Skip to content
Get A Demo
Free SIEM
    March 19, 2024

    Security Detection Update - 2024-3-19

    Welcome to our weekly security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work. Creating, testing, and writing detections for you! This week, we've made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, monthly, we also release an overview of the entirety of what was changed in the product. However in these updates we'll focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you're lucky.

    Introduction and Overview

    This week was split up into research, bug fixes, 2 new default enabled detections, and us sneaking in another article within an article!


    New Detections

    This update introduces several new detections, including:

    macOS: Suspicious Plutil Activity

    Plutil is a built-in macOS utility that allows administrators, developers, and other tooling to interact with property list (.plist) files. These files are used to define how applications are handled at runtime and how applications generally behave. Plist files may be modified by normal administrative activity, including by RMM and MDM software. However, threat actors have been observed leveraging plutil to modify .plist files in an attempt to modify application behavior, redirect to malicious applications, and evade defensive measures. For more information, click here.

    • Status: Enabled
    • Log type requirement: Blumira Agent for Mac

    Remote Access Tool: RustDesk

    RustDesk is a free and open source remote access tool used to remotely manage and support endpoints. This tool has been observed in-use by threat actors to establish remote connections to victim endpoints. If your organization does not use RustDesk as authorized remote management software, this activity should be investigated. For more information, click here.

    • Status: Enabled
    • Log type requirement: Windows/Sysmon Process logging, Blumira Agent for Windows, Blumira Agent for Linux, or Blumira Agent for Mac


    IDE Content

    Of course we're going to sneak some of our other content into detection updates!

    “Entra”sting Roles You’ll Want to Know About

    From our newest member of the IDE team, Justin Kikani!
    The article details Entra, Microsoft's comprehensive identity management platform. Justin emphasizes the complexity of managing it, including the need for careful documentation and understanding of its evolving features and roles, especially in the wake of security incidents.

    Amanda Berlin

    Amanda Berlin is Lead Incident Detection Engineer at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An accomplished...

    More from the blog

    View All Posts