fbpx

Blumira wanted to begin the year with a recap of how last year looked regarding the number of detections across our customers’ networks. The detections (findings, as we call them around here) found in this list are the findings we don’t consider to be operational. If we were to include our customer-specific operational findings to this list, account lockouts would take the number one spot, easily!

The goal of this article is to show our readers what we’re seeing on the attack surface. Some of the detections in this list are as simple as alerting on critical alerts from various data sources such as antivirus products, firewalls, etc., while others are very complex in their nature, relying on counting, timings, and a ton of regex (fun stuff).

Start detecting threats in hours with a free trial of Blumira’s cloud SIEM.

Free Trial

Without further ado, here are the top 10 detections we saw in 2020 based off of how many findings they triggered across the Blumira customer base.

Public to Private Recon in Individual Connections

This Finding indicates an attacker is attempting to enumerate services that are exposed to the internet. As this only matches when traffic is allowed, this means that either the firewall is set up to allow all traffic, or, the source attacker has found services that are allowed through the firewall and may be leveraged further.

Anomalous Honeypot Access

This indicates that you have an endpoint that is actively attempting to gain information about a honeypot and is likely unaware of its nature. When a honeypot detection occurs, unless the host is a known actor, the source should be acted upon immediately.

Regsvr32 Malicious DLL

Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls. It can also be used to specifically bypass process allowlisting. Malicious activity or users may take advantage of this functionality to avoid being detected by endpoint solutions because of allowlists or false positives from Windows using regsvr32.exe for normal operations.

2FA (Two-Factor) Authentication Outside of U.S.

Self-explanatory detection here. We often employ customer allowlists to cut down on false-positives caused by remote workers. Whether we’ve detected a user unexpectedly out of the country or a malicious user that gained some sort of access to a username, this finding has been very helpful and highly accurate.

Potentially Malicious Executable File

We lean heavily on endpoint security for this one. Our goal here was to bridge the gap between as many next-generation endpoint solutions as possible. We alert on high-confidence alerts from most of these endpoint solutions with this single detection.

Internal Password Spraying

When you see this finding, our best security practice recommendation is to go figure out what’s going on as soon as possible. This detection alerts our customers that a single endpoint is attempting to spray the network with random passwords. If one of these random password authentication attempts is successful, it can lead to endpoint compromise, privilege escalation, etc.

Anomalous Server Path Access

This often indicates that an attacker is attempting to enumerate paths across an internal host, in an attempt to find vulnerable or interesting objects on the server. The thresholds for this detection generally avoid scanning bots, however, in some cases, this detection may trigger bots scanning for known-shells sitting on hosts already. In case of these detections and not targeted attacks, they should be broadly blocked where possible, e.g., if from China, block Chinese traffic.

Administrator-Level Account Addition

This one in particular can be considered an operational finding that I was attempting to leave off of this list, but it’s not a daily finding your organization should be seeing. When this event occurs, you should think of this as a “sound the alarms” moment where you should be dropping everything to verify with the source user that this administrative-level account addition was expected. Sometimes it’s not a malicious action, rather an accidental one which would still warrant action on the account.

Null Session Activity

This alert identifies when a single device is contacting multiple devices anonymously to administrative shares. This is usually a tactic used in information gathering prior to an attack. We recommend tracking down {client_ip} and seeing if this is normal activity or disabling the access for this device. We also recommend disabling null sessions whenever possible – here’s guidance on how to disable null sessions in Windows.

25 Windows Account Lockouts in 12 hours

This event has historically been a direct result of Password Spraying like we saw above. Unless you have a very large network, this detection is a rare false positive. This should be correlated with the source machine performing the logins.

Prioritizing Key Security Findings to Reduce Noise

You may notice half of these detections are sourced from the internet. We don’t alert on every scan from the outside world by default, rather, we find a ton of value in letting our customers know when there appears to be a sophisticated reconnaissance attempt or attack happening against their network. If we were to alert on all scanning from the internet, there would be hundreds of findings a day for each one of our customers. One of Blumira’s top priorities with detections is to be accurate and discreet. If a customer is interested in seeing scanning from the network, we have no problem putting a detection rule together, but we inherently don’t prefer to deploy that detection by default.

We have caught many talented penetration testers and hackers using most of these Top 10 detections. Although they may be some of the most triggered findings, our Internal Password Spraying and Anomalous Access detections seem to be an attacker’s worst nightmare. We have heard firsthand from red teams that they’ve never seen some of these findings on previous penetration tests, whether a SIEM solution was present or not.

These remarks are what keep our Incident Detection Engineering team going. We in the Blue team world know that the Red team as well as attackers have the upper hand in this fight against network exploitation, but with Blumira deployed, you can rest easy knowing our detections can catch early stage attacks.

Test it out yourself with a free trial of Blumira’s cloud SIEM.

Free Trial

Security news and stories right to your inbox!