fbpx
Share on:

While there are simply too many new detection rules added to Blumira’s platform to list, here are a few that highlight the recent work of our incident detection engineers that help with Windows and Office 365 cloud security monitoring.

We roll out new rules on a weekly cadence to keep up with evolving attacker techniques and security misconfigurations to make sure Blumira doesn’t miss any key findings in your environment. A detection is a security event that we’ve identified and alert our customers on to take action.

In each detection below, we include next steps for remediation and how it maps to the MITRE ATT&CK framework, a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.

The following detections were written by Lead Incident Detection Engineer Amanda Berlin:

Detecting Cloud Security Misconfigurations

Detection: Office 365 – New or Modified Microsoft 365 Group

A new group in Office 365 has been created or modified. A Microsoft 365 group creates a group email to collaborate. You can also add Microsoft Teams for group conversations, files, and calendars. This type of finding helps you track any misconfigurations for auditing purposes. 

Blumira’s playbook walks you through the next steps to verify if this was an approved Office 365 group addition or modification. If you aren’t able to correlate this group change with legitimate use, Blumira recommends locking the user account associated with this change and performing incident response steps to ensure no other unknown actions have been taken by this user.

See below for additional details on MITRE mapping, why it’s important to detect and how to get this detection.

Detection: Office 365 – New or Modified Distribution or Mail-Enabled Security Group

A new group in Office365 has been created or modified. A plain distribution group creates an email address for a group of people, while a mail-enabled security group is a distribution list that can also be used to control access to OneDrive and SharePoint. If it is a security group, it will be listed in evidence as that group type.

MITRE: T1136; Tactic: Persistence

Why it’s important to detect: An attacker could create an account to maintain access to targeted systems. In cloud environments, attackers may create accounts that only have access to specific services to reduce the chance of detection, according to MITRE.

How to get these detections: You can get these two detections by setting up Blumira’s Azure Event Hub and Microsoft Office 365 integrations to start collecting and analyzing logs for automated detection and response.

Detecting Windows Security Events & Misconfigurations

Detection: Suspicious PowerShell Command

Microsoft Defender for Endpoint (previously named Microsoft Defender for Endpoints) has detected a malicious PowerShell command on {devname}. To review the potentially malicious command, visit the Windows security center for more details. This type of tactic is commonly used by attackers to run malicious code, escalate permissions or move laterally throughout your network.

If this was not an approved administrative action, Blumira’s remediation guidance is to examine logs around the time of the PowerShell command execution, remove the device from the network (if possible), then perform internal incident response procedures.

MITRE: T1059.001, Tactic: Execution

Why it’s important to detect: PowerShell is a powerful command-line interface and scripting environment included in the Windows operating system. Attackers may abuse PowerShell commands and scripts to discover information, execute code and download and run executables from the internet, according to MITRE.

How to get these detections: You can get these detections by setting up Blumira’s Microsoft Defender for Endpoint integration to start collecting and analyzing logs for automated detection and response. 

Detection: A Windows Security Group Was Created or Modified      

There are two types of AD groups:

  • Active Directory Security Groups. This type of group is used to provide access to resources (security principal). For example, you want to grant a specific group access to files on a network shared folder. To do this, you need to create a security group.
  • Active Directory Distribution Groups. This type of group is used to create email distribution lists (usually used in Microsoft Exchange Server). An e-mail sent to such a group will reach all users (recipients) in the group. This type of group cannot be used to provide access to domain resources, because they are not security-enabled.
    If you are unaware of the creation/modification of this group, Blumira recommends locking the user account associated with this change and performing incident response steps to ensure no other unknown actions have been taken by this user.

MITRE: T1136; Tactic: Persistence

Why it’s important to detect: Attackers will create accounts to maintain access to targeted systems. Accounts may be created on the local system or within a domain or cloud tenant, according to MITRE. Detecting this type of activity can help identify security misconfigurations or help with auditing.

How to get these detections: You can get these detections by setting up Blumira’s Microsoft Windows integration to start collecting and analyzing logs for automated detection and response.

Related Resources

  • Cloud Security Monitoring – Blumira’s cloud SIEM platform natively integrates with cloud services to provide cloud security monitoring and detect potential cloud threats. 
  • Microsoft Security – Easily detect and respond to Microsoft security risks, exploits and threats with Blumira’s cloud SIEM. Deploy in hours, without a security team.

See these detections in action by requesting a demo of Blumira’s platform or get a free trial and easily integrate with your Microsoft and cloud services for faster detection and response.

 

Security news and stories right to your inbox!