You asked, and we delivered! Check out the new Microsoft Incident Response Ninja Hub for a compilation of the research and guides that the Microsoft IR team has developed over the years on threat hunting, case studies, and more.
Microsoft Graph logs store a wealth of information that could prove to be crucial in your cloud investigations.
To help you navigate and interpret this data in your investigations, Microsoft IR has developed a blog on threat hunting in Microsoft Graph activity logs, providing an overview, real-world examples, and pre-built KQL queries: https://techcommunity.microsoft.com/t5/microsoft-security-experts-blog/hunting-with-microsoft-graph-activity-logs/ba-p/4234632
Imagine you have been the victim of a cybersecurity incident, and you suspect that a large number of accounts, or possibly the entire Active Directory, may have been compromised.
How would you proceed? In such cases, we usually recommend a mass password reset of all user accounts. But are you prepared for this?
Read the article below, published on our Microsoft Security Experts blog, which I co-authored, to learn in what cases you should do a mass password reset of user accounts and how best to prepare for such a scenario. #microsoftir #microsoftincidentresponse #passwordreset #dart
Microsoft IR’s new blog details a BlackByte ransomware incident through the full attack chain, from initial access to impact. We cover tools, techniques, and IOCs identified during our investigation, as well as detections and recommendations to defend against BlackByte ransomware attacks. #CyberSecurity #BlackByteRansomware #microsoftincidentresponse #microsoftIR
Full details shared: https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/
Microsoft Incident Response examines how threat actors trigger a Net-NTLMv2 hash leak using CVE-2023-23397 to gain unauthorized access to an organization’s environment #microsoftincidentresponse #microsoftIR: https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/