This week was split up into research, bug fixes, 2 new default enabled detections, and us sneaking in another article within an article!
This update introduces several new detections, including:
macOS: Suspicious Plutil Activity
Plutil is a built-in macOS utility that allows administrators, developers, and other tooling to interact with property list (.plist) files. These files are used to define how applications are handled at runtime and how applications generally behave. Plist files may be modified by normal administrative activity, including by RMM and MDM software. However, threat actors have been observed leveraging plutil to modify .plist files in an attempt to modify application behavior, redirect to malicious applications, and evade defensive measures. For more information, click here.
- Status: Enabled
- Log type requirement: Blumira Agent for Mac
Remote Access Tool: RustDesk
RustDesk is a free and open source remote access tool used to remotely manage and support endpoints. This tool has been observed in-use by threat actors to establish remote connections to victim endpoints. If your organization does not use RustDesk as authorized remote management software, this activity should be investigated. For more information, click here.
- Status: Enabled
- Log type requirement: Windows/Sysmon Process logging, Blumira Agent for Windows, Blumira Agent for Linux, or Blumira Agent for Mac
Of course we're going to sneak some of our other content into detection updates!
From our newest member of the IDE team, Justin Kikani!
The article details Entra, Microsoft's comprehensive identity management platform. Justin emphasizes the complexity of managing it, including the need for careful documentation and understanding of its evolving features and roles, especially in the wake of security incidents.
