Share on:

Our incident detection engineers (IDEs) are hard at work keeping up with the latest exploits and attacker tactics, techniques and procedures (TTPs) so your team doesn’t have to. 

Our IDEs create rules based on threat-based research and observed threat actor attack paths and operations. They emulate attacks in the lab, pulling data from threat intel reports and investigating threat actor activity. Then, they craft detections based on threat actor behavior and test it across customer datasets to remove false positives and help reduce alert fatigue for our customers.

Here are a few of the latest detection rules we’ve automatically rolled out to the platform:

Microsoft 365 (Formerly Office 365)

Finding: Inbox Forwarding to External Address

Why it’s important for security:

Using email forwarding rules, attackers can collect sensitive information, as well as monitor a targeted user and gain intelligence about the user or their organization to use in further exploits, according to MITRE. This is a common tactic used in business email compromise (BEC) and could result in leaking sensitive data to an external party. This is one of the top initial threat vectors that can lead to ransomware; detecting and responding early can prevent a breach.

How Blumira helps:

Our IDEs have intentionally developed our rules to notify you of indicators of real threats to cut down on false positives. Blumira’s platform notifies you when a user has set up an email forwarding rule to send messages to external domain accounts, and provides all relevant data and a response playbook to help your teams take action immediately.

Finding: Malware Campaign Detected in SharePoint and OneDrive

Why it’s important for security:

It’s critical to detect malware files within Microsoft SharePoint, a collaboration platform, or OneDrive, a file hosting service. Identifying malware early enough can stop it from spreading throughout your organization’s environment and resulting in a compromise or data breach. Attackers often send malicious files via email attachments to targeted users.

How Blumira helps:

This rule notifies you that Microsoft 365 has identified a malicious file, providing the name of the file and location, as well as playbooks to guide you through next steps.

PowerShell (Windows)

PowerShell is a powerful Windows command-line interface and scripting environment used to automate management tasks. But threat actors also abuse PowerShell commands and scripts to execute code and discover information in your Windows environment, according to MITRE. Attacks that fall into this category are commonly known as “Living off the Land” as they use built-in administrative tools to accomplish the end goal, and can be harder to detect.

Finding: PowerShell Malicious Execution: PowerShell Empire

Why it’s important for security:

PowerShell Empire (or just Empire) is an open source remote administration and post-exploitation framework that pen testers use for legitimate reasons. The tool is also widely used by adversaries to move around a network after gaining initial access, giving them the ability to escalate privileges, steal credentials and move laterally across a network (U.K. National Cyber Security Centre). 

How Blumira helps:

PowerShell Empire can be difficult to detect on a network using traditional antivirus software due to being built on a legitimate application and operating almost entirely in memory, according to NCSC. 

Blumira can detect and provide you with contextual findings on known post-exploitation frameworks like PowerShell Empire, Cobalt Strike and PoshC2. We identify when a malicious PowerShell execution occurs in your environment, which can be a potential indicator of a threat actor moving around laterally and escalating privileges to exploit an Active Directory infrastructure. However, there are many different users of these tools, including red teams, APT actors and ransomware threat actors, which is why it’s important to investigate and verify if the use of these tools is legitimate or not.

Finding: PoshC2 Framework Module

Why it’s important for security:

PoshC2 is a remote administration and post-exploitation framework, available as open source software on GitHub. It assists penetration testers with red teaming, post-exploitation and lateral movement. The server-side components are written in Python and the implants are written in PowerShell; implants allow users to load PowerShell modules and execute commands (MITRE). 

How Blumira helps:

Attackers can also use PoshC2 to execute commands, set up persistence, conduct discovery of processes running in your environment and more. Blumira’s platform notifies you when a PowerShell module from PoshC2 is running in your environment and provides additional information on who is running it as well as identifying the specific module used, then gives you advice on how to respond. 

Finding: PowerUp Privilege Escalation Module

Why it’s important for security:

PowerUp is a module included in the PowerSploit toolkit that can explore systems for permission weaknesses in scheduled tasks and be used to escalate user privileges (MITRE). PowerSploit is an offensive security framework used in penetration testing with PowerShell modules and scripts that perform code execution, persistence, antivirus bypassing, and more.

How Blumira helps:

Blumira notifies you when it detects a PowerUp module running on a certain endpoint, run by a certain user to elevate their privileges to administrator. Early detection of this activity can help you respond faster using Blumira’s pre-built playbooks to prevent a potential attack in progress.


Finding: Hidden Files or Unusual File Attribute Action

Why it’s important for security:

Threat actors may hide files and directories as a defense evasion technique. On Linux, users can mark specific files as hidden by putting a period in front of files and folder names. 

In addition to hiding files, threat actors may modify file or directory permissions/attributes to prevent detection by access control lists (ACLs) and access-protected files. Linux allows for two primary commands to change file and directories permissions – threat actors can use these commands to make themselves the owner of files and directories, and/or lock out others. Unusual file attribute actions are also a common Linux malware tactic to avoid removal.

How Blumira helps:

Blumira detects and notifies you of potential execution of a hidden file, and provides steps to take to respond. Blumira also notifies you when it detects a command to change file permissions so your team can investigate whether or not it was normal administrative activity, or possibly malicious.

Finding: Linux Reverse Shell

Why it’s important for security:

Before stealing data, threat actors may stage data they’ve collected in one location or directory (separate files or combined in one). This technique helps them minimize the number of connections made to their C2 server to help evade detection (MITRE).

How Blumira helps:

Blumira detects when a reverse shell has been executed by a user, connecting to a remote system at certain IP addresses and ports. Using a reverse shell, attackers can stage data in one place and transmit it to look like normal traffic.

Finding: Cron Persistence

Why it’s important for security:

Cron is a Linux command-line utility that runs processes on your system at regular scheduled times (job scheduler). Threat actors can also use cron to schedule initial or recurring execution of malicious code, executing programs at system startup or on a regularly scheduled basis to maintain persistence (MITRE).

How Blumira helps:

Blumira detects and notifies you of an anomalous cron job added to your scheduler, providing the user and UID (user ID) to help you investigate further.

How Blumira Simplifies Detection & Response

Our belief is that SIEMs should help make our customers’ lives easier and not introduce unnecessary friction in their day. 

Putting that belief in action, our IDE and engineering teams actively maintain Blumira’s platform behind the scenes and add more detections on a rolling basis, as we believe it’s the responsibility of the product to support the user.

We also strive to provide useful and actionable findings to our customers with all relevant, contextual information and pre-built playbooks to guide them through response. 

Learn more about our approach and sign up for a free trial.

Security news and stories right to your inbox!