Welcome to our weekly security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work creating, testing, and writing detections for you! This week, we've made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, we also release a monthly overview of everything that changed in the product. In these weekly updates, however, we focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you're lucky.
Introduction and Overview
This week was split between research, bug fixes, two new default-enabled detections, and us sneaking in another article within an article!
New Detections
This update introduces several new detections, including:
macOS: Suspicious Plutil Activity
Plutil is a built-in macOS utility that allows administrators, developers, and other tooling to interact with property list (.plist) files. These files define how applications are handled at runtime and how they generally behave. Plist files may be modified by normal administrative activity, including by RMM and MDM software. However, threat actors have been observed leveraging plutil to modify .plist files in an attempt to change application behavior, redirect to malicious applications, and evade defensive measures.
- Status: Enabled
- Log type requirement: Blumira Agent for Mac
Remote Access Tool: RustDesk
RustDesk is a free and open source remote access tool used to remotely manage and support endpoints. This tool has been observed in use by threat actors to establish remote connections to victim endpoints. If your organization does not use RustDesk as authorized remote management software, this activity should be investigated.
- Status: Enabled
- Log type requirement: Windows/Sysmon Process logging, Blumira Agent for Windows, Blumira Agent for Linux, or Blumira Agent for Mac
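To illustrate what these two detections are looking for, here is an added example of simple detection logic run over constructed process-creation events. It is not Blumira's own rule logic; the allowlisted management-tool parent names and the sample hosts are placeholders.

```python
import re

# Management tooling that legitimately edits plists; placeholder names, tune per fleet
ALLOWED_PLIST_EDITORS = {"mdmclient", "jamf", "rmm-agent"}
# plutil options that modify a plist; `-p` and `-lint` only read it
PLUTIL_WRITE_OPS = re.compile(r"\s-(replace|insert|remove|convert)\b")
# plist locations whose contents control what runs or how an app behaves
SENSITIVE_PLIST_PATHS = re.compile(r"/Library/Launch(Agents|Daemons)/|\.app/Contents/")
RUSTDESK_NAMES = {"rustdesk", "rustdesk.exe"}


def _basename(path: str) -> str:
    """Process image name, lower-cased, for either macOS or Windows paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def suspicious_plutil(event: dict) -> bool:
    """plutil writing to a sensitive plist from a parent that is not management tooling."""
    if _basename(event["image"]) != "plutil":
        return False
    cmd = event["command_line"]
    if not (PLUTIL_WRITE_OPS.search(cmd) and SENSITIVE_PLIST_PATHS.search(cmd)):
        return False
    return _basename(event["parent_image"]) not in ALLOWED_PLIST_EDITORS


def unauthorized_rustdesk(event: dict, rustdesk_authorized: bool = False) -> bool:
    """RustDesk starting on a fleet where it is not approved remote-management software."""
    return _basename(event["image"]) in RUSTDESK_NAMES and not rustdesk_authorized


def triage(events: list, rustdesk_authorized: bool = False) -> list:
    """Return (host, detection name) pairs for events that match either rule."""
    hits = []
    for e in events:
        if suspicious_plutil(e):
            hits.append((e["host"], "Suspicious Plutil Activity"))
        if unauthorized_rustdesk(e, rustdesk_authorized):
            hits.append((e["host"], "Remote Access Tool: RustDesk"))
    return hits


# Constructed sample events in the shape of process-creation telemetry
SAMPLE_EVENTS = [
    {"host": "mac-01", "image": "/usr/bin/plutil", "parent_image": "/bin/bash",
     "command_line": "plutil -replace RunAtLoad -bool true "
                     "/Library/LaunchAgents/com.example.updater.plist"},
    {"host": "mac-02", "image": "/usr/bin/plutil", "parent_image": "/bin/zsh",
     "command_line": "plutil -p /Library/LaunchDaemons/com.example.agent.plist"},
    {"host": "mac-03", "image": "/usr/bin/plutil", "parent_image": "/usr/libexec/mdmclient",
     "command_line": "plutil -replace Label -string x /Library/LaunchDaemons/com.vendor.plist"},
    {"host": "win-01", "image": r"C:\Users\bob\Downloads\rustdesk.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "rustdesk.exe"},
]

if __name__ == "__main__":
    for host, rule in triage(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Only the shell-spawned plutil write to a LaunchAgents plist and the RustDesk start fire; the read-only `plutil -p` and the MDM-driven edit do not.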
IDE Content
Of course we're going to sneak some of our other content into detection updates!
“Entra”sting Roles You’ll Want to Know About
From our newest member of the IDE team, Justin Kikani!
The article details Entra, Microsoft's comprehensive identity management platform. Justin emphasizes the complexity of managing it, including the need for careful documentation and understanding of its evolving features and roles, especially in the wake of security incidents.
Amanda Berlin
Amanda Berlin is Lead Incident Detection Engineer at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An accomplished...