The Warlock ransomware group (also tracked as Water Manaul) has significantly enhanced its post-exploitation capabilities in recent attacks. While continuing to exploit unpatched Microsoft SharePoint servers for initial access, the group now employs a new BYOVD technique targeting the NSecKrnl.sys driver to disable security