Welcome to the Microsoft Incident Response Ninja Hub

We’re excited to announce the Microsoft Incident Response Ninja Hub. This page includes a compilation of guides and resources that the Microsoft Incident Response team has developed on threat hunting, case studies, incident response guides, and more. Many of these pieces were also developed in collaboration with Microsoft’s partners across Microsoft Security, providing a unique view into how the Microsoft Security ecosystem leans on cross-team collaboration to protect our customers.

This page will be continually updated as the team develops and publishes more resources, so be sure to bookmark our Ninja Hub and stay up to date: https://aka.ms/MicrosoftIRNinjaHub

Incident Response (IR) best practices for security teams and leaders

• Navigating the Maze of Incident Response: Microsoft IR guide shares best practices for security teams and leaders
• Creating a proactive incident response plan | How to boost your incident response readiness
• The art and science behind Microsoft threat hunting: Part 1
• The art and science behind Microsoft threat hunting: Part 2
• The art and science behind Microsoft threat hunting: Part 3
• Microsoft Security tips to reduce risk in mergers and acquisitions

Deep dives and threat hunting guides

• One-page guides
  • Download the new Microsoft IR one-page guides on investigating suspicious activity in Microsoft 365 and Microsoft Entra
  • Download the Microsoft IR guides on using Windows Internals for digital forensic investigations
• Cloud hunting and Microsoft Entra
  • Threat hunting with Microsoft Graph activity logs
  • Hunting for MFA manipulations in Entra ID tenants using KQL
  • Hunting in Azure subscriptions
  • Good UAL Hunting
  • Investigating malicious OAuth applications using the Unified Audit Log
  • Forensic artifacts in Office 365 and where to find them
  • Follow the Breadcrumbs with Microsoft IR & MDI: Working Together to Fight Identity-based Attacks
  • How to investigate service provider trust chains in the cloud
• Techniques for threat hunting
  • Fuzzy hashing logs to find malicious activity
  • Leveraging the Power of KQL in Incident Response

Attacker tactics, techniques, and procedures explained

• Proactive Measures: Safeguarding Against Vulnerable Driver Attacks with Effective Monitoring and Prevention Strategies
• Defenders beware: A case for post-ransomware investigations
• Token tactics: How to prevent, detect, and respond to cloud token theft
• Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign
• Guidance for investigating attacks using CVE-2023-23397
• Protect against CVE-2019-0708: BlueKeep
• IIS modules: The evolution of web shells and how to detect them 
• Web shell attacks continue to rise
• Ghost in the shell: Investigating web shell attacks
• Tarrask malware uses scheduled tasks for defense evasion

Case studies

• Cyberattack Series
  • Report 1: Solving one of NOBELIUM's most novel attacks
  • Report 2: Healthy security habits to fight credential breaches
  • Report 3: Patch me if you can: Cyberattack Series
  • Report 4: Protecting credentials against social engineering
• Advanced Persistent Threats (APTs) and named Threat Actor groups
  • Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction | Microsoft Security Blog
  • A guide to combatting human-operated ransomware: Part 1
  • A guide to combatting human-operated ransomware: Part 2
  • MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone
  • Destructive malware targeting Ukrainian organizations
  • DEV-0537 criminal actor targeting organizations for data exfiltration and destruction
• Ransomware and case studies
  • The five-day job: A BlackByte ransomware intrusion case study
  • LockBit 2.0 ransomware bugs and database recovery attempt: Part 1
  • LockBit 2.0 ransomware bugs and database recovery attempts: Part 2  
  • Facing the cold chills: A case study of a targeted compromise

Lessons from the field and compromise recovery how-to

• Compromise recovery
  • Octo Tempest: Hybrid identity compromise recovery
  • Recover ADCS from Compromise
  • Advice for incident responders on recovery from systemic identity compromises
• Lessons from the field on securing your cloud
  • Total Identity Compromise: Microsoft Incident Response lessons on securing Active Directory
  • Microsoft Incident Response lessons on preventing cloud identity compromise
  • Protect your business from password sprays with Microsoft DART recommendations
  • Microsoft Incident Response tips for managing a mass password reset
  • Effective strategies and technical recommendations for conducting Mass Password Resets during cybersecurity incidents
  • How Microsoft Incident Response and Microsoft Defender for Identity work together
  • A "quick wins" approach to securing Azure Active Directory and Office 365 and improving your security posture
  • Using Microsoft Security APIs for Incident Response - Part 1
  • Using Microsoft Security APIs for Incident Response - Part 2
  • Microsoft Office 365—Do you have a false sense of cloud security?
• Lessons from the field on ransomware response

Long-form resources and books

• Microsoft Defender for Endpoint in Depth: Take any organization's endpoint security to the next level
• The Definitive Guide to KQL: Using Kusto Query Language for operations, defending, and threat hunting (1^st Edition)

Learn more about the Microsoft Incident Response team

• DART: the Microsoft cybersecurity team we hope you never meet
• How the Microsoft Incident Response team helps customers remediate threats
• Microsoft Incident Response Retainer is generally available
• An integrated incident response solution with Microsoft and PwC

To stay up to date, follow blogs published to the Security Experts Tech Community Blog and to Microsoft Security Blog.