Tag

Lateral Movement

All articles tagged with #lateral movement

Defender for Endpoint Tests Auto-Isolation to Stop Lateral Movement
cybersecurity, 3 days ago

Microsoft Defender for Endpoint is previewing automatic isolation as part of Automatic Attack Disruption, automatically isolating suspected-compromised onboarded endpoints to limit attacker lateral movement and data exfiltration while keeping the device monitored; security operators can release the device after investigation, with the feature expanding prior isolation capabilities across Windows and Linux devices and user accounts.

UNC6692 leverages Teams impersonations to deploy Snow malware for credential theft and domain takeover
technology, 1 month ago

Researchers say the threat group UNC6692 uses email bombing to pressure targets and then contacts them via Microsoft Teams, posing as the IT helpdesk to induce installation of a purported patch that drops Snow, a custom malware suite (SnowBelt browser extension, SnowGlaze tunneler, SnowBasin backdoor). SnowBelt provides persistence and relays commands to SnowBasin through a headless Edge session, while SnowGlaze establishes a WebSocket tunnel and SOCKS proxy for C2 communication. SnowBasin can execute attacker commands, provide remote shell access, and exfiltrate data, while LSASS memory dumps and pass-the-hash techniques enable internal reconnaissance and lateral movement to domain controllers; the attackers even exfiltrate Active Directory data using FTK Imager via LimeWire. The report includes IoCs and YARA rules to detect Snow.

Microsoft Defender: Enhanced Auto-Isolation and Autonomous Protection
technology, 2 years ago

Microsoft Defender for Endpoint has introduced an automatic attack disruption feature that isolates compromised user accounts to prevent lateral movement in hands-on-keyboard attacks. This capability temporarily contains suspicious identities, preventing attackers from using them to escalate privileges, move laterally, steal credentials, exfiltrate data, or encrypt files remotely. When an initial stage of a human-operated attack is detected, the feature blocks the attack on the affected device and inoculates other devices within the organization by blocking incoming malicious traffic. Since its introduction, over 6,500 devices have been protected from ransomware campaigns. Defender for Endpoint can also isolate hacked and unmanaged Windows devices, preventing lateral movement within networks.