Product updates
Improvements to data source connection
- Support for multiple KMS keys in CloudFormation - Previously, when connecting a data source through an S3 bucket, you could specify only one KMS key for the bucket. Now multiple KMS keys are supported, chained with commas.
- Support for specifying a direct prefix when connecting S3 Notification-based data sources - When connecting a bucket with multiple prefixes where only some of them should be ingested by Hunters, you might want to grant Hunters permissions only for a specific prefix within the bucket. Until now, we couldn't distinguish between these prefixes, so "Test Connection" would fail because we reached a prefix we were not permitted to access. Now, when connecting such a bucket, you can explicitly specify which prefix we should look at for the test to complete successfully.
Integrations
Qualys
Hunters now supports an additional data type from Qualys - Qualys Hosts. The Hosts information logged by Qualys includes enrichments for each host monitored by Qualys, such as the ARS (Asset Risk Score), DNS data, cloud-related data, activity and status data, and more.
The new integration includes:
- Collection of data from the Qualys API
- Transformation of the data into the data lake
Note: The source is not currently mapped to an alert, the unified schema, or IOC Search, as it was not found relevant for these use cases.
Box
A new integration was added to Hunters - Box. Box develops and markets cloud-based content management, collaboration, and file-sharing tools for businesses.
The new integration includes:
- 3 data types: Box Users, Box Groups, and Box Events.
- All data types are collected via the Box API and are ingested into the data lake.
- The Box Events data type is mapped to the Hunters login schema, so it automatically benefits from all existing out-of-the-box login-based detections.
- The Box Events data type is mapped to the IOC Search feature.
Linux AuditD
The Linux AuditD Integration in Hunters was upgraded:
- The integration is now open in self-service ingestion.
- The full raw key-value object is now parsed and added to the table, giving access to the various fields of the different event types.
Linux Mail Logs
A new integration for Linux Mail Logs was added, which includes:
- Ingestion of the data stored on Linux machines under /var/log/maillog.
- The data is mapped to the Hunters Email schema and is leveraged in email-related enrichments.
- The data is mapped to the IOC Search feature.
Detection
New Detectors
🔎 Web Application SQL Injection
Detector ID: web_server_sql_injection
This new detector was built to detect SQL injection attempts in web requests. SQLi is a web security vulnerability that allows an attacker to interfere with the queries an application makes to its database. It generally allows an attacker to view data they are not normally able to retrieve, or to modify or delete data, causing persistent changes to the application's content or behavior.
The detector looks for SQL injection attempts based on the web requests unified schema.
🔎 Suspicious Cloud Function Modification From GCP Storage Bucket
Detector ID: gcp_cloud_function_modified_from_storage
By design, the source code of Cloud Functions is stored in Cloud Storage, either in a default storage bucket or in a pre-defined storage instance. An actor with the appropriate permission on that storage instance can read and modify the source code directly in storage, and thereby gain access to the service account attached to the function to escalate privileges or establish long-term persistence.
The detector catches modification of Cloud Function source code directly in GCP Storage, bypassing the Cloud Functions API. Since modification of objects isn't logged in GCP audit logs, the detector relies on a correlation: an automatic build operation that follows a source code update, without a corresponding UpdateFunction or CreateFunction API call preceding it.
This detection logic is completely unique and exclusive to Hunters, and it is based on Axon research around Cloud Functions in this quarter.
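As an added illustration of the correlation described above (example code written for this page, not Hunters' own detector), the following Python flags a Cloud Build run for a function that was not preceded by a CreateFunction or UpdateFunction call within a lookback window. The sample events, the method names, and the way the function name is attached to a build event are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Method names follow GCP's public API naming but are assumed here rather
# than taken from the page; the real detector's field names may differ.
FUNCTION_API_METHODS = {
    "google.cloud.functions.v1.CloudFunctionsService.CreateFunction",
    "google.cloud.functions.v1.CloudFunctionsService.UpdateFunction",
}
BUILD_METHOD = "google.devtools.cloudbuild.v1.CloudBuild.CreateBuild"

# Constructed sample audit events, reduced to the fields the correlation
# needs. "function" on a build event is assumed to be derived from the
# build's metadata (e.g. its tags); it is not a native audit log field.
SAMPLE_EVENTS = [
    {"ts": "2023-05-01T10:00:00Z", "function": "billing-hook",
     "method": "google.cloud.functions.v1.CloudFunctionsService.UpdateFunction"},
    {"ts": "2023-05-01T10:00:25Z", "function": "billing-hook",
     "method": BUILD_METHOD},                       # explained by the update
    {"ts": "2023-05-01T11:00:00Z", "function": "report-job",
     "method": "google.cloud.functions.v1.CloudFunctionsService.CreateFunction"},
    {"ts": "2023-05-01T11:30:00Z", "function": "report-job",
     "method": BUILD_METHOD},                       # API call too long ago
    {"ts": "2023-05-01T14:30:00Z", "function": "export-job",
     "method": BUILD_METHOD},                       # no API call at all
]


def parse_ts(value):
    """Parse the RFC 3339 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_unexplained_builds(events, lookback=timedelta(minutes=10)):
    """Return build events for which no Create/UpdateFunction call for the
    same function was seen within `lookback` before the build."""
    last_api_call = {}  # function name -> time of its latest API change
    suspicious = []
    for event in sorted(events, key=lambda e: parse_ts(e["ts"])):
        when = parse_ts(event["ts"])
        if event["method"] in FUNCTION_API_METHODS:
            last_api_call[event["function"]] = when
        elif event["method"] == BUILD_METHOD:
            prior = last_api_call.get(event["function"])
            if prior is None or when - prior > lookback:
                suspicious.append(event)
    return suspicious


if __name__ == "__main__":
    for hit in find_unexplained_builds(SAMPLE_EVENTS):
        print(f"{hit['ts']} build of {hit['function']} without a preceding API call")
```

In a real deployment the lookback window should be tuned to how long the function deployment pipeline normally takes between the API call and the build start.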
Modified detectors
🔎 Commandline with Suspicious PowerShell Flags
Detector ID: edr_powershell_suspicious_flags
The detector coverage was enhanced and will now also look for flags indicating PowerShell downgrade attempts, such as -v 2, -version 2, and more.
We also used the opportunity to filter out some false positive cases, so the detector is now 30% less noisy.
🔎 File Accessed via RDP Share
Detector ID: edr_file_accessed_via_rdp_share
The detector now looks only at accesses to \\tsclient, without including accesses to sub-folders or files named tsclient.
In addition, we exclude accesses initiated by the Acrobat application, since they don't align with the detection thesis.
These modifications are expected to reduce noise by 50%-60%.