February 28, 2024
Hello World! Welcome to our weekly security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work. Creating, testing, and writing detections for you! This week, we’ve made several important updates to improve your security posture and enhance the functionality of our detections. As you know, monthly, we also release an overview of the entirety of what was changed in the product. However in these updates we’ll focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you’re lucky.
Introduction and Overview
As we’ve not previously made public announcements on a majority of the detection work we’ve been up to, here’s a recap for you all.
As for this week, it was a busy sprint for us, as we did release some detections out-of-band for a ScreenConnect Emerging Threat you may have seen. We also focused on some Windows endpoint and Blumira agent detections as well as enhancing our Microsoft 365 offering.
New Detections
This update introduces several new detections, including:
Invocation of Sudo for Windows
Sudo is a new command for Windows, currently in Insider Preview and is not normally installed on Windows. It has to be manually enabled in its current form via the Developer settings menu. Sudo can be used to elevate permissions and is similar to Run As in nature. It has a few options to run as a new window or run inline within PowerShell or the command prompt.
For more information, click here.
- Status: Enabled
- Log type requirement: Windows process creation or Blumira Agent for Windows
Microsoft 365: MFA Change of Method
During one of our recent webinars, a current Blumira customer had this ask:
I would be very interested in an alert for any change to MFA methods, adds, deletes, changes to any method – Authenticator app, phone, txt or app password. Another company we work with had a user give up his creds. First move attacker made was to add a phone number for MFA. Most end users have no idea how to even find these settings, so any change is a red flag.
You asked and we delivered! These are findings created only when a user changes their MFA settings, not administrators.
- Status: Disabled by Default
- Log type requirement: Microsoft 365 Admin
Microsoft 365: Successful Login Using Commonly Targeted Account Name
These usernames are part of a “watchlist” of commonly targeted accounts in password spraying and brute force attacks. Accounts with these names are typically shared, service, or test accounts that may be more vulnerable to account takeover due to their shared or temporary status. For example, scanner accounts are commonly created without MFA or modern authentication requirements due to scanners typically being incompatible with such security features. Threat actors know this and purposely target these accounts for that reason.
- Status: Disabled by Default
- Log type requirement: Microsoft 365 Admin
PUA: Restic Backup Activity
Restic is a free and open source backup program used to make backups. While the tool may be used by system administrators for legitimate business purposes, it has also been leveraged by threat actors to exfiltrate data.
- Status: Enabled
- Log type requirement: Windows process creation or Blumira Agent for Windows, Mac, or Linux
Remote Access Tool: NetSupport Manager From Unusual Location
NetSupport Manager is a common remote access tool used by System Administrators to remotely manage and support endpoints. It has also been seen being abused by threat actors to remotely control victim endpoints for unauthorized access.
For more information, click here.
- Status: Disabled by Default
- Log type requirement: Windows process creation or Blumira Agent for Windows
