Hello All!
The Devo Threat Research Team has just released their November OOTB Alerts for you! This release, available now from the Security Operations Content Manager, provides 15 new detections and a couple of updates to existing ones. This includes our first EDR detections!
EDR (End Point Detection and Response) is very important to monitor and detect because endpoints are used in all facets of the business and can be used to store critical information.
Read the full release notes in our Documentation portal!
[ Release notes 9 ]
Alert analyzed/updated:
| Detection name | Changes made |
| SecOpsWinWmiExecVbsScript | Updated the alert to have an enhanced detection condition. |
| SecOpsWinWmiScriptExecution | Fixed an error where the entity source IP was not properly mapped. |
Details on the new detections released can be seen below:
| Detection name | Devo table/Data Detection description source/Category |
| SecOpsBroRdpBruteFor ceSuccessHydraNcrack | Detects a successful RDP connection via Hydra or Ncrack hacking tools. ids.bro.rdp |
| SecOpsBroWinLsatUser Enumeration | Detects actors utilizing MS-LSAT Remote protocol to map security SIDs to user accounts. ids.bro.dce_rpc |
| SecOpsBroWinDceRpc eServiceCall | Detects the creation or deletion of services via RPC remote administration. Actors may create/delete services to establish a greater foothold once inside a network. ids.bro.dce_rpc |
| SecOpsBroWinDceRpc SamrEnumeration SecOpsBroSmbFirstSeenShare | Detects actors enumerating user accounts in Active Directory via Security Account Manager Remote Protocol (SAMR). ids.bro.dce_rpc Detects the first seen SMB share for an entity. Adversaries may utilize SMB shares to transport files; while not inherently malicious,
this event should be reviewed for legitimacy. ids.bro.notice |
Detects interesting hostname login events.
SecOpsBroSshInteresin gHostNameLogin
See Bro/Zeek reference for context around
interesting hostnames. ids.bro.notice
SecOpsBroHttpRequest Detects HTTP requests that contain only a ids.bro.http
| SingleHeader | single header. |
| SecOpsBroSelfSignedC ert | Detects servers responding via SSL or TLS services using self-signed certificates. ids.bro.ssl |
| SecOpsWinMemoryCorr uptionVulnerability | Detects exploitation of Microsoft Office Memory Corruption Vulnerability (CVE-2015-1641) allowing remote code execution. box.all.win |
| SecOpsWinFakeProces ses | Detects instances of known Windows processes executing outside of standard directories. Malware authors often utilize masquerading to hide malicious executables behind legitimate Windows executable names. box.all.win |
| SecOpsWinDnsExeParentProcess | Detects DNS.EXE program spawning other processes. box.all.win |
| SecOpsLinuxNOPASS WDSudoers SecOpsEDRCrowdStrik eOverwatchNotification SecOpsEDRCylanceSc oreUnsafe | Detects suspicious command lines that may add an entry to /etc/sudoers with NOPASSWD attribute in Linux platform. This requires auditd be installed and configured. box.unix Falcon Overwatch has identified suspicious activity. This has been raised for your awareness and should be investigated as edr.crowdstrike.falco normal. n An unsafe file is one that has attributes that greatly resemble malware. edr.cylance.threats |
| SecOpsO365PSTExport Alert | This detection is triggered when a user has performed an Ediscovery or exported a pst file cloud.office365.mana with sensitive information. gement |