Tracking historical IP assignments with Defender for Endpoint logs

A new incident comes in. The CEO’s laptop shows possible Cobalt Strike activity. Your host investigation shows that the attacker likely gained privileged access to her host and the initial activity is from two days ago. You contain the host in your EDR agent. But now you must determine if the attacker moved laterally inside … Continue reading Tracking historical IP assignments with Defender for Endpoint logs →

Detecting Teams Chat Phishing Attacks (Black Basta)

A person in a suit is overwhelmed by a pile of envelopes while typing on a keyboard, with a computer screen displaying "Help Desk" nearby. Another individual in a hooded jacket is reaching towards the person, symbolizing a phishing threat. The background is filled with binary code.

For quite a while now, there has been a new ongoing threat campaign where the adversaries first bomb a user's mailbox with spam emails and then pose as Help Desk or IT Support on Microsoft Teams to trick their potential victims into providing access. This social engineering tactic is being attributed to the ransomware group "Black Basta".

Validate your Windows Audit Policy Configuration with KQL

We provide a KQL query that will help you validate your defined Windows audit security policy configuration. Defining a Windows audit policy is an important step in establishing a robust security posture. Ensuring that the audit policy is applied consistently across your environment is just as important as defining that policy and quality controls should be in place.