URL:
https://techcommunity.microsoft.com/t5/microsoft-security-experts-blog/a-blackbyte-ransomware-intrusion-case-study/ba-p/3841810
A BlackByte Ransomware intrusion case study

By Pablo Mejias (MICROSOFT IR)
Published May 18 2024 08:03 PM

INTRODUCTION

As ransomware attacks grow in number and sophistication every year, threat actors can quickly impact business operations if organizations are not well prepared. In this blog, we detail an investigation into a ransomware event.
During this intrusion the threat actor progressed through the full attack chain, from initial access through to impact, in less than five days, causing significant business disruption for the victim organization. During the investigation, the Microsoft Incident Response team (formerly known as DART) identified the threat actor employing a range of tools and techniques to achieve their objectives, including:
* Exploitation of unpatched, internet-exposed Microsoft Exchange Servers
* Web shell deployment facilitating remote access
* Use of living-off-the-land tools for persistence and reconnaissance
* Cobalt Strike beacons for command and control
* Process hollowing and the use of vulnerable drivers for defense evasion
* Deployment of custom-developed backdoors to facilitate persistence
* Deployment of a custom-developed data collection and exfiltration tool

FORENSIC ANALYSIS

Initial Access

In order to obtain initial access into the victim's environment, the threat actor was observed exploiting known vulnerabilities (ProxyShell) on unpatched Microsoft Exchange Servers:
* CVE-2021-34473
* CVE-2021-34523
* CVE-2021-31207

The exploitation of these vulnerabilities allowed the threat actor to:
* Attain SYSTEM-level privileges on the compromised Exchange host
* Enumerate the LegacyDN of users by sending Autodiscover requests, including the SIDs of users
* Construct a valid authentication token and use it against the Exchange PowerShell backend
* Impersonate domain admin users and create a web shell by using the New-MailboxExportRequest cmdlet
* Create web shells in order to obtain remote control on the affected servers

The threat actor was observed operating from the following IP to exploit ProxyShell and access the web shell:
* 185.225.73[.]244

Persistence

Backdoor

Microsoft IR identified the creation of Registry Run Keys, a common persistence mechanism employed by threat actors to maintain access to a compromised device, where a payload is executed each time a specific user logs in.

Registry Key | ValueName | ValueData
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | MsEdgeMsE | rundll32 C:\Users\user\Downloads\api-msvc.dll,Default
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | MsEdgeMsE | rundll32 C:\temp\api-msvc.dll,Default
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | MsEdgeMsE | rundll32 C:\systemtest\api-system.png,Default

api-msvc.dll, detected by Microsoft Defender Antivirus as Trojan:Win32/Kovter!MSR, was determined to be a backdoor capable of collecting system information such as installed antivirus products, device name and IP address. This information is then sent via HTTP POST request to a command and control (C2) channel:
* hxxps://myvisit[.]alteksecurity[.]org/t

FileName | SHA-256
* api-msvc.dll | 4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3e

Unfortunately, the organization was not using Microsoft Defender as its primary AV/EDR solution, which prevented action from being taken against the malicious code. An additional file, api-system.png, was identified with similarities to api-msvc.dll. This file behaved like a DLL, had the same default export function, and also leveraged Run Keys for persistence.

Cobalt Strike Beacon

The threat actor leveraged Cobalt Strike, a common commercial penetration testing tool, to achieve persistence. The file sys.exe, detected by Microsoft Defender Antivirus as Trojan:Win64/CobaltStrike!MSR, was determined to be a Cobalt Strike beacon and was downloaded directly from the file sharing service temp.sh:
* hxxps://temp[.]sh/szAyn/sys.exe

This beacon was configured to communicate with the following command and control (C2) channel:
* 109.206.243[.]59:443

FileName | SHA-256
* sys.exe | 5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103

AnyDesk

Microsoft IR frequently observes threat actors leveraging legitimate remote access tools during an intrusion, in an effort to blend in on a victim network.
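The Run-key entries tabulated in the Backdoor section above share a shape that is easy to check for on any host: rundll32 launching a file from a user-writable or non-standard directory, sometimes with a non-DLL extension (api-system.png) and the same export name. The script below is an added example, not code from the Microsoft IR post; it enumerates the HKCU and HKLM Run keys with winreg when run on Windows, falls back to a constructed sample set elsewhere, and reports each value with the reasons it looks suspicious. The trusted-location list, the benign "Vendor" entries and the reason labels are my assumptions.

```python
import re
from dataclasses import dataclass

# Locations from which a legitimately installed product normally runs; a Run
# value that loads code from anywhere else deserves a closer look. (Assumed list.)
TRUSTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)

REASON_LOCATION = "outside standard install locations"
REASON_EXTENSION = "non-DLL extension"
REASON_EXPORT = "export 'Default' (as in the sampled backdoor)"

# Matches: [path\]rundll32[.exe] <target>[,<export>] ...  (target may be quoted)
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(?P<arg>"[^"]*"(?:,\S*)?|\S+)',
    re.IGNORECASE,
)


def parse_rundll32(value_data):
    """Return (target_path, export_or_None) for a rundll32 launch, else None."""
    m = RUNDLL_RE.match(value_data)
    if not m:
        return None
    arg = m.group("arg").replace('"', "")
    path, _, export = arg.partition(",")
    return path, (export or None)


@dataclass
class Finding:
    value_name: str
    value_data: str
    reasons: list


def assess_run_value(value_data):
    """Heuristics for one Run value; returns the list of reasons it is suspicious."""
    parsed = parse_rundll32(value_data)
    if parsed is None:
        return []  # not a rundll32 launch; other loader patterns are out of scope here
    path, export = parsed
    low = path.lower()
    reasons = []
    if not low.startswith(TRUSTED_PREFIXES):
        reasons.append(REASON_LOCATION)
    if not low.endswith(".dll"):
        reasons.append(REASON_EXTENSION)
    if export is not None and export.lower() == "default":
        reasons.append(REASON_EXPORT)
    return reasons


def audit_entries(entries):
    """entries: iterable of (value_name, value_data). Returns the Findings."""
    findings = []
    for name, data in entries:
        reasons = assess_run_value(data)
        if reasons:
            findings.append(Finding(name, data, reasons))
    return findings


def read_live_run_keys():
    """On Windows, enumerate the HKCU and HKLM Run keys via winreg; [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    for hive, label in ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, data, _kind = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values under this key
                entries.append((f"{label}\\Run\\{name}", str(data)))
                index += 1
    return entries


# Constructed sample: the three ValueData strings from the post plus two benign,
# invented entries so the heuristics are seen to pass clean values.
SAMPLE_ENTRIES = [
    ("MsEdgeMsE", r"rundll32 C:\Users\user\Downloads\api-msvc.dll,Default"),
    ("MsEdgeMsE", r"rundll32 C:\temp\api-msvc.dll,Default"),
    ("MsEdgeMsE", r"rundll32 C:\systemtest\api-system.png,Default"),
    ("VendorTray", r'"C:\Program Files\Vendor\tray.exe" /background'),
    ("VendorHelper", r'"C:\Windows\System32\rundll32.exe" "C:\Program Files\Vendor\helper.dll",Start'),
]

if __name__ == "__main__":
    for finding in audit_entries(read_live_run_keys() or SAMPLE_ENTRIES):
        print(f"[!] {finding.value_name}: {finding.value_data} -> {', '.join(finding.reasons)}")
```

The location check is the one that fires on all three of the post's entries; the extension and export checks are weaker, sample-specific signals and are listed separately so an analyst can weigh them.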
In this case, the threat actor utilized AnyDesk, a common remote administration tool, to maintain persistence and move laterally within the network. AnyDesk was installed as a service and was executed from the following paths:
* C:\systemtest\anydesk\AnyDesk.exe
* C:\Program Files (x86)\AnyDesk\AnyDesk.exe
* C:\Scripts\AnyDesk.exe

Successful connections were observed in AnyDesk logs (ad_svc.trace) involving anonymizer service IP addresses linked to TOR and Mullvad VPN. This is a common technique that actors employ to obscure their source IP ranges.

Reconnaissance and Privilege Escalation

Microsoft IR found the presence and execution of the network discovery tool NetScan, used by the threat actor to perform network enumeration under the following executable names:
* netscan.exe
* netapp.exe

FileName | SHA-256
* netscan.exe | 1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e
* netapp.exe | 1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e

In addition, execution of AdFind, an Active Directory reconnaissance tool, was observed in the environment.

FileName | SHA-256
* adfind.exe | f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e

Credential Access

Evidence of likely Mimikatz usage, a credential theft tool commonly used by threat actors, was also uncovered through the presence of a related log file, mimikatz.log. Microsoft IR assesses that Mimikatz was likely used to attain credentials for privileged accounts.

Lateral Movement

Using compromised domain admin credentials, the threat actor used Remote Desktop Protocol and PowerShell Remoting to obtain access to other servers in the environment, including Domain Controllers.

Data Staging and Data Exfiltration

A suspicious file named "explorer.exe" was identified.
The file was recognized by Microsoft Defender Antivirus as "Trojan:Win64/WinGoObfusc.LK!MT" and quarantined, but after disabling the Windows Defender Antivirus service, the threat actor was able to execute the file using the following command:
* explorer.exe P@$$w0rd

FileName | SHA-256
* explorer.exe | 2d078d18e64c0085278245e284112e01aa64c69a1485bf07a6d649773293faf6

explorer.exe was reverse engineered by Microsoft IR and determined to be ExByte, a GoLang-based tool developed and commonly used in BlackByte ransomware attacks for collection and exfiltration of files from victim networks. The binary is capable of enumerating files of interest across the network, and upon execution creates a log file containing a list of files and associated metadata. Multiple log files were uncovered during the investigation in the path:
* C:\Exchange\MSExchLog.log

Analysis of the binary revealed a list of file extensions which are targeted for enumeration.

[Figure: Binary analysis showing file extensions enumerated by explorer.exe]

Forensic analysis identified a file named data.txt that was created and later deleted after ExByte execution. This file contained obfuscated credentials which ExByte leveraged to authenticate to the popular file sharing platform Mega NZ, via its API at:
* hxxps://g.api.mega.co[.]nz

[Figure: Binary analysis showing explorer.exe functionality for connecting to file sharing service MEGA NZ]

Microsoft IR also determined that this tool was crafted specifically for the victim, as it contained a hardcoded device name belonging to the victim and an internal IP address.

Execution Flow

Upon execution, ExByte decodes several strings and checks if the process is running with privileged access by reading \\.\PHYSICALDRIVE0:
* If this check fails, ShellExecuteW is invoked with the lpOperation parameter "RunAs", which runs explorer.exe with elevated privilege.
After this access check, explorer.exe attempts to read the data.txt file in the current location:
* If the text file doesn't exist, it invokes a command for self-deletion and exits from memory: C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 10 > nul & Del <PATH>\explorer.exe /F /Q
* If data.txt exists, explorer.exe reads the file, passes the buffer to a Base64 decode function and then decrypts the data using the key provided on the command line. The decrypted data is then parsed as the JSON below and fed to the login function:

{ "a":"us0", "user":"<CONTENT FROM data.txt>" }

Finally, it forms a URL for login to the API of the file sharing service MEGA NZ:
* hxxps://g.api.mega.co[.]nz/cs?id=1674017543

Data Encryption and Destruction

Microsoft IR found several devices where files had been encrypted and identified suspicious executables, detected by Microsoft Defender Antivirus as Trojan:Win64/BlackByte!MSR, with the following names:
* wEFT.exe
* schillerized.exe

The files were analyzed and determined to be BlackByte 2.0 binaries responsible for encryption across the environment. This binary requires an 8-digit key number to encrypt files. Two modes of execution were identified:
* When the -s parameter is provided, the ransomware self-deletes and encrypts the machine it was executed on
* When the -a parameter is provided, the ransomware conducts enumeration and uses a UPX-packed version of PsExec to deploy across the network.
* Several domain admin credentials were hardcoded in the binary, facilitating the deployment of the binary across the network.
Depending on the switch (-s or -a), execution may create the files below:
* C:\SystemData\M8yl89s7.exe (Random name – UPX-packed PsExec)
* C:\SystemData\wEFT.exe (Additional BlackByte binary)
* C:\SystemData\MsExchangeLog1.log (Log file)
* C:\SystemData\rENEgOtiAtES (A vulnerable (CVE-2019-16098) driver, RtCore64.sys, used to evade detection by installed AV/EDR software)
* C:\SystemData\iHu6c4.ico (Random name – BlackByte's icon)
* C:\SystemData\BB_Readme_file.txt (BlackByte ReadMe file)
* C:\SystemData\skip_bypass.txt (Unknown)

FileName | SHA-256
* M8yl89s7.exe (RANDOM NAME) | ba3ec3f445683d0d0407157fda0c26fd669c0b8cc03f21770285a20b3133098f
* rENEgOtiAtES | 01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd

Some capabilities identified for the BlackByte 2.0 ransomware were:

AV/EDR Bypass
* The file rENEgOtiAtES created matches RTCore64.sys, a vulnerable driver (CVE-2019-16098) that allows any authenticated user to read/write arbitrary memory.
* The BlackByte binary then creates and starts a service named RABAsSaa calling rENEgOtiAtES, and exploits this service to evade detection by installed AV/EDR software.
Process Hollowing
* Invokes svchost.exe, injects into it to complete device encryption, and self-deletes by executing the following command:
  * cmd.exe /c ping 1.1.1.1 -n 10 > Nul & Del "PATH_TO_BLACKBYTE" /F /Q

Modification / Disabling of Windows Firewall
* The following commands are executed to either modify existing Windows Firewall rules, or to disable Windows Firewall entirely:
  * cmd /c netsh advfirewall set allprofiles state off
  * cmd /c netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  * cmd /c netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes

Modification of Volume Shadow Copies
* The following commands are executed to destroy volume shadow copies on the machine:
  * cmd /c vssadmin Resize ShadowStorge /For=B:\ /On=B:\ /MaxSuze=401MB
  * cmd /c vssadmin Resize ShadowStorage /For=B:\ /On=B:\ /MaxSize=UNBOUNDED

Modification of Registry Keys/Values
* The following commands are executed to modify the registry, facilitating elevated execution on the device:
  * cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
  * cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  * cmd /c reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f

Additional Functionality
* Ability to terminate running services and processes.
* Ability to enumerate and mount volumes and network shares for encryption.
* Performs the anti-forensics technique of time-stomping (sets the file time of encrypted files and the ReadMe file to 2000-01-01 00:00:00)
* Ability to perform anti-debugging techniques.

RECOMMENDATIONS

To guard against BlackByte ransomware attacks, Microsoft IR recommends the following:
* Ensure that you have a patch management process in place and that patching for internet-exposed devices is prioritized.
* Implement an EDR solution like Microsoft Defender for Endpoint to gain visibility of malicious activity in real time across your network.
* Ensure antivirus signatures are updated regularly and that your AV solution is configured to block threats.
* Block inbound traffic from the IPs specified in the Indicators of Compromise table.
* Block inbound traffic from TOR exit nodes.
* Block inbound access from unauthorized public VPN services.
* Enable tamper protection to prevent components of Microsoft Defender Antivirus from being disabled.
* Understand and assess your cyber exposure with advanced vulnerability and configuration assessment t...

INDICATORS OF COMPROMISE (IOC)

The table below shows IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.

Indicator | Type | Description
4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3e | SHA-256 | api-msvc.dll (Backdoor installed through RunKeys)
5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103 | SHA-256 | sys.exe (Cobalt Strike Beacon)
2d078d18e64c0085278245e284112e01aa64c69a1485bf07a6d649773293faf6 | SHA-256 | explorer.exe (Exbyte, file enumeration and exfiltration tool)
01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd | SHA-256 | rENEgOtiAtES (Vulnerable driver RtCore64.sys created by BlackByte binary)
ba3ec3f445683d0d0407157fda0c26fd669c0b8cc03f21770285a20b3133098f | SHA-256 | [RANDOM_NAME].exe (UPX Packed PsExec created by BlackByte binary)
1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e | SHA-256 | "netscan.exe", "netapp.exe" (Netscan network discovery tool)
f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e | SHA-256 | AdFind.exe (Active Directory information gathering tool)
hxxps://myvisit[.]alteksecurity[.]org/t | URL | C2 for backdoor api-msvc.dll
hxxps://temp[.]sh/szAyn/sys.exe | URL | Download URL for sys.exe
109.206.242[.]59 | IP Address | C2 for Cobalt Strike beacon sys.exe
185.225.73[.]44 | IP Address | Originating IP address for ProxyShell exploitation and web shell interaction

NOTE: These indicators should not be considered exhaustive for this observed activity.

DETECTIONS

Microsoft 365 Defender

Microsoft Defender Antivirus
* Trojan:Win32/Kovter!MSR
* Trojan:Win64/WinGoObfusc.LK!MT
* Trojan:Win64/BlackByte!MSR
* HackTool:Win32/AdFind!MSR
* Trojan:Win64/CobaltStrike!MSR

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint customers should watch for these alerts, which can detect behavior observed in this campaign. Note, however, that these alerts are not indicative of threats unique to the campaign or actor groups described in this report.
* 'CVE-2021-31207' exploit malware was detected
* An active 'NetShDisableFireWall' malware in a command line was prevented from executing.
* Suspicious registry modification.
* 'Rtcore64' hacktool was detected
* Possible ongoing hands-on-keyboard activity (Cobalt Strike)
* A file or network connection related to a ransomware-linked emerging threat activity group detected
* Suspicious sequence of exploration activities
* A process was injected with potentially malicious code
* Suspicious behavior by cmd.exe was observed
* 'Blackbyte' ransomware was detected

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces impacted devices that may be affected by the Exchange (ProxyShell) and driver vulnerabilities used in the attack:
* CVE-2021-34473
* CVE-2021-34523
* CVE-2021-31207
* CVE-2019-16098

ADVANCED HUNTING QUERIES

Microsoft 365 Defender and Microsoft Sentinel

ProxyShell Web Shell Creation Events

DeviceProcessEvents
| where ProcessCommandLine has_any ("ExcludeDumpster","New-ExchangeCertificate")
    and ProcessCommandLine has_any ("-RequestFile","-FilePath")

Suspicious Vssadmin Events

DeviceProcessEvents
| where ProcessCommandLine has_any ("vssadmin","vssadmin.exe")
    and ProcessCommandLine has "Resize ShadowStorage"
    and ProcessCommandLine has_any ("MaxSize=401MB","MaxSize=UNBOUNDED")

CONCLUSIONS

BlackByte ransomware attacks are still targeting organizations whose infrastructure carries old, unpatched vulnerabilities, allowing the actors to accomplish their objectives with minimal effort. According to Shodan, at the time this blog was written there were nearly 3300 public-facing servers still affected by the ProxyShell vulnerabilities, making them an easy target for threat actors looking to impact organizations around the world. As Microsoft shows in the Microsoft Digital Defense Report, key practices like "Keep up to date", in conjunction with the other basic security hygiene practices mentioned there, could protect against 98 percent of attacks. As new tools are developed by threat actors, a modern threat protection solution such as Microsoft 365 Defender is necessary to prevent and detect the multiple techniques used in the attack chain, especially where the threat actor attempts to evade or disable specific defense mechanisms. Hunting for malicious behavior should be performed regularly in order to detect potential attacks that evade detections, as a complementary activity to the continuous monitoring of security tool alerts and incidents. To understand how Microsoft can help you secure your network and respond to network compromise, visit https://aka.ms/MicrosoftIR.

APPENDIX

Encryption

The following file extensions are targeted by the BlackByte binary for encryption:

.4dd .4dl .accdb .accdc .accde .accdr .accdt .accft .adb .ade .adf .adp .arc .ora .alf .ask .btr .bdf .cat .cdb .ckp .cma .cpd .dacpac .dad .dadiagrams .daschema .db .db-shm .db-wal .db3 .dbc .dbf .dbs .dbt .dbv .dbx .dcb .dct .dcx .ddl .dlis .dp1 .dqy .dsk .dsn .dtsx .dxl .eco .ecx .edb .epim .exb .fcd .fdb .fic .fmp .fmp12 .fmpsl .fol .fp3 .fp4 .fp5 .fp7 .fpt .frm .gdb .grdb .gwi .hdb .his .ib .idb .ihx .itdb .itw .jet .jtx .kdb
.kexi .kexic .kexis .lgc .lwx .maf .maq .mar .masmav .mdb .mpd .mrg .mud .mwb .myd .ndf .nnt .nrmlib .ns2 .ns3 .ns4 .nsf .nv .nv2 .nwdb .nyf .odb .ogy .orx .owc .p96 .p97 .pan .pdb .pdm .pnz .qry .qvd .rbf .rctd .rod .rodx .rpd .rsd .sas7bdat .sbf .scx .sdb .sdc .sdf .sis .spg .sql .sqlite .sqlite3 .sqlitedb .te .temx .tmd .tps .trc .trm .udb .udl .usr .v12 .vis .vpd .vvv .wdb .wmdb .wrk .xdb .xld .xmlff .abcddb .abs .abx .accdw .and .db2 .fm5 .hjt .icg .icr .kdb .lut .maw .mdn .mdt

Also, the following shared folders are targeted for encryption:

Users Backup Veeam homes home media common Storage Server Public Web Images Downloads BackupData ActiveBackupForBusiness Backups NAS-DC DCBACKUP DirectorFiles share

Example: \\IP_Address\Downloads

Extensions ignored:

.ini .url .msilog .log .ldf .lock .theme .msi .sys .wpx .cpl .adv .msc .scr .key .ico .dll .hta .deskthemepack .nomedia .msu .rtp .msp .idx .ani .386 .diagcfg .bin .mod .ics .com .hlp .spl .nls .cab .exe .diagpkg .icl .ocx .rom .prf .thempack .msstyles .icns .mpa .drv .cur .diagcab .cmd .shs

Folders ignored:

windows boot program files (x86) windows.old programdata intel bitdefender trend micro windowsapps appdata application data system volume information perflogs msocache

Files ignored:

bootnxt ntldr bootmgr thumbs.db ntuser.dat bootsect.bak autoexec.bat iconcache.db bootfont.bin

Processes terminated by the BlackByte binary:

teracopy teamviewer nsservice nsctrl uranium processhacker procmon pestudio procmon64 x32dbg x64dbg cff explorer procexp pslist tcpview tcpvcon dbgview rammap rammap64 vmmap ollydbg autoruns autorunssc filemon regmon idaq idaq64 immunitydebugger wireshark dumpcap hookexplorer importrec petools lordpe sysinspector proc_analyzer sysanalyzer sniff_hit windbg joeboxcontrol joeboxserver resourcehacker fiddler httpdebugger dumpit rammap rammap64 vmmap agntsvc cntaosmgr dbeng50 dbsnmp encsvc infopath isqlplussvc mbamtray msaccess msftesql mspub mydesktopqos mydesktopservice mysqld mysqld-nt mysqld-opt Ntrtscan ocautoupds ocomm ocssd onenote oracle outlook PccNTMon powerpnt sqbcoreservice sql sqlagent sqlbrowser sqlservr sqlwriter steam synctime tbirdconfig thebat thebat64 thunderbird tmlisten visio winword wordpad xfssvccon zoolz

Services terminated by the BlackByte binary:

CybereasonRansomFree vnetd bpcd SamSs TeraCopyService msftesql nsService klvssbridge64 vapiendpoint ShMonitor Smcinst SmcService SntpService svcGenericHost Swi_ TmCCSF tmlisten TrueKey TrueKeyScheduler TrueKeyServiceHelper WRSVC McTaskManager OracleClientCache80 mfefire wbengine mfemms RESvc mfevtp sacsvr SAVAdminService SepMasterService PDVFSService ESHASRV SDRSVC FA_Scheduler KAVFS KAVFS_KAVFSGT kavfsslp klnagent macmnsvc masvc MBAMService MBEndpointAgent McShield audioendpointbuilder Antivirus AVP DCAgent bedbg EhttpSrv MMS ekrn EPSecurityService EPUpdateService ntrtscan EsgShKernel msexchangeadtopology AcrSch2Svc MSOLAP$TPSAMA Intel(R) PROSet Monitoring msexchangeimap4 ARSM unistoresvc_1af40a ReportServer$TPS MSOLAP$SYSTEM_BGC W3Svc MSExchangeSRS ReportServer$TPSAMA Zoolz 2 Service MSOLAP$TPS aphidmonitorservice SstpSvc MSExchangeMTA ReportServer$SYSTEM_BGC Symantec System Recovery UI0Detect MSExchangeSA MSExchangeIS ReportServer MsDtsServer110 POP3Svc MSExchangeMGMT SMTPSvc MsDtsServer IisAdmin MSExchangeES EraserSvc11710 Enterprise Client Service MsDtsServer100 NetMsmqActivator stc_raw_agent VSNAPVSS PDVFSService AcrSch2Svc Acronis CASAD2DWebSvc CAARCUpdateSvc McAfee avpsus DLPAgentService mfewc BMR Boot Service DefWatch ccEvtMgr ccSetMgr SavRoam RTVsc screenconnect ransom sqltelemetry msexch vnc teamviewer msolap veeam backup sql memtas vss sophos svc$ mepocs wuauserv

EDR/AV drivers BlackByte can bypass:

360avflt.sys 360box.sys 360fsflt.sys 360qpesv.sys 5nine.cbt.sys a2acc.sys a2acc64.sys a2ertpx64.sys a2ertpx86.sys a2gffi64.sys a2gffx64.sys
a2gffx86.sys aaf.sys aalprotect.sys abrpmon.sys accessvalidator.sys acdriver.sys acdrv.sys adaptivaclientcache32.sys adaptivaclientcache64.sys adcvcsnt.sys adspiderdoc.sys aefilter.sys agentrtm64.sys agfsmon.sys agseclock.sys agsyslock.sys ahkamflt.sys ahksvpro.sys ahkusbfw.sys ahnrghlh.sys aictracedrv_am.sys airship-filter.sys ajfsprot.sys alcapture.sys alfaff.sys altcbt.sys amfd.sys amfsm.sys amm6460.sys amm8660.sys amsfilter.sys amznmon.sys antileakfilter.sys antispyfilter.sys anvfsm.sys apexsqlfilterdriver.sys appcheckd.sys appguard.sys appvmon.sys arfmonnt.sys arta.sys arwflt.sys asgard.sys ashavscan.sys asiofms.sys aswfsblk.sys aswmonflt.sys aswsnx.sys aswsp.sys aszfltnt.sys atamptnt.sys atc.sys atdragent.sys atdragent64.sys aternityregistryhook.sys atflt.sys atrsdfw.sys auditflt.sys aupdrv.sys avapsfd.sys avc3.sys avckf.sys avfsmn.sys avgmfi64.sys avgmfrs.sys avgmfx64.sys avgmfx86.sys avgntflt.sys avgtpx64.sys avgtpx86.sys avipbb.sys avkmgr.sys avmf.sys awarecore.sys axfltdrv.sys axfsysmon.sys ayfilter.sys b9kernel.sys backupreader.sys bamfltr.sys bapfecpt.sys bbfilter.sys bd0003.sys bddevflt.sys bdfiledefend.sys bdfilespy.sys bdfm.sys bdfsfltr.sys bdprivmon.sys bdrdfolder.sys bdsdkit.sys bdsfilter.sys bdsflt.sys bdsvm.sys bdsysmon.sys bedaisy.sys bemk.sys bfaccess.sys bfilter.sys bfmon.sys bhdrvx64.sys bhdrvx86.sys bhkavka.sys bhkavki.sys bkavautoflt.sys bkavsdflt.sys blackbirdfsa.sys blackcat.sys bmfsdrv.sys bmregdrv.sys boscmflt.sys bosfsfltr.sys bouncer.sys boxifier.sys brcow_x_x_x_x.sys brfilter.sys brnfilelock.sys brnseclock.sys browsermon.sys bsrfsflt.sys bssaudit.sys bsyaed.sys bsyar.sys bsydf.sys bsyirmf.sys bsyrtm.sys bsysp.sys bsywl.sys bwfsdrv.sys bzsenspdrv.sys bzsenth.sys bzsenyaradrv.sys caadflt.sys caavfltr.sys cancelsafe.sys carbonblackk.sys catflt.sys catmf.sys cbelam.sys cbfilter20.sys cbfltfs4.sys cbfsfilter2017.sys cbfsfilter2020.sys cbsampledrv.sys cdo.sys cdrrsflt.sys cdsgfsfilter.sys centrifyfsf.sys cfrmd.sys cfsfdrv cgwmf.sys 
change.sys changelog.sys chemometecfilter.sys ciscoampcefwdriver.sys ciscoampheurdriver.sys ciscosam.sys clumiochangeblockmf.sys cmdccav.sys cmdcwagt.sys cmdguard.sys cmdmnefs.sys cmflt.sys code42filter.sys codex.sys conduantfsfltr.sys containermonitor.sys cpavfilter.sys cpavkernel.sys cpepmon.sys crexecprev.sys crncache32.sys crncache64.sys crnsysm.sys cruncopy.sys csaam.sys csaav.sys csacentr.sys csaenh.sys csagent.sys csareg.sys csascr.sys csbfilter.sys csdevicecontrol.sys csfirmwareanalysis.sys csflt.sys csmon.sys cssdlp.sys ctamflt.sys ctifile.sys ctinet.sys ctrpamon.sys ctx.sys cvcbt.sys cvofflineflt32.sys cvofflineflt64.sys cvsflt.sys cwdriver.sys cwmem2k64.sys cybkerneltracker.sys cylancedrv64.sys cyoptics.sys cyprotectdrv32.sys cyprotectdrv64.sys cytmon.sys cyverak.sys cyvrfsfd.sys cyvrlpc.sys cyvrmtgn.sys datanow_driver.sys dattofsf.sys da_ctl.sys dcfafilter.sys dcfsgrd.sys dcsnaprestore.sys deepinsfs.sys delete_flt.sys devmonminifilter.sys dfmfilter.sys dgedriver.sys dgfilter.sys dgsafe.sys dhwatchdog.sys diflt.sys diskactmon.sys dkdrv.sys dkrtwrt.sys dktlfsmf.sys dnafsmonitor.sys docvmonk.sys docvmonk64.sys dpmfilter.sys drbdlock.sys drivesentryfilterdriver2lite.sys drsfile.sys drvhookcsmf.sys drvhookcsmf_amd64.sys drwebfwflt.sys drwebfwft.sys dsark.sys dsdriver.sys dsfemon.sys dsflt.sys dsfltfs.sys dskmn.sys dtdsel.sys dtpl.sys dwprot.sys dwshield.sys dwshield64.sys eamonm.sys easeflt.sys easyanticheat.sys eaw.sys ecatdriver.sys edevmon.sys ednemfsfilter.sys edrdrv.sys edrsensor.sys edsigk.sys eectrl.sys eetd32.sys eetd64.sys eeyehv.sys eeyehv64.sys egambit.sys egfilterk.sys egminflt.sys egnfsflt.sys ehdrv.sys elock2fsctldriver.sys emxdrv2.sys enigmafilemondriver.sys enmon.sys epdrv.sys epfw.sys epfwwfp.sys epicfilter.sys epklib.sys epp64.sys epregflt.sys eps.sys epsmn.sys equ8_helper.sys eraser.sys esensor.sys esprobe.sys estprmon.sys estprp.sys estregmon.sys estregp.sys estrkmon.sys estrkr.sys eventmon.sys evmf.sys evscase.sys excfs.sys 
exprevdriver.sys failattach.sys failmount.sys fam.sys fangcloud_autolock_driver.sys fapmonitor.sys farflt.sys farwflt.sys fasdriver fcnotify.sys fcontrol.sys fdrtrace.sys fekern.sys fencry.sys ffcfilt.sys ffdriver.sys fildds.sys filefilter.sys fileflt.sys fileguard.sys filehubagent.sys filemon.sys filemonitor.sys filenamevalidator.sys filescan.sys filesharemon.sys filesightmf.sys filesystemcbt.sys filetrace.sys file_monitor.sys file_protector.sys file_tracker.sys filrdriver.sys fim.sys fiometer.sys fiopolicyfilter.sys fjgsdis2.sys fjseparettifilterredirect.sys flashaccelfs.sys flightrecorder.sys fltrs329.sys flyfs.sys fmdrive.sys fmkkc.sys fmm.sys fortiaptfilter.sys fortimon2.sys fortirmon.sys fortishield.sys fpav_rtp.sys fpepflt.sys fsafilter.sys fsatp.sys fsfilter.sys fsgk.sys fshs.sys fsmon.sys fsmonitor.sys fsnk.sys fsrfilter.sys fstrace.sys fsulgk.sys fsw31rj1.sys gagsecurity.sys gbpkm.sys gcffilter.sys gddcv.sys gefcmp.sys gemma.sys geprotection.sys ggc.sys gibepcore.sys gkff.sys gkff64.sys gkpfcb.sys gkpfcb64.sys gofsmf.sys gpminifilter.sys groundling32.sys groundling64.sys gtkdrv.sys gumhfilter.sys gzflt.sys hafsnk.sys hbflt.sys hbfsfltr.sys hcp_kernel_acq.sys hdcorrelatefdrv.sys hdfilemon.sys hdransomoffdrv.sys hdrfs.sys heimdall.sys hexisfsmonitor.sys hfileflt.sys hiofs.sys hmpalert.sys hookcentre.sys hooksys.sys hpreg.sys hsmltmon.sys hsmltwhl.sys hssfwhl.sys hvlminifilter.sys ibr2fsk.sys iccfileioad.sys iccfilteraudit.sys iccfiltersc.sys icfclientflt.sys icrlmonitor.sys iderafilterdriver.sys ielcp.sys ieslp.sys ifs64.sys ignis.sys iguard.sys iiscache.sys ikfilesec.sys im.sys imffilter.sys imfilter.sys imgguard.sys immflex.sys immunetprotect.sys immunetselfprotect.sys inisbdrv64.sys ino_fltr.sys intelcas.sys intmfs.sys inuse.sys invprotectdrv.sys invprotectdrv64.sys ionmonwdrv.sys iothorfs.sys ipcomfltr.sys ipfilter.sys iprotect.sys iridiumswitch.sys irongatefd.sys isafekrnl.sys isafekrnlmon.sys isafermon isecureflt.sys isedrv.sys isfpdrv.sys 
isirmfmon.sys isregflt.sys isregflt64.sys issfltr.sys issregistry.sys it2drv.sys it2reg.sys ivappmon.sys iwdmfs.sys iwhlp.sys iwhlp2.sys iwhlpxp.sys jdppsf.sys jdppwf.sys jkppob.sys jkppok.sys jkpppf.sys jkppxk.sys k7sentry.sys kavnsi.sys kawachfsminifilter.sys kc3.sys kconv.sys kernelagent32.sys kewf.sys kfac.sys kfileflt.sys kisknl.sys klam.sys klbg.sys klboot.sys kldback.sys kldlinf.sys kldtool.sys klfdefsf.sys klflt.sys klgse.sys klhk.sys klif.sys klifaa.sys klifks.sys klifsm.sys klrsps.sys klsnsr.sys klupd_klif_arkmon.sys kmkuflt.sys kmnwch.sys kmxagent.sys kmxfile.sys kmxsbx.sys ksfsflt.sys ktfsfilter.sys ktsyncfsflt.sys kubwksp.sys lafs.sys lbd.sys lbprotect.sys lcgadmon.sys lcgfile.sys lcgfilemon.sys lcmadmon.sys lcmfile.sys lcmfilemon.sys lcmprintmon.sys ldsecdrv.sys libwamf.sys livedrivefilter.sys llfilter.sys lmdriver.sys lnvscenter.sys locksmith.sys lragentmf.sys lrtp.sys magicbackupmonitor.sys magicprotect.sys majoradvapi.sys marspy.sys maxcryptmon.sys maxproc64.sys maxprotector.sys mbae64.sys mbam.sys mbamchameleon.sys mbamshuriken.sys mbamswissarmy.sys mbamwatchdog.sys mblmon.sys mcfilemon32.sys mcfilemon64.sys mcstrg.sys mearwfltdriver.sys message.sys mfdriver.sys mfeaack.sys mfeaskm.sys mfeavfk.sys mfeclnrk.sys mfeelamk.sys mfefirek.sys mfehidk.sys mfencbdc.sys mfencfilter.sys mfencoas.sys mfencrk.sys mfeplk.sys mfewfpk.sys miniicpt.sys minispy.sys minitrc.sys mlsaff.sys mmpsy32.sys mmpsy64.sys monsterk.sys mozycorpfilter.sys mozyenterprisefilter.sys mozyentfilter.sys mozyhomefilter.sys mozynextfilter.sys mozyoemfilter.sys mozyprofilter.sys mpfilter.sys mpkernel.sys mpksldrv.sys mpxmon.sys mracdrv.sys mrxgoogle.sys mscan-rt.sys msiodrv4.sys msixpackagingtoolmonitor.sys msnfsflt.sys mspy.sys mssecflt.sys mtsvcdf.sys mumdi.sys mwac.sys mwatcher.sys mwfsmfltr.sys mydlpmf.sys namechanger.sys nanoavmf.sys naswsp.sys ndgdmk.sys neokerbyfilter netaccctrl.sys netaccctrl64.sys netguard.sys netpeeker.sys ngscan.sys nlcbhelpi64.sys nlcbhelpx64.sys 
nlcbhelpx86.sys nlxff.sys nmlhssrv01.sys nmpfilter.sys nntinfo.sys novashield.sys nowonmf.sys npetw.sys nprosec.sys npxgd.sys npxgd64.sys nravwka.sys nrcomgrdka.sys nrcomgrdki.sys nregsec.sys nrpmonka.sys nrpmonki.sys nsminflt.sys nsminflt64.sys ntest.sys ntfsf.sys ntguard.sys ntps_fa.sys nullfilter.sys nvcmflt.sys nvmon.sys nwedriver.sys nxfsmon.sys nxrmflt.sys oadevice.sys oavfm.sys oczminifilter.sys odfsfilter.sys odfsfimfilter.sys odfstokenfilter.sys offsm.sys omfltlh.sys osiris.sys ospfile_mini.sys ospmon.sys parity.sys passthrough.sys path8flt.sys pavdrv.sys pcpifd.sys pctcore.sys pctcore64.sys pdgenfam.sys pecfilter.sys perfectworldanticheatsys.sys pervac.sys pfkrnl.sys pfracdrv.sys pgpfs.sys pgpwdefs.sys phantomd.sys phdcbtdrv.sys pkgfilter.sys pkticpt.sys plgfltr.sys plpoffdrv.sys pointguardvista64f.sys pointguardvistaf.sys pointguardvistar32.sys pointguardvistar64.sys procmon11.sys proggerdriver.sys psacfileaccessfilter.sys pscff.sys psgdflt.sys psgfoctrl.sys psinfile.sys psinproc.sys psisolator.sys pwipf6.sys pwprotect.sys pzdrvxp.sys qdocumentref.sys qfapflt.sys qfilter.sys qfimdvr.sys qfmon.sys qminspec.sys qmon.sys qqprotect.sys qqprotectx64.sys qqsysmon.sys qqsysmonx64.sys qutmdrv.sys ranpodfs.sys ransomdefensexxx.sys ransomdetect.sys reaqtor.sys redlight.sys regguard.sys reghook.sys regmonex.sys repdrv.sys repmon.sys revefltmgr.sys reveprocprotection.sys revonetdriver.sys rflog.sys rgnt.sys rmdiskmon.sys rmphvmonitor.sys rpwatcher.sys rrmon32.sys rrmon64.sys rsfdrv.sys rsflt.sys rspcrtw.sys rsrtw.sys rswctrl.sys rswmon.sys rtologon.sys rtw.sys ruaff.sys rubrikfileaudit.sys ruidiskfs.sys ruieye.sys ruifileaccess.sys ruimachine.sys ruiminispy.sys rvsavd.sys rvsmon.sys rw7fsflt.sys rwchangedrv.sys ryfilter.sys ryguard.sys safe-agent.sys safsfilter.sys sagntflt.sys sahara.sys sakfile.sys sakmfile.sys samflt.sys samsungrapidfsfltr.sys sanddriver.sys santa.sys sascan.sys savant.sys savonaccess.sys scaegis.sys scauthfsflt.sys scauthiodrv.sys scensemon.sys 
scfltr.sys scifsflt.sys sciptflt.sys sconnect.sys scred.sys sdactmon.sys sddrvldr.sys sdvfilter.sys se46filter.sys secdodriver.sys secone_filemon10.sys secone_proc10.sys secone_reg10.sys secone_usb.sys secrmm.sys secufile.sys secure_os.sys secure_os_mf.sys securofsd_x64.sys sefo.sys segf.sys segiraflt.sys segmd.sys segmp.sys sentinelmonitor.sys serdr.sys serfs.sys sfac.sys sfavflt.sys sfdfilter.sys sfpmonitor.sys sgresflt.sys shdlpmedia.sys shdlpsf.sys sheedantivirusfilterdriver.sys sheedselfprotection.sys shldflt.sys si32_file.sys si64_file.sys sieflt.sys simrep.sys sisipsfilefilter sk.sys skyamdrv.sys skyrgdrv.sys skywpdrv.sys slb_guard.sys sld.sys smbresilfilter.sys smdrvnt.sys sndacs.sys snexequota.sys snilog.sys snimg.sys snscore.sys snsrflt.sys sodatpfl.sys softfilterxxx.sys soidriver.sys solitkm.sys sonar.sys sophosdt2.sys sophosed.sys sophosntplwf.sys sophossupport.sys spbbcdrv.sys spellmon.sys spider3g.sys spiderg3.sys spiminifilter.sys spotlight.sys sprtdrv.sys sqlsafefilterdriver.sys srminifilterdrv.sys srtsp.sys srtsp64.sys srtspit.sys ssfmonm.sys ssrfsf.sys ssvhook.sys stcvsm.sys stegoprotect.sys stest.sys stflt.sys stkrnl64.sys storagedrv.sys strapvista.sys strapvista64.sys svcbt.sys swcommfltr.sys swfsfltr.sys swfsfltrv2.sys swin.sys symafr.sys symefa.sys symefa64.sys symefasi.sys symevent.sys symevent64x86.sys symevnt.sys symevnt32.sys symhsm.sys symrg.sys sysdiag.sys sysmon.sys sysmondrv.sys sysplant.sys szardrv.sys szdfmdrv.sys szdfmdrv_usb.sys szedrdrv.sys szpcmdrv.sys taniumrecorderdrv.sys taobserveflt.sys tbfsfilt.sys tbmninifilter.sys tbrdrv.sys tdevflt.sys tedrdrv.sys tenrsafe2.sys tesmon.sys tesxnginx.sys tesxporter.sys tffregnt.sys tfsflt.sys tgfsmf.sys thetta.sys thfilter.sys threatstackfim.sys tkdac2k.sys tkdacxp.sys tkdacxp64.sys tkfsavxp.sys tkfsavxp64.sys tkfsft.sys tkfsft64.sys tkpcftcb.sys tkpcftcb64.sys tkpl2k.sys tkpl2k64.sys tksp2k.sys tkspxp.sys tkspxp64.sys tmactmon.sys tmcomm.sys tmesflt.sys tmevtmgr.sys tmeyes.sys tmfsdrv2.sys 
tmkmsnsr.sys tmnciesc.sys tmpreflt.sys tmumh.sys tmums.sys tmusa.sys tmxpflt.sys topdogfsfilt.sys trace.sys trfsfilter.sys tritiumfltr.sys trpmnflt.sys trufos.sys trustededgeffd.sys tsifilemon.sys tss.sys tstfilter.sys tstfsredir.sys tstregredir.sys tsyscare.sys tvdriver.sys tvfiltr.sys tvmfltr.sys tvptfile.sys tvspfltr.sys twbdcfilter.sys txfilefilter.sys txregmon.sys uamflt.sys ucafltdriver.sys ufdfilter.sys uncheater.sys upguardrealtime.sys usbl_ifsfltr.sys usbpdh.sys usbtest.sys uvmcifsf.sys uwfreg.sys uwfs.sys v3flt2k.sys v3flu2k.sys v3ift2k.sys v3iftmnt.sys v3mifint.sys varpffmon.sys vast.sys vcdriv.sys vchle.sys vcmfilter.sys vcreg.sys veeamfct.sys vfdrv.sys vfilefilter.sys vfpd.sys vfsenc.sys vhddelta.sys vhdtrack.sys vidderfs.sys vintmfs.sys virtfile.sys virtualagent.sys vk_fsf.sys vlflt.sys vmwvvpfsd.sys vollock.sys vpdrvnt.sys vradfil2.sys vraptdef.sys vraptflt.sys vrarnflt.sys vrbbdflt.sys vrexpdrv.sys vrfsftm.sys vrfsftmx.sys vrnsfilter.sys vrsdam.sys vrsdcore.sys vrsdetri.sys vrsdetrix.sys vrsdfmx.sys vrvbrfsfilter.sys vsepflt.sys vsscanner.sys vtsysflt.sys vxfsrep.sys wats_se.sys wbfilter.sys wcsdriver.sys wdcfilter.sys wdfilter.sys wdocsafe.sys wfp_mrt.sys wgfile.sys whiteshield.sys windbdrv.sys windd.sys winfladrv.sys winflahdrv.sys winfldrv.sys winfpdrv.sys winload.sys winteonminifilter.sys wiper.sys wlminisecmod.sys wntgpdrv.sys wraekernel.sys wrcore.sys wrcore.x64.sys wrdwizfileprot.sys wrdwizregprot.sys wrdwizscanner.sys wrdwizsecure64.sys wrkrn.sys wrpfv.sys wsafefilter.sys wscm.sys xcpl.sys xendowflt.sys xfsgk.sys xhunter1.sys xhunter64.sys xiaobaifs.sys xiaobaifsr.sys xkfsfd.sys xoiv8x64.sys xomfcbt8x64.sys yahoostorage.sys yfsd.sys yfsd2.sys yfsdr.sys yfsrd.sys zampit_ml.sys zesfsmf.sys zqfilter.sys zsfprt.sys zwasatom.sys zwpxesvr.sys zxfsfilt.sys zyfm.sys zzpensys.sys

Pablo Mejias (MICROSOFT IR)
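The two advanced hunting queries in this post, together with the netsh, reg add and ping-then-Del commands it documents, as an added Python example (not code from the original post or from Microsoft) that runs the same logic offline over constructed DeviceProcessEvents-style records. The `has()` helper approximating KQL whole-term matching, the rule names, the host names and the file paths in the sample telemetry are assumptions of this example.

```python
"""Added example: BlackByte hunting logic as offline Python rules.

Not code from the original post or from Microsoft.  KQL `has` matches whole
terms case-insensitively; has() below approximates that (an assumption of this
example) so the rules behave like the queries rather than like substring search.
"""
import re
from typing import Callable, Dict, List, Tuple

_TERM = re.compile(r"[A-Za-z0-9]+")


def terms(text: str) -> List[str]:
    """Approximate KQL term extraction: alphanumeric runs, lower-cased."""
    return [t.lower() for t in _TERM.findall(text)]


def has(text: str, phrase: str) -> bool:
    """KQL-style `has`: the phrase's terms occur as consecutive whole terms."""
    needle, hay = terms(phrase), terms(text)
    if not needle:
        return False
    n = len(needle)
    return any(hay[i:i + n] == needle for i in range(len(hay) - n + 1))


def has_any(text: str, phrases: List[str]) -> bool:
    """KQL-style `has_any`."""
    return any(has(text, p) for p in phrases)


# Rule name -> predicate over ProcessCommandLine (names are this example's).
RULES: Dict[str, Callable[[str], bool]] = {
    # "ProxyShell Web Shell Creation Events" query from the post.
    "proxyshell_webshell_creation": lambda c: (
        has_any(c, ["ExcludeDumpster", "New-ExchangeCertificate"])
        and has_any(c, ["-RequestFile", "-FilePath"])),
    # "Suspicious Vssadmin Events" query from the post.
    "vssadmin_shadowstorage_resize": lambda c: (
        has_any(c, ["vssadmin", "vssadmin.exe"])
        and has(c, "Resize ShadowStorage")
        and has_any(c, ["MaxSize=401MB", "MaxSize=UNBOUNDED"])),
    # Firewall disabled or rule groups enabled (observed netsh commands).
    "firewall_tampering": lambda c: (
        has(c, "netsh advfirewall")
        and (has(c, "set allprofiles state off") or has(c, "new enable=Yes"))),
    # Registry values the binary sets to facilitate elevated execution.
    "elevation_registry_policy": lambda c: (
        has(c, "reg add")
        and has_any(c, ["LocalAccountTokenFilterPolicy",
                        "EnableLinkedConnections", "LongPathsEnabled"])),
    # ping used as a delay, then Del /F /Q: the self-deletion pattern.
    "ping_delay_self_delete": lambda c: (
        has(c, "ping") and has(c, "Del") and has(c, "/F /Q")),
}


def evaluate(event: Dict[str, str]) -> List[str]:
    """Names of every rule the event's ProcessCommandLine satisfies."""
    cmd = event.get("ProcessCommandLine", "")
    return [name for name, rule in RULES.items() if rule(cmd)]


def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(DeviceName, rule) pairs for every hit, in event order."""
    return [(ev["DeviceName"], name) for ev in events for name in evaluate(ev)]


# Constructed sample telemetry (host names and paths are placeholders).  The
# malicious command lines follow the ones quoted in the post; the host-b
# entries are benign look-alikes that must not fire.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"DeviceName": "exch-01", "ProcessCommandLine":
        r"powershell.exe -ExcludeDumpster -FilePath C:\CONSTRUCTED\export.aspx"},
    {"DeviceName": "host-a", "ProcessCommandLine":
        r"cmd /c vssadmin Resize ShadowStorage /For=B:\ /On=B:\ /MaxSize=401MB"},
    {"DeviceName": "host-a", "ProcessCommandLine":
        "cmd /c netsh advfirewall set allprofiles state off"},
    {"DeviceName": "host-a", "ProcessCommandLine":
        r"cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"
        r"\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f"},
    {"DeviceName": "host-a", "ProcessCommandLine":
        r'cmd.exe /c ping 1.1.1.1 -n 10 > Nul & Del "C:\SystemData\wEFT.exe" /F /Q'},
    {"DeviceName": "host-b", "ProcessCommandLine": "vssadmin list shadows"},
    {"DeviceName": "host-b", "ProcessCommandLine": "netsh advfirewall show allprofiles"},
    {"DeviceName": "host-b", "ProcessCommandLine": "ping 8.8.8.8 -n 1"},
]

if __name__ == "__main__":
    for device, rule in hunt(SAMPLE_EVENTS):
        print(f"{device}: {rule}")
```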
Co-Authors: PabloMejias

Version history: Last update Jun 19 2023 08:20 AM, updated by PabloMejias

Labels: Microsoft Incident Response (IR)