Release 11 - Out-of-the-box-alerts
- Anthony Shevlin (Deactivated)
Our January release improves our library for Windows and Proxy, adding a total of 14 new Windows alerts and one new Proxy alert. These detections help improve our coverage for the following tactics and techniques:
MITRE Tactic | MITRE Technique |
|---|---|
Execution | System Services |
Command and Control | Application Layer Protocol |
Command and Control | Ingress Tool Transfer |
Defense Evasion | Valid Accounts |
Collection | Data from Local System |
Defense Evasion | Masquerading |
Exfiltration | Exfiltration Over Web Service |
Exfiltration | Exfiltration Over Alternative Protocol |
Install and tune these today to improve your security posture. You can also double check your coverage by downloading and using the MITRE Attack Advisor App to ensure that your company is properly covered.
We will continue to update old alerts, create documentation, and cover more techniques to help your company stay protected.
All the new and modified alerts as part of Release 11 can be seen in the below tables.Â
Updated detections:
Detection name | Detection description | Devo table/Data source/Category | Changes made |
SecOpsFWEmbargoedCountryInboundTrafficDetected | Detects inbound traffic sent to an embargoed country. A lookup table should be populated with a list of embargoed country codes. |
| Integrated alerts with Lookups for better control over false postives. |
SecOpsFWEmbargoedCountryOutboundTrafficDetected | Detects outbound traffic sent to an embargoed country. A lookup table should be populated with a list of embargoed country codes. |
| Integrated alerts with lookups for better control over false positives and updated documentation. |
SecOpsWinLsassMemDump | Detects attempts to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). |
| Enhanced alert to integrate with union tables. This should increase overall alert performance. |
New detections:
Detection name | Detection description | Devo table/Data source/Category |
SecOpsOutboundTrafficToDeviceFlaggedAsThreat | A record flagged a destination host from a threat intelligence match list. |
|
SecOpsLolbinBitsadminTransfer | Detects a potentially malicious execution of Bitsadmin binary. |
|
SecOpsLolbinCertreq | Detects a potentially malicious execution of CertReq. |
|
SecOpsLolbinCertutil | Detects a potentially malicious execution of certutil. |
|
SecOpsLolbinConfigsecuritypolicy | Detects a potentially malicious execution of ConfigSecurityPolicy. |
|
SecOpsLolbinDatasvcutil | Detects a potentially malicious execution of DataSvcUtil binary. |
|
SecOpsLolbinMshta | Detects a potentially malicious execution of Mshta. |
|
SecOpsWinCurl | Detects a potentially malicious Windows Curl execution. |
|
SecOpsWinIcmpExfiltration | Detects exfiltration via ICMP. |
|
SecOpsWinInvokewebrequestUse | Detects a potentially malicious Invoke-WebRequest method execution. |
|
SecOpsWinSensitiveFiles | Detects a new process which involves a Windows local system sensitive file. |
|
SecOpsWinServiceCreatedNonStandardPath | Adversaries may attempt to create malicious Services for lateral movement or remote code execution as well as persistence and execution. The Clop ransomware has also been seen in the wild abusing Windows services. |
|
SecOpsWinSuspiciousWritesToRecycleBin | Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate. Masquerading occurs when the name or location of an object is manipulated or abused for the sake of evading defenses and observation. |
|
SecOpsWinTFTPExecution | Detects a potentially malicious execution of TFTP. |
|
SecOpsWinWebclientClassUse | Detects a potentially malicious WebClient method execution. |
|