Welcome to our security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work creating, testing, and writing detections for you! This week, we've made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, we also release a monthly overview of everything that changed in the product. In these updates, however, we'll focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you're lucky.
Welcome to the new year! New you and new detections?
This update introduces:
This detection monitors for failed Windows logins caused by the targeted account being disabled. This may be related to legitimate activity, but it is unusual in most environments and could be evidence of unauthorized access attempts. Additionally, multiple failed login attempts against the built-in "Guest" account should be considered suspicious, as this account is disabled by default in modern Windows systems and is commonly targeted by attackers during reconnaissance. Vulnerability scanners (such as Qualys or Nessus) may also trigger this detection.
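As an added example (not the IDE team's detection code), here is one way to express the two checks above over Windows Security log data. It assumes event ID 4625 (logon failure) and the NTSTATUS code 0xC0000072 (STATUS_ACCOUNT_DISABLED) as the indicator of a disabled-account failure; the log lines, the simplified key=value format, the IP addresses, the Guest threshold and the scanner allowlist are all constructed for the example.

```python
"""Flag Windows logon failures against disabled accounts and repeated Guest failures."""
import re
from collections import Counter

# Assumption: Security event 4625 records logon failures, and 0xC0000072
# (STATUS_ACCOUNT_DISABLED) appears in Status or SubStatus when the target
# account is disabled.
EVENT_LOGON_FAILURE = "4625"
STATUS_ACCOUNT_DISABLED = "0xC0000072"
GUEST_THRESHOLD = 3  # constructed: repeated Guest failures from one source

# Constructed sample lines in a simplified key=value layout (not real telemetry).
SAMPLE_LOG = """\
EventID=4625 TargetUserName=jsmith Status=0xC000006D SubStatus=0xC000006A IpAddress=10.0.0.5
EventID=4625 TargetUserName=svc_backup Status=0xC000006E SubStatus=0xC0000072 IpAddress=10.0.0.9
EventID=4625 TargetUserName=Guest Status=0xC000006E SubStatus=0xC0000072 IpAddress=10.0.0.77
EventID=4625 TargetUserName=Guest Status=0xC000006E SubStatus=0xC0000072 IpAddress=10.0.0.77
EventID=4625 TargetUserName=Guest Status=0xC000006E SubStatus=0xC0000072 IpAddress=10.0.0.77
EventID=4624 TargetUserName=jsmith Status=0x0 SubStatus=0x0 IpAddress=10.0.0.5
EventID=4625 TargetUserName=Guest Status=0xC000006D SubStatus=0xC000006A IpAddress=10.0.0.78
EventID=4625 TargetUserName=old_admin Status=0xC000006E SubStatus=0xC0000072 IpAddress=10.0.0.200
"""

# Constructed allowlist: source addresses of authorised vulnerability scanners.
SCANNER_IPS = {"10.0.0.200"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def disabled_account_failures(log_text, scanner_ips=SCANNER_IPS):
    """Return (user, ip) for logon failures caused by a disabled account.

    Failures originating from known scanner addresses are dropped, since
    scanners routinely probe disabled accounts and would otherwise be noise.
    """
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("EventID") != EVENT_LOGON_FAILURE:
            continue
        if ev.get("IpAddress") in scanner_ips:
            continue
        if STATUS_ACCOUNT_DISABLED in (ev.get("Status"), ev.get("SubStatus")):
            hits.append((ev["TargetUserName"], ev["IpAddress"]))
    return hits


def guest_failure_sources(log_text, threshold=GUEST_THRESHOLD, scanner_ips=SCANNER_IPS):
    """Return {ip: count} for sources with >= threshold failed Guest logons."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("EventID") != EVENT_LOGON_FAILURE:
            continue
        if ev.get("IpAddress") in scanner_ips:
            continue
        if ev.get("TargetUserName", "").lower() == "guest":
            counts[ev["IpAddress"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for user, ip in disabled_account_failures(SAMPLE_LOG):
        print(f"disabled-account logon failure: user={user} source={ip}")
    for ip, n in guest_failure_sources(SAMPLE_LOG).items():
        print(f"repeated Guest logon failures: source={ip} count={n}")
```

The scanner allowlist is the tuning knob the paragraph hints at: rather than suppressing the rule outright, exclude the scanner's source addresses so that a disabled-account failure from anywhere else still surfaces.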
When at least one user registers an additional MFA method. This may be part of a normal onboarding or account reset procedure. Malicious actors have been known to add MFA devices under their own control in order to maintain access to an account and respond to MFA prompts without user interaction.
When file artifacts are detected that match those seen in active attacks related to Cleo CVE-2024-55956.