Gentlemen Ransomware Campaign: New Hunting Queries for EtherRAT/TukTuk IOCs and Web3 C2 Infrastructure

Two hunting queries added covering Gentlemen ransomware campaign artifacts: payload hashes, and the decentralized Web3/SaaS C2 infrastructure used by the EtherRAT and TukTuk malware families. Read More →

LockBit Hunting Query: ActiveMQ Exploit IoC Detection Added

New hunting query adds hash-based detection for LockBit ransomware artifacts deployed after exploitation of Apache ActiveMQ CVE-2023-46604 (the OpenWire deserialization remote code execution flaw). Read More →

BadUSB HID Injection Detection: New Hunt for PowerShell via Windows Run Dialog

New hunting query detects hardware keystroke injectors (BadUSB devices) that open the Windows Run dialog and launch PowerShell as a child of explorer.exe with evasion-style command lines. Read More →
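One way to express that hunt in Defender for Endpoint advanced hunting, as an added example and not the page's own query. The table and column names (DeviceProcessEvents, DeviceEvents, the PnpDeviceConnected action type and its AdditionalFields JSON) are the documented schema; the list of evasion flags, the "Keyboard" PnP class filter and the 5-minute correlation window are this example's own assumptions and should be tuned to the environment.

```kql
// Added example: PowerShell launched from the Run dialog (parent explorer.exe)
// with flags that keystroke-injection payloads typically type in one burst.
let lookback = 7d;
let EvasionFlags = dynamic([
    "-w hidden", "-windowstyle hidden", "-nop", "-noprofile",
    "-ep bypass", "-exec bypass", "-enc", "-encodedcommand",
    "iex", "DownloadString", "Invoke-WebRequest", "irm "
]);
// New keyboards plugged in recently: a BadUSB device enumerates as a HID keyboard.
// (Assumption: ClassName "Keyboard" in AdditionalFields; verify against your tenant.)
let NewKeyboards = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "PnpDeviceConnected"
    | extend Pnp = parse_json(AdditionalFields)
    | where tostring(Pnp.ClassName) =~ "Keyboard"
    | project DeviceId, UsbTime = Timestamp,
              UsbDevice = tostring(Pnp.DeviceDescription);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where InitiatingProcessFileName =~ "explorer.exe"
| where ProcessCommandLine has_any (EvasionFlags)
| join kind=leftouter NewKeyboards on DeviceId
// Keep launches that followed a keyboard plug-in within 5 minutes, but also
// keep launches with no PnP record so a missed enumeration does not hide the hunt.
| where isnull(UsbTime) or (UsbTime <= Timestamp and Timestamp - UsbTime <= 5m)
| project Timestamp, DeviceName, AccountName, ProcessCommandLine,
          InitiatingProcessCommandLine, UsbTime, UsbDevice
| order by Timestamp desc
```

Interactive users who genuinely launch PowerShell from Win+R rarely pass `-w hidden` or `-enc`, so the flag list carries most of the signal; the PnP join is the corroborating context, not the trigger.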

Hunting Query: Ephemeral Code Signing Certificates for Malware-Signing-as-a-Service Detection

New hunting query identifies short-lived code signing certificates (validity period of 14 days or less) observed on non-developer endpoints, an indicator of Fox Tempest malware-signing-as-a-service (MSaaS) operations. Read More →
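An added example of the certificate-lifetime check, written against the Defender for Endpoint DeviceFileCertificateInfo and DeviceInfo tables; it is not the page's own query. The developer-group names used to exclude build machines are a placeholder assumption, and the 14-day threshold and 30-day lookback are taken from the entry above and chosen here respectively.

```kql
// Added example: signed files whose certificate lived 14 days or less,
// seen on devices outside the groups where short-lived dev certs are expected.
let lookback = 30d;
let MaxValidityDays = 14;
// Assumption: machine groups that legitimately use ephemeral signing certs.
let DeveloperGroups = dynamic(["Developer Workstations", "Build Servers"]);
let DeveloperDevices = DeviceInfo
    | where Timestamp > ago(lookback)
    | where MachineGroup in~ (DeveloperGroups)
    | distinct DeviceId;
DeviceFileCertificateInfo
| where Timestamp > ago(lookback)
| where IsSigned == true
// Ephemeral MSaaS certificates are not Microsoft-rooted; drop that noise first.
| where IsRootSignerMicrosoft == false
| extend ValidityDays = datetime_diff("day", CertificateExpirationTime, CertificateCreationTime)
| where ValidityDays <= MaxValidityDays
| join kind=leftanti DeveloperDevices on DeviceId
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Devices = dcount(DeviceId), SampleHashes = make_set(SHA1, 10)
          by Signer, Issuer, CertificateSerialNumber, ValidityDays, IsTrusted
| order by Devices desc, FirstSeen asc
```

Grouping by serial number rather than file hash matters here: a signing service re-uses one throwaway certificate across many payloads, so one certificate seen on several devices is the signal even when every file hash is unique.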

Hunting Query: Rootkit Network Evasion Detection via Firewall-EDR Telemetry Delta

New hunting query detects kernel-level rootkits that hide network activity from the EDR sensor by comparing perimeter firewall logs against Microsoft Defender for Endpoint network telemetry: connections the firewall saw from a managed host that the endpoint never reported. Read More →
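An added example of the telemetry-delta approach in Microsoft Sentinel, not the page's own query. It assumes firewall logs arrive as CEF in CommonSecurityLog and that DeviceNetworkEvents is available in the same workspace; the 5-minute time bucketing and the use of DeviceNetworkEvents LocalIP as the inventory of EDR-managed addresses are this example's simplifications (DHCP churn and bucket-boundary effects will cause some false positives).

```kql
// Added example: egress flows the perimeter firewall logged from an EDR-managed
// host for which Defender for Endpoint has no matching network event.
let lookback = 1d;
let bucket = 5m;
// Addresses that the EDR sensor has reported as local in the window:
// a flow from one of these with no EDR record is the anomaly we want.
let ManagedIPs = DeviceNetworkEvents
    | where TimeGenerated > ago(lookback)
    | where isnotempty(LocalIP)
    | distinct LocalIP;
let EdrFlows = DeviceNetworkEvents
    | where TimeGenerated > ago(lookback)
    | where ActionType in ("ConnectionSuccess", "ConnectionAttempt", "ConnectionFailed")
    | project LocalIP, RemoteIP, RemotePort, TimeBin = bin(TimeGenerated, bucket);
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where isnotempty(SourceIP) and isnotempty(DestinationIP) and isnotempty(DestinationPort)
// Internet-bound only: internal flows are noisy and usually not C2.
| where not(ipv4_is_private(DestinationIP))
| where SourceIP in (ManagedIPs)
| extend TimeBin = bin(TimeGenerated, bucket)
| join kind=leftanti EdrFlows
    on $left.SourceIP == $right.LocalIP,
       $left.DestinationIP == $right.RemoteIP,
       $left.DestinationPort == $right.RemotePort,
       $left.TimeBin == $right.TimeBin
| summarize Flows = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Ports = make_set(DestinationPort, 10)
          by SourceIP, DestinationIP, DeviceVendor, DeviceProduct
| where Flows >= 3
| order by Flows desc
```

The delta is only meaningful for hosts the sensor is otherwise reporting for; a host that is simply offboarded would also show up, so the query restricts itself to addresses that produced at least some EDR network telemetry in the window.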

Defender for Endpoint: Cryptographic Identity Baselining Hunting Query for Process Network Anomalies

New hunting query detects first-time network connections by processes using cryptographic signer baselining to defeat DLL sideloading and BYOTA attacks. Read More →
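An added example of the signer-baselining idea (not the page's own query): instead of asking "has this executable name connected out before", it asks "has this name with this code-signer connected out before", which is what a sideloaded or substituted binary fails. It joins DeviceNetworkEvents to DeviceFileCertificateInfo on the initiating process hash; the 30-day baseline and 1-day detection window are this example's choices.

```kql
// Added example: first-time outbound connections keyed on (process name, signer),
// so a legitimate file name reused by an unsigned or differently signed binary
// does not inherit the original's baseline.
let baselineWindow = 30d;
let detectWindow = 1d;
// Signer per file hash; "UNSIGNED" makes unsigned binaries a distinct identity.
let Signers = DeviceFileCertificateInfo
    | where Timestamp > ago(baselineWindow)
    | summarize arg_max(Timestamp, Signer, IsTrusted, IsRootSignerMicrosoft) by SHA1
    | extend SignerId = iff(isempty(Signer), "UNSIGNED", Signer)
    | project SHA1, SignerId, IsTrusted, IsRootSignerMicrosoft;
let Outbound = DeviceNetworkEvents
    | where ActionType == "ConnectionSuccess"
    | where not(ipv4_is_private(RemoteIP))
    | where isnotempty(InitiatingProcessSHA1)
    | join kind=leftouter Signers on $left.InitiatingProcessSHA1 == $right.SHA1
    | extend SignerId = iff(isempty(SignerId), "UNSIGNED", SignerId),
             ProcName = tolower(InitiatingProcessFileName);
let Baseline = Outbound
    | where Timestamp between (ago(baselineWindow) .. ago(detectWindow))
    | distinct ProcName, SignerId;
// Names that did connect out in the baseline, under some signer: a new signer
// for a known name is the sideloading shape, so keep that for the analyst.
let KnownNames = Baseline | distinct ProcName;
Outbound
| where Timestamp > ago(detectWindow)
| join kind=leftanti Baseline on ProcName, SignerId
| extend Assessment = iff(ProcName in (KnownNames),
                          "known name, NEW signer (possible sideload/substitution)",
                          "new process identity")
| summarize FirstSeen = min(Timestamp), Devices = dcount(DeviceId),
            Remotes = make_set(RemoteIP, 10), Paths = make_set(InitiatingProcessFolderPath, 5)
          by ProcName, SignerId, IsTrusted, IsRootSignerMicrosoft, Assessment
| order by Assessment asc, Devices desc
```

Because the key is the signer rather than the hash, routine updates to a vendor's binary do not create a new identity, while a trojanised copy signed by someone else, or not at all, does.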

LSASS Credential Dumping: Resilient Behavioral Detection Pack Added

Three new hunting queries detect LSASS memory dumping from the behavioral characteristics of the access itself (the handle rights requested on lsass.exe and who requested them) rather than brittle timing windows or tool names. Read More →
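An added example of one such access-rights query (not one of the pack's three queries). It uses the Defender for Endpoint DeviceEvents OpenProcessApiCall action; the assumption that the requested access mask is exposed as `DesiredAccess` inside AdditionalFields should be verified against the tenant schema. The PROCESS_VM_READ bit (0x0010) is a documented Win32 constant: reading LSASS memory is required to dump credentials, whereas querying it is routine.

```kql
// Added example: handles opened on lsass.exe that request memory-read rights,
// from processes that are not Microsoft-signed. No tool names, no timing.
let lookback = 7d;
let PROCESS_VM_READ = 0x0010;
let PROCESS_QUERY_INFORMATION = 0x0400;
let PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
// Signer of the initiating binary, to drop Microsoft's own LSASS consumers.
let Signers = DeviceFileCertificateInfo
    | where Timestamp > ago(30d)
    | summarize arg_max(Timestamp, Signer, IsRootSignerMicrosoft) by SHA1;
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "OpenProcessApiCall"
| where FileName =~ "lsass.exe"
// Assumption: AdditionalFields carries the access mask as DesiredAccess.
| extend DesiredAccess = tolong(parse_json(AdditionalFields).DesiredAccess)
| where isnotnull(DesiredAccess)
| where binary_and(DesiredAccess, PROCESS_VM_READ) != 0
| join kind=leftouter Signers on $left.InitiatingProcessSHA1 == $right.SHA1
| where isnull(IsRootSignerMicrosoft) or IsRootSignerMicrosoft == false
| extend AccessHex = tohex(DesiredAccess),
         QueriesOnly = binary_and(DesiredAccess,
                        PROCESS_QUERY_INFORMATION + PROCESS_QUERY_LIMITED_INFORMATION) != 0
| summarize Count = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Masks = make_set(AccessHex, 5), Devices = dcount(DeviceId)
          by InitiatingProcessFileName, InitiatingProcessFolderPath,
             InitiatingProcessSHA1, Signer, InitiatingProcessAccountName
| order by Devices desc, Count desc
```

A dumper that renames itself, or a living-off-the-land path such as rundll32 loading comsvcs.dll, still has to ask the kernel for PROCESS_VM_READ on LSASS; that request is the invariant this style of query keys on, and the signer join is what keeps legitimate Windows components out of the result.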

Recorded Future Playbooks: Threat Intelligence Integration Discontinued Due to Microsoft API Deprecation

Microsoft has deprecated the Microsoft Graph Security tiIndicators API, so Recorded Future's automated threat intelligence ingestion playbooks, which depended on it, no longer function and have been discontinued. Read More →

GDPR Compliance Dashboard: New Workbook for Privacy Risk Monitoring

New GDPR Compliance solution adds workbook consolidating privacy risk signals from Defender XDR, Microsoft Purview, Azure SQL, and Entra ID. Read More →

Microsoft Defender for Endpoint: Modernized PowerShell SDK Instructions

Playbook deployment instructions updated to use the Microsoft Graph PowerShell SDK in place of the deprecated AzureAD module cmdlets. Read More →