Share on:

In December, we kept the Blumira Agent energy humming with the release of several detections for Mac and Linux endpoint logs. Additionally, our Sophos Central integration is now available as a Cloud Connector, and we’ve added a new threat feed and detection rule to protect against BianLian activity.

Feature and Platform Updates

  • New Cloud Connector: We added a Sophos Central Cloud Connector to the app, so users can now send SIEM Event logs to Blumira without a sensor.
  • New Threat Feed: After reviewing the DFIR Report SQL Brute Force Leads to BlueSky Ransomware, we added a new threat feed called “DFIR Report: BianLian Command and Control.” This threat feed is used by our automated blocking feature, along with Blumira’s Dynamic Blocklists. A new detection was also added to the app to trigger findings related to entries in this threat feed.

Detection Updates

Log TypeDetection Rule NameDetails
Blumira Agent (multi-source)NEW - macOS: Potential Autostart Re-Opened Application ModificationThis new informational detection is triggered when loginwindow.plist is accessed on a device. Any unauthorized modifications to loginwindow.plist files should be investigated.
NEW - macOS: Logging Service Shut DownThis new P3 detection triggers when a device shuts down its logging service. While this may indicate a normal actuation of the logging service it may also indicate an attacker is attempting to halt evidence retrieval similar to Windows Log alerting.
NEW - macOS: UnSafe File Permissions - Chmod 777This new P3 risk detection triggers when a file has had permissions set to allow read, write, and execute to all users on the system. Setting these permissions on a file can result in unsafe modification of content or leaking of sensitive data and is not a recommended practice.
macOS: Mac User Added to Local Administrator Group via command lineThis P2 suspect detection triggers when a user has been granted administrator privileges on a device via a command-line tool. Such a method of user elevation is uncommon and potentially risky. Achieving administrative status allows the user complete control over the device, including overriding existing policies or permissions.
Bash/Zsh History ManipulationWe updated this detection rule to work with Blumira Agent logs. The detection was renamed from "Indicator: T1070.003 Bash History Manipulation" to "Bash/Zsh History Manipulation" and covers several types of history manipulation.
Indicator: T1222.002 Linux Unusual File Attribute ActionThese existing detections are now compatible with Blumira Agent logs.
Indicator: T1136.001 - New user with root UID and GIDThese existing detections are now compatible with Blumira Agent logs.
Indicator: T1222.002 Linux UnSafe File Permissions: Chmod 777These existing detections are now compatible with Blumira Agent logs.
Linux: Logging Service Shut DownThese existing detections are now compatible with Blumira Agent logs.
Execution of Python tty ShellThese existing detections are now compatible with Blumira Agent logs.
Cisco ASA SystemNEW - Cisco ASA: Excessive Authentication ErrorsThis new P2 Threat detection triggers when one or more user accounts have failed AAA authentication at an excessive rate (5+ failed logins within an hour), which could indicate a brute force attack where word lists are used to guess username/password combinations.
Microsoft 365 ExchangeNEW - Microsoft 365: Suspicious Exchange Transport Rule CreationThis new P2 Threat detection triggers when a new transport rule is created with signatures that match malicious rules used by threat actors, such as antispam header removal. To learn more about compromises related to transport rule techniques, see Microsoft’s article: Malicious OAuth applications abuse cloud email services to spread spam.
Microsoft OutlookOutlook .pst File ExportWe added an info field to the evidence for this detection to assist customers in investigating the related activity. The field will appear only when the information is available in the logs and is not null.
Microsoft WindowsNEW - Authentication by Known Attack ToolThis new P1 Suspect detection is triggered when a device authenticates to your network using a workstation with a known bad workstation name. This activity is often used to scan a network during the reconnaissance phase of an intrusion.
NEW - Disabling of Windows FirewallThis new P3 Suspect detection triggers when a device is seen disabling the Windows Firewall. Threat actors have been observed disabling firewalls to permit malicious traffic, so this activity should be investigated and validated for security.
NEW - Excessive Failed IIS Logins per UserThis new detection triggers when there are excessive failures against public web services (RDP, Exchange, etc) to surface brute force attacks.
Kerberoast attack behaviorWe updated the detection logic to make this more sensitive and performative on newer versions of Windows while also maintaining high-fidelity alerting.
Multi-sourceNEW - Dump LSASS.exe Memory using Windows Error ReportingThis new P1 Suspect detection triggers when a local administrator has used Windows Error Reporting (WerFault.exe) to perform a process dump of all running processes on the system.
NEW - DFIR Report: BianLian Command and ControlThis new P2 threat detection, which is included in Automated blocking with Blumira’s Dynamic Blocklists, triggers when traffic to a known command and control server has been observed on your network. This command and control traffic is likely related to the infrastructure of BianLian, a criminal group known for ransomware operations.

Bug Fixes and Improvements

  • Improvements in Report Builder were released, including the following:
    • a horizontal bar for scrolling the results table
    • the ability to view up to 250 rows at a time
    • queries with over 5,000 rows of results automatically sort with the most recent results first

November Highlight

In November, we announced the expansion of Blumira Agent, which can now be installed on Mac and Linux endpoints. Get maximum visibility and compliance across your organization’s fleet by deploying the agent on all of your devices!


Security news and stories right to your inbox!