
EDR detections


Falcon OverWatch has identified suspicious activity. This alert is raised for your awareness and should be investigated through your standard triage process.

Source table → edr.crowdstrike.falcon

Alert that detects attempts to exploit CVE-2021-44228, known as Log4Shell. The alert checks for parent java processes spawning suspicious child processes such as sh, bash, dash, ksh, tcsh, zsh, curl, perl, python, ruby, php or wget, and for java processes attempting connections to remote hosts on ports 1389, 389, 1099, 53 or 5353 (the LDAP, RMI and DNS ports typically used by the JNDI lookup that the exploit triggers). [WARNING] This alert detects suspicious behaviours that could be completely legitimate, for example build servers or management agents that launch shell scripts from a JVM. It is therefore likely to need some tuning, such as an allowlist of known parent processes or hosts.

Source table → edr.crowdstrike.cannon.processrollup2
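The following is an added example, not part of the original page or of the vendor's rule, that implements the two conditions of the Log4Shell alert above over a handful of constructed process and network events and shows where the tuning allowlist fits. The field names (host, kind, image, parent_image, remote_port, cmdline), the `Event` class and the `ALLOWLIST` entries are assumptions for illustration and do not reflect the exact schema of the `edr.crowdstrike.cannon.processrollup2` table.

```python
"""Reference detector for the Log4Shell behavioural rule (added example).

Constructed sample data only; field names and the allowlist are assumptions,
not the schema of edr.crowdstrike.cannon.processrollup2.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Interpreters and downloaders the rule looks for as children of a java parent.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "ksh", "tcsh", "zsh",
                       "curl", "perl", "python", "ruby", "php", "wget"}
# Remote ports typical of a JNDI lookup: LDAP (389/1389), RMI (1099), DNS (53/5353).
SUSPICIOUS_PORTS = {1389, 389, 1099, 53, 5353}
# Tuning hook (assumed, site-specific): (host, parent image) pairs that legitimately
# spawn shells from a JVM and should not raise the alert.
ALLOWLIST = {("build-01", "/opt/jenkins/bin/java")}


@dataclass
class Event:
    host: str
    kind: str                          # "process" (child spawn) or "network" (outbound connection)
    image: str                         # child image for "process", connecting process for "network"
    parent_image: Optional[str] = None
    remote_port: Optional[int] = None
    cmdline: str = ""


_VERSION_SUFFIX = re.compile(r"[\d.]*$")


def base(path: str) -> str:
    """Lower-cased basename without a trailing .exe, so java.exe also matches."""
    name = os.path.basename(path).lower()
    return name[:-4] if name.endswith(".exe") else name


def is_java(path: str) -> bool:
    return base(path) in {"java", "javaw"}


def suspicious_child(path: str) -> Optional[str]:
    """Map python3, python3.9, perl5 etc. onto the bare name; None if not in the list."""
    name = _VERSION_SUFFIX.sub("", base(path))
    return name if name in SUSPICIOUS_CHILDREN else None


def detect(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (rule, host, detail) tuples for events matching either rule condition."""
    alerts = []
    for ev in events:
        if ev.kind == "process" and ev.parent_image and is_java(ev.parent_image):
            if (ev.host, ev.parent_image) in ALLOWLIST:
                continue                       # tuned-out legitimate java -> shell parent
            child = suspicious_child(ev.image)
            if child:
                alerts.append(("java_spawns_interpreter", ev.host,
                               f"{base(ev.parent_image)} -> {child}: {ev.cmdline}"))
        elif ev.kind == "network" and is_java(ev.image) and ev.remote_port in SUSPICIOUS_PORTS:
            alerts.append(("java_jndi_port_connection", ev.host,
                           f"{base(ev.image)} -> remote port {ev.remote_port}"))
    return alerts


# Constructed sample telemetry, not real customer data.
SAMPLE_EVENTS = [
    Event("web-01", "process", "/bin/sh", parent_image="/usr/lib/jvm/java-11/bin/java",
          cmdline="sh -c 'id'"),
    Event("web-01", "network", "/usr/lib/jvm/java-11/bin/java", remote_port=1389),
    Event("web-01", "network", "/usr/lib/jvm/java-11/bin/java", remote_port=443),
    Event("build-01", "process", "/bin/bash", parent_image="/opt/jenkins/bin/java",
          cmdline="bash -c 'make test'"),          # allowlisted build host, no alert
    Event("web-02", "process", "/bin/sh", parent_image="/usr/sbin/nginx",
          cmdline="sh -c 'logrotate'"),            # parent is not java, no alert
    Event("web-02", "process", "/usr/bin/python3", parent_image="/usr/bin/java",
          cmdline="python3 -c 'import socket'"),
]

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {detail}")
```

Run against the sample events this yields three alerts: the java-to-sh spawn and the java-to-port-1389 connection on web-01, and the java-to-python3 spawn on web-02; the Jenkins host is suppressed by the allowlist and the java connection to 443 does not match. In production the allowlist (or a per-host baseline of normal java children) is the main tuning lever the warning above refers to.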

The REvil ransomware hit around 40 service providers globally through multiple Kaseya VSA zero-day vulnerabilities. The ransomware was pushed out as a malicious IT management update delivered through Kaseya VSA.

Source table → edr.all.threats

Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks.

Source table → edr.all.threats

An unsafe file is one that has attributes that greatly resemble malware.

Source table → edr.cylance.threats