Reading Configuration Manager Status Messages With PowerShell
Q: I can read Configuration Manager status messages using the Monitoring tab. Can I do it using PowerShell? A: Yes you can! We can accomplish this using SQL/WQL queries, plus the Win32 function FormatMessage. Better understanding Status Messages Before we ... continue reading

Improving AI-based defenses to disrupt human-operated ransomware
Microsoft’s deep understanding of human-operated ransomware attacks, which are powered by a thriving cybercrime gig economy, continuously informs the solutions we deliver to protect customers. Our expert monitoring of threat actors, investigations into real-world ransomware attacks, and the intelligence we ... continue reading

Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware
As announced today, Microsoft took action against the ZLoader trojan by working with telecommunications providers around the world to disrupt key ZLoader infrastructure. We used our research into this threat to enrich our protection technologies and ensure this infrastructure could ... continue reading

A closer look at Qakbot’s latest building blocks (and how to knock them down)
Multiple Qakbot campaigns that are active at any given time prove that the decade-old malware continues to be many attackers’ tool of choice, a customizable chameleon that adapts to suit the needs of the multiple threat actor groups that utilize ... continue reading

Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center
Windows 10 and Windows 11 have continued to raise the security bar for drivers running in the kernel. Kernel-mode driver publishers must pass the Hardware Lab Kit (HLK) compatibility tests, malware scanning, and prove their identity through extended validation (EV) ... continue reading

Application Guard Deployment by MECM
Introduction This is John Barbare and I am a Sr Customer Engineer at Microsoft focusing on all things in the Cybersecurity space. In this blog I will be focusing on Application Guard and the correct configuration/deployment for Microsoft Endpoint Configuration ... continue reading

How can I be notified any time a service goes down?
Q: How can I be notified any time a service goes down? A: The short, quick answer is to use WMI and PowerShell 7. You use PowerShell to create a temporary event subscription in WMI. WMI then monitors service changes and generates an alert as soon as it detects one. Basic Requirement To achieve this, you need Windows ... continue reading

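The temporary WMI event subscription the answer describes, as an added example that is not code from the original post. It uses the CIM cmdlets that ship with PowerShell 7 (Register-CimIndicationEvent rather than the Windows PowerShell-only Register-WmiEvent), a WQL intrinsic event that polls Win32_Service every 5 seconds, and an action block that writes a line to a log file. The log path, source identifier and the Spooler service used to trigger it are assumptions for the demo; the subscription lives only as long as the PowerShell process that created it.

```powershell
# Added example, not from the original post. Requires Windows and PowerShell 7
# (CimCmdlets module). Nothing is persisted in the WMI repository: closing the
# session or calling Unregister-Event removes the subscription.

# WQL intrinsic event: every 5 seconds compare Win32_Service instances and
# raise an event for each service whose State just became 'Stopped'.
# (Using PreviousInstance keeps "already stopped" services from firing.)
$query = @"
SELECT * FROM __InstanceModificationEvent WITHIN 5
WHERE TargetInstance ISA 'Win32_Service'
  AND TargetInstance.State = 'Stopped'
  AND PreviousInstance.State <> 'Stopped'
"@

# Assumed log location for the demo; the action block receives it via
# -MessageData because the action runs in its own runspace.
$logPath = Join-Path $env:TEMP 'service-down.log'

Register-CimIndicationEvent -Namespace 'root/cimv2' -Query $query `
    -SourceIdentifier 'ServiceDown' -MessageData $logPath -Action {
        $svc  = $Event.SourceEventArgs.NewEvent.TargetInstance
        $prev = $Event.SourceEventArgs.NewEvent.PreviousInstance
        $line = '{0:u} {1} ({2}) changed {3} -> {4}' -f (Get-Date),
                $svc.DisplayName, $svc.Name, $prev.State, $svc.State
        # Replace these two lines with e-mail, Teams, or an event-log write
        # if you want a real alert instead of a log line.
        Add-Content -Path $Event.MessageData -Value $line
        Write-Host $line -ForegroundColor Yellow
    } | Out-Null

Get-EventSubscriber -SourceIdentifier 'ServiceDown'   # confirm it is registered

# To test from an elevated session (assumed service name for the demo):
#   Stop-Service -Name Spooler; Start-Sleep 10; Get-Content $logPath
# To tear the subscription down:
#   Unregister-Event -SourceIdentifier 'ServiceDown'
```

The WITHIN clause sets the polling interval for intrinsic events; a very short interval costs CPU on hosts with many services, while a long one can miss a service that stops and restarts inside one interval. Because the subscription is tied to the PowerShell process, a permanent WMI event consumer or a scheduled task is needed if the alert must survive reboots.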
How to Update or Add a Registry Key Value with PowerShell
Q: I am having a problem trying to update the registry. I am using the New-ItemProperty cmdlet, but it fails if the registry key does not exist. I added the –Force parameter, but it still does not create the registry ... continue reading
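The failure described above, and its fix, as an added example that is not code from the original post: New-ItemProperty -Force only overwrites an existing value and never creates a missing parent key, so the key has to be created first with New-Item (whose -Force creates every missing level of the path). The function name, the HKCU:\Software\Contoso\Demo path and the value name are assumptions for the demo.

```powershell
# Added example, not from the original post. Works in Windows PowerShell 5.1
# and PowerShell 7 on Windows; the demo writes only under HKCU so it needs no
# elevation.

function Set-RegistryValue {
    # Hypothetical helper: create or update a registry value, creating the key if needed.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,   # e.g. HKCU:\Software\Contoso\Demo
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] $Value,
        [ValidateSet('String','ExpandString','DWord','QWord','Binary','MultiString')]
        [string] $Type = 'String'
    )

    # Step 1: make sure the key exists. New-Item -Force creates all missing
    # intermediate keys and is harmless if the key is already there.
    if (-not (Test-Path -LiteralPath $Path)) {
        if ($PSCmdlet.ShouldProcess($Path, 'Create registry key')) {
            New-Item -Path $Path -Force | Out-Null
        }
    }

    # Step 2: now New-ItemProperty can succeed. Without -Force it errors with
    # "The property already exists" on the second run; with -Force it overwrites.
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "Set $Type value")) {
        New-ItemProperty -LiteralPath $Path -Name $Name -Value $Value `
            -PropertyType $Type -Force | Out-Null
    }

    # Return what is actually stored so the caller can verify the write.
    Get-ItemPropertyValue -LiteralPath $Path -Name $Name
}

# Demo (assumed path and value name)
$key = 'HKCU:\Software\Contoso\Demo'
Set-RegistryValue -Path $key -Name 'EnableFeature' -Value 1 -Type DWord  # creates key and value
Set-RegistryValue -Path $key -Name 'EnableFeature' -Value 0 -Type DWord  # updates in place

# Clean up the demo key
Remove-Item -Path 'HKCU:\Software\Contoso' -Recurse
```

If you only ever need to change a value that is known to exist, Set-ItemProperty is the lighter choice; the create-key-then-create-value pattern above is what you want for idempotent configuration scripts that may run on a machine where the key has never been created.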

When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks
[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. Part 1 covered the evolution of the threat, how it spreads, and how it impacts ... continue reading

Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware
The Microsoft Threat Intelligence Center (MSTIC) alongside the Microsoft Security Response Center (MSRC) has uncovered a private-sector offensive actor, or PSOA, that we are calling SOURGUM in possession of now-patched, Windows 0-day exploits (CVE-2021-31979 and CVE-2021-33771). Private-sector offensive actors are ... continue reading