|
All traffic data types
|
NEW - DFIR Report: AsyncRAT Command and Control
This command and control traffic is likely related to AsyncRAT infrastructure. AsyncRAT is a remote access trojan. For more information about AsyncRAT, see the GitHub repository.
Default state: Enabled
|
|
All traffic data types
|
NEW - DFIR Report: DcRAT Command and Control
This command and control traffic is likely related to DcRAT infrastructure. DcRAT is a remote access trojan known for initial access operations. For more information about DcRAT, see the GitHub repository or this post from Blackberry.
Default state: Enabled
|
|
All traffic data types
|
NEW - DFIR Report: Havoc Command and Control
This command and control traffic is likely related to Havoc infrastructure. Havoc is a command and control framework. For more information about Havoc, see the GitHub repository.
Default state: Enabled
|
|
All traffic data types
|
NEW - DFIR Report: More_eggs Command and Control
This command and control traffic is likely related to More_eggs infrastructure. More_eggs is a JavaScript backdoor trojan. For more information about More_eggs, see this post from MITRE.
Default state: Enabled
|
|
All traffic data types
|
NEW - DFIR Report: Pupy Command and Control
This command and control traffic is likely related to Pupy infrastructure. Pupy is a free and open-source remote access tool and post-exploitation framework. For more information about Pupy, see the GitHub repository or this post from AHN Labs.
Default state: Enabled
|
|
All traffic data types
|
NEW - DFIR Report: Viper Command and Control
This command and control traffic is likely related to Viper infrastructure. Viper is a free and open-source modular offensive security multi-tool, similar to Metasploit, that can be used across stages in intrusions including command and control, discovery, lateral movement, and impact. For more information about DcRAT, see the GitHub repository.
Default state: Enabled
|
|
Azure AD
|
NEW - Azure: SQL Firewall Rule Created
Because it's nice to know when your Azure tenant may be opening SQL up!
Default state: Disabled; must be enabled by an administrator
|
|
Azure AD
|
NEW - Azure: SQL Firewall Rule Deleted
Probably not as risky of a detection as “Firewall Rule Created,” but it's nice to have parity. 😉
Default state: Disabled; must be enabled by an administrator
|
|
GCP Cloud Audit
|
NEW - Google Cloud Platform: API Key Generated
A user has created or requested the creation of an API key within your Google Cloud Platform (GCP) tenant. This can be part of the normal admin or operational lifecycle within GCP. Threat actors have been increasingly observed using API keys to maintain persistence within cloud environments.
Default state: Enabled
|
|
GCP Cloud Audit
|
NEW - Google Cloud Platform: Secret Created in Secret Manager
A user in your Google Cloud Platform tenant has created or requested to create a new secret.
Default state: Disabled; must be enabled by an administrator
|
|
MS365 AD
|
NEW - Microsoft 365: SsoArtifactRevoked Failed Login
Detects when a user has failed to log in to Microsoft 365 services and the resultant error indicates the session was denied due to a bad password (either expired or recently changed). These events can also be related to conditional access policies denying a login. We have seen evidence of this activity in Business Email Compromise during our research.
Default state: Disabled; must be enabled by an administrator
|
|
Windows or Blumira Agent
|
NEW - ESX Admin Group Creation or Modification
A domain group named "ESX Admins" has been created or modified in Active Directory. This detection identifies the following activities:
-
Domain group created and titled "ESX Admins"
-
Renaming an existing domain group to "ESX Admins"
-
Adding users to the "ESX Admins" group
While this may be legitimate administrative activity, it should still be accounted for. Threat actors have been observed taking advantage of a vulnerability using these groups via CVE-2024-37085.
Default state: Enabled
|
|
Windows or Blumira Agent
|
NEW - Suspicious Windows Defender Registry Key Tampering via Reg.exe
Administrators and administrative software may modify Windows Defender registry keys while installing antivirus. Threat actors may tamper with Windows Defender registry keys to attempt to disable protection and detection features during adversarial activity and malware deployment. For more information, see Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours.
Default state: Enabled
|
|
Windows, Blumira Agent for Windows, Blumira Agent for Linux, Blumira Agent for Mac
|
NEW - Network Tunneling Tool: Chisel
Chisel is a free and open source network tunneling tool that can be used to establish tunnels for various protocols over HTTP for legitimate business uses like enabling remote access. These tools can also be used to bypass network security controls, obscure malicious activities, or exfiltrate sensitive data if used by threat actors who have gained unauthorized access to a system or network.
To learn more, see the following resources:
Default state: Enabled
|
