April 15, 2024
Welcome to our weekly security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work. Creating, testing, and writing detections for you! This week, we've made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, monthly, we also release an overview of the entirety of what was changed in the product. However in these updates we'll focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you're lucky.
Introduction and Overview
This week was full of some detection maturity and threat research!
New Detections
This update introduces:
Decimal Character Encoded Command
No it's not just the spongebob meme.....
This tactic is used by threat actors to obfuscate their commands and evade detection. Some administrators may also intentionally use this functionality, but it is extremely uncommon. For more information see here or here.
- Status: Enabled
- Log type requirement: Windows or Blumira Agent for Windows
IDE Content
Of course we're going to sneak some of our other content into detection updates!
CVE-2024-3400: Palo Alto Vulnerabilities in GlobalProtect Gateway Lead to RCE
On Friday (4-12-24), Palo Alto announced a new critical vulnerability in devices running their GlobalProtect Gateway. Successful exploitation of this vulnerability leads to command injection and allows an attacker to run arbitrary code as root on the device.
Palo Alto disclosed that they are aware of a “limited number of attacks” using this vulnerability (CVE-2024-3400) in the wild. However, since this is a publicly facing service, it’s more than likely that attackers will begin to increasingly leverage this vulnerability.
