Defender for Endpoint on sentinelchangelog.net

Defender for Endpoint on sentinelchangelog.nethttp://sentinelchangelog.net/tags/defender-for-endpoint/Recent content in Defender for Endpoint on sentinelchangelog.netHugo -- 0.157.0enFri, 29 May 2026 08:24:12 +0000Gentlemen Ransomware Campaign: New Hunting Queries for EtherRAT/TukTuk IOCs and Web3 C2 Infrastructurehttp://sentinelchangelog.net/posts/2026-05-29-pr-14338/Fri, 29 May 2026 08:24:12 +0000http://sentinelchangelog.net/posts/2026-05-29-pr-14338/Two hunting queries added targeting Gentlemen ransomware campaign artifacts including payload hashes and decentralized Web3/SaaS C2 infrastructure used by EtherRAT and TukTuk malware.LockBit Hunting Query: ActiveMQ Exploit IoC Detection Addedhttp://sentinelchangelog.net/posts/2026-05-29-pr-14350/Fri, 29 May 2026 05:32:22 +0000http://sentinelchangelog.net/posts/2026-05-29-pr-14350/New hunting query provides hash-based detection for LockBit ransomware artifacts deployed via Apache ActiveMQ CVE-2023-46604 exploitation.BadUSB HID Injection Detection: New Hunt for PowerShell via Windows Run Dialoghttp://sentinelchangelog.net/posts/2026-05-27-pr-14336/Wed, 27 May 2026 13:38:59 +0000http://sentinelchangelog.net/posts/2026-05-27-pr-14336/Adds hunting query to detect hardware keystroke injectors spawning PowerShell through explorer.exe with evasion patterns.Hunting Query: Ephemeral Code Signing Certificates for Malware-Signing-as-a-Service Detectionhttp://sentinelchangelog.net/posts/2026-05-27-pr-14308/Wed, 27 May 2026 08:59:01 +0000http://sentinelchangelog.net/posts/2026-05-27-pr-14308/New hunting query identifies short-lived code signing certificates (≤14 days) on non-developer endpoints to detect Fox Tempest MSaaS operations.Hunting Query: Rootkit Network Evasion Detection via Firewall-EDR Telemetry Deltahttp://sentinelchangelog.net/posts/2026-05-27-pr-14337/Wed, 27 May 2026 08:36:31 +0000http://sentinelchangelog.net/posts/2026-05-27-pr-14337/New hunting query detects kernel-level rootkits bypassing EDR network telemetry by comparing perimeter firewall logs against Microsoft Defender for Endpoint data streams.Defender for Endpoint: Cryptographic Identity Baselining Hunting Query for Process Network Anomalieshttp://sentinelchangelog.net/posts/2026-05-26-pr-14333/Tue, 26 May 2026 09:05:22 +0000http://sentinelchangelog.net/posts/2026-05-26-pr-14333/New hunting query detects first-time network connections by processes using cryptographic signer baselining to defeat DLL sideloading and BYOTA attacks.LSASS Credential Dumping: Resilient Behavioral Detection Pack Addedhttp://sentinelchangelog.net/posts/2026-05-26-pr-14341/Tue, 26 May 2026 05:29:06 +0000http://sentinelchangelog.net/posts/2026-05-26-pr-14341/Three new hunting queries detect LSASS memory dumping using behavioral physics rather than brittle timing or tool names.Recorded Future Playbooks: Threat Intelligence Integration Discontinued Due to Microsoft API Deprecationhttp://sentinelchangelog.net/posts/2026-03-09-pr-13763/Mon, 09 Mar 2026 07:05:05 +0000http://sentinelchangelog.net/posts/2026-03-09-pr-13763/Microsoft has deprecated the Graph Security tiIndicators API, rendering Recorded Future’s automated threat intelligence ingestion playbooks non-functional.GDPR Compliance Dashboard: New Workbook for Privacy Risk Monitoringhttp://sentinelchangelog.net/posts/2025-10-09-pr-12933/Thu, 09 Oct 2025 12:04:16 +0000http://sentinelchangelog.net/posts/2025-10-09-pr-12933/New GDPR Compliance solution adds workbook consolidating privacy risk signals from Defender XDR, Microsoft Purview, Azure SQL, and Entra ID.Microsoft Defender for Endpoint: Modernized PowerShell SDK Instructionshttp://sentinelchangelog.net/posts/2025-09-25-pr-12858/Thu, 25 Sep 2025 04:12:57 +0000http://sentinelchangelog.net/posts/2025-09-25-pr-12858/Playbook deployment instructions updated to use Microsoft Graph SDK replacing deprecated AzureAD cmdlets.