Welcome to our weekly security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work creating, testing, and writing detections for you! This week, we've made several important updates to improve your security posture and enhance the functionality of our detections. As you may know, we also release a monthly overview of everything that changed in the product. In these weekly updates, however, we focus on the net-new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you're lucky.
This week was split between research, bug fixes, two new default-enabled detections, and us sneaking in another article within an article!
This update introduces several new detections, including:
Plutil is a built-in macOS utility that lets administrators, developers, and other tooling read and modify property list (.plist) files. These files define how applications are handled at runtime and how they generally behave. Plist files may be modified by normal administrative activity, including by RMM and MDM software. However, threat actors have been observed using plutil to modify .plist files in an attempt to change application behavior, redirect to malicious applications, and evade defensive measures. For more information, click here.
RustDesk is a free and open-source remote access tool used to remotely manage and support endpoints. Threat actors have been observed using it to establish remote connections to victim endpoints. If your organization does not use RustDesk as authorized remote management software, this activity should be investigated. For more information, click here.
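To show the shape of the two detections above in code, here is an added example (not IDE's own detection logic) that runs the plutil and RustDesk checks over constructed process-execution events. The plutil write subcommands are real, but the trusted-parent list and RustDesk process names are assumptions you would replace with your own telemetry.

```python
import shlex

# plutil subcommands that modify a plist; -p and -lint only read, so they are ignored
PLUTIL_WRITE_OPS = {"-insert", "-replace", "-remove", "-convert"}

# Parent processes allowed to edit plists (hypothetical placeholder for your MDM/RMM agent)
TRUSTED_PLIST_EDITORS = {"example-mdm-agent"}

# Process names the RustDesk client runs under (assumed; adjust to your environment)
RUSTDESK_NAMES = {"rustdesk", "rustdesk.exe"}


def plutil_modifies_plist(event):
    """True when plutil runs a writing subcommand against a .plist file
    from a parent that is not an approved management agent."""
    if event["process"].lower() != "plutil":
        return False
    args = shlex.split(event["cmdline"])[1:]
    writes = any(a in PLUTIL_WRITE_OPS for a in args)
    touches_plist = any(a.lower().endswith(".plist") for a in args)
    trusted = event.get("parent", "").lower() in TRUSTED_PLIST_EDITORS
    return writes and touches_plist and not trusted


def unauthorized_rustdesk(event, rustdesk_authorized=False):
    """True when a RustDesk binary runs on a host where it is not sanctioned."""
    return not rustdesk_authorized and event["process"].lower() in RUSTDESK_NAMES


def triage(events, rustdesk_authorized=False):
    """Return (rule_name, event) pairs for every event that fires a rule."""
    hits = []
    for ev in events:
        if plutil_modifies_plist(ev):
            hits.append(("plutil_plist_modification", ev))
        if unauthorized_rustdesk(ev, rustdesk_authorized):
            hits.append(("rustdesk_execution", ev))
    return hits


# Constructed sample process events (not real telemetry)
SAMPLE_EVENTS = [
    {"process": "plutil", "parent": "bash",
     "cmdline": "plutil -replace ExampleKey -string value /Applications/Example.app/Contents/Info.plist"},
    {"process": "plutil", "parent": "Terminal",
     "cmdline": "plutil -p /Library/Preferences/com.example.plist"},
    {"process": "plutil", "parent": "example-mdm-agent",
     "cmdline": "plutil -insert ExampleKey -string value /Library/LaunchDaemons/com.example.plist"},
    {"process": "rustdesk", "parent": "launchd", "cmdline": "rustdesk --service"},
    {"process": "ssh", "parent": "zsh", "cmdline": "ssh admin@host.example"},
]

if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS):
        print(f"{rule}: {ev['cmdline']}")
```

Only the shell-spawned plutil write and the RustDesk launch fire; the read-only `plutil -p` and the MDM-parented edit are suppressed, which is the tuning the text describes for RMM/MDM noise.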
Of course we're going to sneak some of our other content into detection updates!
From our newest member of the IDE team, Justin Kikani!
The article details Entra, Microsoft's comprehensive identity management platform. Justin emphasizes the complexity of managing it, including the need for careful documentation and understanding of its evolving features and roles, especially in the wake of security incidents.