
November 9, 2022 • 4 min read


MICROSOFT DEFENDER EXPERTS FOR HUNTING DEMONSTRATES INDUSTRY-LEADING PROTECTION
IN THE 2022 MITRE ENGENUITY ATT&CK® EVALUATIONS FOR MANAGED SERVICES

 * Ryan Kivett Partner Director, Microsoft Defender Experts


Microsoft Defender Experts for Hunting, our newest managed threat hunting
service, delivered industry-leading results during the inaugural MITRE Engenuity
ATT&CK® Evaluations for Managed Services.

We provided a seamless, comprehensive, and rapid response to the simulated
attack using expert-led threat hunting and an industry-leading extended
detection and response (XDR) platform—Microsoft 365 Defender. This evaluation
showcased our service’s strength in the following areas:

 * In-depth visibility and analytics across all stages of the attack chain.
 * Comprehensive managed hunting.
 * Seamless alert prioritization and consolidation into notifications for the
   security operations center (SOC).
 * Tailored hunting guidance and advanced hunting queries (AHQ) to optimize
   investigations.
 * Frequently updated and customized recommendations for rapid containment and
   remediation.
 * Threat actor attribution with tactics, techniques, and procedures (TTP)
   context.
 * Technology powered by a team of expert hunters and customer-centric approach.
 * Commitment to managed extended detection and response (MXDR) partners running
   on Microsoft 365 Defender.


IN-DEPTH VISIBILITY AND ANALYTICS ACROSS ALL STAGES OF THE ATTACK CHAIN

Figure 1. Microsoft Defender Experts for Hunting coverage. Fully reported—
including initial access, execution, persistence, credential access, lateral
movement, and collection—reflects 100 percent acceptance of evidence submission.
Majority reported—including defense evasion, discovery, exfiltration, and
command and control—reflects some gaps in evidence acceptance.


COMPREHENSIVE MANAGED HUNTING

The Microsoft Defender Experts for Hunting team identified all threats and
provided a cohesive attack timeline with remediation guidance.

From the early stages of the intrusion, our hunters alerted the customer that a
malicious archive masquerading as marketing materials was potentially part of a
targeted attack. After a user opened the archive, a threat actor, which we
attributed with high confidence as EUROPIUM, gained access to the environment.

Over the next few days, the threat actor used this foothold to steal
credentials, move laterally in the network, deploy a web shell on an Exchange
Server, and escalate privileges in the domain. The threat actor ultimately used
their access to target sensitive data on an SQL server. Based on available
telemetry, we reported that the threat actor staged sensitive data and may have
successfully exfiltrated the data through email using a malicious RDAT utility.

Microsoft threat hunters discovered and investigated all of the essential and
impactful TTPs used in this evaluation.


SEAMLESS ALERT PRIORITIZATION AND CONSOLIDATION INTO NOTIFICATIONS FOR THE SOC

From initial malware execution to data theft, Microsoft 365 Defender seamlessly
detected and correlated alerts from all stages of the attack chain into two
overarching incidents that provided end-to-end attack stories (see Figure 2).
Microsoft 365 Defender’s incident correlation technology helps SOC analysts to
counter alert fatigue, and our hunters then enrich these incidents by finding
new attacks with the existing deep signals and custom alerting.

Figure 2. Consolidated incidents enriched by Defender Experts for Hunting, as
illustrated by the tags above.

Our hunters followed up on automated alerting with Defender Expert notifications
(DENs) to provide additional context on the threat activity with an executive
summary, threat actor attribution, detailed scope of impact, recommendations,
and advanced hunting queries to self-serve investigations and response actions.
This human enrichment helps the customer prioritize their time and focus their
actions in the SOC.

Figure 3. Beginning of incident executive summary provided by Defender Experts.


TAILORED HUNTING GUIDANCE AND AHQ TO OPTIMIZE INVESTIGATIONS

Within the DENs, our hunters additionally provided tailored hunting guidance and
AHQs to enable investigators to hunt for and identify relevant attack activity
in each incident. Figure 4 shows one example where we directly flagged to the
customer that a series of file modification events were consistent with data
exfiltration attempts.

Figure 4. Example of running provided AHQs to surface activity of interest.


FREQUENTLY UPDATED AND CUSTOMIZED RECOMMENDATIONS FOR CONTAINMENT AND
REMEDIATION

Throughout the attack, our hunters regularly shared remediation guidance to aid
the customer in a rapid response (Figure 5). As the incident developed, using
the Recommendation Summary, we kept the customer apprised of the scope of the
attack and the efforts needed to contain it.

Figure 5. Excerpt of custom recommendations in the Microsoft 365 Defender
portal.


THREAT ACTOR ATTRIBUTION WITH TTP CONTEXT

Microsoft Defender Experts for Hunting provided the customer with nation-state
attribution based on observed TTPs and behaviors. We identified the activity was
consistent with the threat actor EUROPIUM, also known as APT34 and OilRig, which
Microsoft has observed as far back as 2015. EUROPIUM is a well-resourced actor
capable of multiple types of attacks—from spear phishing and social engineering
to remote exploitation of internet-facing devices.

We leveraged this attribution to provide valuable incident context, such as
potential intrusion goals and relevant TTPs, to the customer.

Figure 6. Incident attribution in Microsoft 365 Defender portal.


TECHNOLOGY POWERED BY A TEAM OF EXPERT HUNTERS

The Microsoft philosophy in this evaluation was to represent product truth and
real-world service delivery for our customers. We participated in the evaluation
using our Defender Experts for Hunting team and product capabilities and
configurations that we expect customers to use. As you review evaluation
results, you should consider additional aspects including depth and durability
of protection, completeness of signals, actionable insights, and the quality of
what our hunters provided to enrich both the incidents and component alerts. All
of these factors are critical in delivering a world-class hunting service to
protect real customer production environments.


COMMITMENT TO MXDR PARTNERS RUNNING ON MICROSOFT 365 DEFENDER

Microsoft supported several of our verified MXDR partners in this evaluation.
Our collaborative efforts reinforce our commitment to our partners’ success in
building managed services to meet growing demand and support our joint
customers.

We thank MITRE Engenuity for the opportunity to contribute to and participate in
this year’s evaluation.

Read more about the MITRE Managed Services Evaluations.


LEARN MORE

Learn more about Microsoft Defender Experts for Hunting.

To learn more about Microsoft Security solutions, visit our website. Bookmark
the Security blog to keep up with our expert coverage on security matters. Also,
follow us at @MSFTSecurity for the latest news and updates on cybersecurity.



--------------------------------------------------------------------------------

© November 2022 The MITRE Corporation. This work is reproduced and distributed
with the permission of The MITRE Corporation.


FILED UNDER:

 * Cybersecurity

