March 12, 2024

February 2024 Releases

Summary

In February, we released hundreds of new reports and over a dozen new detection rules to continue to support your organization’s security and compliance programs. We’re continuing to improve how we use logged data to quickly show where threats may exist so you can stop or contain them. This enables you to keep up with the ever-changing threat landscape while reducing the burden of creating detections and reports.

Feature and Platform Updates

Global Reports: We added 245 new reports to the Saved Reports menu in Report Builder, including the following:

Compliance reports for CIS Controls (47), CMMC (50), FERPA (48), FINRA (49) and ISO 27001 (43)
Four Google Workspace reports to facilitate investigations into suspicious logins after receiving related findings in the app
“AnyDesk Process per Endpoint” report, which helps identify whether AnyDesk is running in your environment, which is an audit we recommend performing in response to the AnyDesk cyberattack
Two new Microsoft 365 reports detailing the changes made to users' MFA methods
“Sophos XG: Firewall Rule Configuration Change” report is an alternative option to a new default-disabled detection rule by the same name to help audit configuration changes

Detection Updates

Log Type	Detection Rule Name	Details
HTTP Access (Apache/IIS/NginX)	NEW - ConnectWise ScreenConnect SetupWizard Authentication Bypass CVE-2024-1709	This new P1 detection rule alerts when a device makes a web request to `SetupWizard.aspx` with a trailing path. This activity may be related to potential exploitation of ConnectWise ScreenConnect CVE-2024-1709
Multi-Source	NEW - ConnectWise ScreenConnect Path Traversal Exploitation CVE-2024-1708	This new P1 detection rule alerts when a device shows activity related to potential exploitation of ConnectWise ScreenConnect CVE-2024-1708. It detects the creation of files with `.ASPX` or `.ASHX` extensions in the `Program Files (x86)\ScreenConnect\App_Extensions\` directory, which is unusual behavior that is not performed by ScreenConnect as part of normal operation.
Multi-Source	NEW - ConnectWise ScreenConnect SetupWizard User Database Modification CVE-2024-1709	This new P1 detection rule alerts when a device shows activity related to potential exploitation of ConnectWise ScreenConnect CVE-2024-1709.
Google GSuite	NEW - Google Workspace: Suspicious Login	This new P3 detection rule alerts when Google flags a suspicious login for a user.
	NEW - Google Workspace: Login from Outside the U.S.	This new default disabled detection rule alerts when a user has logged in to Google Workspace from outside of the U.S.
	NEW - Google Workspace: Impossible Travel Login	This new P2 detection rule alerts when one or more Google Workspace users exhibit behavior matching impossible travel activity, which means logins or access attempts from different geographic locations within an unrealistically short timeframe, indicating potential malicious activity.
Microsoft 365 Azure AD	NEW - Microsoft 365: Login Blocked due to Conditional Access Policy	This new operational detection rule triggers when a user attempts to log in but is blocked by a Conditional Access policy.
	NEW - Microsoft 365: MFA Change of Method	This new default-disabled detection alerts when a user changes their MFA methods, with details in the `info` evidence field to show which methods the user selected.
	NEW - Microsoft 365: Successful Login Using Commonly Targeted Account Name	This new default-disabled detection alerts when there is a successful login to a user account that is part of a "watchlist" of account types commonly targeted in password spraying and brute force attacks. That list includes shared, service, or test accounts, which are vulnerable to account takeover due to their shared or temporary status.
Multi-source	NEW - DFIR Report: SocGholish Command and Control	This new P2 detection rule alerts when there is traffic on your network to a known command and control server that is likely related to the SocGholish infrastructure.
	NEW - Discovery via ADGet	This new P1 detection rule alerts when a process runs that is associated with ADGet, which is leveraged by threat actors to gather information about Active Directory users, computers, domains, and trusts. The tool exports Active Directory data to a Zip archive.
	NEW - Execution of Cisco Jabber ProcessDump	This new P2 detection rule alerts when Cisco Jabber-bundled `ProcessDump.exe` is executed on a device. This utility could be abused by threat actors to dump the memory of any running process.
	NEW - Invocation of Sudo for Windows	This new P3 detection rule alerts when a user is seen invoking Sudo for Windows on a device.
	NEW - PUA: Restic Backup Activity	This new P3 detection rule alerts when a user is seen executing the application restic on a device. Although restic is used to make backups for legitimate purposes, it has also been leveraged by threat actors to exfiltrate data.
	NEW - Remote Access Tool: NetSupport Manager	This new default-disabled rule monitors for NetSupport Manager being launched from suspicious locations.
	NEW - Suspicious Invocation of Finger.exe	This new P2 detection alerts when `Finger.exe` has been launched on a device. Finger is now more often leveraged by threat actors to drop malware or exfiltrate data from a host than to be used for non-malicious activity.
Sophos XG	NEW - Sophos XG: Firewall Rule Configuration Change	This new default-disabled detection rule monitors for changes to Sophos XG firewall rules. A global report by the same name was released as well for auditing via a scheduled report.
Windows	NEW - Share Enumeration Write Access Check via SoftPerfect Network Scanner	This new P3 detection rule alerts when a signature matching SoftPerfect Network Scanner scanning activity is observed on a device.