    March 12, 2024

    February 2024 Releases

    Summary

    In February, we released hundreds of new reports and over a dozen new detection rules to continue to support your organization’s security and compliance programs. We’re continuing to improve how we use logged data to quickly show where threats may exist so you can stop or contain them. This enables you to keep up with the ever-changing threat landscape while reducing the burden of creating detections and reports.

    Feature and Platform Updates

    Global Reports: We added 245 new reports to the Saved Reports menu in Report Builder, including the following:

    • Compliance reports for CIS Controls (47), CMMC (50), FERPA (48), FINRA (49) and ISO 27001 (43)

    • Four Google Workspace reports to facilitate investigations into suspicious logins after receiving related findings in the app

    • “AnyDesk Process per Endpoint” report, which helps identify whether AnyDesk is running in your environment; we recommend performing this audit in response to the AnyDesk cyberattack

    • Two new Microsoft 365 reports detailing the changes made to users' MFA methods

    • “Sophos XG: Firewall Rule Configuration Change” report, an alternative to the new default-disabled detection rule of the same name, to help audit firewall configuration changes

    Detection Updates

    Log Type: HTTP Access (Apache/IIS/NginX)

    Detection Rule Name: NEW - ConnectWise ScreenConnect SetupWizard Authentication Bypass CVE-2024-1709
    Details: This new P1 detection rule alerts when a device makes a web request to SetupWizard.aspx with a trailing path. This activity may be related to potential exploitation of ConnectWise ScreenConnect CVE-2024-1709.

    Log Type: Multi-Source

    Detection Rule Name: NEW - ConnectWise ScreenConnect Path Traversal Exploitation CVE-2024-1708
    Details: This new P1 detection rule alerts when a device shows activity related to potential exploitation of ConnectWise ScreenConnect CVE-2024-1708. It detects the creation of files with .ASPX or .ASHX extensions in the Program Files (x86)\ScreenConnect\App_Extensions\ directory, which is unusual behavior that ScreenConnect does not perform as part of normal operation.

    Detection Rule Name: NEW - ConnectWise ScreenConnect SetupWizard User Database Modification CVE-2024-1709
    Details: This new P1 detection rule alerts when a device shows activity related to potential exploitation of ConnectWise ScreenConnect CVE-2024-1709.
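The two ConnectWise rules above state the conditions they match: a request to SetupWizard.aspx with a trailing path, and a .ASPX/.ASHX file created under the App_Extensions directory. The following is an added example, not the vendor's rule logic, that implements both checks in Python over constructed log lines and file-creation events; the access-log format, hostnames and sample paths are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed Apache-style access log lines for illustration (not real traffic).
ACCESS_LOG = """\
10.0.0.5 - - [20/Feb/2024:10:01:02 +0000] "GET /SetupWizard.aspx HTTP/1.1" 200 4123
10.0.0.7 - - [20/Feb/2024:10:01:09 +0000] "POST /SetupWizard.aspx/ HTTP/1.1" 200 512
10.0.0.9 - - [20/Feb/2024:10:02:30 +0000] "GET /SetupWizard.aspx/extra?x=1 HTTP/1.1" 200 77
10.0.0.3 - - [20/Feb/2024:10:03:00 +0000] "GET /Login HTTP/1.1" 302 0
"""

# Constructed file-creation events (hostnames and file names are assumptions).
FILE_EVENTS = [
    {"host": "srv01", "path": r"C:\Program Files (x86)\ScreenConnect\App_Extensions\8f1b\Bin\page.aspx"},
    {"host": "srv01", "path": r"C:\Program Files (x86)\ScreenConnect\App_Extensions\8f1b\Manifest.xml"},
    {"host": "srv02", "path": r"C:\inetpub\wwwroot\index.aspx"},
]

# Common Log Format: client, identd, user, [timestamp], "METHOD target PROTO", status.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# CVE-2024-1709 rule condition: SetupWizard.aspx followed by a trailing path.
# IIS resolves paths case-insensitively, so the check ignores case as well.
TRAILING_PATH_RE = re.compile(r"/setupwizard\.aspx/", re.IGNORECASE)
# CVE-2024-1708 rule condition: .aspx/.ashx written under App_Extensions (default install path).
APP_EXT_DIR = "\\program files (x86)\\screenconnect\\app_extensions\\"


def setup_wizard_trailing_path(line):
    """Return (client_ip, path) when the request hits SetupWizard.aspx with a trailing path."""
    m = CLF_RE.match(line)
    if not m:
        return None  # unparsable line: skip rather than alert
    path = urlsplit(m.group("target")).path  # drop the query string before matching
    return (m.group("ip"), path) if TRAILING_PATH_RE.search(path) else None


def scan_access_log(text):
    """Apply the SetupWizard check to every line; returns the list of hits."""
    return [h for h in map(setup_wizard_trailing_path, text.splitlines()) if h]


def suspicious_extension_write(path):
    """True when a .aspx/.ashx file lands anywhere in the ScreenConnect App_Extensions tree."""
    p = path.lower().replace("/", "\\")
    return APP_EXT_DIR in p and p.endswith((".aspx", ".ashx"))


def scan_file_events(events):
    """Return (host, path) for each file-creation event matching the App_Extensions check."""
    return [(e["host"], e["path"]) for e in events if suspicious_extension_write(e["path"])]
```

Requests to SetupWizard.aspx itself are not flagged, which mirrors the rule's "trailing path" condition; only the two hits with a path segment after the page name are returned.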

    Log Type: Google GSuite

    Detection Rule Name: NEW - Google Workspace: Suspicious Login
    Details: This new P3 detection rule alerts when Google flags a suspicious login for a user.

    Detection Rule Name: NEW - Google Workspace: Login from Outside the U.S.
    Details: This new default-disabled detection rule alerts when a user has logged in to Google Workspace from outside of the U.S.

    Detection Rule Name: NEW - Google Workspace: Impossible Travel Login
    Details: This new P2 detection rule alerts when one or more Google Workspace users exhibit behavior matching impossible travel activity, meaning logins or access attempts from different geographic locations within an unrealistically short timeframe, which indicates potential malicious activity.

    Log Type: Microsoft 365 Azure AD

    Detection Rule Name: NEW - Microsoft 365: Login Blocked due to Conditional Access Policy
    Details: This new operational detection rule triggers when a user attempts to log in but is blocked by a Conditional Access policy.

    Detection Rule Name: NEW - Microsoft 365: MFA Change of Method
    Details: This new default-disabled detection alerts when a user changes their MFA methods, with details in the info evidence field showing which methods the user selected.

    Detection Rule Name: NEW - Microsoft 365: Successful Login Using Commonly Targeted Account Name
    Details: This new default-disabled detection alerts when there is a successful login to a user account that is part of a "watchlist" of account types commonly targeted in password spraying and brute force attacks. That list includes shared, service, or test accounts, which are vulnerable to account takeover due to their shared or temporary status.

    Log Type: Multi-Source

    Detection Rule Name: NEW - DFIR Report: SocGholish Command and Control
    Details: This new P2 detection rule alerts when there is traffic on your network to a known command and control server that is likely related to the SocGholish infrastructure.

    Detection Rule Name: NEW - Discovery via ADGet
    Details: This new P1 detection rule alerts when a process runs that is associated with ADGet, which threat actors leverage to gather information about Active Directory users, computers, domains, and trusts. The tool exports Active Directory data to a Zip archive.

    Detection Rule Name: NEW - Execution of Cisco Jabber ProcessDump
    Details: This new P2 detection rule alerts when the ProcessDump.exe utility bundled with Cisco Jabber is executed on a device. Threat actors could abuse this utility to dump the memory of any running process.

    Detection Rule Name: NEW - Invocation of Sudo for Windows
    Details: This new P3 detection rule alerts when a user is seen invoking Sudo for Windows on a device.

    Detection Rule Name: NEW - PUA: Restic Backup Activity
    Details: This new P3 detection rule alerts when a user is seen executing the application restic on a device. Although restic is used to make backups for legitimate purposes, threat actors have also leveraged it to exfiltrate data.

    Detection Rule Name: NEW - Remote Access Tool: NetSupport Manager
    Details: This new default-disabled rule monitors for NetSupport Manager being launched from suspicious locations.

    Detection Rule Name: NEW - Suspicious Invocation of Finger.exe
    Details: This new P2 detection alerts when Finger.exe has been launched on a device. Finger is now leveraged by threat actors to drop malware or exfiltrate data from a host more often than it is used for non-malicious purposes.

    Log Type: Sophos XG

    Detection Rule Name: NEW - Sophos XG: Firewall Rule Configuration Change
    Details: This new default-disabled detection rule monitors for changes to Sophos XG firewall rules. A global report by the same name was released as well, for auditing via a scheduled report.

    Log Type: Windows

    Detection Rule Name: NEW - Share Enumeration Write Access Check via SoftPerfect Network Scanner
    Details: This new P3 detection rule alerts when a signature matching SoftPerfect Network Scanner scanning activity is observed on a device.

    Bug Fixes and Improvements

    We have improved and expanded parsing of data from the following integrations:

    • Carbon Black Endpoint Standard
    • Cisco Meraki Firewall
    • Sophos XG Firewall
    • WatchGuard Firebox Firewall

    January Highlights

    In case you missed the January updates, you can find and review those notes here.
