threat hunting

CISA today added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog — a move that forces federal agencies to prioritize fixes and should put every security team on high alert. The four CVEs are: CVE-2024-43468 (Microsoft Configuration Manager — unauthenticated SQL...

Microsoft’s public record for CVE-2026-21239 identifies a kernel-level elevation of privilege in Windows and pairs that entry with Microsoft’s new “confidence” indicator — a vendor signal that shapes how defenders should triage, patch, and hunt for this class of risk. The entry is short on...

Microsoft’s security team is warning that a new, low-cost marketing tactic is quietly weaponizing AI convenience: companies are embedding hidden instructions in “Summarize with AI” and share-with-AI buttons to inject persistent recommendations into assistants’ memories — a technique the...

Microsoft’s decision to ship Sysmon as an optional, built‑in feature of Windows 11 marks a material shift in how enterprise defenders capture endpoint telemetry — it moves a tool long treated as an add‑on from the realm of community distribution into the core Windows servicing and support...

Microsoft’s Technical Takeoff returns in March 2026 with a concentrated, engineering‑led lineup aimed squarely at Windows, Windows‑in‑the‑cloud, and endpoint management teams—and for IT pros who manage Windows 11, Windows 365, Azure Virtual Desktop or Intune, the four Mondays of deep dives are...

When something on a Windows PC “feels off” — a persistent CPU spike, a process that keeps reappearing after you remove it, or a program quietly making outbound connections — Task Manager can leave you guessing. That’s why advanced users and incident responders reach for the Windows Sysinternals...

Microsoft's advisory listing for CVE-2026-20958 places the vulnerability squarely in the category security teams take most seriously: a vendor‑acknowledged SharePoint flaw tied to information disclosure that demands immediate patch‑and‑hunt workflows, careful exposure reduction, and post‑patch...

Microsoft’s update entry for CVE‑2026‑20963 names a new remote code execution (RCE) concern tied to on‑premises Microsoft SharePoint Server and flags the vendor’s confidence metric as the central signal administrators should use to prioritise action: the identifier exists in the Microsoft...

Microsoft’s advisory entry for CVE-2026-20959 identifies a SharePoint Server spoofing vulnerability affecting on‑premises SharePoint builds and recommends immediate review and application of the vendor’s security updates; public technical detail is intentionally sparse, but the practical risk...

Microsoft’s Security Update Guide lists CVE-2026-20951 as a remote code execution (RCE) vulnerability affecting Microsoft SharePoint Server, but public technical details are sparse; defenders should treat the identifier as an urgent patch-and-hunt signal, cross-check vendor KB mappings, and...

Microsoft’s Security Update Guide records CVE-2026-20922 as a Windows NTFS vulnerability that can lead to remote code execution, and the vendor’s published “report confidence” metadata is the single most important triage signal for how aggressively administrators should respond. Background /...

Microsoft’s security registry records CVE-2026-20838 as a Windows kernel information‑disclosure vulnerability — an advisory IT teams must treat as a credible reconnaissance primitive that can materially aid follow‑on local exploitation unless systems are patched and detection controls are...

Microsoft has recorded CVE‑2026‑20833 as an information‑disclosure vulnerability affecting Windows’ Kerberos authentication stack, and while the vendor acknowledgement makes the defect real and actionable, the public record is intentionally terse — leaving defenders with firm guidance to patch...

Microsoft is shipping Sysmon functionality as a native, optional Windows feature—bringing the high-fidelity forensic telemetry that used to live only in the Sysinternals toolkit directly into Windows 11 and Windows Server and making it manageable through the operating system’s feature controls...

Microsoft is shipping System Monitor (Sysmon) functionality as a built‑in Windows capability next year, moving the venerable Sysinternals monitoring tool from a standalone download into the Windows servicing pipeline and official support surface — a shift that promises easier deployment...

Kaspersky’s Global Research and Analysis Team (GReAT) has exposed an active, server‑focused cyberespionage campaign — tracked as PassiveNeuron — that specifically targets Windows Server hosts in government, financial and industrial networks across Asia, Africa and Latin America, with activity...

A stealthy, long-running espionage campaign that researchers have named BRICKSTORM has quietly infiltrated high-value organizations across the technology and legal sectors, maintaining extremely long dwell times and using novel techniques to hide on devices that traditional defenses often...

CISA’s new advisory on an incident response engagement lays out a blunt, actionable set of lessons from a compromise that began with a public-facing GeoServer being exploited for remote code execution—and the takeaways should be required reading for any defender running internet-facing services...

Microsoft’s advisory for CVE-2025-59216 describes a race-condition vulnerability in the Windows Graphics Component that can allow an authenticated local attacker to elevate privileges if they can win a timing window. Executive summary What it is: CVE-2025-59216 is a “concurrent execution using...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has analyzed malicious “listener” malware actively deployed against Ivanti Endpoint Manager Mobile (EPMM) servers following public proof-of-concept exploit code for CVE-2025-4427 and CVE-2025-4428, and the resulting toolset allows...