While there are simply too many new detection rules added to Blumira’s platform to list, here are a few that highlight the recent work of our incident detection engineers that help with Windows and Office 365 cloud security monitoring.
We roll out new rules on a weekly cadence to keep up with evolving attacker techniques and security misconfigurations, so that Blumira doesn’t miss any key findings in your environment. A detection is a security event that we’ve identified and alert our customers about so they can take action.
In each detection below, we include next steps for remediation and how it maps to the MITRE ATT&CK framework, a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
The following detections were written by Lead Incident Detection Engineer Amanda Berlin:
Detection: Office 365 – New or Modified Microsoft 365 Group
A new group in Office 365 has been created or modified. A Microsoft 365 group creates a shared group email address for collaboration. You can also add Microsoft Teams for group conversations, files, and calendars. This type of finding helps you track any misconfigurations for auditing purposes.
Blumira’s playbook walks you through the next steps to verify if this was an approved Office 365 group addition or modification. If you aren’t able to correlate this group change with legitimate use, Blumira recommends locking the user account associated with this change and performing incident response steps to ensure no other unknown actions have been taken by this user.
See below for additional details on MITRE mapping, why it’s important to detect and how to get this detection.
Detection: Office 365 – New or Modified Distribution or Mail-Enabled Security Group
A new group in Office 365 has been created or modified. A plain distribution group creates an email address for a group of people, while a mail-enabled security group is a distribution list that can also be used to control access to OneDrive and SharePoint. If it is a security group, it will be listed in evidence as that group type.
MITRE: T1136; Tactic: Persistence
Why it’s important to detect: An attacker could create an account to maintain access to targeted systems. In cloud environments, attackers may create accounts that only have access to specific services to reduce the chance of detection, according to MITRE.
How to get these detections: You can get these two detections by setting up Blumira’s Azure Event Hub and Microsoft Office 365 integrations to start collecting and analyzing logs for automated detection and response.
Detection: Suspicious PowerShell Command
Microsoft Defender for Endpoint (previously named Microsoft Defender for Endpoints) has detected a malicious PowerShell command on {devname}. To review the potentially malicious command, visit the Windows security center for more details. This type of tactic is commonly used by attackers to run malicious code, escalate permissions or move laterally throughout your network.
If this was not an approved administrative action, Blumira’s remediation guidance is to examine logs around the time of the PowerShell command execution, remove the device from the network (if possible), then perform internal incident response procedures.
MITRE: T1059.001; Tactic: Execution
Why it’s important to detect: PowerShell is a powerful command-line interface and scripting environment included in the Windows operating system. Attackers may abuse PowerShell commands and scripts to discover information, execute code and download and run executables from the internet, according to MITRE.
How to get these detections: You can get these detections by setting up Blumira’s Microsoft Defender for Endpoint integration to start collecting and analyzing logs for automated detection and response.
Detection: A Windows Security Group Was Created or Modified
There are two types of AD groups:
MITRE: T1136; Tactic: Persistence
Why it’s important to detect: Attackers will create accounts to maintain access to targeted systems. Accounts may be created on the local system or within a domain or cloud tenant, according to MITRE. Detecting this type of activity can help identify security misconfigurations or help with auditing.
How to get these detections: You can get these detections by setting up Blumira’s Microsoft Windows integration to start collecting and analyzing logs for automated detection and response.
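As an added illustration of the kind of logic behind the Windows security group detection above (example code written for this article, not Blumira's own rule), the following scans Windows Security event records for the security-enabled group creation and modification Event IDs, tags each hit with T1136 / Persistence, and raises the priority for changes to a constructed list of high-value groups. The event records and the `HIGH_VALUE_GROUPS` set are assumptions built for the example.

```python
# Added example, not Blumira's detection code. Scans Windows Security events
# for security-enabled group creation/modification and emits T1136 findings.
from dataclasses import dataclass

# Real Windows Security Event IDs for security-enabled group lifecycle events
GROUP_CREATED = {4727: "global", 4731: "local", 4754: "universal"}
GROUP_CHANGED = {4735: "local", 4737: "global", 4755: "universal"}
# Constructed allow list of high-value groups; tune per environment
HIGH_VALUE_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

@dataclass
class Finding:
    event_id: int
    action: str      # "created" or "modified"
    scope: str       # local / global / universal
    group: str       # group name (TargetUserName in the event)
    actor: str       # account that made the change (SubjectUserName)
    priority: int    # 1 = high-value group touched, 2 = any other group
    technique: str = "T1136"
    tactic: str = "Persistence"

def analyze(events):
    """Return a Finding for every group create/modify event in `events`."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid in GROUP_CREATED:
            action, scope = "created", GROUP_CREATED[eid]
        elif eid in GROUP_CHANGED:
            action, scope = "modified", GROUP_CHANGED[eid]
        else:
            continue  # not a group lifecycle event
        group = ev.get("TargetUserName", "")
        actor = ev.get("SubjectUserName", "")
        priority = 1 if group in HIGH_VALUE_GROUPS else 2
        findings.append(Finding(eid, action, scope, group, actor, priority))
    return findings

# Constructed sample events (not real log data); 4624 is a logon and is ignored
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "alice", "TargetUserName": "alice"},
    {"EventID": 4727, "SubjectUserName": "svc-deploy", "TargetUserName": "BackupOps"},
    {"EventID": 4737, "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins"},
    {"EventID": 4735, "SubjectUserName": "jdoe", "TargetUserName": "Remote Desktop Users"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[P{f.priority}] {f.group} {f.action} ({f.scope}) by {f.actor} "
              f"-> {f.technique}/{f.tactic}")
```

Each finding carries the actor, which is the field you would correlate against approved change tickets before deciding whether to lock the account.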
See these detections in action by requesting a demo of Blumira’s platform or get a free trial and easily integrate with your Microsoft and cloud services for faster detection and response.