Moonstone Sleet uses tactics, techniques, and procedures (TTPs) also used by other North Korean threat actors over the last several years, highlighting the overlap among these groups. While Moonstone Sleet initially had overlaps with Diamond Sleet, the threat actor has since shifted to its own infrastructure and attacks, establishing itself as a distinct, well-resourced North Korean threat actor.

This blog describes several notable TTPs used by this threat actor as well as recommendations to defend against related attacks. As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the necessary information to secure their environments.

Who is Moonstone Sleet?

Moonstone Sleet is a threat actor behind a cluster of malicious activity that Microsoft assesses is North Korean state-aligned and uses both a combination of many tried-and-true techniques used by other North Korean threat actors and unique attack methodologies. When Microsoft first detected Moonstone Sleet activity, the actor demonstrated strong overlaps with Diamond Sleet, extensively reusing code from known Diamond Sleet malware like Comebacker and using well-established Diamond Sleet techniques to gain access to organizations, such as using social media to deliver trojanized software. However, Moonstone Sleet quickly shifted to its own bespoke infrastructure and attacks. Subsequently, Microsoft has observed Moonstone Sleet and Diamond Sleet conducting concurrent operations, with Diamond Sleet still utilizing much of its known, established tradecraft.

Moonstone Sleet has an expansive set of operations supporting its financial and cyberespionage objectives. These range from deploying custom ransomware to creating a malicious game, setting up fake companies, and using IT workers.

Moonstone Sleet tradecraft

Microsoft has observed Moonstone Sleet using the TTPs discussed in the following sections in various campaigns.

Trojanized PuTTY

In early August 2023, Microsoft observed Moonstone Sleet delivering a trojanized version of PuTTY, an open-source terminal emulator, via apps like LinkedIn and Telegram as well as developer freelancing platforms. Often, the actor sent targets a .zip archive containing two files: a trojanized version of putty.exe and url.txt, which contained an IP address and a password. If the provided IP and password were entered by the user into the PuTTY application, the application would decrypt an embedded payload, then load and execute it. Notably, before Moonstone Sleet used this initial access vector, Microsoft observed Diamond Sleet using a similar method – trojanized PuTTY and SumatraPDF — with comparable techniques for anti-analysis, as we reported in 2022:

The trojanized PuTTY executable drops a custom installer which kicks off execution of a series of stages of malware, as described below:

1. Stage 1 – Trojanized PuTTY: Decrypts, decompresses, and then executes the embedded stage 2 payload.
2. Stage 2 – SplitLoader installer/dropper: Decrypts, decompresses, and writes the Stage 3 payload, the SplitLoader DLL file, to disk. The installer also drops two encrypted files to disk, then executes SplitLoader via a scheduled task or registry run key.
3. Stage 3 – SplitLoader:Decrypts and decompresses the two encrypted files dropped by the stage 2 payload, then combines them to create the next-stage, another portable executable (PE) file.
4. Stage 4 – Trojan loader: Expects a compressed and encrypted PE file from the C2. Once received, the trojan loader decompresses, decrypts, and executes this file.

Microsoft has also observed Moonstone Sleet using other custom malware loaders delivered by PuTTY that behaved similarly and had argument overlap with previously observed Diamond Sleet malware artifacts, such as the following:

Malicious npm packages

Microsoft has observed Moonstone Sleet targeting potential victims with projects that used malicious npm packages. Often, the threat actor delivered these projects through freelancing websites or other platforms like LinkedIn. In one example, the threat actor used a fake company to send .zip files invoking a malicious npm package under the guise of a technical skills assessment. When loaded, the malicious package used curl to connect to an actor-controlled IP and drop additional malicious payloads like SplitLoader. In another incident, Moonstone Sleet delivered a malicious npm loader which led to credential theft from LSASS. Microsoft collaborated with GitHub to identify and remove repositories associated with this activity.

Malicious tank game

Since February 2024, Microsoft has observed Moonstone Sleet infecting devices using a malicious tank game it developed called DeTankWar (also called DeFiTankWar, DeTankZone, or TankWarsZone). DeTankWar is a fully functional downloadable game that requires player registration, including username/password and invite code. In this campaign, Moonstone Sleet typically approaches its targets through messaging platforms or by email, presenting itself as a game developer seeking investment or developer support and either masquerading as a legitimate blockchain company or using fake companies. To bolster the game’s superficial legitimacy, Moonstone Sleet has also created a robust public campaign that includes the websites detankwar[.]com and defitankzone[.]com, and many X (Twitter) accounts for the personas it uses to approach targets and for the game itself.

Moonstone Sleet used a fake company called C.C. Waterfall to contact targets. The email presented the game as a blockchain-related project and offered the target the opportunity to collaborate, with a link to download the game included in the body of the message. More details about C.C. Waterfall and another fake company that Moonstone Sleet set up to trick targets are included below:

When targeted users launch the game, delfi-tank-unity.exe, additional included malicious DLLs are also loaded. The payload is a custom malware loader that Microsoft tracks as YouieLoad. Similarly to SplitLoader, YouieLoad loads malicious payloads in memory and creates malicious services that perform functions such as network and user discovery and browser data collection. For compromised devices of particular interest to the group, the threat actor launches hands-on-keyboard commands with further discovery and conducts credential theft.

Ransomware

In April 2024, Microsoft observed Moonstone Sleet delivering a new custom ransomware variant we have named FakePenny against a company it previously compromised in February. FakePenny includes a loader and an encryptor. Although North Korean threat actor groups have previously developed custom ransomware, this is the first time we have observed this threat actor deploying ransomware.

Microsoft assesses that Moonstone Sleet’s objective in deploying the ransomware is financial gain, suggesting the actor conducts cyber operations for both intelligence collection and revenue generation. Of note, the ransomware note dropped by FakePenny closely overlaps with the note used by Seashell Blizzard in its malware NotPetya. The ransom demand was $6.6M USD in BTC. This is in stark contrast to the lower ransom demands of previous North Korea ransomware attacks, like WannaCry 2.0 and H0lyGh0st.

Fake companies

Since January 2024, Microsoft has observed Moonstone Sleet creating several fake companies impersonating software development and IT services, typically relating to blockchain and AI. The actor has used these companies to reach out to potential targets, using a combination of created websites and social media accounts to add legitimacy to their campaigns.

StarGlow Ventures

From January to April 2024, Moonstone Sleet’s fake company StarGlow Ventures posed as a legitimate software development company. The group used a custom domain, fake employee personas, and social media accounts, in an email campaign targeting thousands of organizations in the education and software development sectors. In the emails Moonstone Sleet sent as part of this campaign, the actor complimented the work of the targeted organization and offered collaboration and support for upcoming projects, citing expertise in the development of web apps, mobile apps, blockchain, and AI.

These emails also contained a 1×1 tracking pixel, which likely enabled Moonstone Sleet to track which targets engaged with the emails, and a link to a dummy unsubscribe page hosted on the StarGlow Ventures domain. While the emails did not contain any malicious links, Microsoft assesses Moonstone Sleet likely used this campaign to establish a relationship with target organizations. Although the purpose of these relationships is unclear, they may afford the actor access to organizations of interest or be used as revenue generation opportunities. Microsoft notified customers who were impacted by this Moonstone Sleet campaign.

C.C. Waterfall

In a similar campaign, Moonstone Sleet sent emails using its fake company C.C. Waterfall, a purported IT consulting organization.

In this campaign, Moonstone Sleet emailed higher education organizations, claiming the company was either hiring new developers or looking for business collaboration opportunities. This campaign likely had similar goals to the StarGlow Ventures campaign: to build relationships with organizations which could be leveraged for revenue generation or malicious access.  

As previously mentioned, Moonstone Sleet also used C.C. Waterfall to contact targets and invite them to download the actor’s tank game, highlighting that this is a coordinated and concerted effort for which Moonstone Sleet can leverage multiple facets of its operations in overlapping campaigns.

Work-for-hire

In addition to creating fake companies, Microsoft has observed Moonstone Sleet pursuing employment in software development positions at multiple legitimate companies. This activity could be consistent with previous reporting from the United States Department of Justice that North Korea was using highly skilled remote IT workers to generate revenue. On the other hand, this Moonstone Sleet activity may also be another approach to gaining access to organizations.

Moonstone Sleet targets

Moonstone Sleet’s primary goals appear to be espionage and revenue generation. Targeted sectors to date include both individuals and organizations in the software and information technology, education, and defense industrial base sectors.

Software companies and developers

Since early January 2024, Moonstone Sleet has used the above fake software development companies to solicit work or cooperation. This actor has also targeted individuals looking for work in software development, sending candidates a “skills test” that instead delivers malware via a malicious NPM package.

Aerospace

In early December 2023, we observed Moonstone Sleet compromising a defense technology company to steal credentials and intellectual property. In April 2024, the actor ransomed the organization using FakePenny. The same month, we observed Moonstone Sleet compromise a company that makes drone technology. In May 2024, the threat actor compromised a company that makes aircraft parts.

Fitting into the North Korean threat actor landscape

Moonstone Sleet’s diverse set of tactics is notable not only because of their effectiveness, but because of how they have evolved from those of several other North Korean threat actors over many years of activity to meet North Korean cyber objectives. For example, North Korea has for many years maintained a cadre of remote IT workers to generate revenue in support of the country’s objectives. Moonstone Sleet’s pivot to conduct IT work within its campaigns indicates it may not only be helping with this strategic initiative, but possibly also expanding the use of remote IT workers beyond just financial gain. Additionally, Moonstone Sleet’s addition of ransomware to its playbook, like another North Korean threat actor, Onyx Sleet, may suggest it is expanding its set of capabilities to enable disruptive operations. Microsoft reported on Onyx Sleet’s and Storm-0530’s h0lyGhost ransomware in 2022.

Moonstone Sleet’s ability to conduct concurrent operations across multiple campaigns, the robustness of the malicious game, and the use of a custom new ransomware variant are strong indications that this threat actor may be well-resourced. Moreover, given that Moonstone Sleet’s initial attacks mirrored Diamond Sleet methodologies and heavily reused Diamond Sleet’s code in their payloads, Microsoft assesses this actor is equipped with capabilities from prior cyber operations conducted by other North Korean actors.

Microsoft has identified several techniques used by Moonstone Sleet that have previously been used by other North Korean threat actors. For example, since late 2023, an actor that Microsoft tracks as Storm-1877 used malicious npm packages in a campaign targeting software developers with JavaScript-based malware. This campaign was reported publicly by PaloAlto as Contagious Interview. Additionally, in 2023, GitHub reported that Jade Sleet used malicious npm packages in a campaign consisting of fake developer and recruiter personas that operated on LinkedIn, Slack, and Telegram. This shared use of a relatively uncommon tactic across multiple distinct North Korean groups may suggest sharing of expertise and TTPs among North Korean threat actors.

In recent months, Microsoft and other security researchers have reported on North Korean threat actors’ use of software supply chain attacks to conduct widespread malicious operations. In November 2023, Microsoft reported on Diamond Sleet’s supply chain compromise of CyberLink, a multimedia application. While Microsoft has not yet identified any Moonstone Sleet supply chain attacks, the actor has extensively targeted software development firms in its campaigns. Large-scale access to software companies would pose a particularly high risk for future supply chain attacks against those organizations.

Moonstone Sleet’s appearance is an interesting development considering that North Korea has carried out a series of changes in its foreign relations and security apparatus. In November 2023, North Korea closed embassies in several countries, and in March 2024, may have dissolved the United Front Department (UFD), an agency believed to be responsible for reunification and propaganda.

Despite being new, Moonstone Sleet has demonstrated that it will continue to mature, develop, and evolve, and has positioned itself to be a preeminent threat actor conducting sophisticated attacks on behalf of the North Korean regime.

Recommendations

Microsoft recommends the following mitigations defend against attacks by Moonstone Sleet:

• Detect human-operated ransomware attacks with Microsoft Defender XDR. 
• Enable controlled folder access. 
• Ensure that tamper protection is enabled in Microsoft Dender for Endpoint. 
• Enable network protection in Microsoft Defender for Endpoint. 
• Follow the credential hardening recommendations in our on-premises credential theft overview to defend against common credential theft techniques like LSASS access.
• Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.    
• Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume. 
• Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.

Microsoft Defender XDR customers can turn on the following attack surface reduction rule to prevent common attack techniques used by Moonstone Sleet.

• Block executable content from email client and webmail 
• Block executable files from running unless they meet a prevalence, age, or trusted list criterion 
• Use advanced protection against ransomware 
• Block credential stealing from the Windows local security authority subsystem (lsass.exe)

Detection details

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware:

• Behavior:Win64/PennyCrypt
• HackTool:Win32/Mimikatz
• HackTool:Win64/Mimikatz
• TrojanDropper:Win32/SplitLoader
• TrojanDropper:Win64/YouieLoad

Microsoft Defender for Endpoint

Alerts with the following titles in the security center can indicate threat activity on your network: 

• Moonstone Sleet actor activity detected
• Suspicious activity linked to a North Korean state-sponsored threat actor has been detected
• Diamond Sleet Actor activity detected

The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity: 

• Malicious credential theft tool execution detected  
• Mimikatz credential theft tool 
• Ransomware-linked threat actor detected
• Suspicious access to LSASS service

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Detect Procdump dumping LSASS credentials:

DeviceProcessEvents
| where (FileName has_any ("procdump.exe",
"procdump64.exe") and ProcessCommandLine has "lsass") or  
(ProcessCommandLine
has "lsass.exe" and (ProcessCommandLine has "-accepteula"
or ProcessCommandLine contains "-ma"))

Detect connectivity with C2 infrastructure:

let c2servers = dynamic(['mingeloem.com','matrixane.com']);
DeviceNetworkEvents
| where RemoteUrl has_any (c2servers)
| project DeviceId, LocalIP, DeviceName, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, Timestamp

Detect connectivity to DeTank websites:

let c2servers = dynamic(['detankwar.com','defitankzone.com']);
DeviceNetworkEvents
| where RemoteUrl has_any (c2servers)
| project DeviceId, LocalIP, DeviceName, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, Timestamp

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Microsoft Sentinel customers can also use the queries below to detect activity detailed in this blog.

This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz:

• Credential Dumping Tools – Service Installation

This query detects the use of Procdump to dump credentials from LSASS memory:

• Dump credential using procdump

Microsoft Sentinel customers can also use the following query, which looks for Microsoft Defender AV detections related to the Moonstone Sleet. In Microsoft Sentinel, the SecurityAlerts table includes only the DeviceName of the affected device. This query joins the DeviceInfo table to connect other information such as device group, IP, signed-in users, etc., allowing analysts to have more context related to the alert, if available:

let MoonStoneSleet_threats = dynamic(["Behavior:Win64/PennyCrypt", "HackTool:Win32/Mimikatz", "HackTool:Win64/Mimikatz ", "TrojanDropper:Win32/SplitLoader", "TrojanDropper:Win64/YouieLoad" ]);
SecurityAlert
| where ProviderName == "MDATP"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
| where ThreatName in~ (MoonStoneSleet_threats) or ThreatFamilyName in~ (MoonStoneSleet_threats)
| extend CompromisedEntity = tolower(CompromisedEntity)
| join kind=inner (
    DeviceInfo
    | extend DeviceName = tolower(DeviceName)
) on $left.CompromisedEntity == $right.DeviceName
| summarize arg_max(TimeGenerated, *) by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId, CompromisedEntity, ProductName, Entities
| extend HostName = tostring(split(CompromisedEntity, ".")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)
| project-away DomainIndex
| project TimeGenerated, DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, CompromisedEntity, ProductName, Entities, HostName, HostNameDomain

Indicators of compromise

Malicious files

Moonstone Sleet domains

References

• Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors (Palo Alto Unit 42)
• Security alert: social engineering campaign targets technology industry employees (Github)

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks appeared first on Microsoft Security Blog.

Are you a regular user of Microsoft Sentinel? Review your experience on Gartner Peer Insights™ and get a $25 gift card. 

Microsoft Sentinel is enriched by AI, automation, and Microsoft’s deep understanding of the threat landscape, empowering defenders to hunt and resolve critical threats at machine speed. Our comprehensive solution works seamlessly across multiple clouds, platforms, and security stacks offering many out-of-the-box connectors and customizable content to effectively protect the entire digital estate at scale. Leveraging our capabilities, customers have seen up to 234% return on investment (ROI) over a three-year period and have reduced costs as much as 44% by discontinuing legacy SIEM solutions.² 

Microsoft is on a mission to modernize security operations, enabling analysts to act swiftly and more efficiently with a robust, cost-optimized, and intuitive solution.

Microsoft Sentinel

Build next-generation security operations powered by the cloud and AI.

Try for free

Transforming Security Operations 

Tens of thousands of customers trust Microsoft Sentinel to accelerate protection of their organizations with a simplified, scalable, and comprehensive approach. Over the last year, our engineering team has been hard at work delivering new innovations in several key areas, including:    

• A comprehensive and unified security operations platform: The platform blends the best of SIEM, XDR, AI, Threat Intelligence, and extended posture management into a single experience offering end-to-end protection by consolidating various security operations tools into a single, coherent experience, powered by generative AI. In the unified security operations platform, features are unified across Microsoft Sentinel and Microsoft Defender XDR, with embedded Copilot for Security, to deliver more comprehensive protection, speeding up time to respond and reducing the workload on analysts. 

• Robust out-of-the-box content: To effectively protect all clouds and platforms, Microsoft Sentinel offers pre-built content and solution packages that can be customized enabling detection, response, and defensive capabilities in the SOC. Over the last few months, we have enhanced our multicloud data collection (AWS and GCP), updated codeless connectors, expanded data coverage to more third-party sources, and extended protection to various critical business applications (SAP, Microsoft Dynamics 365, and Power Platform) among many more innovations. 

• Splunk SIEM migration tool: We announced the general availability of the new SIEM Migration tool to simplify and accelerate SIEM migrations to Microsoft with automated assistance. Today, the experience supports conversion of Splunk detections to Microsoft Sentinel analytics rules with more capabilities coming in the months ahead. 

• SOC efficiency: SOC optimization capability enables security teams to customize and manage their SIEM more efficiently for specific business and security requirements. With dynamic, research backed recommendations to optimize data usage, costs, and coverage against relevant threats, analysts can confidently identify opportunities to reduce costs, improve security posture, and see value more quickly. 

• Copilot for Security: Copilot empowers security teams to make informed decisions in the SOC to protect at the speed and scale of AI. It offers skills to translate natural language to Kusto Query Language (KQL), accelerate incident investigation and response by automating manual tasks with customizable promptbooks, summarizes incidents with full context, helps prevent breaches with dynamic insights from Microsoft Threat Intelligence, and more. 

• Enhanced incident experience: The new incidents page experience provides more context for SOC analysts to efficiently triage, investigate, and respond quickly to incidents. Many new investigation, response, and incident management features offer the analysts the information and tools necessary to understand the incident and full scope of the breach while making navigation easy and context switching less frequent. New features include top insights, a new activity log for incident audits, a Log Analytics query window to investigate logs and more. 

Download the complimentary report to get more details on our positioning as a Leader. Our customers and partners have been an invaluable part of this multiyear journey. We owe our immense gratitude to you. 

Microsoft is here to help customers who may be re-evaluating their SIEM due to vendor acquisition and are looking to move to a market leader with an ongoing commitment to innovation.

Looking forward 

In 2024 we’ll continue to listen to customer needs and further enhance Microsoft Sentinel’s advanced threat-protection capabilities to empower defenders and drive efficiencies for SOC teams.  

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity

¹Gartner® Magic Quadrant™ for Security Information and Event Management, Andrew Davies, Mitchell Schneider, Rustam Malik, Eric Ahlm, May 8 2024.

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 

Gartner Peer Insights content consists of the opinions of individual end users based on their own experiences with the vendors listed on the platform, should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose. 

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft. 

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. 

²The Total Economic Impact™ of Microsoft Sentinel, a commissioned study conducted by Forrester Consulting on behalf of Microsoft. Results are for a composite organization based on interviewed customers. 

The post Microsoft is again named a Leader in the 2024 Gartner® Magic Quadrant™ for Security Information and Event Management​​ appeared first on Microsoft Security Blog.

Security is our top priority at Microsoft—above all else—and our expanded Secure Future Initiative underscores our company-wide commitment to making the world a safer place for everyone. I am proud that Microsoft is prioritizing security in the age of AI as we continue to innovate with a security-first mindset. 

Today, new capabilities are now available in Microsoft Defender and Microsoft Purview to help organizations secure and govern generative AI applications at work. These releases deliver purpose-built policy tools and better visibility to help you secure and govern generative AI apps and their data. We are also delivering a new unified experience for the security analyst and integrating Microsoft Copilot for Security across our security product portfolio.  

You’ll be able to see firsthand these innovations and more across the Microsoft Security portfolio at RSA Conference (RSAC). I also hope you will also join me on Tuesday, May 7, 2024, for “Securing AI: What We’ve Learned and What Comes Next,” to explore the strategies that every organization can implement to securely design, deploy, and govern AI.

Secure your AI transformation with Microsoft Security

Wherever your organization is in your AI transformation, you will need comprehensive security controls to secure govern your AI applications and data throughout their lifecycle—development, deployment, and runtime.  

With the new capabilities announced today, Microsoft becomes the first security provider to deliver end-to-end AI security posture management, threat protection, data security, and governance for AI.

Discover new AI attack surfaces, strengthen your AI security posture, and protect AI apps against threats with Microsoft Defender for Cloud. Now security teams can identify their entire AI infrastructure—such as plugins, SDKs, and other AI technologies—with AI security posture management capabilities across platforms like Microsoft Azure OpenAI Service, Azure Machine Learning, and Amazon Bedrock. You can continuously identify risks, map attack paths, and use built-in security best practices to prevent direct and indirect attacks on AI applications, from development to runtime.

Integrated with Microsoft Azure AI services, including Microsoft Azure AI Content Safety and Azure OpenAI, Defender for Cloud will continuously monitor AI applications for anomalous activity, correlate findings, and enrich security alerts with supporting evidence. Defender for Cloud is the first cloud-native application protection platform (CNAPP) to deliver threat protection for AI workloads at runtime, providing security operations center (SOC) analysts with new detections that alert to malicious activity and active threats, such as jailbreak attacks, credential theft, and sensitive data leakage. Additionally, SOC analysts will be able facilitate incident response with native integration of these signals into Microsoft Defender XDR.

Identify and mitigate data security and data compliance risks with Microsoft Purview. Give your security teams greater visibility into and understanding of which AI applications are being used and how to help you safeguard your data effectively in the age of AI. The Microsoft Purview AI Hub, now in preview, delivers insights such as sensitive data shared with AI applications, total number of users interacting with AI apps and their associated risk level, and more. To prevent potential oversharing of sensitive data, new insights help organizations identify unlabeled files that Copilot references and prioritize mitigation of oversharing risks. Additionally, we are excited to announce the preview of non-compliant usage insights in the AI Hub to help customers discover potential AI interactions that violate enterprise and regulatory policies in areas like hate and discrimination, corporate sabotage, money laundering, and more.

Govern AI usage to comply with regulatory policies with new AI compliance assessments in Microsoft Purview. We understand how important it is to comply with regulations, and how complicated it can be when deploying new technology. Four new Compliance Manager assessment templates, now in preview, are available to help you assess, implement, and strengthen compliance with AI regulations and standards, including EU AI Act, NIST AI RMF, ISO/IEC 23894:2023, and ISO/IEC 42001. The new assessment insights will also be surfaced within the Purview AI Hub, providing recommended actions to support compliance as you onboard and deploy AI solutions.

Together we can help everyone pursue the benefits of AI, by thoughtfully addressing the new risks. The new capabilities in Microsoft Defender for Cloud and Microsoft Purview, which build on top of the innovations we shared at Microsoft Ignite 2023 and Microsoft Secure 2024, are important advancements in empowering security teams to discover, protect, and govern AI—whether you’re adopting software as a service (SaaS) AI solutions or building your own.

Read more about all of the new capabilities and features that help you secure and govern AI.

Strengthening end-to-end security with a unified security operations platform

We continue investing in our long-standing commitment to providing you with the most complete end-to-end protection for your entire digital estate. There is an immediate need for tool consolidation and AI to gain the speed and scale required to defend against these new digital threats. Microsoft integrates all of the foundational SOC tools—cloud-native security information and event management (SIEM), comprehensive native extended detection and response (XDR), unified security posture management, and generative AI—to deliver true end-to-end threat protection in a single platform, with a common data model, and a unified analyst experience.  

The new unified security operations platform experience, in preview, transforms the real-world analyst experience with a simple, approachable user experience that brings together all the security signals and threat intelligence currently stuck in other tools. Analysts will have more context at every stage, with helpful recommendations and suggestions for automation that make investigation and response easier than ever before. We are also introducing new features across Microsoft Sentinel and Defender XDR, including global search, custom detections, and automation rules.

We are also pleased to announce a number of additional new features and capabilities that will empower your security operations center (SOC) to work across Microsoft security products for stronger end-to-end security.

• Microsoft Security Exposure Management initiatives help your security team identify risky exposures and instances of insufficient implementation of essential security controls, to find opportunities for improvement.
• SOC analysts can now use insider risk information as part of their investigation in Microsoft Defender XDR.
• Microsoft Defender XDR expands to include native operational technology (OT) protection, enabling automatic correlation of OT threat signal into cross-workload incidents and the ability to manage OT and industrial control system vulnerabilities directly within Defender XDR.
• Expanded attack disruption in Microsoft Defender XDR, powered by AI, machine learning, and threat intelligence, will cover new attack scenarios like disabling malicious OAuth apps and will significantly broaden compromised user disruption, such as leaked credentials, stuffing, and guessing.
• Microsoft Sentinel launches SOC Optimizations to provide tailored guidance to help manage costs, increase the value of data ingested, and improve coverage against common attack techniques.

Expanded Microsoft Copilot for Security integrations

When it comes to supporting security teams and relieving complexity, Microsoft Copilot for Security offers a great advantage. Greater integration of Copilot across the Microsoft security portfolio and beyond provides richer embedded experiences and Copilot capabilities from familiar and trusted products. We are proud to announce new Microsoft Copilot for Security integrations, including Purview, new partner plugins, Azure Firewall, and Azure Web Application Firewall. These integrations provide your security teams with real-time guidance, deeper investigative insights, and expanded access to data from across your environment.  

Security for the era of AI

An end-to-end security platform will be a determining factor in every organization’s transformation and will play a critical role in the durability of AI-powered innovation. Organizations that focus on securing AI and invest in using AI to strengthen security will be the lasting leaders in their industries and markets. Microsoft is committed to empowering these industry and market leaders with security solutions that can help them achieve more. We bring together four critical advantages: large-scale data and threat intelligence; the most complete end-to-end platform; industry leading, responsible AI; and tools to help you secure and govern AI.

With the general availability of Copilot for Security, Microsoft has delivered on our promise to put industry-leading generative AI into the hands of IT and security professionals of all levels of experience. Now, with today’s release of new capabilities in Defender for Cloud and Microsoft Purview, we are also delivering on our commitment to empower IT and security teams with the tools they need to take advantage of AI safely, responsibly, and securely.

Lastly and importantly, security is a team sport. We look forward to working together with the industry and our partners on advancing cyber security for all. 

I do hope you’ll connect with us at RSAC this week, where we will be demonstrating our comprehensive security portfolio and how it helps you protect your environment from every angle to prepare for and confidently adopt and deploy AI. 

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post New capabilities to help you secure your AI transformation appeared first on Microsoft Security Blog.

Forest Blizzard often uses publicly available exploits in addition to CVE-2022-38028, such as CVE-2023-23397. Linked to the Russian General Staff Main Intelligence Directorate (GRU) by the United States and United Kingdom governments, Forest Blizzard primarily focuses on strategic intelligence targets and differs from other GRU-affiliated and sponsored groups, which Microsoft has tied to destructive attacks, such as Seashell Blizzard (IRIDIUM) and Cadet Blizzard (DEV-0586). Although Russian threat actors are known to have exploited a set of similar vulnerabilities known as PrintNightmare (CVE-2021-34527 and CVE-2021-1675), the use of GooseEgg in Forest Blizzard operations is a unique discovery that had not been previously reported by security providers. Microsoft is committed to providing visibility into observed malicious activity and sharing insights on threat actors to help organizations protect themselves. Organizations and users are to apply the CVE-2022-38028 security update to mitigate this threat, while Microsoft Defender Antivirus detects the specific Forest Blizzard capability as HackTool:Win64/GooseEgg.

This blog provides technical information on GooseEgg, a unique Forest Blizzard capability. In addition to patching, this blog details several steps users can take to defend themselves against attempts to exploit Print Spooler vulnerabilities. We also provide additional recommendations, detections, and indicators of compromise. As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the necessary information to secure their accounts.

Who is Forest Blizzard?

Forest Blizzard primarily targets government, energy, transportation, and non-governmental organizations in the United States, Europe, and the Middle East. Microsoft has also observed Forest Blizzard targeting media, information technology, sports organizations, and educational institutions worldwide. Since at least 2010, the threat actor’s primary mission has been to collect intelligence in support of Russian government foreign policy initiatives. The United States and United Kingdom governments have linked Forest Blizzard to Unit 26165 of the Russian Federation’s military intelligence agency, the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). Other security researchers have used GRU Unit 26165, APT28, Sednit, Sofacy, and Fancy Bear to refer to groups with similar or related activities.

GooseEgg

Microsoft Threat Intelligence assesses Forest Blizzard’s objective in deploying GooseEgg is to gain elevated access to target systems and steal credentials and information. While this actor’s TTPs and infrastructure specific to the use of this tool can change at any time, the following sections provide additional details on Forest Blizzard tactics, techniques, and procedures (TTPs) in past compromises.

Launch, persistence, and privilege escalation

Microsoft has observed that, after obtaining access to a target device, Forest Blizzard uses GooseEgg to elevate privileges within the environment. GooseEgg is typically deployed with a batch script, which we have observed using the name execute.bat and doit.bat. This batch script writes the file servtask.bat, which contains commands for saving off/compressing registry hives. The batch script invokes the paired GooseEgg executable and sets up persistence as a scheduled task designed to run servtask.bat.

The GooseEgg binary—which has included but is not limited to the file names justice.exe and DefragmentSrv.exe—takes one of four commands, each with different run paths. While the binary appears to launch a trivial given command, in fact the binary does this in a unique and sophisticated manner, likely to help conceal the activity.

The first command issues a custom return code 0x6009F49F and exits; which could be indicative of a version number. The next two commands trigger the exploit and launch either a provided dynamic-link library (DLL) or executable with elevated permissions. The fourth and final command tests the exploit and checks that it has succeeded using the whoami command.

Microsoft has observed that the name of an embedded malicious DLL file typically includes the phrase “wayzgoose”; for example, wayzgoose23.dll. This DLL, as well as other components of the malware, are deployed to one of the following installation subdirectories, which is created under C:\ProgramData. A subdirectory name is selected from the list below:

• Microsoft
• Adobe
• Comms
• Intel
• Kaspersky Lab
• Bitdefender
• ESET
• NVIDIA
• UbiSoft
• Steam

A specially crafted subdirectory with randomly generated numbers and the format string \v%u.%02u.%04u is also created and serves as the install directory. For example, a directory that looks like C:\ProgramData\Adobe\v2.116.4405 may be created. The binary then copies the following driver stores to this directory:

• C:\Windows\System32\DriverStore\FileRepository\pnms003.inf_*
• C:\Windows\System32\DriverStore\FileRepository\pnms009.inf_*

Next, registry keys are created, effectively generating a custom protocol handler and registering a new CLSID to serve as the COM server for this “rogue” protocol. The exploit replaces the C: drive symbolic link in the object manager to point to the newly created directory. When the PrintSpooler attempts to load C:\Windows\System32\DriverStore\FileRepository\pnms009.inf_amd64_a7412a554c9bc1fd\MPDW-Constraints.js, it instead is redirected to the actor-controlled directory containing the copied driver packages.

The “MPDW-constraints.js” stored within the actor-controlled directory has the following patch applied to the convertDevModeToPrintTicket function:

function convertDevModeToPrintTicket(devModeProperties, scriptContext, printTicket)
{try{ printTicket.XmlNode.load('rogue9471://go'); } catch (e) {}

The above patch to the convertDevModeToPrintTicket function invokes the “rogue” search protocol handler’s CLSID during the call to RpcEndDocPrinter. This results in the auxiliary DLL wayzgoose.dll launching in the context of the PrintSpooler service with SYSTEM permissions. wayzgoose.dll is a basic launcher application capable of spawning other applications specified at the command line with SYSTEM-level permissions, enabling threat actors to perform other malicious activities such as installing a backdoor, moving laterally through compromised networks, and remotely executing code.

Recommendations

Microsoft recommends the following mitigations defend against attacks that use GooseEgg.

Reduce the Print Spooler vulnerability

Microsoft released a security update for the Print Spooler vulnerability exploited by GooseEgg on October 11, 2022 and updates for PrintNightmare vulnerabilities on June 8, 2021 and July 1, 2021. Customers who have not implemented these fixes yet are urged to do so as soon as possible for their organization’s security. In addition, since the Print Spooler service isn’t required for domain controller operations, Microsoft recommends disabling the service on domain controllers. Otherwise, users can install available Windows security updates for Print Spooler vulnerabilities on Windows domain controllers before member servers and workstations. To help identify domain controllers that have the Print Spooler service enabled, Microsoft Defender for Identity has a built-in security assessment that tracks the availability of Print Spooler services on domain controllers.

Be proactively defensive

• For customers, follow the credential hardening recommendations in our on-premises credential theft overview to defend against common credential theft techniques like LSASS access.
• Run Endpoint Detection and Response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.    
• Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume. 
• Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.

Microsoft Defender XDR customers can turn on the following attack surface reduction rule to prevent common attack techniques used for GooseEgg. Microsoft Defender XDR detects the GooseEgg tool and raises an alert upon detection of attempts to exploit Print Spooler vulnerabilities regardless of whether the device has been patched.

•  Block credential stealing from the Windows local security authority subsystem (lsass.exe)

Detecting, hunting, and responding to GooseEgg

Microsoft Defender XDR detections

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware:

• HackTool:Win64/GooseEgg

Microsoft Defender for Endpoint

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

• Possible exploitation of CVE-2021-34527
• Possible source of PrintNightmare exploitation
• Possible target of PrintNightmare exploitation attempt
• Potential elevation of privilege using print filter pipeline service
• Suspicious behavior by spoolsv.exe
• Forest Blizzard Actor activity detected

Microsoft Defender for Identity

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

• Suspected Windows Print Spooler service exploitation attempt (CVE-2021-34527 exploitation)

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

• Actor Profile: Forest Blizzard
• Abuse of Windows Print Spooler for privilege escalation and persistence

Hunting queries

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here:  https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.

Hunt for filenames, file extensions in ProgramData folder and file hash

let filenames = dynamic(["execute.bat","doit.bat","servtask.bat"]);
DeviceFileEvents
  | where TimeGenerated > ago(60d) // change the duration according to your requirement
  | where ActionType == "FileCreated"
  | where FolderPath == "C:\\ProgramData\\"
  | where FileName in~ (filenames) or FileName endswith ".save" or FileName endswith ".zip" or ( FileName startswith "wayzgoose" and FileName endswith ".dll") or SHA256 == "7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9" // hash value of execute.bat/doit.bat/servtask.bat
  | project TimeGenerated, DeviceId, DeviceName, ActionType, FolderPath, FileName, InitiatingProcessAccountName,InitiatingProcessAccountUpn

Hunt for processes creating scheduled task creation

DeviceProcessEvents
| where TimeGenerated > ago(60d) // change the duration according to your requirement
| where InitiatingProcessSHA256 == "6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f" or SHA256 == "6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f" //hash value of justice.exe
or InitiatingProcessSHA256 == "c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5" or SHA256 == "c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5" //hash value of DefragmentSrv.exe
or ProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\servtask.bat /SC MINUTE" or
   ProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\execute.bat /SC MINUTE" or
   ProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\doit.bat /SC MINUTE" or
   ProcessCommandLine contains "schtasks /DELETE /F /TN \\Microsoft\\Windows\\WinSrv" or
   InitiatingProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\servtask.bat /SC MINUTE" or
   InitiatingProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\execute.bat /SC MINUTE" or
   InitiatingProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\doit.bat /SC MINUTE" or
   InitiatingProcessCommandLine contains "schtasks /DELETE /F /TN \\Microsoft\\Windows\\WinSrv"
| project TimeGenerated, AccountName,AccountUpn,ActionType, DeviceId, DeviceName,FolderPath, FileName

Hunt for JavaScript constrained file

DeviceFileEvents
  | where TimeGenerated > ago(60d) // change the duration according to your requirement
  | where ActionType == "FileCreated"
  | where FolderPath startswith "C:\\Windows\\System32\\DriverStore\\FileRepository\\"
  | where FileName endswith ".js" or FileName == "MPDW-constraints.js"

Hunt for creation of registry key / value events

DeviceRegistryEvents
  | where TimeGenerated > ago(60d) // change the duration according to your requirement
  | where ActionType == "RegistryValueSet"
  | where RegistryKey contains "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{026CC6D7-34B2-33D5-B551-CA31EB6CE345}\\Server"
  | where RegistryValueName has "(Default)"
  | where RegistryValueData has "wayzgoose.dll" or RegistryValueData contains ".dll"

 Hunt for custom protocol handler

DeviceRegistryEvents
  | where TimeGenerated > ago(60d) // change the duration according to your requirement
  | where ActionType == "RegistryValueSet"
  | where RegistryKey contains "HKEY_CURRENT_USER\\Software\\Classes\\PROTOCOLS\\Handler\\rogue"
  | where RegistryValueName has "CLSID"
  | where RegistryValueData contains "{026CC6D7-34B2-33D5-B551-CA31EB6CE345}"

Indicators of compromise

Batch script artifacts:

• execute.bat
• doit.bat
• servtask.bat
• 7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9

GooseEgg artifacts:

• justice.pdb
• wayzgoose.pdb

References

• https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675
• https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-074a

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials appeared first on Microsoft Security Blog.

Today, I am excited to announce the public preview of our unified security operations platform. When we announced a limited preview in November 2023, it was one of the first security operations center platforms that brought together the full capabilities of an industry-leading cloud-native security information and event management (SIEM), comprehensive extended detection and response (XDR), and generative AI built specifically for cybersecurity. This powerful combination of capabilities delivers a truly unified analyst experience in the security operations center (SOC).

And last month at Microsoft Secure, we added unified exposure management capabilities that provide continuous, proactive end-to-end visibility of assets and cyberattack paths. Together, these fully integrated, comprehensive capabilities give security leaders and SOC teams what they need to manage cyberthreats across their organization—from prevention to detection and response.

After gaining insights from the initial customer feedback, we are excited to expand the platform’s availability to public preview. Customers with a single Microsoft Sentinel workspace and at least one Defender XDR workload deployed can start enjoying the benefits of a unified experience, in a production environment, now. Onboarding a Microsoft Sentinel workspace only takes a few minutes, and customers can continue to use their Microsoft Sentinel in Azure. Need another reason to get started today? Microsoft Sentinel customers using Microsoft Copilot for Security can now leverage the embedded experience in the Defender portal, helping them to level up their security practice further.

Unified security operations platform

The new platform brings together the capabilities of XDR and SIEM. Learn how to onboard your Microsoft Sentinel workspace to the Microsoft Defender portal.

Get started today

Knock down security silos and drive better security outcomes

SOCs are buried under mountains of alerts, security signals, and initiatives. Analysts are spending too much time sifting through low-level alerts, jumping between portals, and navigating complex workflows to understand what happened, how to resolve it, and how to prevent it from happening again. This leaves little time for analysts to focus on high-value tasks—like remediating multistage incidents fully or even decreasing the likelihood of future attacks by reducing the attack surface. With an ever-growing gap in supply and demand of talent—in fact, there are only enough cybersecurity professionals to meet 82% of the United States demand—something must change.¹ 

At the heart of this challenge is siloed data—SOCs have too much security data stored in too many places and most SOC teams lack the tools to effectively bring it all together, normalize it, apply advanced analytics, enrich with threat intelligence, and act on the insights across the entire digital estate. This is why we built the security operations platform—by bringing together the full capabilities of SIEM, XDR, exposure management, generative AI, and threat intelligence together, security teams will be empowered with unified, comprehensive features that work across use cases, not security tool siloes.

The new analyst experience is built to create a more intuitive workflow for the SOC, with unified views of incidents, exposure, threat intelligence, assets, and security reporting. This is a true single pane of glass for security across your entire digital estate. Beyond delivering a single experience, unifying these features all on one platform delivers more robust capabilities across the entire cyberattack lifecycle.

“Security teams need a single pane of glass to manage today’s IT environments. Long gone are the days when teams could operate in silos and protect their environments. With today’s announcement Microsoft is moving another step forward in helping businesses protect their systems, customers and reputations,” said Chris Kissel, IDC Research Vice President, Security and Trust. “Microsoft combining the full capabilities of an industry-leading cloud-native SIEM and XDR with the first generative AI built specifically for cybersecurity is a game changer for the industry.”  

Capabilities across Microsoft Sentinel and Microsoft Defender XDR products are now extending, making both Microsoft Sentinel and Defender XDR more valuable. XDR customers can now enjoy more flexibility in their reporting, their ability to deploy automations, and greater insight across data sources. With the new ability to run custom security orchestration, automation, and response (SOAR) playbooks on an incident provided by Microsoft Sentinel, Defender XDR customers can reduce repetitive processes and further optimize the SOC. They can also now hunt across their XDR and SIEM data in one place. Further, XDR detection and incident creation will now open to data from SIEM. SIEM customers can now get more out of the box value, improving their ability to focus on the tasks at hand and gain more proactive protection against threats, freeing them to spend more time on novel threats and the unique needs of their environment.

Prevent breaches with end-to-end visibility of your attack surface

During the past 10 years, the enterprise attack surfaces have expanded exponentially with the adoption of cloud services, bring-your-own device, increasingly complex supply chains, Internet of Things (IoT), and more. Approximately 98% of attacks can be prevented with basic cybersecurity hygiene, highlighting the importance of hardening all systems.² Security silos make it more difficult and time-consuming to uncover, prioritize, and eliminate exposures.

Fortunately, the Microsoft Security Exposure Management solution, built right into the new unified platform experience, consolidates silos into a contextual and risk-based view. Within the unified platform, security teams gain comprehensive visibility across a myriad of exposures, including software vulnerabilities, control misconfigurations, overprivileged access, and evolving threats leading to sensitive data exposure. Organizations can leverage a single source of truth with unified exposure insights to proactively manage their asset risk across the entire digital estate. In addition, attack path modeling helps security professionals of all skill levels predict the potential steps adversaries may take to infiltrate your critical assets and reach your sensitive data.

Shut down in-progress attacks with automatic attack disruption

In today’s threat landscape, where multistage attacks are the new normal, automation is no longer optional, but a necessity. We’ve seen entire ransomware campaigns that only needed two hours to complete, with attackers moving laterally in as little as five minutes after initial compromise—the median time for attackers to access sensitive data is only 72 minutes.³ This capability is essential to counter the rapid, persistent attack methods like an AKIRA ransomware attack. Even the best security teams need to take breaks and with mere seconds separating thousands versus millions of dollars spent on an attack, the speed of response becomes critical.

This platform harnesses the power of XDR and AI to disrupt advanced attacks like ransomware, business email compromise, and adversary-in-the-middle attacks at machine speed with automatic attack disruption, a game-changing technology for the SOC that remains exclusive to Microsoft Security. Attack disruption is a powerful, out-of-the-box capability that automatically stops the progression and limits the impact of the most sophisticated attacks in near real-time. By stopping the attack progression, precious time is given back to the SOC to triage and resolve the incident.

Attack disruption works by taking a wide breadth of signals across endpoints and IoT, hybrid identities, email and collaboration tools, software as a service (SaaS) apps, data, and cloud workloads and applying AI-driven, researcher-backed analytics to detect and disrupt in-progress attacks with 99% confidence.³ With more than 78 trillion signals fueling our AI and machine learning models, we can rapidly detect and disrupt prominent attacks like ransomware in only three minutes, saving thousands of devices from encryption and recovery costs. Using our unique ability to recognize the intention of the attacker, meaning accurately predict their next move, Microsoft Defender XDR takes an automated response such as disabling a user account or isolating a device from connecting to any other resource in the network. 

Built on the attack disruption technology in our Defender XDR solution, our unified platform now extends this dynamic protection to new solutions through Microsoft Sentinel—starting with SAP. When an SAP account attack is detected, our platform will automatically respond to cut off access in SAP. This means unprecedented protection for a platform that houses incredibly sensitive data, making it a prime target for attackers.

Investigate and respond faster

Multiple dashboards and siloed hunting experiences can really slow down the meantime to acknowledge and respond. The effectiveness of the SOC is measured by these critical metrics. Microsoft delivers a single incident queue, equipped with robust out-of-the-box rules, that saves time, reduces alert noise, and improves alert correlation, ultimately delivering a full view of an attack. During our private preview, customers saw up to an 80% reduction in incidents, with improved correlation of alerts to incidents across Microsoft Sentinel data sources, accelerating triage and response.⁴ Further, unified hunting helps customers to reduce investigation time by eliminating the need to know where data is stored or to run multiple queries on different tables.

We’re not stopping at automatic attack disruption and unified incident queues—we’re on a mission to uplevel analysts of all experience levels. Microsoft Copilot for Security helps security analysts accelerate their triage with comprehensive incident summaries that map to the MITRE framework, reverse-engineer malware, translate complex code to native language insights, and even complete multistage attack remediation actions with a single click.

Copilot for Security is embedded in the analyst experience, providing analysts with an intuitive, intelligent assistant than can guide response and even create incident reports automatically—saving analysts significant time. Early adopters are seeing their analysts move an average of 22% faster and accelerate time to resolution.⁵ Copilot for Security is more than a chatbot—it’s a true intelligent assistant built right into their workflow, helping them use their tools better, level up their skills, and get recommendations relevant to their work at hand.

If you’d like to join the public preview, view the prerequisites and how to connect your Microsoft Sentinel workplace.

Learn more

Learn more about Microsoft SIEM and XDR solutions.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Cybersecurity Supply and Demand Heat Map, CyberSeek. 2024.

²Microsoft Digital Defense Report, Microsoft. 2023.

³Microsoft Digital Defense Report, Microsoft. 2022.

⁴Microsoft Internal Research.

⁵Microsoft Copilot for Security randomized controlled trial (RCT) with experienced security analysts conducted by Microsoft Office of the Chief Economist, January 2024. 

The post Get end-to-end protection with Microsoft’s unified security operations platform, now in public preview appeared first on Microsoft Security Blog.

To protect your entire multicloud, multiplatform digital estate, consider Microsoft Sentinel, a modern, comprehensive SIEM solution built on the cloud and enriched by AI to rapidly uncover sophisticated cyberthreats and respond at machine speed. Microsoft Sentinel offers a complete security operations solution that is powerful, highly efficient and economic than other SIEM solutions.

To evaluate the benefits of Microsoft Sentinel, Microsoft commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study. Using the methodology of the TEI framework, Forrester consultants evaluated the cost, benefits, and flexibility of Microsoft Sentinel and developed a framework that organizations can use to evaluate the potential financial impact on their organizations.

In this study, Forrester found that interviewees achieved some notable advantages from their investment in Microsoft Sentinel, including increasing the productivity of their security teams, simplifying operations, decreasing their total cost of ownership, and realizing a return on investment (ROI) of 234%. Here are some other major findings for a composite organization based on what interviewed organizations reported.

1. Reducing time-to-value compared to other SIEM solutions 

Deploying Microsoft Sentinel—and finessing it after implementation—is faster because of the solution’s prebuilt playbooks, automation, and other SIEM tools. Microsoft Sentinel reduced the time to configure and deploy new connections by 93%, with time saved in configuration valued at $618,000 during the three-year period Forrester analyzed.  

“It took us about five years to get to be a six terabyte on-prem customer [with out previous solution]. It took us two months to set up Microsoft Sentinel and another two months to be at data-ingestion parity. It was insane.”

—CISO, financial services

This out-of-the-box functionality also includes simplified data connections and integrations that make it easier and faster to connect Microsoft Sentinel with your non-Microsoft systems, saving the time that employees might otherwise spend doing integration work. Valuable connections can be made across users, devices, apps, and infrastructure. Find even more integrations with Copilot for Security. 

2. Increasing the efficiency of the SOC 

Microsoft Sentinel makes it easier for security practitioners at all levels of expertise to detect, investigate, and respond effectively to cyberthreats. The solution harnesses an AI-driven correlation engine and offers a unified set of tools to more easily monitor, manage, and respond to incidents. Those interviewed praised Microsoft Sentinel’s interface for being easy to use (no specialized security expertise necessary). Because of Sentinel’s process automation, security professionals with less IT knowledge can effectively use the platform to detect and respond to cyberthreats.  

The total value of efficiency improvements to the security operations center of a composite organization was $1.5 million over three years. The solution is intuitive enough to use that junior analysts can tackle investigation basics while senior analytics tackle higher-priority tasks, according to Forrester findings. A prebuilt playbook helps further.  

Microsoft Sentinel capabilities, including its behavior-based analytics, enable you to boost the mean time to respond (MTTR) as you decrease false positives and minimize the work required of advanced investigations. In fact, Forrester found that Microsoft Sentinel helped to reduce false positives by up to 79% and decrease the work required for advanced, multitouch investigations by 85%. These are critical metrics when every second counts in triage and response.

“The reason we have Microsoft Sentinel is because of its proactive predictive abilities. It is able to respond to threats faster than a human can. We actually were able to stop significant threats that hit other organizations and keep our organization running. Microsoft Sentinel was one of the tools in our Microsoft tool bag that really kept us running as an organization. It kept our operations running.”

—CISO, healthcare

3. Reduce total cost of operation 

Implementing Microsoft Sentinel offers several cost savings opportunities, according to interviewees. One quantified benefit from the study found that the composite organization’s potential cost savings gained by discounting their current legacy SIEM solution and switching to Microsoft Sentinel could account for realized savings of up to $5.1 million over three years. This is attributed to Microsoft Sentinel’s lower per-GB data ingestion and licensing costs that enables customers to avoid the capital investments necessary to store logs on-premises. 

Microsoft Sentinel offers smoother deployment because of its prebuilt playbooks, queries, data connections, and free ingestion for certain Microsoft logs including Office 365 audit logs, Azure activity logs, and Microsoft Threat Protection alerts. The more intuitive nature of Microsoft Sentinel makes it easier to onboard employees to the technology.  

“Compared to [our on-premises solution] when we were paying for infrastructure, the savings are significant. Essentially one year of [legacy solution] costs are three years of Microsoft Sentinel costs.”

—CISO, financial services

Interviewees also shared that Microsoft Sentinel helped them decrease compliance costs. They did this by streamlining compliance reporting through the automation capabilities of Sentinel for security data collection and analysis. The alternative option would likely have been to bring in external consultants.  

4. Minimizing management effort 

In interviews with management teams at the organizations, they reported saving time on planning and maintenance, allowing for more time on other critical projects. That’s due to the way the solution decreased the size and complexity of their on-premises infrastructure. The value of this reduced management amounts to $1.1 million for a composite organization over three years and enabled the redeployment of 50% of infrastructure services professionals and 16% of legacy SIEM specialists. Automatic updates and the platform’s intuitive and centralized nature contribute to lessening the demand for labor.  

“In the raw maintenance of the SIEM, it’s pretty hands off. When there is an issue, we open up a case with Microsoft and they assume the burden of trying to fix the issue. I don’t have to maintain staff for that anymore.”

—CISO, financial services

The advantages of Microsoft Sentinel 

With its modern, cloud-native features and innovations, Microsoft Sentinel has helped organizations like yours deploy faster, increase the efficiency of their threat investigations, save on deployment and training, and gain efficiency in security management. Explore the Total Economic Impact™ Of Microsoft Sentinel Study for more analyst findings as well as to read the perspectives of Sentinel users interviewed in the study.

And to learn more about Microsoft Security, see:

• Unified security operations center platform.
• Microsoft Secure announcements.
• Microsoft Sentinel innovations.

Microsoft Sentinel

See and stop cyberthreats across your entire enterprise with intelligent security analytics.

Learn more

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists vendors in communicating the value proposition of their products and services to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of IT initiatives to both senior management and other key business stakeholders. 

The post Microsoft Sentinel delivered 234% ROI, according to new Forrester study appeared first on Microsoft Security Blog.

Software as a service (SaaS) adoption has accelerated at a lightning speed, enabling collaboration, automation, and innovation for businesses large and small across every industry vertical—from government, education, financial service to tech companies. Every SaaS application is now expanding its offering to allow better integration with the enterprise ecosystem and advanced collaboration features, becoming more of a “platform” than an “application.” To further complicate the security landscape, business users are managing these SaaS applications with little to no security oversight, creating a decentralized administration model. All this is leading to a growing risk surface with complex misconfigurations that can expose organization’s identities, sensitive data, and business processes to malicious actors. 

To combat this challenge, Valence and Microsoft Security work together to ensure that SaaS applications are configured according to the best security practices and improve the security posture of identities configured in each individual SaaS application. Together, Valence and Microsoft:  

• Centrally manage SaaS identities permissions and access.
• Enforce strong authentication by ensuring proper MFA (multi-factor authentication) and SSO (single sign-on) enrollment and managing local SaaS users.
• Detect and revoke unauthorized non-human SaaS identities such as APIs, service accounts, and tokens.
• Incorporate SaaS threat detection capabilities to improve SaaS incident response.

As most of the sensitive corporate data shifted from on-prem devices to the cloud, security teams need to ensure they manage the risks of how this data is being accessed and managed. Integrating Valence’s SaaS Security with the Microsoft Security ecosystem now provides a winning solution. 

SaaS applications are prime targets  

Recent high profile breaches have shown that attackers are targeting SaaS applications and are leveraging misconfigurations and human errors to gain high privilege access to sensitive applications and data. While many organizations have implemented SSO and MFA as their main line of defense when it comes to SaaS, recent major breaches have proven otherwise. Attackers have identified that MFA fatigue, social engineering and targeting the SaaS providers themselves can bypass many of the existing mechanisms that security teams have put in place. These add to high-profile breaches where attackers leveraged legitimate third-party open authorization (OAuth) tokens to gain unauthorized access to SaaS applications, and many more attack examples. 

State of SaaS security risks 

According to our 2023 SaaS Security Report which analyzed real SaaS environments to measure their security posture before they implemented an effective SaaS security program. The results showed that every organization didn’t enforce MFA on 100% of their identities—there are some exceptions, such as service accounts, contractors, and shared accounts, or simply lack of effective monitoring of drift. In addition, one out of eight SaaS accounts are dormant and not actively used. Offboarding users is not only important to save costs, but attackers also like to target these accounts for account takeover attacks since they are typically less monitored. Other key stats were that 90% of externally shared files haven’t been used by external collaborators for at least 90 days and that every organization has granted multiple third-party vendors organization-wide access to their emails, files, and calendars. 

Figure 1. Top SaaS Security gaps identified in the 2023 State of SaaS Security Report.

Holistic SaaS security strategy 

Establishing a holistic SaaS security strategy requires to bring together many elements—from shadow SaaS discovery, through strong authentication, identity management of both humans and non-humans, managing and remediating SaaS misconfigurations, enforcing data leakage prevention policies, and finally, establishing scalable incident response. Valence and Microsoft take security teams one step further toward a more holistic approach. 

Valence joined the Microsoft Intelligence Security Association (MISA) and integrated with Microsoft security products—Microsoft Entra ID and ​​​​Microsoft Sentinel—to enhance customers’ capabilities to manage their SaaS risks, effectively remediate them, and respond to SaaS breaches. The Valence SaaS Security Platform provides insight and context on SaaS risks such as misconfigurations, identities, data shares, and SaaS-to-SaaS integrations. Extending existing controls with SaaS Security Posture Management (SSPM) capabilities and SaaS risk remediation capabilities. Valence is also a proud participant of the Partner Private Preview of Microsoft Copilot for Security. This involves working with Microsoft product teams to help shape Copilot for Security product development in several ways, including validation and refinement of new and upcoming scenarios, providing feedback on product development and operations to be incorporated into future product releases, and validation and feedback of APIs to assist with Copilot for Security’s extensibility. 

Figure 2. Illustrative data: The Valence Platform provides a single pane of glass to find and fix SaaS risk across four core use cases: data protection, SaaS to SaaS governance, identity security, and configuration management. 

Secure SaaS human and non-human identities

In the modern identity-first environment, most attackers focus on targeting high privilege users, dormant accounts, and other risks. Enforcing zero trust access has become a core strategy for many security teams. Security teams need to identify all the identities they need to secure. Microsoft Entra SSO management combined with Valence’s SaaS application monitoring—to detect accounts created—provides a holistic view into human identities and non-human (Enterprise Applications, service accounts, APIs, OAuth and 3rd party apps).  

Microsoft Entra ID centrally enforces strong authentication such as MFA and Valence discovers enforcement gaps or users that are not managed by the central SSO. Valence also monitors the SaaS applications themselves to discover the privileges granted to each identity and provides recommendations on how to enforce least privilege with minimal administrative access. To continuously validate verification based on risks, the final piece of zero trust strategy, Valence leverages the risky users and service principals signals from Microsoft Entra ID and combines them with signals from other SaaS applications for a holistic view into identity risks. 

Protect SaaS applications 

Microsoft has a wide SaaS offering that is fueling enterprise innovation. These services are central to core business functions and employee collaboration, cover many use cases, and are spread across multiple business units, but are tied together in many cases such as identity and access management, and therefore their security posture is often related as well. Managing the security posture of SaaS services can be complex because of the multiple configurations and the potential cross service effects that require security teams to build their expertise across a wide range of SaaS.  

Many security teams view SaaS apps as part of their more holistic view into SaaS security posture management and would like to create cross-SaaS security policies and enforce them. Valence’s platform integrates with Microsoft Entra ID and other SaaS services using Microsoft via Microsoft Graph to normalize the complex data sets and enable security teams to closely monitor the security posture of their SaaS applications in Microsoft alongside the rest of their SaaS environment. 

Enhance SaaS threat detection and incident response 

Improving SaaS security posture proactively reduces the chances of a breach, but unfortunately SaaS breaches can still occur, and organizations need to prepare their threat detection coverage and incident response plans. The built in human and non-human identity threat detection capabilities of Microsoft Entra ID, combined with Microsoft Sentinel log correlation and security automation, and Microsoft Copilot for Security’s advanced AI capabilities, create a powerful combination to detect and respond to threats. Valence expands existing detections from compromised endpoint and identity with important SaaS context—for example, did the compromise device belong to a SaaS admin user? Did the compromised identity perform suspicious activities in other SaaS applications? The expanded detections provide critical insights to prioritize and assess the blast radius of breaches. Additionally, Valence’s SaaS threat detection can trigger threat detection workflows in Microsoft products based on its unique indicator of compromise monitoring. 

Together, Valence and Microsoft combine the best of all worlds when it comes to SaaS security. From SaaS discovery, through SaaS security posture management, remediating risks, and detecting threats—Valence and Microsoft enable secure adoption of SaaS applications. Modern SaaS risks and security challenges require a holistic view into SaaS risk management and remediation. Get started today. 

About Valence Security 

Valence is a leading SaaS security company that combines SSPM and advanced remediation with business user collaboration to find and fix SaaS security risks. SaaS applications are becoming decentrally managed and more complex, which is introducing misconfiguration, identity, data, and SaaS-to-SaaS integration risks. The Valence SaaS Security Platform provides visibility and remediation capabilities for business-critical SaaS applications. With Valence, security teams can empower their business to securely adopt SaaS. Valence is backed by leading cybersecurity investors like Microsoft’s M12 and YL Ventures, and is trusted by leading organizations. Valence is available for purchase through Azure Marketplace. For more information, visit their website. 

Be among the first to hear about new products, capabilities, and offerings at Microsoft Secure digital event on March 13, 2024.​ Learn from industry luminaries and influencers. Register today.

Learn more

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products. 

​​To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

The post ​​Secure SaaS applications with Valence Security and Microsoft Security​​ appeared first on Microsoft Security Blog.

Prompt engineering is a way to “program” generative AI models in natural language, without requiring coding experience or deep knowledge of datasets, statistics, and modeling techniques. Prompt engineers play a pivotal role in crafting queries that help generative AI models learn not just the language, but also the nuance and intent behind the query. A high-quality, thorough, and knowledgeable prompt in turn influences the quality of AI-generated content, whether it’s images, code, data summaries, or text.

Prompt engineering is important because it allows AI models to produce more accurate and relevant outputs. By creating precise and comprehensive prompts, an AI model is better able to synthesize the task it is performing and generate responses that are more useful to humans.

The benefits of prompt engineering include:

Improving the speed and efficiency of generative AI tasks, such as writing complex queries, summarizing data, and generating content.

Enhancing the skills and confidence of generative AI users—especially novices—by providing guidance and feedback in natural language.

Leveraging the power of foundation models, which are large language models built on transformer architecture and packed with information, to produce optimal outputs with few revisions.

Helping mitigate biases, confusion, and errors in generative AI outputs by fine-tuning effective prompts.

Helping bridge the gap between raw queries and meaningful AI-generated responses—and reduce the need for manual review and post-generation editing.

Why good prompts are important

Prompt engineering is a skill that can be learned and improved over time by experimenting with different prompts and observing the results. There are also tools and resources that can help people with prompt engineering, such as prompt libraries, prompt generators, or prompt evaluators.

The following examples demonstrate the importance of clarity, specificity, and context in crafting effective prompts for generative AI.

How to use prompts in security

Prompting is very important in Copilot, as it is the main way to query the generative AI system and get the desired outputs. Prompting is the process of writing, refining, and optimizing inputs—or “prompts”—to encourage Copilot for Security to create specific, high-quality outputs.

Effective prompts give Copilot for Security adequate and useful parameters to generate valuable responses. Security analysts or researchers should include the following elements when writing a prompt:

• Goal: Specific, security-related information that you need.
• Context: Why you need this information or how you’ll use it.
• Expectations: Format or target audience you want the response tailored to.
• Source: Known information, data source(s), or plugins Copilot for Security should use.

By creating precise and comprehensive prompts, Copilot for Security can better understand the task it is performing and generate responses that are more useful to humans. Prompting also helps mitigate biases, confusion, and errors in Copilot for Security outputs by fine-tuning effective prompts.

Save time with top prompts

Featured prompts are a set of predefined prompts that are designed to help you accomplish common security-related tasks with Copilot for Security. They are based on best practices and feedback from security experts and customers.

Featured prompts are a set of predefined prompts that are designed to help you accomplish common security-related tasks with Copilot for Security. They are based on best practices and feedback from security experts and customers.

You can also access the featured prompts by typing a forward slash (/) in the prompt bar and selecting the one that matches your objective. For example, you can use the featured prompt “Analyze a script or command” to get information on a suspicious script or command.

Some of the featured prompts available in Copilot for Security are:

• Analyze a script or command: This prompt helps you analyze and interpret a command or script. It identifies the script language, the purpose of the script, the potential risks, and the recommended actions.
• Summarize a security article: This prompt helps you summarize a security article or blog post. It extracts the main points, the key takeaways, and the implications for your organization.
• Generate a security query: This prompt helps you generate a security query for a specific data source, such as Microsoft Sentinel, Microsoft Defender XDR, or Microsoft Azure Monitor. It converts your natural language request into a query language, such as Kusto Query Language (KQL) or Microsoft Graph API.
• Generate a security report: This prompt helps you generate a security report for a specific audience, such as executives, managers, or analysts. It uses the information from your previous prompts and responses to create a concise and informative report.

Use promptbooks to save time

A promptbook is a collection of prompts that have been put together to accomplish a specific security-related task—such as incident investigation, threat actor profile, suspicious script analysis, or vulnerability impact assessment. You can use the existing promptbooks as templates or examples and modify them to suit your needs.

Using promptbooks in Copilot is a way to accomplish specific security-related tasks with a series of prompts that run in sequence. Each promptbook requires a specific input—such as an incident number, a threat actor name, or a script string—and then generates a response based on the input and the previous prompts. For example, the incident investigation promptbook can help you summarize an incident, assess its impact, and provide remediation steps.

Some of the promptbooks available in Copilot for Security are:

• Incident investigation: This promptbook helps you investigate an incident by using either the Microsoft Sentinel or Microsoft Defender XDR plugin. It generates an executive report for a nontechnical audience that summarizes the investigation.
• Threat actor profile: This promptbook helps you get an executive summary about a specific threat actor. It searches for any existing threat intelligence articles about the actor, including known tools, tactics, and procedures (TTPs) and indicators, and provides remediation suggestions.
• Suspicious script analysis: This promptbook helps you analyze and interpret a command or script. It identifies the script language, the purpose of the script, the potential risks, and the recommended actions.
• Vulnerability impact assessment: This promptbook helps you assess the impact of a publicly disclosed vulnerability on your organization. It provides information on the vulnerability, the affected products, the exploitation status, and the mitigation steps.

To use a promptbook, you can either type an asterisk (*) in the prompt bar and select the promptbook you want to use or select the Promptbooks button above the prompt area. Then you can provide the required input and wait for Copilot for Security to generate the response. You can also ask follow-up questions or provide feedback in the same session.

Common Copilot prompts

The following list of prompts is an excerpt of the Top 10 prompts infographic, which provides prompts utilized and recommended by customers and partners with great success. Use them to spark ideas for creating your own prompts.

Get started with prompts in Copilot

We know creating precise and comprehensive prompts produces accurate, relevant responses. By understanding the fundamentals of good prompt engineering, security analysts can improve the speed and efficiency of generative AI tasks, mitigate biases, reduce output errors, and more—all without requiring coding experience or deep knowledge of datasets, statistics, and modeling techniques. The prompt engineering best practices described here, along with featured prompts and promptbooks included in Copilot for Security, can help security teams utilize the power of generative AI to improve their workflow, focus on higher-level tasks, and minimize tedious work.

Learn more about Microsoft Copilot for Security.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Get the most out of Microsoft Copilot for Security with good prompt engineering appeared first on Microsoft Security Blog.

Operators associated with this subgroup of Mint Sandstorm are patient and highly skilled social engineers whose tradecraft lacks many of the hallmarks that allow users to quickly identify phishing emails. In some instances of this campaign, this subgroup also used legitimate but compromised accounts to send phishing lures. Additionally, Mint Sandstorm continues to improve and modify the tooling used in targets’ environments, activity that might help the group persist in a compromised environment and better evade detection.

Mint Sandstorm (which overlaps with the threat actor tracked by other researchers as APT35 and Charming Kitten) is a composite name used to describe several subgroups of activity with ties to the Islamic Revolutionary Guard Corps (IRGC), an intelligence arm of Iran’s military. Microsoft attributes the activity detailed in this blog to a technically and operationally mature subgroup of Mint Sandstorm that specializes in gaining access to and stealing sensitive information from high-value targets. This group is known to conduct resource-intensive social engineering campaigns that target journalists, researchers, professors, or other individuals with insights or perspective on security and policy issues of interest to Tehran.

These individuals, who work with or who have the potential to influence the intelligence and policy communities, are attractive targets for adversaries seeking to collect intelligence for the states that sponsor their activity, such as the Islamic Republic of Iran. Based on the identities of the targets observed in this campaign and the use of lures related to the Israel-Hamas war, it’s possible this campaign is an attempt to gather perspectives on events related to the war from individuals across the ideological spectrum.

In this blog, we share our analysis of the new Mint Sandstorm tradecraft and provide detection, hunting, and protection information. Organizations can also use the mitigations included in this blog to harden their attack surfaces against the tradecraft observed in this and other Mint Sandstorm campaigns. These mitigations are high-value measures that are effective ways to defend organizations from multiple threats, including Mint Sandstorm, and are useful to any organization regardless of their threat model.

New Mint Sandstorm tradecraft

Microsoft observed new tactics, techniques, and procedures (TTPs) in this Mint Sandstorm campaign, notably the use of legitimate but compromised email accounts to send phishing lures, use of the Client for URL (curl) command to connect to Mint Sandstorm’s command-and-control (C2) server and download malicious files, and delivery of a new custom backdoor, MediaPl.

Social engineering

In this campaign, Mint Sandstorm masqueraded as high-profile individuals including as a journalist at a reputable news outlet. In some cases, the threat actor used an email address spoofed to resemble a personal email account belonging to the journalist they sought to impersonate and sent benign emails to targets requesting their input on an article about the Israel-Hamas war. In other cases, Mint Sandstorm used legitimate but compromised email accounts belonging to the individuals they sought to impersonate. Initial email messages did not contain any malicious content.

This tradecraft, namely the impersonation of a known individual, the use of highly bespoke phishing lures, and the use of wholly benign messages in the initial stages of the campaign, is likely an attempt to build rapport with targets and establish a level of trust before attempting to deliver malicious content to targets. Additionally, it’s likely that the use of legitimate but compromised email accounts, observed in a subset of this campaign, further bolstered Mint Sandstorm’s credibility, and might have played a role in the success of this campaign.

Delivery

If targets agreed to review the article or document referenced in the initial email, Mint Sandstorm followed up with an email containing a link to a malicious domain. In this campaign, follow up messages directed targets to sites such as cloud-document-edit[.]onrender[.]com, a domain hosting a RAR archive (.rar) file that purported to contain the draft document targets were asked to review. If opened, this .rar file decompressed into a double extension file (.pdf.lnk) with the same name. When launched, the .pdf.lnk file ran a curl command to retrieve a series of malicious files from attacker-controlled subdomains of glitch[.]me and supabase[.]co.

Microsoft observed multiple files downloaded to targets’ devices in this campaign, notably several .vbs scripts. In several instances, Microsoft observed a renamed version of NirCmd, a legitimate command line tool that allows a user to carry out a number of actions on a device without displaying a user interface, on a target’s device.

Persistence

In some cases, the threat actor used a malicious file, Persistence.vbs, to persist in targets’ environments. When run, Persistence.vbs added a file, typically named a.vbs, to the CurrentVersion\Run registry key. In other cases, Mint Sandstorm created a scheduled task to reach out to an attacker-controlled supabase[.]co domain and download a .txt file.

Collection

Activity observed in this campaign suggests that Mint Sandstorm wrote activity from targets’ devices to a series of text files, notably one named documentLoger.txt.

In addition to the activity detailed above, in some cases, Mint Sandstorm dropped MischiefTut or MediaPl, custom backdoors.

MediaPl backdoor

MediaPl is a custom backdoor capable of sending encrypted communications to its C2 server. MediaPl is configured to masquerade as Windows Media Player, an application used to store and play audio and video files. To this end, Mint Sandstorm typically drops this file in C:\\Users\\[REDACTED] \\AppData\\Local\\Microsoft\\Media Player\\MediaPl.dll. When MediaPl.dll is run with the path of an image file provided as an argument, it launches the image in Windows Photo application and also parses the image for C2 information. Communications to and from MediaPl’s C2 server are AES CBC encrypted and Base64 encoded. As of this writing, MediaPl can terminate itself, can pause and retry communications with its C2 server, and launch command(s) it has received from the C2 using the _popen function.

MischiefTut

MischiefTut is a custom backdoor implemented in PowerShell with a set of basic capabilities. MischiefTut can run reconnaissance commands, write outputs to a text file and, ostensibly, send outputs back to adversary-controlled infrastructure. MischiefTut can also be used to download additional tools on a compromised system.

Implications

The ability to obtain and maintain remote access to a target’s system can enable Mint Sandstorm to conduct a range of activities that can adversely impact the confidentiality of a system. Compromise of a targeted system can also create legal and reputational risks for organizations affected by this campaign. In light of the patience, resources, and skills observed in campaigns attributed to this subgroup of Mint Sandstorm, Microsoft continues to update and augment our detection capabilities to help customers defend against this threat.

Recommendations

Microsoft recommends the following mitigations to reduce the impact of activity associated with recent Mint Sandstorm campaigns.

• Use the Attack Simulator in Microsoft Defender for Office 365 to organize realistic, yet safe, simulated phishing and password attack campaigns in your organization by training end-users against clicking URLs in unsolicited messages and disclosing their credentials. Training should include checking for poor spelling and grammar in phishing emails or the application’s consent screen as well as spoofed app names, logos and domain URLs appearing to originate from legitimate applications or companies. Note that Attack Simulator testing only supports phishing emails containing links at this time.
• Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. Turn on network protection to block connections to malicious domains and IP addresses.
• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.

Microsoft Defender XDR customers can also turn on attack surface reduction rules to harden their environments against techniques used by this Mint Sandstorm subgroup. These rules, which can be configured by all Microsoft Defender Antivirus customers and not just those using the EDR solution, offer significant protection against the tradecraft discussed in this report.

• Block executable files from running unless they meet a prevalence, age, or trusted list criterion.
• Block JavaScript or VBScript from launching downloaded executable content.
• Block execution of potentially obfuscated scripts.

Detection details

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects activity associated with the MediaPl backdoor as the following malware:

• Backdoor:Win64/Eyeglass.A

Microsoft Defender Antivirus detects activity associated with the MischiefTut backdoor as the following malware:

• Behavior:Win32/MischiefTut

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint provides customers with detections and alerts. Alerts with the following titles in the Security Center can indicate threat activity related to Mint Sandstorm.

• Possible Mint Sandstorm activity
• Anomaly detected in ASEP registry

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

• Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets
• Mint Sandstorm delivers MischiefTut to researchers in tailored phishing campaigns

Microsoft Defender XDR Threat analytics 

• Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets

Indicators of compromise

Organizations who fit the targeting model discussed in this report can hunt for the following indicators of compromise in their environments.

Domains

• east-healthy-dress[.]glitch[.]me
• coral-polydactyl-dragonfruit[.]glitch[.]me
• kwhfibejjyxregxmnpcs[.]supabase[.]co
• epibvgvoszemkwjnplyc[.]supabase[.]co
• ndrrftqrlblfecpupppp[.]supabase[.]co
• cloud-document-edit[.]onrender[.]com

Files

• MediaPl.dll (SHA-256: f2dec56acef275a0e987844e98afcc44bf8b83b4661e83f89c6a2a72c5811d5f)

Advanced hunting

Microsoft Defender XDR

Curl command used to retrieve malicious files

Use this query to locate the curl command Mint Sandstorm used to pull down malicious files in this campaign.

DeviceProcessEvents
| where InitiatingProcessCommandLine has_all('id=',
'&Prog') and InitiatingProcessCommandLine has_any('vbs', '--ssl')

Creation of log files

Use this query to identify files created by Mint Sandstorm, ostensibly for exfiltration.

DeviceProcessEvents
| where InitiatingProcessCommandLine has_all('powershell', '$pnt', 'Get-Content', 'gcm') and InitiatingProcessCommandLine has_any('documentLog', 'documentLoger', 'Logdocument')

Files with double file name extensions

Use this query to find files with double extension, e.g., .pdf.lnk.

DeviceFileEvents
| where FileName endswith ".pdf.lnk"

Registry keys with VBScript

Use this query to find registry run keys entry with VBScript in value

DeviceRegistryEvents
| where ActionType == "RegistryValueSet" or ActionType == "RegistryKeyCreated"
| where RegistryKey endswith @"\Software\Microsoft\Windows\CurrentVersion\Run" or 
RegistryKey endswith @"\Software\Microsoft\Windows\CurrentVersion\RunOnce" or
RegistryKey endswith @"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
| where RegistryValueData has_any ("vbscript",".vbs")

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

• Email delivered to inbox
• Delivered bad emails from top bad IPv4 addresses
• Phishing link execution observed
• Successful sign-in from phishing link
• Suspicious URL clicked
• Scheduled task creation update from user writable directory
• Remote Scheduled Task creation update via Schtasks

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs appeared first on Microsoft Security Blog.