    January 22, 2025

    Security Detection Update – 2025-1-22

    Welcome to our security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work creating, testing, and writing detections for you! This week, we've made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, we also release a monthly overview of everything that was changed in the product. However, in these updates we'll focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you're lucky.

    Introduction and Overview

    Welcome to the new year! New you and new detections?


    New Detections

    This update introduces:

    Disabled Account Attempted Login

    This detection monitors for failed Windows logins that fail because the targeted account is disabled. This may be related to legitimate activity, but it is unusual in most environments and could be evidence of unauthorized access attempts. Additionally, multiple failed login attempts for the built-in "Guest" account should be considered suspicious, as this account is disabled by default in modern Windows systems and is commonly targeted by attackers during reconnaissance activities. Vulnerability scanners (such as Qualys or Nessus) may also generate findings.

    • Status: Default Disabled
    • Log type requirement: Windows
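    The logic behind this detection, as an added example that is not Blumira's own code: it walks constructed Windows Security event records shaped like Event ID 4625 (logon failure), keeps those whose NTSTATUS sub-status is 0xC0000072 (account disabled), and separately counts repeated Guest failures per source address. The event dictionaries, the threshold of three, and the field names are assumptions for the sample.

```python
"""Added example (not Blumira's detection code): flag Windows 4625 logon
failures caused by a disabled account, and count repeated failures against
the built-in Guest account. The sample events below are constructed."""
from collections import Counter

# NTSTATUS sub-status that Event ID 4625 reports when the target account is disabled
STATUS_ACCOUNT_DISABLED = "0xc0000072"

# Constructed sample events in the shape of Security log 4625 records (assumed field names)
SAMPLE_EVENTS = [
    {"EventID": 4625, "TargetUserName": "jsmith", "SubStatus": "0xC0000072",
     "IpAddress": "10.0.0.5", "TimeCreated": "2025-01-22T09:00:01Z"},
    {"EventID": 4625, "TargetUserName": "Guest", "SubStatus": "0xC0000072",
     "IpAddress": "10.0.0.9", "TimeCreated": "2025-01-22T09:00:02Z"},
    {"EventID": 4625, "TargetUserName": "Guest", "SubStatus": "0xC0000072",
     "IpAddress": "10.0.0.9", "TimeCreated": "2025-01-22T09:00:03Z"},
    {"EventID": 4625, "TargetUserName": "Guest", "SubStatus": "0xC0000072",
     "IpAddress": "10.0.0.9", "TimeCreated": "2025-01-22T09:00:04Z"},
    # Wrong password (0xC000006A), not a disabled account: must not fire
    {"EventID": 4625, "TargetUserName": "bob", "SubStatus": "0xC000006A",
     "IpAddress": "10.0.0.7", "TimeCreated": "2025-01-22T09:00:05Z"},
    # Successful logon (4624): ignored entirely
    {"EventID": 4624, "TargetUserName": "alice", "SubStatus": "0x0",
     "IpAddress": "10.0.0.8", "TimeCreated": "2025-01-22T09:00:06Z"},
]

def disabled_account_failures(events):
    """Return the 4625 events whose sub-status says the target account is disabled."""
    return [e for e in events
            if e.get("EventID") == 4625
            and str(e.get("SubStatus", "")).lower() == STATUS_ACCOUNT_DISABLED]

def guest_attempts_by_source(events, threshold=3):
    """Map source IP -> number of failed Guest logons, keeping only sources at or above threshold.
    Repeated attempts from one source is the 'suspicious' case described in the text."""
    counts = Counter(e["IpAddress"] for e in disabled_account_failures(events)
                     if e["TargetUserName"].lower() == "guest")
    return {ip: n for ip, n in counts.items() if n >= threshold}

def build_findings(events, guest_threshold=3):
    """One finding per disabled-account failure, plus a summary line per noisy Guest source."""
    findings = [f"disabled-account logon failure: user={e['TargetUserName']} "
                f"src={e['IpAddress']} at {e['TimeCreated']}"
                for e in disabled_account_failures(events)]
    for ip, n in guest_attempts_by_source(events, guest_threshold).items():
        findings.append(f"repeated Guest logon failures: src={ip} count={n}")
    return findings

if __name__ == "__main__":
    for line in build_findings(SAMPLE_EVENTS):
        print(line)
```

Tuning the Guest threshold per environment is what separates a scanner's routine probe from the reconnaissance pattern the detection is after.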

    Microsoft 365: New MFA Device Added

    When at least one user has registered one or more additional MFA methods. This may be part of a normal onboarding or account reset procedure. Malicious actors have been known to add MFA devices under their own control in order to maintain access to an account and respond to MFA prompts without user interaction.

    • Status: Enabled
    • Log type requirement: MS365 AD/Entra

    Potential Exploitation of Cleo CVE-2024-55956 - Autorun File Artifacts

    When file artifacts are detected matching those seen in active attacks related to Cleo CVE-2024-55956.


    Amanda Berlin

    Amanda Berlin is the Senior Product Manager of Cybersecurity at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An...
