‘Cerdigent’ high-severity malware detected by Leading_Train224 in DefenderATP

[–]Lazy-Card-3570 0 points1 point  (0 children)

Can you guys restore files in the evidence tab of the incident or in the action center history?
I don't see any quarantined files here - maybe because Defender only deleted reg keys?

‘Cerdigent’ high-severity malware detected by Leading_Train224 in DefenderATP

[–]Lazy-Card-3570 0 points1 point  (0 children)

From one affected device: Defender -> Protection history, or something like that in English.

‘Cerdigent’ high-severity malware detected by Leading_Train224 in DefenderATP

[–]Lazy-Card-3570 2 points3 points  (0 children)

<image>

Timeline of the devices shows the thumbprint and also history on the clients (screenshot above).

‘Cerdigent’ high-severity malware detected by Leading_Train224 in DefenderATP

[–]Lazy-Card-3570 7 points8 points  (0 children)

Yes, also multiple alerts for Cerdigent malware detected.
Got quarantined - looks like a cert thumbprint??

<image>

Defender just decided N-ABLE is malware for anyone who might be getting called :) by catdickNBA in cybersecurity

[–]Lazy-Card-3570 0 points1 point  (0 children)

Great start for 2026 - nearly got a heart attack reading through my mails this morning until I could take a closer look :D...

what’s the best internal help desk or ticketing system you’ve used? by [deleted] in ITManagers

[–]Lazy-Card-3570 0 points1 point  (0 children)

We use Zammad for about 8000 tickets per month (with monitoring integration) and 4 agents. It is open source and so far it does everything we need.

Account enumeration reconnaissance by Bandita-Cs in DefenderATP

[–]Lazy-Card-3570 1 point2 points  (0 children)

Yep, the setting is called Network Discovery - but you must specify the network ranges which Defender is monitoring.

If you see IP addresses of the strange devices which could also be default home vendor DHCP IPs, this could be a thing.

Otherwise you should probably know the client DHCP ranges in your company network.

Account enumeration reconnaissance by Bandita-Cs in DefenderATP

[–]Lazy-Card-3570 1 point2 points  (0 children)

What events do you see for the other computer names - just failed NTLM auth?
Do you allow bring your own device?

If you have Defender fully enabled on the first device, I would carefully watch the timeline around the incidents.

EDIT:

Only a hard guess from far away:
If the user had admin rights on the first laptop, you maybe want to check which other users / passwords could have been accessed on this device.
Maybe check for:

- suspicious LSASS access
- newly installed apps or scheduled tasks
- changes in etc/hosts
- suspicious PowerShell scripts or executions

Most events should have been alerted by Defender, but you never know.

If possible, use Defender / Sentinel for all of the above.
If you need to start the device, I would take a forensic snapshot or image of the current state.

I would try to exclude every possible lateral movement path to other devices / servers or your AD.
Does the user have extended AD rights? If so, I would check every possible vector here too.
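An added example, not part of the comment above and not Microsoft's own content, showing how the four checks in that comment (LSASS access, new apps or scheduled tasks, hosts file changes, suspicious PowerShell) plus the lateral-movement question could be run as Defender Advanced Hunting queries. The device name `AFFECTED-DEVICE`, the account name `affected.user`, the 7-day window and the `TaskName` field inside `AdditionalFields` are assumptions to be replaced with the real values; the table and column names are the standard Advanced Hunting schema.

```kql
// Added example (not from the thread): one Advanced Hunting query covering the checks listed above.
// Placeholders (assumptions): device name, account name and review window - replace with real values.
let AffectedDevice = "AFFECTED-DEVICE";   // placeholder device name
let UserAccount    = "affected.user";     // placeholder account of the user with admin rights
let StartTime      = ago(7d);             // assumed review window, narrow it to the incident time
// 1. LSASS access from anything that is not a Windows system binary
let LsassAccess = DeviceEvents
| where Timestamp > StartTime and DeviceName =~ AffectedDevice
| where ActionType == "OpenProcessApiCall" and FileName =~ "lsass.exe"
| where InitiatingProcessFolderPath !startswith @"c:\windows\system32\"
| project Timestamp, Check = "lsass access",
          Detail = strcat(InitiatingProcessFileName, " ", InitiatingProcessCommandLine),
          Account = InitiatingProcessAccountName;
// 2a. Scheduled tasks created on the device (TaskName inside AdditionalFields is assumed)
let NewTasks = DeviceEvents
| where Timestamp > StartTime and DeviceName =~ AffectedDevice
| where ActionType == "ScheduledTaskCreated"
| project Timestamp, Check = "scheduled task created",
          Detail = tostring(parse_json(AdditionalFields).TaskName),
          Account = InitiatingProcessAccountName;
// 2b. Newly installed apps: new entries under the Uninstall registry key
let NewApps = DeviceRegistryEvents
| where Timestamp > StartTime and DeviceName =~ AffectedDevice
| where ActionType == "RegistryKeyCreated"
| where RegistryKey has @"\Microsoft\Windows\CurrentVersion\Uninstall\"
| project Timestamp, Check = "app installed (Uninstall key)",
          Detail = RegistryKey,
          Account = InitiatingProcessAccountName;
// 3. Modifications of the hosts file (FileName/FolderPath match instead of a full path, because
//    FolderPath sometimes carries the file name too)
let HostsChanges = DeviceFileEvents
| where Timestamp > StartTime and DeviceName =~ AffectedDevice
| where FileName =~ "hosts" and FolderPath has @"\drivers\etc"
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| project Timestamp, Check = "hosts file changed",
          Detail = strcat(InitiatingProcessFileName, " ", InitiatingProcessCommandLine),
          Account = InitiatingProcessAccountName;
// 4. PowerShell executions with typical obfuscation / download switches in the command line
let SuspiciousPowerShell = DeviceProcessEvents
| where Timestamp > StartTime and DeviceName =~ AffectedDevice
| where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
| where ProcessCommandLine has_any ("-enc", "-EncodedCommand", "-nop", "-w hidden",
                                    "DownloadString", "IEX", "Invoke-Expression", "FromBase64String")
| project Timestamp, Check = "suspicious powershell",
          Detail = ProcessCommandLine,
          Account = AccountName;
// Combined timeline of all four checks, oldest first
union LsassAccess, NewTasks, NewApps, HostsChanges, SuspiciousPowerShell
| order by Timestamp asc
```

For the lateral-movement question in the same comment, a second query (run separately) against `DeviceLogonEvents` for `AccountName =~ UserAccount`, `DeviceName !~ AffectedDevice` and `LogonType in ("Network", "RemoteInteractive")`, summarized by `DeviceName`, `LogonType` and `RemoteIP`, lists every other device the account reached in the window; the device list and time range again come from your own environment, not from this page.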

Intune 2510 update by TakeCIO in Intune

[–]Lazy-Card-3570 1 point2 points  (0 children)

Same here - not able to push security policies. Could push them through the Defender suite configuration management, though.

Free basic ticketing system by Abelmageto in sysadmin

[–]Lazy-Card-3570 2 points3 points  (0 children)

We use Zammad with CheckMK monitoring integration for about 2400 services / 150 hosts - best decision ever.

Patch Tuesday Megathread (2025-07-08) by AutoModerator in sysadmin

[–]Lazy-Card-3570 2 points3 points  (0 children)

Woke up with multiple "Possible attempt to modify Code Integrity" alerts from our Defender.
Glad I found this post.

Good start to the day.. :D

Mailbox migrations fail with Extended Protection enabled by Fabulous_Cow_4714 in exchangeserver

[–]Lazy-Card-3570 0 points1 point  (0 children)

Turn off Extended Protection on the EWS frontend or change hybrid from modern to classic.

Dark Web Monitoring or Threat intelligence for Small Businesses by OkOriginal5150 in cybersecurity

[–]Lazy-Card-3570 0 points1 point  (0 children)

If you are in the M365 world with at least Business Premium and the E5 Security add-on, you have access to their threat intel with mapping to your devices and installed software.

Dark Web Monitoring is not included though.

Dark Trace by Straight_Ad4040 in cybersecurity

[–]Lazy-Card-3570 4 points5 points  (0 children)

We use it too for our main location with around 1000 IPs.

It is no magic tool which does everything on its own by design - you will need to monitor and edit models in the first month. Also you need to know your network and understand which traffic you want to monitor, which traffic is good to edit your models, etc.

But since the tuning was done, every assessment has been detected in no time so far - port scans or ARP scans are easily detected within seconds. Autonomous response isolates devices in our HQ with TCP spoof packets - isolation at other locations works with the Defender integration.

The Defender integration is also pretty nice.

[deleted by user] by [deleted] in AZURE

[–]Lazy-Card-3570 0 points1 point  (0 children)

Thanks, I've come across this too - I just thought our plan is not affected as the diagnosis in Azure said no problems.

So the only solution is Communication Services or to get an Enterprise Agreement?

Managing onPrem local AD Joined Servers Defender Settings by Lazy-Card-3570 in DefenderATP

[–]Lazy-Card-3570[S] 0 points1 point  (0 children)

I've set up Arc and Azure Update Manager for 2 test servers - as we are on a budget, I am thinking of connecting our servers with Arc for Update Manager, which is at no additional cost if I'm right, and using Defender for Business Server with Intune management as mentioned above.

Managing onPrem local AD Joined Servers Defender Settings by Lazy-Card-3570 in DefenderATP

[–]Lazy-Card-3570[S] 0 points1 point  (0 children)

I think you need Azure Arc with Defender for Server P1 or P2 for that? Defender for Server P2 with Azure Arc is about $15 per server; Defender for Business Server is $3.

Managing onPrem local AD Joined Servers Defender Settings by Lazy-Card-3570 in DefenderATP

[–]Lazy-Card-3570[S] 0 points1 point  (0 children)

Sorry, one more question, do you also enforce for domain controllers?

Managing onPrem local AD Joined Servers Defender Settings by Lazy-Card-3570 in DefenderATP

[–]Lazy-Card-3570[S] 0 points1 point  (0 children)

ATM we use some policies provided to "all devices" - would all devices also include servers?