March 2023 (1)


Read about everything that's new on Hunters.

Product updates

IOC search out of Beta

We are happy to announce that the IOC search feature is now available to all Hunters customers!

IOC Search allows you to quickly search your organization’s raw data logs to determine whether a known IOC has been present in your environment. The IOC Search tool is a search bar that essentially replaces the need to run an SQL query on raw data. Quickly locating IOCs also lets you pinpoint the identities (devices, usernames, etc.) that have interacted with an IOC.

Read more about it here.

More information in the audit log

The Hunters audit log was expanded to include more verbose records of the addition, editing, and deletion of the following items:

  • Asset tag
  • Asset annotation
  • Custom rule
  • Custom analytic
  • Data source

Read more about it here.

Integrations

AWS Inspector Findings

Hunters now supports a new type of AWS log: AWS Inspector Findings. Amazon Inspector is a security assessment service provided by Amazon Web Services (AWS). It helps identify potential security vulnerabilities in your AWS resources and applications.

Learn more here.

Vectra

Vectra AI provides a Threat Detection and Response platform and services for hybrid and multi-cloud environments. Vectra Network Detection and Response (NDR), formerly called Vectra Cognito, is an AI-driven cloud and network detection and response platform.

The integration ingests Vectra NDR logs, providing the network log data and alerts generated by Vectra.

Learn more here.

Symantec

Hunters now supports a new type of log from Symantec: Cloud Secure Web Gateway Audit Logs. More details about these logs can be found here.

Learn more here.

Zscaler

Hunters now supports a new type of log from Zscaler: Zscaler ZIA DNS. These logs contain the DNS log data that the Zscaler NSS forwards to the SIEM (for more details, click here).

Learn more about Zscaler Internet Access (ZIA) here.

Detection

Azure Active Directory detection pack

Azure (along with Azure AD) is Microsoft’s cloud platform and the second-largest cloud provider in the world. Azure offers a wide variety of cloud services, and many organizations base their infrastructure on it, using Azure AD as an identity provider and for Windows endpoint management, since it is a managed version of the classic Active Directory.

Threats to cloud platforms are diverse and are covered by MITRE’s cloud matrix: Matrix - Enterprise | MITRE ATT&CK®.

In an effort to provide better coverage of possible threats on Azure, Hunters’ Security Research team created new detection opportunities in order to cover the following threats:

  • Credential Access
  • Privilege Escalation
  • Discovery
  • Exfiltration

As part of this long-term research project, the following two detectors were recently released.

Soft Match Sync to gain Access to Azure

Password Hash Synchronization (PHS) is an authentication method that synchronizes user password hashes, as well as other attributes, between on-prem AD and Azure AD. PHS enables users to use the same password to log in to both on-prem AD and Azure AD.

Normal behavior looks like this: a new user is created in on-prem AD and synced to Azure AD, resulting in a new Azure AD user (an Add user event). The two user objects then continue to sync periodically.

Threat Actors can create a new on-prem user, or modify the UPN of an existing on-prem user, so that its UPN matches an existing non-synced user on Azure AD. That may enable them to use the Soft Match Sync functionality to replicate the password of the on-prem user to the Azure user. As a result, Threat Actors can escalate their on-prem access to the Azure environment.

The detector looks for such attempts by searching for a sync between an on-prem user and an already existing cloud-only (i.e., not synced) user on Azure AD. The investigation flow consists of distinguishing between the on-prem user and its associated synced Azure user, and presenting identity and activity information for each.

Relevant data sources: Azure Audit
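A toy version of the soft-match detection logic described above, added here as an example; it is not the Hunters detector and uses constructed audit events with a simplified, assumed schema (the field names activity, initiatedBy, target and changes, and the sync initiator display name, only loosely follow the real Azure AD audit log format).

```python
# Toy soft-match detector over constructed Azure AD audit events (schema is an assumption).
SYNC_INITIATOR = "Microsoft Azure AD Connect"   # assumed display name of the sync service

AUDIT_EVENTS = [  # constructed sample events, oldest first
    # cloud-only user created directly in Azure AD by an admin
    {"activity": "Add user", "initiatedBy": "admin@corp.example",
     "target": "alice@corp.example", "changes": {}},
    # normal behaviour: a new on-prem user is synced and created in Azure AD
    {"activity": "Add user", "initiatedBy": SYNC_INITIATOR,
     "target": "bob@corp.example", "changes": {"DirSyncEnabled": [None, "true"]}},
    # routine periodic sync of bob: already synced, no state change
    {"activity": "Update user", "initiatedBy": SYNC_INITIATOR,
     "target": "bob@corp.example", "changes": {"LastDirSyncTime": ["2023-03-01", "2023-03-02"]}},
    # soft match: the sync flips an existing cloud-only user to synced
    {"activity": "Update user", "initiatedBy": SYNC_INITIATOR,
     "target": "alice@corp.example", "changes": {"DirSyncEnabled": ["false", "true"]}},
]


def _is_true(value):
    return str(value).lower() == "true"


def soft_match_alerts(events):
    """Return the UPNs of cloud-only users that a sync operation turned into synced
    users, i.e. the on-prem-to-existing-cloud-user match the detector hunts for."""
    cloud_only = set()
    alerts = []
    for ev in events:
        by_sync = ev["initiatedBy"] == SYNC_INITIATOR
        if ev["activity"] == "Add user":
            if not by_sync:
                cloud_only.add(ev["target"])        # remember users born in the cloud
            continue
        if ev["activity"] == "Update user" and by_sync:
            old, new = ev["changes"].get("DirSyncEnabled", (None, None))
            if ev["target"] in cloud_only and _is_true(new) and not _is_true(old):
                alerts.append(ev["target"])
                cloud_only.discard(ev["target"])    # now synced; alert only once
    return alerts


if __name__ == "__main__":
    print(soft_match_alerts(AUDIT_EVENTS))   # ['alice@corp.example']
```

In practice the cloud-only set would be seeded from a directory snapshot rather than rebuilt from the Add user events in the search window.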

Suspicious Sign-Ins by Azure AD Connect Sync Account

During the initial Azure AD Connect (AADC) server setup, three dedicated users are created to support the sync operation. One of these is the Azure AD Connect account, also known as the “Sync user”. This account is granted the special Directory Synchronization Accounts role and should be used only for sync tasks.

Threat actors who gain control of the AD Connect server can retrieve the Sync user’s clear-text credentials using common tools (e.g., AADInternals scripts). Next, the threat actor can leverage those credentials to access other services and attempt to elevate permissions.

The detector looks for Sign-Ins by this Sync user to services other than Microsoft Azure Active Directory Connect. Such activity is very uncommon and may indicate that the Sync user was compromised and leveraged to access other services.

Relevant data sources: Azure Sign-Ins
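A toy version of the Sync user sign-in detection above, added as an example rather than the Hunters detector itself. The sign-in records are constructed with a simplified, assumed schema (upn, app, ip); identifying the account by the default Sync_<server>_<id>@<tenant>.onmicrosoft.com naming pattern is an assumption, and resolving the members of the Directory Synchronization Accounts role is the more robust way to know which UPNs to watch.

```python
# Toy detector for AAD Connect sync-account sign-ins to other services (schema is an assumption).
import re

AADC_APP = "Microsoft Azure Active Directory Connect"
# Default naming pattern of the AAD Connect sync account (assumption; prefer role membership).
SYNC_UPN = re.compile(r"^sync_[^_@]+_[0-9a-f]+@[^@]+\.onmicrosoft\.com$", re.IGNORECASE)

SIGNINS = [  # constructed sample sign-in records
    {"upn": "Sync_AADC01_0123456789ab@corp.onmicrosoft.com", "app": AADC_APP, "ip": "10.0.0.5"},
    {"upn": "Sync_AADC01_0123456789ab@corp.onmicrosoft.com", "app": "Azure Portal", "ip": "203.0.113.7"},
    {"upn": "Sync_AADC01_0123456789ab@corp.onmicrosoft.com", "app": "Microsoft Graph PowerShell", "ip": "203.0.113.7"},
    {"upn": "alice@corp.example", "app": "Azure Portal", "ip": "10.0.0.9"},
]


def is_sync_account(upn):
    """True if the UPN looks like the default AAD Connect sync account name."""
    return bool(SYNC_UPN.match(upn))


def sync_account_alerts(signins, sync_upns=()):
    """Return sign-ins where a sync account authenticated to anything other than AAD Connect.
    sync_upns: optional explicit UPNs of sync accounts (e.g. taken from role membership),
    checked in addition to the naming-pattern heuristic."""
    known = {u.lower() for u in sync_upns}
    return [s for s in signins
            if (s["upn"].lower() in known or is_sync_account(s["upn"])) and s["app"] != AADC_APP]


def summarize(alerts):
    """Group alerting sign-ins by source IP so an analyst sees which host used the credentials."""
    by_ip = {}
    for a in alerts:
        by_ip.setdefault(a["ip"], []).append(a["app"])
    return by_ip


if __name__ == "__main__":
    print(summarize(sync_account_alerts(SIGNINS)))
    # {'203.0.113.7': ['Azure Portal', 'Microsoft Graph PowerShell']}
```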