Release 22 - Out-of-the-box alerts
- Juan Tomás Alonso Nieto (Deactivated)
We're thrilled to unveil the latest detection update (Release 22), introducing powerful enhancements to fortify your security infrastructure. This update features several key improvements:
New Alert: OS Credential Dumping: With our latest detection capabilities, we now provide a new alert system designed to identify instances of OS credential dumping promptly. This critical security threat, often exploited by malicious actors, can compromise sensitive login credentials. By issuing alerts for potential credential dumping activities, our system empowers users to respond swiftly, minimizing the risk of unauthorized access.
New Alert: Detection for Traffic to Paste Bin: Recognizing the evolving threat landscape, we've incorporated detection mechanisms to monitor and flag traffic directed toward paste bin services. These platforms are frequently leveraged by adversaries for data exfiltration and sharing of sensitive information. By detecting suspicious activities related to paste bin usage, our system enables proactive intervention, safeguarding against unauthorized data dissemination.
Regex Optimized Improvements for Window and Proxy Alerts: In this update, we've optimized regular expressions (regex) to enhance the accuracy and efficiency of window and proxy alerts. These improvements refine our detection capabilities, ensuring more precise identification of suspicious activities associated with Windows and Proxy servers. By fine-tuning regex patterns, we reduce false positives and provide users with actionable insights into potential security threats.
Updated Field Naming for Microsoft Office365 Detections: We've revamped field naming conventions for Microsoft Office365 detection to streamline data interpretation and analysis. This update ensures consistency and clarity in identifying and responding to security events within the Office365 environment. By aligning field names with industry standards, users can easily navigate and leverage insights from our detection system to bolster their Office365 security posture.
These updates reflect our commitment to continuously enhancing our detection capabilities, empowering users to stay ahead of emerging threats, and safeguarding their digital assets effectively.
Detection name | Detection description | Devo table / Data source / Category | Changes made |
| Detects well-known credential dumping tools execution via service execution events. |
| New Alert |
| Monitor proxy logs for connections from internal IPs to parsing or content aggregation sites known for data parsing and content extraction functionalities (Also Known As Paste sites). |
| New Alert |
| Detects if a login has been performed by a user which has been created in the last 24 hours and checks if the user creation and the login has been performed from the same IP. This behaviour could indicate a privilege escalation attempt. |
| Tuned subquery parameters |
| Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. |
| Updated based on window logging updates |
| Adversaries may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules. |
| Update field naming |
| The REvil Ransomware has hit 40 service providers globally due to multiple Kaseya VSA Zero-days. the attack was pushed out via a infected IT Management update from Kaseya. |
| Optimized regex |
| Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. |
| Optimized regex |
| Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. |
| Optimized regex |
| The REvil Ransomware has hit 40 service providers globally due to multiple Kaseya VSA Zero-days. the attack was pushed out via a infected IT Management update from Kaseya. |
| Optimized regex |
| Detects remote logins by an administrative user account. Administrative account names are tailored to the organization's specific naming conventions. |
| Updated entity mapping |
| The execution of a process from inside a web hosting directory. cand indicate when adversaries upload a malicious file to the web server and run the file as a process. Â |
| Optimized regex |
Â