Back to BlogIn December, we kept the Blumira Agent energy humming with the release of several detections for Mac and Linux endpoint logs. Additionally, our Sophos Central integration is now available as a Cloud Connector, and we’ve added a new threat feed and detection rule to protect against BianLian activity.
Feature and Platform Updates
- New Cloud Connector: We added a Sophos Central Cloud Connector to the app, so users can now send SIEM Event logs to Blumira without a sensor.
- New Threat Feed: After reviewing the DFIR Report SQL Brute Force Leads to BlueSky Ransomware, we added a new threat feed called “DFIR Report: BianLian Command and Control.” This threat feed is used by our automated blocking feature, along with Blumira’s Dynamic Blocklists. A new detection was also added to the app to trigger findings related to entries in this threat feed.
Detection Updates
| Log Type | Detection Rule Name | Details |
|---|---|---|
| Blumira Agent (multi-source) | NEW - macOS: Potential Autostart Re-Opened Application Modification | This new informational detection is triggered when loginwindow.plist is accessed on a device. Any unauthorized modifications to loginwindow.plist files should be investigated. |
| NEW - macOS: Logging Service Shut Down | This new P3 detection triggers when a device shuts down its logging service. While this may indicate a normal actuation of the logging service it may also indicate an attacker is attempting to halt evidence retrieval similar to Windows Log alerting. | |
| NEW - macOS: UnSafe File Permissions - Chmod 777 | This new P3 risk detection triggers when a file has had permissions set to allow read, write, and execute to all users on the system. Setting these permissions on a file can result in unsafe modification of content or leaking of sensitive data and is not a recommended practice. | |
| macOS: Mac User Added to Local Administrator Group via command line | This P2 suspect detection triggers when a user has been granted administrator privileges on a device via a command-line tool. Such a method of user elevation is uncommon and potentially risky. Achieving administrative status allows the user complete control over the device, including overriding existing policies or permissions. | |
| Bash/Zsh History Manipulation | We updated this detection rule to work with Blumira Agent logs. The detection was renamed from "Indicator: T1070.003 Bash History Manipulation" to "Bash/Zsh History Manipulation" and covers several types of history manipulation. | |
| Indicator: T1222.002 Linux Unusual File Attribute Action | These existing detections are now compatible with Blumira Agent logs. | |
| Indicator: T1136.001 - New user with root UID and GID | These existing detections are now compatible with Blumira Agent logs. | |
| Indicator: T1222.002 Linux UnSafe File Permissions: Chmod 777 | These existing detections are now compatible with Blumira Agent logs. | |
| Linux: Logging Service Shut Down | These existing detections are now compatible with Blumira Agent logs. | |
| Execution of Python tty Shell | These existing detections are now compatible with Blumira Agent logs. | |
| Cisco ASA System | NEW - Cisco ASA: Excessive Authentication Errors | This new P2 Threat detection triggers when one or more user accounts have failed AAA authentication at an excessive rate (5+ failed logins within an hour), which could indicate a brute force attack where word lists are used to guess username/password combinations. |
| Microsoft 365 Exchange | NEW - Microsoft 365: Suspicious Exchange Transport Rule Creation | This new P2 Threat detection triggers when a new transport rule is created with signatures that match malicious rules used by threat actors, such as antispam header removal. To learn more about compromises related to transport rule techniques, see Microsoft’s article: Malicious OAuth applications abuse cloud email services to spread spam. |
| Microsoft Outlook | Outlook .pst File Export | We added an info field to the evidence for this detection to assist customers in investigating the related activity. The field will appear only when the information is available in the logs and is not null. |
| Microsoft Windows | NEW - Authentication by Known Attack Tool | This new P1 Suspect detection is triggered when a device authenticates to your network using a workstation with a known bad workstation name. This activity is often used to scan a network during the reconnaissance phase of an intrusion. |
| NEW - Disabling of Windows Firewall | This new P3 Suspect detection triggers when a device is seen disabling the Windows Firewall. Threat actors have been observed disabling firewalls to permit malicious traffic, so this activity should be investigated and validated for security. | |
| NEW - Excessive Failed IIS Logins per User | This new detection triggers when there are excessive failures against public web services (RDP, Exchange, etc) to surface brute force attacks. | |
| Kerberoast attack behavior | We updated the detection logic to make this more sensitive and performative on newer versions of Windows while also maintaining high-fidelity alerting. | |
| Multi-source | NEW - Dump LSASS.exe Memory using Windows Error Reporting | This new P1 Suspect detection triggers when a local administrator has used Windows Error Reporting (WerFault.exe) to perform a process dump of all running processes on the system. |
| NEW - DFIR Report: BianLian Command and Control | This new P2 threat detection, which is included in Automated blocking with Blumira’s Dynamic Blocklists, triggers when traffic to a known command and control server has been observed on your network. This command and control traffic is likely related to the infrastructure of BianLian, a criminal group known for ransomware operations. |
Bug Fixes and Improvements
- Improvements in Report Builder were released, including the following:
- a horizontal bar for scrolling the results table
- the ability to view up to 250 rows at a time
- queries with over 5,000 rows of results automatically sort with the most recent results first
November Highlight
In November, we announced the expansion of Blumira Agent, which can now be installed on Mac and Linux endpoints. Get maximum visibility and compliance across your organization’s fleet by deploying the agent on all of your devices!