many other services and ... continue reading
Screenshot 2022-06-30 064051.jpg

Accessing Key Vault from another Subscription over public endpoint

Introduction Hello everyone, it has been a while, Andrew Coughlin here and I am a Customer Engineer at Microsoft focusing on Azure IaaS. I recently received questions from a few of my customers about access a key vault from a ... continue reading