Welcome to our security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work creating, testing, and writing detections for you! This week, we've made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, we also release a monthly overview of everything that was changed in the product. In these updates, however, we'll focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you're lucky.
It was so great seeing so many people at Wild West Hackin' Fest this last week! The team back home (each working remotely) released two great detections that cover some LOLBAS activity that has been seen from ransomware actors.
This update introduces:
These commands will allow unsigned drivers to run on a host. Administrators may use these commands legitimately to troubleshoot driver compatibility conflicts or for driver development and testing; however, this is uncommon. Threat actors have been observed abusing these commands in order to run unsigned and malicious or vulnerable drivers.
This tool may be used legitimately to display or alter the encryption of directories and files on NTFS volumes. Threat actors have been observed abusing this tool as a precursor to ransomware deployment. This detection specifically looks for cipher being run with the /w parameter against a specific drive (ex. cipher /w:\\?\C:) - a malicious tactic observed in the wild.
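The check described above can be sketched over process-creation command lines as follows. This is an added example, not the IDE team's detection logic: the function names and sample events are constructed here, and treating only a drive root (with or without the \\?\ prefix) as "a specific drive" is an assumption about the rule's scope.

```python
import re

# /w switch with its target, quoted or bare; cipher switches are case-insensitive.
W_SWITCH = re.compile(r'(?i)(?:^|\s)/w:(?:"([^"]*)"|(\S+))')
# Whole-drive target: optional \\?\ or \\.\ prefix, drive letter, colon,
# and at most one trailing backslash (assumed meaning of "a specific drive").
DRIVE_ROOT = re.compile(r'(?i)^(?:\\\\[?.]\\)?[a-z]:\\?$')
# Image name cipher or cipher.exe, with or without a directory in front.
CIPHER_IMAGE = re.compile(r'(?i)(?:^|[\\/])cipher(?:\.exe)?$')


def split_image(command_line):
    """Split a process command line into (image, remaining arguments)."""
    cl = command_line.strip()
    if cl.startswith('"'):
        image, _, rest = cl[1:].partition('"')
        return image, rest
    parts = re.split(r"\s+", cl, maxsplit=1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def cipher_wipe_target(command_line):
    """Return the drive passed to `cipher /w:`, or None when there is no match."""
    image, rest = split_image(command_line)
    if not CIPHER_IMAGE.search(image):
        return None
    match = W_SWITCH.search(rest)
    if not match:
        return None
    target = match.group(1) if match.group(1) is not None else match.group(2)
    return target if DRIVE_ROOT.match(target) else None


# Constructed process-creation command lines (not taken from real telemetry).
SAMPLE_EVENTS = [
    r'cipher /w:\\?\C:',
    r'"C:\Windows\System32\cipher.exe" /W:D:',
    r'cipher.exe /w:C:\Users\Public\scratch',
    r'cipher /e /s:C:\Data',
    r'notcipher.exe /w:C:',
]


def scan(events):
    """Return (command_line, target) pairs for events that match."""
    hits = [(e, cipher_wipe_target(e)) for e in events]
    return [(e, t) for e, t in hits if t is not None]
```

Calling scan(SAMPLE_EVENTS) returns the first two entries only; the directory target, the /e invocation and the look-alike image name are not matched.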