Blumira Resources & Blog

September 2024 Product Release Notes

Written by Faith Bradley | Oct 8, 2024 8:00:00 PM

Summary

In September, we introduced new system-level notifications to warn users when a Cloud Connector has stopped logging so they can fix the problem as soon as possible. We also packed 14 new detection rules into our detection suite, along with even more threat intelligence to boost your security coverage. Check out the details below!

Feature and Platform Updates

  • New System Notifications: Cloud Connector health notifications are now available to users in all Blumira editions. If enabled, you will be notified when your Cloud Connectors encounter a persisting error status or cannot complete their initial setup so you can take action to fix the connector and resume logging. You can edit your personal settings on the Notification Settings page. Learn more about the available options here.

    More Threat Feed Data: We’ve updated the threat feeds we use to provide you with threat alerts and blocking capabilities, adding DFIR Report intelligence that covers these command and control frameworks: DCRAT, AsyncRAT, Viper, PupyRAT, Havoc, and More_eggs.

    New Global Report: “Microsoft 365 - Global Admin Role Assignments” is a new global report for users looking to track net new Global Admin role assignments in Microsoft 365.

Detection Updates

Log Type Detection Details

All traffic data types

NEW - DFIR Report: AsyncRAT Command and Control

This command and control traffic is likely related to AsyncRAT infrastructure. AsyncRAT is a remote access trojan. For more information about AsyncRAT, see the GitHub repository.

Default state: Enabled

All traffic data types

NEW - DFIR Report: DcRAT Command and Control

This command and control traffic is likely related to DcRAT infrastructure. DcRAT is a remote access trojan known for initial access operations. For more information about DcRAT, see the GitHub repository or this post from Blackberry.

Default state: Enabled

All traffic data types

NEW - DFIR Report: Havoc Command and Control

This command and control traffic is likely related to Havoc infrastructure. Havoc is a command and control framework. For more information about Havoc, see the GitHub repository.

Default state: Enabled

All traffic data types

NEW - DFIR Report: More_eggs Command and Control

This command and control traffic is likely related to More_eggs infrastructure. More_eggs is a JavaScript backdoor trojan. For more information about More_eggs, see this post from MITRE.

Default state: Enabled

All traffic data types

NEW - DFIR Report: Pupy Command and Control

This command and control traffic is likely related to Pupy infrastructure. Pupy is a free and open-source remote access tool and post-exploitation framework. For more information about Pupy, see the GitHub repository or this post from AHN Labs.

Default state: Enabled

All traffic data types

NEW - DFIR Report: Viper Command and Control

This command and control traffic is likely related to Viper infrastructure. Viper is a free and open-source modular offensive security multi-tool, similar to Metasploit, that can be used across stages in intrusions including command and control, discovery, lateral movement, and impact. For more information about DcRAT, see the GitHub repository.

Default state: Enabled

Azure AD

NEW - Azure: SQL Firewall Rule Created

Because it's nice to know when your Azure tenant may be opening SQL up!

Default state: Disabled; must be enabled by an administrator

Azure AD

NEW - Azure: SQL Firewall Rule Deleted

Probably not as risky of a detection as “Firewall Rule Created,” but it's nice to have parity. 😉

Default state: Disabled; must be enabled by an administrator

GCP Cloud Audit

NEW - Google Cloud Platform: API Key Generated

A user has created or requested the creation of an API key within your Google Cloud Platform (GCP) tenant. This can be part of the normal admin or operational lifecycle within GCP. Threat actors have been increasingly observed using API keys to maintain persistence within cloud environments.

Default state: Enabled

GCP Cloud Audit

NEW - Google Cloud Platform: Secret Created in Secret Manager

A user in your Google Cloud Platform tenant has created or requested to create a new secret.

Default state: Disabled; must be enabled by an administrator

MS365 AD

NEW - Microsoft 365: SsoArtifactRevoked Failed Login

Detects when a user has failed to log in to Microsoft 365 services and the resultant error indicates the session was denied due to a bad password (either expired or recently changed). These events can also be related to conditional access policies denying a login. We have seen evidence of this activity in Business Email Compromise during our research.

Default state: Disabled; must be enabled by an administrator

Windows or Blumira Agent

NEW - ESX Admin Group Creation or Modification

A domain group named "ESX Admins" has been created or modified in Active Directory. This detection identifies the following activities:

  • Domain group created and titled "ESX Admins"

  • Renaming an existing domain group to "ESX Admins"

  • Adding users to the "ESX Admins" group

While this may be legitimate administrative activity, it should still be accounted for. Threat actors have been observed taking advantage of a vulnerability using these groups via CVE-2024-37085.

Default state: Enabled

Windows or Blumira Agent

NEW - Suspicious Windows Defender Registry Key Tampering via Reg.exe

Administrators and administrative software may modify Windows Defender registry keys while installing antivirus. Threat actors may tamper with Windows Defender registry keys to attempt to disable protection and detection features during adversarial activity and malware deployment. For more information, see Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours.

Default state: Enabled

Windows, Blumira Agent for Windows, Blumira Agent for Linux, Blumira Agent for Mac

NEW - Network Tunneling Tool: Chisel

Chisel is a free and open source network tunneling tool that can be used to establish tunnels for various protocols over HTTP for legitimate business uses like enabling remote access. These tools can also be used to bypass network security controls, obscure malicious activities, or exfiltrate sensitive data if used by threat actors who have gained unauthorized access to a system or network.

To learn more, see the following resources:

Default state: Enabled

August Release Notes

In case you missed the August updates, you can find and review those notes here.