Select Page
Picture1.png

Create Your Own Custom Endpoint Administration Console Using Microsoft Power Apps

I've heard a bit of interest expressed recently in the ability to create a customizable Endpoint Configuration Manager (SCCM/ConfigMgr) console that could either be pruned down or featured up in a way to customize it to fit the specific needs ... continue reading
Analyzing attacks taking advantage of the Exchange Server vulnerabilities

Analyzing attacks taking advantage of the Exchange Server vulnerabilities

Microsoft continues to monitor and investigate attacks exploiting the recent on-premises Exchange Server vulnerabilities. These attacks are now performed by multiple threat actors ranging from financially motivated cybercriminals to state-sponsored groups. To help customers who are not able to immediately ... continue reading
MEM Home

Attack Surface Reduction Rules – Warn Mode with MEM/M365 Defender

Introduction This is John Barbare and I am a Sr Customer Engineer at Microsoft focusing on all things in the Cybersecurity space. In a previous blog back in July, 2020, I walked through a demo of setting up an Attack ... continue reading
GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence

GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence

Microsoft continues to work with partners and customers to expand our knowledge of the threat actor behind the nation-state cyberattacks that compromised the supply chain of SolarWinds and impacted multiple other organizations. As we have shared previously, we have observed ... continue reading

Using Get-Service in PowerShell 7 vs. Windows PowerShell 5.1

Q: How can I get the Username, and StartType for a Windows Service? A: Quick answer is PowerShell 7. Microsoft is doing a great job on PowerShell with each version they release. The simple answer to this question is a ... continue reading

Changing Drive Letters and Labels via PowerShell

Q: I want to change the drive letter and the drive label for a new USB drive. Is there a way with PowerShell? A: Of course. One way is to use WMI and the CIM cmdlets. PowerShell does not have ... continue reading
Graph showing timeline of the Necurs takedown and the staging and operation of StrangeU and RandomU

What tracking an attacker email infrastructure tells us about persistent cybercriminal operations

From March to December 2020, we tracked segments of a dynamically generated email infrastructure that attackers used to send more than a million emails per month, distributing at least seven distinct malware families in dozens of campaigns using a variety ... continue reading
Timeline graph showing developments in the Solorigate attack

Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop

More than a month into the discovery of Solorigate, investigations continue to unearth new details that prove it is one of the most sophisticated and protracted intrusion attacks of the decade. Our continued analysis of threat data shows that the ... continue reading
EA.gif

MEM – Endpoint Analytics Setup Operation and Troubleshooting

Hi IT Pros, Microsoft has just released Endpoint Manager – Endpoint Analytics. It is a cool feature, addressing service desk long time need to monitor and identify the devices which have delay sign-in time and performance issue even before Users ... continue reading
Diagram showing BISMUTH attacker techniques across attack stages

Threat actor leverages coin miner techniques to stay under the radar – here’s how to spot them

Cryptocurrency miners are typically associated with cybercriminal operations, not sophisticated nation state actor activity. They are not the most sophisticated type of threats, which also means that they are not among the most critical security issues that defenders address with ... continue reading