Alert Pack - Execution for Devo

Related products: Devo Platform
The Devo SciSec Team (Devo's Threat Research Team) has released our fourth Alert Pack, available in all Devo domains. This pack brings our SecOps-related content to customers who do not use Devo SecOps and can help jumpstart your threat coverage.

Alert Pack - Execution

This release brings a set of detections that alert when an attacker tries to execute malicious scripts or malware. They give your team actionable information on activity such as keylogging scripts and malware downloads, attacks whose aim is to take your systems down or steal information.

Complete information on this threat vector is available in the MITRE ATT&CK description of the Execution tactic (TA0002), quoted below:

“Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.”

Download it now directly from Devo Exchange.

See the full release notes for details of every alert in this Alert Pack.

Here is a sample of a few of the alerts included:

SecOpsO365PowerShellActivity - Fires on PowerShell activity observed in the Office 365 environment.

SecOpsWinExecVbsScript - Detects suspicious script execution by wscript.exe and cscript.exe (Windows Script Host). Adversaries use these hosts to run malicious code, including for persistence or privilege escalation.

SecOpsWinSchtasksRemoteSystem - Detects command-line flags passed to schtasks.exe that indicate a task is being scheduled on a remote system.

SecOpsWinScheduledTaskCreation - Detects when a scheduled task is created in Windows.

SecOpsAzureAutomationWebhookCreated - Identifies the creation of an Azure Automation webhook, which an attacker could leverage to execute arbitrary code in the Azure environment.
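The three Windows alerts above say what they look for but not how such a check is evaluated against telemetry. The following is an added example written for this page, not Devo's alert logic or LINQ: a small Python pass over constructed, simplified process-creation events that approximates the schtasks remote-target check, the scheduled-task-creation check, and the wscript/cscript check. The event field names (host, image, command_line), the sample command lines, and the exact suspicious-path heuristics are assumptions made for the demonstration; the schtasks /S switch and the wscript //B and //E: options are real Windows behaviour.

```python
"""Toy detections for three Windows alerts listed above, run over constructed
process-creation events. Added example for this page, not Devo's alert logic:
the event layout (host / image / command_line) and every sample command line
are assumptions made for the demonstration."""
import re

# Constructed, simplified Sysmon Event ID 1-style events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS-042", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /Create /S FILESRV01 /U corp\svc_backup /P Pa55 '
                     r'/TN Updater /TR "C:\Users\Public\u.exe" /SC ONCE /ST 00:00'},
    {"host": "WS-042", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r"schtasks /Create /TN NightlyBackup /TR C:\Tools\backup.exe /SC DAILY /ST 23:00"},
    {"host": "WS-042", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r"schtasks /Query /S FILESRV01 /FO LIST"},
    {"host": "WS-042", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r"schtasks /Create /S WS-042 /TN LocalJob /TR C:\Tools\job.exe /SC ONSTART"},
    {"host": "WS-017", "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Users\bob\AppData\Local\Temp\invoice.vbs"'},
    {"host": "WS-017", "image": r"C:\Windows\System32\cscript.exe",
     "command_line": r'cscript.exe //NoLogo "C:\Program Files\Vendor\inventory.vbs"'},
    {"host": "WS-017", "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe //B //E:jscript C:\Users\Public\readme.txt"},
]

_TOKEN_RE = re.compile(r'"[^"]*"|\S+')

def tokenize(command_line):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in _TOKEN_RE.findall(command_line)]

def basename(path):
    """Lower-case file name of an image path, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

# Values of /S that schtasks treats as the local machine, not a remote target.
LOCAL_TARGETS = {"", ".", "localhost", "127.0.0.1"}

def detect_schtasks(event):
    """Alert names fired by a schtasks.exe event ([] if none)."""
    if basename(event["image"]) != "schtasks.exe":
        return []
    tokens = tokenize(event["command_line"])
    lowered = [t.lower() for t in tokens]
    if "/create" not in lowered:
        return []  # /Query, /Run or /Delete against a remote host: out of scope
    alerts = ["WinScheduledTaskCreation"]
    for i, tok in enumerate(lowered):
        # "/S system" names the machine the task is created on; compare it with
        # the reporting host so that "/S <own name>" is not flagged as remote.
        if tok == "/s" and i + 1 < len(tokens):
            target = tokens[i + 1].lstrip("\\").lower()
            if target not in LOCAL_TARGETS and target != event["host"].lower():
                alerts.append("WinSchtasksRemoteSystem")
    return alerts

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")
USER_WRITABLE = ("\\temp\\", "\\downloads\\", "\\appdata\\",
                 "\\users\\public\\", "\\programdata\\")

def detect_script_host(event):
    """Reasons a wscript/cscript launch looks suspicious ([] means benign)."""
    if basename(event["image"]) not in SCRIPT_HOSTS:
        return []
    tokens = tokenize(event["command_line"])
    options = {t.lower() for t in tokens[1:] if t.startswith("/")}
    scripts = [t for t in tokens[1:] if not t.startswith("/")]
    if not scripts:
        return []
    script = scripts[0].lower()
    reasons = []
    if not script.endswith(SCRIPT_EXTS):
        reasons.append("script file lacks a WSH extension")
    if any(d in script for d in USER_WRITABLE):
        reasons.append("script in user-writable directory")
    if script.startswith("\\\\"):
        reasons.append("script loaded from a UNC path")
    if "//b" in options:
        reasons.append("//B batch mode suppresses errors and prompts")
    if any(o.startswith("//e:") for o in options):
        reasons.append("//E: forces a script engine regardless of extension")
    return reasons

def run_detections(events):
    """Evaluate every event; return (alert, host, detail) findings in order."""
    findings = []
    for ev in events:
        for alert in detect_schtasks(ev):
            findings.append((alert, ev["host"], ev["command_line"]))
        reasons = detect_script_host(ev)
        if reasons:
            findings.append(("WinExecVbsScript", ev["host"], "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for alert, host, detail in run_detections(SAMPLE_EVENTS):
        print(f"{alert:26} {host:7} {detail}")
```

Two points worth noting when tuning alerts like these in production: the remote-schtasks check only fires on /Create, so a /Query or /Run against a remote host is deliberately not treated as scheduling, and the script-host check reports the reasons it fired so an analyst can separate a vendor script in Program Files from a payload launched out of a Temp directory with //B and //E:.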
