Release 12 - Out-of-the-box alerts
Our February release improves our library for Windows and Linux, adding a total of 22 new alerts to our library—this brings us to our milestone of 500 out-of-the-box detections. We used various research and pen-testing techniques to help close some gaps in coverage, so these alerts are extra important to have in your library. The MITRE ATT&CK tactics for which we have improved coverage are:
Collection
Exfiltration
Execution
Persistence
Install these alerts today! Also, feel free to install the MITRE Attack Advisor App from Devo Exchange to ensure that your company is properly covered.
For our next release, we will continue to update old alerts and cover more techniques to help your company stay protected.
Alerts updated:
| Detection name | Detection description | Devo table/Data source/Category | Changes made |
| --- | --- | --- | --- |
| SecOpsGroupMembershipModifiedO365 | Group Membership Modified. | | Updated alert template to provide better integration with Devo and created public documentation. |
| SecOpsExplotationAttemptF5BigIp | Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902. | | Updated alert template to provide better integration with Devo and created public documentation. |
| SecOpsDataExfiltrationToUnsanctionedAppsO365 | Detects attempts to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). | | Updated alert template to provide better integration with Devo and created public documentation. |
Details on the new detections released can be seen below:
| Detection name | Detection description | Devo table/Data source/Category |
| --- | --- | --- |
| SecOpsWinIISWebRootProcessExecution | The execution of a process from inside a web hosting directory. Could indicate that adversaries uploaded a malicious file to the web server and ran the file as a process. | |
| SecOpsWINWmiMOFProcessExecution | Windows Management Instrumentation enables system administrators to perform tasks locally and remotely. Adversaries may utilize the Managed Object Format (MOF) compiler to compile and execute their malicious code within the WMI repository. | |
| SecOpsWinWMIPermanentEventSubscription | WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. WMI subscription execution is proxied by the process WmiPrvSe.exe and might result in elevated SYSTEM privileges. | |
| SecOpsWinWmiTemporaryEventSubscription | WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. WMI subscription execution is proxied by the process WmiPrvSe.exe and might result in elevated SYSTEM privileges. | |
| SecOpsWinPotentialPassTheHash | Adversaries might pass the hash using stolen password hashes to move laterally within an environment, bypassing normal system access controls. | |
| SecOpsWinAutomatedCollectionCmd | Detects a command that could be trying to compile a list of different sensitive files on the host. | |
| SecOpsLinuxClipboardCopyXclip | Detects attempts to collect data from the clipboard using the xclip tool. | |
| SecOpsLinuxCompressEncryptData | Detects a potentially malicious command that could be compressing and/or encrypting data on the host. | |
| SecOpsWinCompressEncryptData | Detects a potentially malicious command that could be compressing and/or encrypting data on the host. | |
| SecOpsLinuxNcUseDetected | Detects a potentially malicious nc execution. | |
| SecOpsLinuxAbMaliciousExecution | Detects a potentially malicious ab execution. | |
| SecOpsLinuxRdpMountShare | Detects a command trying to mount an RDP share. This could indicate that an attacker is trying to exfiltrate files from, or download files to, the target machine. | |
| SecOpsLinuxWgetUseDetected | Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate. Masquerading occurs when the name or location of an object is manipulated or abused for the sake of evading defenses and observation. | |
| SecOpsLinuxSCPDetect | Detects a potentially malicious scp execution. This could indicate that an attacker is trying to exfiltrate a file from, or download a file to, the target machine. | |
| SecOpsLinuxPhpServerStarted | Detects the initialization of a PHP HTTP server. This could indicate that an attacker is trying to exfiltrate files from the target machine. | |
| SecOpsLinuxRubyHttpServerStarted | Detects the initialization of a Ruby HTTP server. This could indicate that an attacker is trying to exfiltrate files from the target machine. | |
| SecOpsLinuxPythonServerStarted | Detects the initialization of a Python simple HTTP server. This could indicate that an attacker is trying to exfiltrate files from the target machine. | |
| SecOpsLinuxCurlExecution | Detects a potentially malicious curl execution. This could indicate that an attacker is trying to exfiltrate a file from, or download a file to, the target machine. | |
| SecOpsWinMapSmbShare | Detects a potentially malicious command that could be related to the mapping of an SMB share. | |
| SecOpsWinNewPsDrive | Detects a command mounting a new PSDrive. | |
| SecOpsWinRcloneExecution | Detects exfiltration using the Rclone utility. | |
| SecOpsWinSmtpExfiltration | Detects exfiltration via SMTP. | |
|