October 3, 2024

Security Detection Update – 2024-10-3

Welcome to our security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work. Creating, testing, and writing detections for you! This week, we've made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, monthly, we also release an overview of the entirety of what was changed in the product. However in these updates we'll focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you're lucky.

Introduction and Overview

It was so great seeing so many people at Grrcon this last week!! Instead of putting out two blog posts back to back, we combined two weeks of releases into one :D Our team produced some great new threat feed detections based off of some amazing research over at DFIR Report, and also some new GCP informational and risk detections!

New/Modified Detections

This update introduces:

DFIR Report: AsyncRAT Command and Control

This command and control traffic is likely related to AsyncRAT infrastructure. AsyncRAT is a remote access trojan.

Status: Enabled
Log type requirement: All traffic data types
For more information about AsyncRAT, see the GitHub repository

DFIR Report: DcRAT Command and Control

This command and control traffic is likely related to DcRAT infrastructure. DcRAT is a remote access trojan known for initial access operations.

Status: Enabled
Log type requirement: All traffic data types
For more information about DcRAT, see the GitHub repository or this post from Blackberry

DFIR Report: Havoc Command and Control

This command and control traffic is likely related to Havoc infrastructure. Havoc is a command and control framework.

Status: Enabled
Log type requirement: All traffic data types
For more information about Havoc, see the GitHub repository

DFIR Report: More_eggs Command and Control

This command and control traffic is likely related to More_eggs infrastructure. More_eggs is a JavaScript backdoor trojan.

Status: Enabled
Log type requirement: All traffic data types
For more information about More_eggs, see this post from MITRE

DFIR Report: Pupy Command and Control

This command and control traffic is likely related to Pupy infrastructure. Pupy is a free and open-source remote access tool and post-exploitation framework.

Status: Enabled
Log type requirement: All traffic data types
For more information about Pupy, see the GitHub repository or this post from AHN Labs

DFIR Report: Viper Command and Control

This command and control traffic is likely related to Viper infrastructure. Viper is a free and open-source modular offensive security muti-tool, similar to Metasploit, that can be used across stages in intrusions including command and control, discovery, lateral movement, and impact.

Status: Enabled
Log type requirement: All traffic data types
For more information about DcRAT, see the GitHub repository

Google Cloud Platform: API Key Generated

A user has created or requested the creation of an API key within your Google Cloud Platform (GCP) tenant. This can be part of the normal admin or operational lifecycle within GCP. Threat actors have been increasingly observed using API keys to maintain persistence within cloud environments.

Status: Enabled
Log type requirement: GCP Cloud Audit

Google Cloud Platform: Secret Created in Secret Manager

A user in your Google Cloud Platform tenant has created/requested to create a new secret.

Status: Default Disabled
Log type requirement: GCP Cloud Audit

Tag(s): Product Updates , Blog , Product Release Notes , Detection Update

Amanda Berlin

Amanda Berlin is Lead Incident Detection Engineer at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An accomplished...