
Welcome to our weekly security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work creating, testing, and writing detections for you! This week, we’ve made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, we also release a monthly overview of everything that changed in the product. However, in these weekly updates we’ll focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you’re lucky.

Introduction and Overview

This week was split between research, bug fixes, two new default-enabled detections, and us sneaking in another article within an article!

New Detections

This update introduces several new detections, including:

macOS: Suspicious Plutil Activity

Plutil is a built-in macOS utility that allows administrators, developers, and other tooling to interact with property list (.plist) files. These files are used to define how applications are handled at runtime and how applications generally behave. Plist files may be modified by normal administrative activity, including by RMM and MDM software. However, threat actors have been observed leveraging plutil to modify .plist files in an attempt to modify application behavior, redirect to malicious applications, and evade defensive measures. For more information, click here.

  • Status: Enabled
  • Log type requirement: Blumira Agent for Mac

Remote Access Tool: RustDesk

RustDesk is a free and open source remote access tool used to remotely manage and support endpoints. This tool has been observed in-use by threat actors to establish remote connections to victim endpoints. If your organization does not use RustDesk as authorized remote management software, this activity should be investigated. For more information, click here.

  • Status: Enabled
  • Log type requirement: Windows/Sysmon Process logging, Blumira Agent for Windows, Blumira Agent for Linux, or Blumira Agent for Mac
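To make the two detection ideas above concrete, here is an added example (not Blumira's rule logic or schema) that runs both checks over a few constructed process-creation events: plutil invocations that rewrite a .plist are flagged unless the parent is an allowlisted RMM/MDM agent, and any RustDesk process start is flagged. The event field names, the MDM agent path and the RustDesk binary names are assumptions.

```python
import shlex
from pathlib import PurePosixPath, PureWindowsPath

# Constructed sample process-creation events; field names and paths are assumptions, not a real schema.
SAMPLE_EVENTS = [
    {"host": "mac-01", "image": "/usr/bin/plutil", "parent": "/bin/zsh",
     "cmdline": "plutil -replace LSUIElement -bool true /Users/alice/Library/Preferences/com.example.app.plist"},
    {"host": "mac-01", "image": "/usr/bin/plutil", "parent": "/bin/zsh",
     "cmdline": "plutil -lint /Library/Preferences/com.example.app.plist"},
    {"host": "mac-02", "image": "/usr/bin/plutil", "parent": "/opt/mdm/agent",
     "cmdline": "plutil -convert xml1 /Library/ManagedPrefs/policy.plist"},
    {"host": "win-07", "image": r"C:\Program Files\RustDesk\rustdesk.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "rustdesk.exe --service"},
    {"host": "win-08", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
]

PLUTIL_WRITE_MODES = {"-replace", "-insert", "-remove", "-convert"}  # modes that rewrite the plist in place
ALLOWED_PLUTIL_PARENTS = {"/opt/mdm/agent"}  # assumed RMM/MDM agent path; tune per environment
RUSTDESK_NAMES = {"rustdesk", "rustdesk.exe"}  # binary names assumed from the product's naming

def basename(path):
    """Last path component for either POSIX or Windows style paths."""
    return PureWindowsPath(path).name if "\\" in path else PurePosixPath(path).name

def detect_plutil(event):
    """Flag plutil runs that modify a .plist, unless launched by an allowlisted RMM/MDM parent."""
    if basename(event["image"]) != "plutil":
        return None
    argv = shlex.split(event["cmdline"])
    modes = PLUTIL_WRITE_MODES.intersection(argv)
    targets = [a for a in argv if a.endswith(".plist")]
    if not modes or not targets or event["parent"] in ALLOWED_PLUTIL_PARENTS:
        return None
    return {"rule": "macOS: Suspicious Plutil Activity", "host": event["host"],
            "mode": sorted(modes)[0], "target": targets[-1]}

def detect_rustdesk(event):
    """Flag RustDesk process starts; tune out hosts where it is authorized remote management software."""
    if basename(event["image"]).lower() not in RUSTDESK_NAMES:
        return None
    return {"rule": "Remote Access Tool: RustDesk", "host": event["host"],
            "parent": basename(event["parent"])}

def run_detections(events):
    """Apply every detector to every event and collect the findings."""
    return [hit for ev in events for det in (detect_plutil, detect_rustdesk) if (hit := det(ev))]
```

Read-only plutil modes such as -lint produce no finding, and the allowlist shows where an environment's own MDM tooling would be tuned out.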

IDE Content

Of course we’re going to sneak some of our other content into detection updates!

“Entra”sting Roles You’ll Want to Know About

From our newest member of the IDE team, Justin Kikani!
The article details Entra, Microsoft’s comprehensive identity management platform. Justin emphasizes the complexity of managing it, including the need for careful documentation and understanding of its evolving features and roles, especially in the wake of security incidents.
