In September, we introduced new system-level notifications to warn users when a Cloud Connector has stopped logging so they can fix the problem as soon as possible. We also packed 14 new detection rules into our detection suite, along with even more threat intelligence to boost your security coverage. Check out the details below!
New System Notifications: Cloud Connector health notifications are now available to users in all Blumira editions. If enabled, you will be notified when your Cloud Connectors encounter a persisting error status or cannot complete their initial setup so you can take action to fix the connector and resume logging. You can edit your personal settings on the Notification Settings page. Learn more about the available options here.
More Threat Feed Data: We’ve updated the threat feeds we use to provide you with threat alerts and blocking capabilities, adding DFIR Report intelligence that covers these command and control frameworks: DCRAT, AsyncRAT, Viper, PupyRAT, Havoc, and More_eggs.
New Global Report: “Microsoft 365 - Global Admin Role Assignments” is a new global report for users looking to track net new Global Admin role assignments in Microsoft 365.
| Log Type | Detection Details |
|---|---|
|
All traffic data types |
NEW - DFIR Report: AsyncRAT Command and Control This command and control traffic is likely related to AsyncRAT infrastructure. AsyncRAT is a remote access trojan. For more information about AsyncRAT, see the GitHub repository. Default state: Enabled |
|
All traffic data types |
NEW - DFIR Report: DcRAT Command and Control This command and control traffic is likely related to DcRAT infrastructure. DcRAT is a remote access trojan known for initial access operations. For more information about DcRAT, see the GitHub repository or this post from Blackberry. Default state: Enabled |
|
All traffic data types |
NEW - DFIR Report: Havoc Command and Control This command and control traffic is likely related to Havoc infrastructure. Havoc is a command and control framework. For more information about Havoc, see the GitHub repository. Default state: Enabled |
|
All traffic data types |
NEW - DFIR Report: More_eggs Command and Control This command and control traffic is likely related to More_eggs infrastructure. More_eggs is a JavaScript backdoor trojan. For more information about More_eggs, see this post from MITRE. Default state: Enabled |
|
All traffic data types |
NEW - DFIR Report: Pupy Command and Control This command and control traffic is likely related to Pupy infrastructure. Pupy is a free and open-source remote access tool and post-exploitation framework. For more information about Pupy, see the GitHub repository or this post from AHN Labs. Default state: Enabled |
|
All traffic data types |
NEW - DFIR Report: Viper Command and Control This command and control traffic is likely related to Viper infrastructure. Viper is a free and open-source modular offensive security multi-tool, similar to Metasploit, that can be used across stages in intrusions including command and control, discovery, lateral movement, and impact. For more information about DcRAT, see the GitHub repository. Default state: Enabled |
|
Azure AD |
NEW - Azure: SQL Firewall Rule Created Because it's nice to know when your Azure tenant may be opening SQL up! Default state: Disabled; must be enabled by an administrator |
|
Azure AD |
NEW - Azure: SQL Firewall Rule Deleted Probably not as risky of a detection as “Firewall Rule Created,” but it's nice to have parity. 😉 Default state: Disabled; must be enabled by an administrator |
|
GCP Cloud Audit |
NEW - Google Cloud Platform: API Key Generated A user has created or requested the creation of an API key within your Google Cloud Platform (GCP) tenant. This can be part of the normal admin or operational lifecycle within GCP. Threat actors have been increasingly observed using API keys to maintain persistence within cloud environments. Default state: Enabled |
|
GCP Cloud Audit |
NEW - Google Cloud Platform: Secret Created in Secret Manager A user in your Google Cloud Platform tenant has created or requested to create a new secret. Default state: Disabled; must be enabled by an administrator |
|
MS365 AD |
NEW - Microsoft 365: SsoArtifactRevoked Failed Login Detects when a user has failed to log in to Microsoft 365 services and the resultant error indicates the session was denied due to a bad password (either expired or recently changed). These events can also be related to conditional access policies denying a login. We have seen evidence of this activity in Business Email Compromise during our research. Default state: Disabled; must be enabled by an administrator |
|
Windows or Blumira Agent |
NEW - ESX Admin Group Creation or Modification A domain group named "ESX Admins" has been created or modified in Active Directory. This detection identifies the following activities:
While this may be legitimate administrative activity, it should still be accounted for. Threat actors have been observed taking advantage of a vulnerability using these groups via CVE-2024-37085. Default state: Enabled |
|
Windows or Blumira Agent |
NEW - Suspicious Windows Defender Registry Key Tampering via Reg.exe Administrators and administrative software may modify Windows Defender registry keys while installing antivirus. Threat actors may tamper with Windows Defender registry keys to attempt to disable protection and detection features during adversarial activity and malware deployment. For more information, see Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours. Default state: Enabled |
|
Windows, Blumira Agent for Windows, Blumira Agent for Linux, Blumira Agent for Mac |
NEW - Network Tunneling Tool: Chisel Chisel is a free and open source network tunneling tool that can be used to establish tunnels for various protocols over HTTP for legitimate business uses like enabling remote access. These tools can also be used to bypass network security controls, obscure malicious activities, or exfiltrate sensitive data if used by threat actors who have gained unauthorized access to a system or network. To learn more, see the following resources: Default state: Enabled |
In case you missed the August updates, you can find and review those notes here.