The Devo Threat Research Team has published OOTB Alerts Release 22! This release, available now from the Security Operations Content Manager, provides 9 updated detections and 2 new alerts. This update introduces powerful enhancements to fortify and monitor your security infrastructure.
To access this new content, open the Security Operations app inside Devo and navigate to the Content Manager. Here, you can search for the detection name, update your existing detections or view all the new detection details and choose to deploy the new content.
This update features several key improvements:
- New Alert: OS Credential Dumping: With our latest detection capabilities, we now provide a new alert system designed to identify instances of OS credential dumping promptly. This critical security threat, often exploited by malicious actors, can compromise sensitive login credentials. By issuing alerts for potential credential dumping activities, our system empowers users to respond swiftly, minimizing the risk of unauthorized access.
- New Alert: Detection for Traffic to Paste Bin: Recognizing the evolving threat landscape, we've incorporated detection mechanisms to monitor and flag traffic directed toward paste bin services. These platforms are frequently leveraged by adversaries for data exfiltration and sharing of sensitive information. By detecting suspicious activities related to paste bin usage, our system enables proactive intervention, safeguarding against unauthorized data dissemination.
- Regex Optimized Improvements for Window and Proxy Alerts: In this update, we've optimized regular expressions (regex) to enhance the accuracy and efficiency of window and proxy alerts. These improvements refine our detection capabilities, ensuring more precise identification of suspicious activities associated with Windows and Proxy servers. By fine-tuning regex patterns, we reduce false positives and provide users with actionable insights into potential security threats.
- Updated Field Naming for Microsoft Office365 Detections: We've revamped field naming conventions for Microsoft Office365 detection to streamline data interpretation and analysis. This update ensures consistency and clarity in identifying and responding to security events within the Office365 environment. By aligning field names with industry standards, users can easily navigate and leverage insights from our detection system to bolster their Office365 security posture.
These updates reflect our commitment to continuously enhancing our detection capabilities, empowering users to stay ahead of emerging threats, and safeguarding their digital assets effectively.
New Detections
| Name | Description | Devo Table/Data Source/Category | Change Log |
|---|---|---|---|
| SecOpsOsCredentialDumpingGsecdump | Detects well -known credential dumping tools execution via service execution events. | box.all.win | New! |
| SecOpsProxyDataExfiltrationDetection | Monitor proxy logs for connections from internal IPs to parsing or content aggregation sites known for data parsing and content. | proxy.all.access | New! |
Updated Detections
| Name | Description | Devo Table/Data Source/Category | Change Log |
|---|---|---|---|
| SecOpsAWSCreateloginprofile | Detects I fa login has been performed by a user who has been created in the last 24hrs and checks if the user creation and the login have been performed from the same IP. This behavior could indicate a privilege escalation attempt. | cloud.aws.cloudtrail | Tuned subquery parameters |
| SecOpsO365PhishAttempt | Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems | cloud.office365.management | Updated based on window logging updates |
| SecOpsO365SusMailboxDelegation | Adversaries may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules. | cloud.office365.management | Updated field naming |
| SecOpsREvilKaseyaWebShellsUploadConn | The REvil Ransomware has hit 40 service providers globally due to multiple Kaseya VSA Zero-days, the attack was pushed out via an infected IT Management update from Kaseya | proxy.all.access | Optimized regex |
| SecOpsHAFNIUMHttpPostTargetingExchangeServers | Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. | web.all.access | Optimized regex |
| SecOpsHAFNIUMWebShellsTargetingExchangeServers | Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. | web.all.access | Optimized regex |
| SecOpsREvilKaseyaWebShells | The REvil Ransomware has hit 40 service proviers globally due to multiple Kaseya VSA Zero-days. The attack was pushed out via an infected IT Management update from Kaseya | web.all.access | Optimized regex |
| SecOpsWinAdminRemoteLogon | Detects remote logins by an administrative user account. Administrative account names are tailored to the organization’s specific naming conventions. | box.all.win | Updated entity mapping |
| SecOpsWinIISWebRootProcessExecution | The execution of a process from inside a web hosting directory and indicate when adversaries upload a malicious file to the web server and run the file as a process. | box.all.win | Optimized regex |
Subscribe to Product update to never miss an update!