Release 13 - Out-of-the-box alerts
These are the new detections available in our latest release:
Detection name | Detection description | Devo table / Data source / Category |
---|---|---|
SecOpsCloudDiscoveryAnomalyDetectionO365 | This policy is enabled automatically and alerts you when anomalous behavior is detected among discovered users, IP addresses, and services, such as unusually large amounts of uploaded data compared to other users, or unusually large service transactions compared to the service's history. | |
SecOpsAWSCreateAccessKey | This search looks for AWS CloudTrail events in which a user who already has permission to create access keys makes an API call to create access keys for a second user. | |
SecOpsLinuxPamdKeyLogging | Detects enablement of TTY input auditing through pam.d. | |
SecOpsLinuxAudioCapture | Detects attempts to record audio with a recording utility. | |
SecOpsLinuxCommandExecutionWebUser | Detects possible command execution by a web application or web shell. | |
SecOpsDNSQueryToExternalSrvcInteractionDomains | Detects suspicious DNS queries to external service-interaction domains that are often used for out-of-band interaction after a successful RCE. | |
SecOpsWinAutomatedCollectionPowershell | Detects a PowerShell command that could be compiling a list of sensitive files on the host. | |
SecOpsWinPowershellKeyloggin | Detects execution of a PowerShell script that could be logging user keystrokes on the target machine. | |
SecOpsWinAttackerToolsOnEndpoint | Adversaries may run well-known attacker tools to perform active reconnaissance scans and gather information that can be used during targeting. | |
SecOpsWinSysInfoGatheringUsingDxdiag | Adversaries may use dxdiag.exe to gather information about the victim's hosts for use during targeting. Host information may include a variety of details, including administrative data. | |
SecOpsWinWMIReconRunningProcessOrSrvcs | Adversaries may gather information about the victim's hosts that can be used during targeting. Host information may include a variety of details, including administrative data. | |
SecOpsWinGatherVictimIdentitySAMInfo | Adversaries, threat actors, and red teamers abuse the samlib.dll module to access information on SAM objects or credential information on a domain controller. Information about the victim's identity can be used during targeting. | |
SecOpsWinKerberosUserEnumeration | Adversaries may gather information about the victim's identity that can be used during targeting. Identity information may include a variety of details, including personal data as well as sensitive details such as credentials. | |
SecOpsWermgrConnectingToIPCheckWebServices | Adversaries may gather information about the victim's networks that can be used during targeting. This information may include a variety of details, including administrative data as well as specifics about network topology and operations. | |
SecOpsAppInitDLLsLoaded | Monitors DLL loads by processes that load user32.dll and flags DLLs that are not recognized or not normally loaded into the process. | |
SecOpsDLLWithNonUsualPath | Monitors DLLs loaded into a process and detects DLLs that have an expected file name but an abnormal path. | |
SecOpsREvilKaseyaRegistryKey | REvil ransomware hit 40 service providers globally through multiple Kaseya VSA zero-days; the attack was pushed out via an infected IT management update from Kaseya. | |
SecOpsSuspiciousBehaviorAppInitDLL | Malware can insert the location of its malicious library under the AppInit_DLLs registry key so that another process loads the library. | |
SecOpsWinGoldenSamlCertificateExport | Detects potential certificate export used to bypass authentication mechanisms. | |
SecOpsWinMemoryCorruptionVulnerability | Detects exploitation of the Microsoft Office memory corruption vulnerability (CVE-2015-1641), which allows remote code execution. | |
SecOpsWinSpoolsvExeAbnormalProcessSpawn | Detects spoolsv.exe launching unexpected child processes. This activity may be related to the behavior in CVE-2018-8440. | |
SecOpsWinAppInstallerExecution | Detects malicious execution of AppInstaller.exe that could be downloading a file to the target machine. | |
SecOpsLolbinCertocexecution | Detects malicious execution of certoc.exe that could be downloading a file to the target machine or loading an arbitrary DLL. | |
Furthermore, MITRE coverage has been added in the following areas:

- Exfiltration
- Privilege Escalation
- Collection (Target Q1)
- Persistence
- Reconnaissance (Target Q1)
- Credential Access
- Defense Evasion
- Command and Control