This article is contributed. See the original author and article here.
Although most migrations between on-premises Exchange Server and Microsoft 365 are performed using the Migration Service’s batching functionality, a few stalwart admins have held onto the more granular control given by using the MoveRequest cmdlets directly. But as time goes on even the hardiest and most proven of tools need to be sharpened or have components replaced, and it is now time for the MoveRequest cmdlets to be refreshed a little.
We are taking this opportunity to bring these cmdlets more in line with some of our other cmdlets. Most admins who use these cmdlets will notice little to no difference in how these cmdlets function, which is intentional on our part. But some may have scripts break if they aren’t updated before the cmdlets are updated. We plan to release the updated cmdlets starting April 25th, 2022.
New-MoveRequest will change from returning a MoveRequestStatistics object to returning a MoveRequest object. Most New-* cmdlets are expected to return a data object matching their noun, which New-MoveRequest didn’t historically follow. The MoveRequest object contains less data than the MoveRequestStatistics object, but that is desirable in this case because most of the extra data is only relevant or interesting after the request has made progress.
The MoveRequest data object that is returned from Get-MoveRequest (and now New-MoveRequest) will have a slightly smaller set of properties. Compared to the old data object, it will remove several generic user properties that are not relevant to move requests in particular, which could lead to confusion. Each of those properties should remain available as output from the Get-Recipient, Get-Mailbox, Get-MailUser, etc. cmdlets instead.
The rest of the cmdlet behavior should remain the same.
There may be some other pieces deprecated in the future, such as removing SuspendWhenReadyToComplete behavior in favor of CompleteAfter, but a timeline for that will be determined at a later time.
This article is contributed. See the original author and article here.
The challenges of the past few years have highlighted that no business is immune to sudden changes. Embracing mixed reality as a strategic initiative is key to ensuring business continuity and solidifying future stability and resiliency. Microsoft’s comprehensive ecosystem of mixed reality solutions, including Microsoft HoloLens 2, Dynamics 365 Remote Assist, and Dynamics 365 Guides, help manufacturing organizations navigate complex situations, empower frontline workers, and create new customer experiences.
The benefits of adopting mixed reality today are significant. Based on the Microsoft-commissioned Forrester Total Economic Impact (TEI) report (“HoloLens 2 TEI study”), HoloLens 2 is delivering 177 percent return on investment (ROI) and a net present value (NPV) of $7.6 million over three years with a payback of 13 months. According to the HoloLens 2 TEI study, manufacturing organizations that have deployed mixed reality solutions on HoloLens 2 have:
Reduced training time by 75 percent, at an average savings of $30 per labor hour.
Saved an average of $3,500 per avoided expert trip.
Avoided 240 to 320 hours of average lost throughput per year.
Increase productivity with remote inspection and audits
Dynamics 365 mixed reality is reducing the requirement to fly in an expert technician and/or an auditor on site to conduct an inspection. With Dynamics 365 Remote Assist on HoloLens 2, manufacturing companies can conduct routine inspections and audits with remote experts from any place in the world at any time. Manufacturers can deliver real-time, interactive guidance from experts located anywhere in the world right to their employees on the factory floor. This solution allows onsite workers to collaborate with remote leaders and experts to solve business problems in real-time, using 3D annotations to access, share, and bring critical information into view. With accurate real-world overlay of 3D assets, instructions, and collaborative markup, workers are free to see their surroundings and use both hands during inspections.
Dynamics 365 Remote Assist on HoloLens 2 enables manufacturer organizations to conduct site visits, inspections, maintenance, and repairs remotelyboosting efficiency and reducing costs. According to the HoloLens 2 TEI study, manufacturers saved an average of $3,500 per avoided expert trip.
Eaton, a multinational power management company, sought a solution to enable the company to conduct audits remotely. Traditionally, auditors had to travel to plants to conduct audits but during the COVID-19 pandemic travel was brought to a standstill and travel was restricted. With Dynamics 365 Remote Assist on HoloLens 2, employees can walk through the audit checklist with the remote auditor and ensure that employees are following safety guidelines. Since launching Dynamics 365 Remote Assist on HoloLens 2, Eaton is averaging more than 50 remote sessions per month across all global sites saving hundreds of thousands of dollars on travel-related expenses and empowering Eaton to pay-off its mixed-reality investment within five months.
“Using Remote Assist on HoloLens, we’re bringing the outside viewer perspective into the plant. Let’s say they are checking a quality dimension. If someone on the call has been on another Gemba walk in another site, they can say, ‘You should contact plant XYZ, because they do a similar measurement, but they’re using an automated process.”Alexandre Georgetti, Director of Eaton’s Vehicle Group Manufacturing Strategy. Read more about Eaton’s story here.
Address manufacturing skills gap with guided assembly and training
Dynamics 365 mixed reality is reducing the knowledge gap and helping enterprises adapt at the speed of change. Using Dynamics 365 Guides on HoloLens 2, manufacturing companies are accelerating learning, standardizing processes, and reducing errors with step-by-step instructions. Simply use your PC and the Microsoft HoloLens app to author instructions and easily place 2D and 3D content in the real-world environment, showing users how and where to complete tasks.
Dynamics 365 Guides on HoloLens 2 empowers manufacturing organizations to offer expansive training programs that teach skills and processes that are specific to their offerings and production needs. Furthermore, manufacturers see direct improvements in learning and retention, quality of work and downtime, and training costs savings. According to the HoloLens 2 TEI study, manufacturers reduced training time by 75 percent, at an average savings of $30 per labor hour.
Toyota, a multinational automobile manufacturer, produces over a million vehicles each year in North America and depends on solid training programs that ensure team members are building every car to precise specifications. Traditionally, trainers worked one-on-one with team members, demonstrating a process, and then watching them replicate it. Toyota found this approach to be inefficient and susceptible to bottlenecks. With Dynamics 365 Guides on HoloLens 2, trainers create training materials and allow team members to train independently and understand the steps involved and repeating any necessary motions numerous times to develop muscle memory while allowing for one trainer supervisor to supervise multiple trainees at the same time. Since deploying Dynamics 365 mixed reality solutions on HoloLens 2, Toyota has reduced inspection time by 20 percent.
“Our training efficiency is increased, trainers and trainees are receptive to the technology, and they rank Dynamics 365 Guides on HoloLens 2 as their preferred way to learn.”Zach Reeder, Technology Development Engineer at Toyota Motor North America. Read more about Toyota’s story here.
Connect workers with experts to enable always on service
Dynamics 365 mixed reality is helping enterprises deliver exceptional service with personalized customer experiences. Dynamics 365 Remote Assist on HoloLens 2 connects field technicians with remote experts for a seamless collaboration that includes content capture abilities, interactive annotations, and contextual data overlays for easier repairs and fixes. Equip field technicians with all the important, relevant information directly into their line of sight, creating actionable experiences for employees.
Dynamics 365 Remote Assist on HoloLens 2 improves field task efficiency, reduces rework, and improves first-time fix ratesincreasing capacity for work and improving customer outcomes. According to the HoloLens 2 TEI study, manufacturers avoided 240 to 320 hours of average lost throughput per year.
L’Oral, one of the top multination cosmetics manufacturers with employees in 150 countries, has a wide range of products that require sophisticated machinery for production and packaging. When a machine requires service, L’Oreal flies out an expert to address the issue, increasing downtime machine and travel costs. To solve this challenge, L’Oreal deployed Dynamics 365 Remote Assist on HoloLens 2 to enable remote experts to effectively collaborate with frontline workers to resolve the issue expeditiously and reduce operational costs. With Dynamics 365 Remote Assist on HoloLens 2, remote experts can see what the technician sees and react to the same image with annotations and share critical information in real-time. Since deploying Dynamics 365 Remote Assist on HoloLens 2, L’Oreal has reduced downtime by 50 percent.
“The time we spend on diagnostics and resolving issues has been cut in half. This has led directly to lower operational costs. It has also allowed us to be more agile and flexible”Georges-Alban Farges, Industrial Performance Manager at L’Oral. Read about L’Oral’s story here.
Next steps
Stay tuned as we continue this blog series with a deep dive spotlight on healthcare, education, architecture, engineering, and construction industries. In the meantime, learn more about mixed reality applications on HoloLens 2 and get started today:
Request a Dynamics 365 Mixed Reality demo on Microsoft HoloLens 2. Book an appointment with our Microsoft Stores team today. Select ‘Other’ under Choose topic and reference HoloLens 2 demo in “What can we help with”.
This article is contributed. See the original author and article here.
As the shift to hybrid work becomes a reality, it is clear that the workplace today is different than it was two years ago. Employees’ expectations continue to evolve as they reconsider their “worth it” equation.
The threat actor harvested credentials of third-party commercial organizations by sending spearphishing emails that contained a PDF attachment. The PDF attachment contained a shortened URL that, when clicked, led users to a website that prompted the user for their email address and password. The threat actor harvested credentials of Energy Sector targets by sending spearphishing emails with a malicious Microsoft Word document or links to the watering holes created on compromised third-party websites.
Note: this activity also applies to:
Tactic: Reconnaissance [TA0043], Technique: Phishing for Information [T1598]:
Software Configuration: implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.
User Training: train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.
The threat actor created watering holes on compromised third-party organizations’ domains.
This activity typically takes place outside the visibility of target organizations, making detection of this behavior difficult. Ensure that users browse the internet securely. Prevent intentional and unintentional download of malware or rootkits, and users from accessing infected or malicious websites. Treat all traffic as untrusted, even if it comes from a partner website or popular domain.
The threat actor obtained access to Energy Sector targets by leveraging compromised third-party infrastructure and previously compromised Energy Sector credentials against remote access services and infrastructure—specifically VPN, RDP, and Outlook Web Access—where MFA was not enabled.
Network Segmentation: architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.
MFA: enforce use of two or more pieces of evidence (such as username and password plus a token, e.g., a physical smart card or token generator) to authenticate to a system.
Privileged Account Management: manage the creation of, modification of, use of, and permissions associated with privileged accounts, including SYSTEM and root.
Update Software: perform regular software updates to mitigate exploitation risk.
Exploit Protection: use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
Application Isolation and Sandboxing: restrict execution of code to a virtual environment on or in transit to an endpoint system.
The threat actor installed VPN clients on compromised third-party targets to connect to Energy Sector networks.
Network Segmentation: architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.
MFA: enforce use of two or more pieces of evidence (such as username and password plus a token, e.g., a physical smart card or token generator) to authenticate to a system.
Limit Access to Resource Over Network: prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.
Disable or Remove Program: remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
Command and Scripting Interpreter: PowerShell [T1059.001]
During an RDP session, the threat actor used a PowerShell Script to create an account within a victim’s Microsoft Exchange Server.
Note: this activity also applies to:
Tactic: Persistence [TA0003], Technique: Create Account: Local Account [T1136.001]
Antivirus/Antimalware: use signatures or heuristics to detect malicious software.
Code Signing: enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.
Disable or Remove Program: remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
Privileged Account Management: manage the creation of, modification of, use of, and permissions associated with privileged accounts, including SYSTEM and root.
Command and Scripting Interpreter: Windows Command Shell [T1059.003]
The threat actor used a JavaScript with an embedded Command Shell script to:
Create a local administrator account;
Disable the host-based firewall;
Globally open port 3389 for RDP access; and
Attempt to add the newly created account to the administrators group to gain elevated privileges.
The threat actor created a Scheduled Task to automatically log out of a newly created account every eight hours.
Audit: audit or scan systems, permissions, insecure software, insecure configurations, etc., to identify potential weaknesses.
Harden Operating System Configuration: make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.
Privileged Account Management: manage the creation of, modification of, use of, and permissions associated with privileged accounts, including SYSTEM and root.
User Account Management: manage the creation of, modification of, use of, and permissions associated with user accounts.
The threat actor created local administrator accounts on previously compromised third-party organizations for reconnaissance and to remotely access Energy Sector targets. MFA: enforce use of two or more pieces of evidence (such as username and password plus a token, e.g., a physical smart card or token generator) to authenticate to a system.
MFA: enforce use of two or more pieces of evidence (such as username and password plus a token, e.g., a physical smart card or token generator) to authenticate to a system.
Privileged Account Management: manage the creation of, modification of, use of, and permissions associated with privileged accounts, including SYSTEM and root.
The threat actor created webshells on Energy Sector targets’ publicly accessible email and web servers.
Detect: the portion of the webshell that is on the server may be small and look innocuous. Process monitoring may be used to detect Web servers that perform suspicious actions such as running cmd.exe or accessing files that are not in the Web directory. File monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server’s content and may indicate implantation of a Web shell script. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network.
Indicator Removal on Host: Clear Windows Event Logs [T1070.001]
The threat actor created new accounts on victim networks to perform cleanup operations. The accounts created were used to clear the following Windows event logs: System, Security, Terminal Services, Remote Services, and Audit.
The threat actor also removed applications they installed while they were in the network along with any logs produced. For example, the VPN client installed at one third-party commercial facility was deleted along with the logs that were produced from its use. Finally, data generated by other accounts used on the systems accessed were deleted.
Note: this activity also applies to:
Tactic: Persistence [TA0003], Technique: Create Account: Local Account [T1136.001]
Encrypt Sensitive Information: protect sensitive information with strong encryption.
Remote Data Storage: use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.
Restrict File and Directory Permissions: restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
Indicator Removal on Host: File Deletion [T1070.004]
The threat actor cleaned up target networks by deleting created screenshots and specific registry keys.
The threat actor also deleted all batch scripts, output text documents, and any tools they brought into the environment, such as scr.exe.
Monitor: monitoring for command-line deletion functions to correlate with binaries or other files that an adversary may drop and remove may lead to detection of malicious activity. Another good practice is monitoring for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce. Some monitoring tools may collect command-line arguments, but may not capture DEL commands since DEL is a native function within cmd.exe.
After downloading tools from a remote server, the threat actor renamed the extensions.
Restrict File and Directory Permissions: restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
Code Signing: enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.
Execution Prevention: block execution of code on a system through application control, and/or script blocking.
The threat actor used password-cracking techniques to obtain the plaintext passwords from obtained credential hashes.
The threat actor dropped and executed open-source and free password cracking tools such as Hydra, SecretsDump, and CrackMapExec, and Python.
MFA: enforce use of two or more pieces of evidence (such as username and password plus a token, e.g., a physical smart card or token generator) to authenticate to a system.
Password Policies: set and enforce secure password policies for accounts.
Microsoft Word attachments sent via spearphishing emails leveraged legitimate Microsoft Office functions for retrieving a document from a remote server over Server Message Block (SMB) using Transmission Control Protocol ports 445 or 139. As a part of the standard processes executed by Microsoft Word, this request authenticates the client with the server, sending the user’s credential hash to the remote server before retrieving the requested file. (Note: transfer of credentials can occur even if the file is not retrieved.)
Password Policies: set and enforce secure password policies for accounts.
Filter Network Traffic: use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.
The threat actor’s watering hole sites contained altered JavaScript and PHP files that requested a file icon using SMB from an IP address controlled by the threat actors.
The threat actor manipulated LNK files to repeatedly gather user credentials. Default Windows functionality enables icons to be loaded from a local or remote Windows repository. The threat actor exploited this built-in Windows functionality by setting the icon path to a remote server controller by the actors. When the user browses to the directory, Windows attempts to load the icon and initiate an SMB authentication session. During this process, the active user’s credentials are passed through the attempted SMB connection.
OS Credential Dumping: Local Security Authority Subsystem Service (LSASS) Memory [T1003.001]
The threat actor used an Administrator PowerShell prompt to enable the WDigest authentication protocol to store plaintext passwords in the LSASS memory. With this enabled, credential harvesting tools can dump passwords from this process’s memory.
Operating System Configuration: make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.
Password Policies: set and enforce secure password policies for accounts.
Privileged Account Management: manage the creation of, modification of, use of, and permissions associated with privileged accounts, including SYSTEM and root.
Privileged Process Integrity: protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.
User Training: train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.
Credential Access Protection: use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.
The threat actor collected the files ntds.dit. The file ntds.dit is the Active Directory (AD) database that contains all information related to the AD, including encrypted user passwords.
Monitor: monitor processes and command-line arguments for program execution that may be indicative of credential dumping, especially attempts to access or copy the NTDS.dit.
Privileged Account Management: manage the creation of, modification of, se of, and permissions associated with privileged accounts, including SYSTEM and root.
User Training: train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.
The threat actor used privileged credentials to access the Energy Sector victim’s domain controller. Once on the domain controller, the threat actors used batch scripts dc.bat and dit.bat to enumerate hosts, users, and additional information about the environment.
Tactic: Discovery [TA0007], Technique: System Owner/User Discovery [T1033]
Monitor: normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information.
Monitor for processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession.
The threat actor accessed workstations and servers on corporate networks that contained data output from control systems within energy generation facilities. The threat actors accessed files pertaining to ICS or supervisory control and data acquisition (SCADA) systems.
The actor targeted and copied profile and configuration information for accessing ICS systems on the network. The threat actor copied Virtual Network Connection (VNC) profiles that contained configuration information on accessing ICS systems and took screenshots of a Human Machine Interface (HMI).
Note: this activity also applies to
Tactic: Discovery [TA0007], Technique File and Directory Discovery [T1083]
The actor used dirsb.bat to gather folder and file names from hosts on the network.
Note: this activity also applies to:
Tactic: Execution [TA0002], Command and Scripting Interpreter: Windows Command Shell [T1059.003]
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information.
The threat actor conducted reconnaissance operations within the network. The threat actor focused on identifying and browsing file servers within the intended victim’s network.
Network Intrusion Prevention: use intrusion detection signatures to block traffic at network boundaries.
Network Segmentation: architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.
Operating System Configuration: make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.
Privileged Account Management: manage the creation of, modification of, use of, and permissions associated with privileged accounts, including SYSTEM and root.
User Account Management: manage the creation of, modification o, se of, and permissions associated with user accounts.
Disable or Remove Feature or Program: remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
Audit: audit or scan systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
MFA: enforce use of two or more pieces of evidence (such as username and password plus a token, e.g., a physical smart card or token generator) to authenticate to a system.
Limit Access to Resource Over Network: prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.
Filter Network Traffic: use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.
Limit Software Installation: block users or groups from installing unapproved software.
The threat actor collected the Windows SYSTEM registry hive file, which contains host configuration information.
Monitor: monitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data.
Data may also be acquired through Windows system management tools such as WMI and PowerShell.
Archive Collected Data: Archive via Utility [T1560.001]
The threat actor compressed the ntds.dit file and the SYSTEM registry hive they had collected into archives named SYSTEM.zip and comps.zip.
Audit: audit or scan systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
The threat actor used Windows’ Scheduled Tasks and batch scripts, to execute scr.exe and collect additional information from hosts on the network. The tool scr.exe is a screenshot utility that the threat actor used to capture the screen of systems across the network.
Network Segmentation: architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.
MFA: enforce use of two or more pieces of evidence (such as username and password plus a token, e.g., a physical smart card or token generator) to authenticate to a system.
Limit Access to Resource Over Network: prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.
Disable or Remove Feature or Program: remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
The actor used batch scripts labeled pss.bat and psc.bat to run the PsExec tool. PsExec was used to execute scr.exe across the network and to collect screenshots of systems in a text file.
The threat actor downloaded tools from a remote server.
Monitor: monitor for file creation and files transferred into the network. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as File Transfer Protocol, that does not normally occur may also be suspicious.
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.
Use intrusion detection signatures to block traffic at network boundaries.
This article is contributed. See the original author and article here.
CISA, the Federal Bureau of Investigation, and the Department of Energy have released a joint Cybersecurity Advisory (CSA) detailing campaigns conducted by state-sponsored Russian cyber actors from 2011 to 2018 that targeted U.S. and international Energy Sector organizations. The CSA highlights historical tactics, techniques, and procedures as well as mitigations Energy Sector organizations can take now to protect their networks.
Recent Comments