    June 27, 2024

    Security Detection Update - 2024-6-27

    Welcome to our weekly security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work creating, testing, and writing detections for you! This week, we've made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, we also release a monthly overview of everything that changed in the product. In these weekly updates, however, we'll focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you're lucky.

    Introduction and Overview

    This week we have spent our time supporting the new release of Blumira Investigate, doing our best to ensure that as much relevant data as possible is available in the feature. If you haven't seen it yet, take a look at the blog post linked above or try it out in the product! Also, as always, our emerging threat detections remain one of our highest priorities.


    New Detections

    This update introduces:

    Certutil Decode Command

    Certutil is a legitimate Windows binary packaged with all modern versions of Windows, providing administrative utilities for viewing and managing certificates. However, Certutil has also been observed being used by threat actors to decode malicious code prior to execution. Threat actors download their malicious code in encoded form to evade defenses; once they have a foothold, they decode it with Certutil so it can be run on the compromised endpoint.

    • Status: Enabled
    • Log type requirement: Windows, Blumira Agent for Windows
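    As an added illustration of the behaviour this detection looks for (example code written for this post, not Blumira's own rule), the following Python check runs over constructed process-creation events shaped like Windows Security Event ID 4688. The field names and sample command lines are assumptions, not real telemetry or Blumira's schema.

```python
import re

# Constructed sample events shaped like Windows Security Event ID 4688
# (process creation). Field names and values are assumptions for this
# example, not Blumira's schema or captured telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil  -decode  C:\Users\Public\update.txt C:\Users\Public\update.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "CERTUTIL.EXE /DecodeHex in.hex out.bin"},
    # Benign administrative use: certificate verification, no decode switch.
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -verify -urlfetch server.cer"},
    # The word "-decode" from a different process must not trigger.
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo -decode > note.txt"},
    # Not a process-creation event at all.
    {"EventID": 4624, "NewProcessName": "", "CommandLine": ""},
]

# certutil accepts switches with either "-" or "/"; cover the base64 decode
# switch and its hex variant, case-insensitively, as whole tokens.
DECODE_SWITCH = re.compile(r"(?:^|\s)[-/]decode(?:hex)?(?=\s|$)", re.IGNORECASE)


def is_certutil_decode(event: dict) -> bool:
    """True when a process-creation event shows certutil.exe run with a decode switch."""
    if event.get("EventID") != 4688:
        return False
    image = event.get("NewProcessName", "").lower()
    if not image.endswith("\\certutil.exe"):
        return False
    return DECODE_SWITCH.search(event.get("CommandLine", "")) is not None


def find_certutil_decode(events):
    """Return the command lines of every event that triggers the detection."""
    return [e["CommandLine"] for e in events if is_certutil_decode(e)]


if __name__ == "__main__":
    for cmd in find_certutil_decode(SAMPLE_EVENTS):
        print("ALERT certutil decode:", cmd)
```

    Matching on the image path plus the switch token, rather than on the substring "decode" alone, is what keeps the benign verification run and the unrelated cmd.exe event out of the results.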

    Amanda Berlin

    Amanda Berlin is Lead Incident Detection Engineer at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An accomplished...
