Summary
In February, we released hundreds of new reports and over a dozen new detection rules to continue to support your organization’s security and compliance programs. We’re continuing to improve how we use logged data to quickly show where threats may exist so you can stop or contain them. This enables you to keep up with the ever-changing threat landscape while reducing the burden of creating detections and reports.
Feature and Platform Updates
Global Reports: We added 245 new reports to the Saved Reports menu in Report Builder, including the following:
- Compliance reports for CIS Controls (47), CMMC (50), FERPA (48), FINRA (49) and ISO 27001 (43)
- Four Google Workspace reports to facilitate investigations into suspicious logins after receiving related findings in the app
- “AnyDesk Process per Endpoint” report, which helps identify whether AnyDesk is running in your environment, an audit we recommend performing in response to the AnyDesk cyberattack
- Two new Microsoft 365 reports detailing the changes made to users’ MFA methods
- “Sophos XG: Firewall Rule Configuration Change” report, an alternative to the new default-disabled detection rule of the same name, for auditing configuration changes
Detection Updates
Log Type | Detection Rule Name | Details |
---|---|---|
HTTP Access (Apache/IIS/NginX) | NEW - ConnectWise ScreenConnect SetupWizard Authentication Bypass CVE-2024-1709 | This new P1 detection rule alerts when a device makes a web request to SetupWizard.aspx with a trailing path. This activity may be related to potential exploitation of ConnectWise ScreenConnect CVE-2024-1709. |
Multi-Source | NEW - ConnectWise ScreenConnect Path Traversal Exploitation CVE-2024-1708 | This new P1 detection rule alerts when a device shows activity related to potential exploitation of ConnectWise ScreenConnect CVE-2024-1708. It detects the creation of files with .ASPX or .ASHX extensions in the Program Files (x86)\ScreenConnect\App_Extensions\ directory, which is unusual behavior that is not performed by ScreenConnect as part of normal operation. |
Multi-Source | NEW - ConnectWise ScreenConnect SetupWizard User Database Modification CVE-2024-1709 | This new P1 detection rule alerts when a device shows activity related to potential exploitation of ConnectWise ScreenConnect CVE-2024-1709. |
Google GSuite | NEW - Google Workspace: Suspicious Login | This new P3 detection rule alerts when Google flags a suspicious login for a user. |
Google GSuite | NEW - Google Workspace: Login from Outside the U.S. | This new default-disabled detection rule alerts when a user has logged in to Google Workspace from outside of the U.S. |
Google GSuite | NEW - Google Workspace: Impossible Travel Login | This new P2 detection rule alerts when one or more Google Workspace users exhibit behavior matching impossible travel activity, which means logins or access attempts from different geographic locations within an unrealistically short timeframe, indicating potential malicious activity. |
Microsoft 365 Azure AD | NEW - Microsoft 365: Login Blocked due to Conditional Access Policy | This new operational detection rule triggers when a user attempts to log in but is blocked by a Conditional Access policy. |
Microsoft 365 Azure AD | NEW - Microsoft 365: MFA Change of Method | This new default-disabled detection alerts when a user changes their MFA methods, with details in the info evidence field to show which methods the user selected. |
Microsoft 365 Azure AD | NEW - Microsoft 365: Successful Login Using Commonly Targeted Account Name | This new default-disabled detection alerts when there is a successful login to a user account that is part of a "watchlist" of account types commonly targeted in password spraying and brute force attacks. That list includes shared, service, or test accounts, which are vulnerable to account takeover due to their shared or temporary status. |
Multi-source | NEW - DFIR Report: SocGholish Command and Control | This new P2 detection rule alerts when there is traffic on your network to a known command and control server that is likely related to the SocGholish infrastructure. |
Multi-source | NEW - Discovery via ADGet | This new P1 detection rule alerts when a process runs that is associated with ADGet, which is leveraged by threat actors to gather information about Active Directory users, computers, domains, and trusts. The tool exports Active Directory data to a Zip archive. |
Multi-source | NEW - Execution of Cisco Jabber ProcessDump | This new P2 detection rule alerts when Cisco Jabber-bundled ProcessDump.exe is executed on a device. This utility could be abused by threat actors to dump the memory of any running process. |
Multi-source | NEW - Invocation of Sudo for Windows | This new P3 detection rule alerts when a user is seen invoking Sudo for Windows on a device. |
Multi-source | NEW - PUA: Restic Backup Activity | This new P3 detection rule alerts when a user is seen executing the application restic on a device. Although restic is used to make backups for legitimate purposes, it has also been leveraged by threat actors to exfiltrate data. |
Multi-source | NEW - Remote Access Tool: NetSupport Manager | This new default-disabled rule monitors for NetSupport Manager being launched from suspicious locations. |
Multi-source | NEW - Suspicious Invocation of Finger.exe | This new P2 detection alerts when Finger.exe has been launched on a device. Finger.exe is now used by threat actors to drop malware or exfiltrate data from a host more often than it is used for legitimate purposes. |
Sophos XG | NEW - Sophos XG: Firewall Rule Configuration Change | This new default-disabled detection rule monitors for changes to Sophos XG firewall rules. A global report by the same name was released as well for auditing via a scheduled report. |
Windows | NEW - Share Enumeration Write Access Check via SoftPerfect Network Scanner | This new P3 detection rule alerts when a signature matching SoftPerfect Network Scanner scanning activity is observed on a device. |
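As an added illustration of the two ConnectWise ScreenConnect rules in the table (this is example code written for these notes, not the vendor's rule logic), the following Python applies the same two checks to constructed Apache/IIS-style access-log lines and file-creation paths; the log format, sample values and function names are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Apache/IIS-style combined access-log line: client IP, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# SetupWizard.aspx followed by a trailing path component (the CVE-2024-1709 pattern
# the rule describes); a bare /SetupWizard.aspx request does not match.
SETUPWIZARD_RE = re.compile(r"/SetupWizard\.aspx/", re.IGNORECASE)

# App_Extensions directory and handler extensions the CVE-2024-1708 rule watches for.
EXT_DIR = PureWindowsPath(r"C:\Program Files (x86)\ScreenConnect\App_Extensions")
HANDLER_EXTS = {".aspx", ".ashx"}

# Constructed sample data (not real telemetry); addresses are documentation ranges.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [21/Feb/2024:10:01:02 +0000] "GET /SetupWizard.aspx/ HTTP/1.1" 200 5123',
    '203.0.113.7 - - [21/Feb/2024:10:01:05 +0000] "POST /SetupWizard.aspx/x HTTP/1.1" 200 301',
    '198.51.100.4 - - [21/Feb/2024:10:02:00 +0000] "GET /Host HTTP/1.1" 200 11842',
    '198.51.100.4 - - [21/Feb/2024:10:02:30 +0000] "GET /SetupWizard.aspx HTTP/1.1" 302 0',
]
SAMPLE_FILE_CREATES = [
    r"C:\Program Files (x86)\ScreenConnect\App_Extensions\a1b2c3d4\dropped.aspx",
    r"C:\Program Files (x86)\ScreenConnect\App_Extensions\a1b2c3d4\extension.xml",
    r"C:\inetpub\wwwroot\default.aspx",
]


def flag_setupwizard_requests(lines):
    """Return (ip, method, path, status) for requests to SetupWizard.aspx with a trailing path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production rule would count these separately
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        if SETUPWIZARD_RE.search(path):
            hits.append((m.group("ip"), m.group("method"), path, int(m.group("status"))))
    return hits


def is_app_extensions_handler_write(file_path):
    """True when a .aspx/.ashx file is created anywhere under App_Extensions."""
    p = PureWindowsPath(file_path)
    return p.suffix.lower() in HANDLER_EXTS and EXT_DIR in p.parents
```

The fourth access-log line is a plain request to SetupWizard.aspx with no trailing path and is intentionally not flagged, matching the rule's scope.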
Bug Fixes and Improvements
We have improved and expanded parsing of data from the following integrations:
- Carbon Black Endpoint Standard
- Cisco Meraki Firewall
- Sophos XG Firewall
- WatchGuard Firebox Firewall
January Highlights
In case you missed the January updates, you can find and review those notes here.