This page contains information about new content released in the last month, and improvements and bug fixes to existing content.
This information, and information about all existing content, can also be found in the Knowledge Center in the Hunters portal.

New Content

Category: Detector
Name: Prisma Native AWS Alerts
Description: Native alerts raised by Prisma Cloud CSPM for AWS.
Prerequisites: Prisma Cloud Alerts
Where it can be found: Leads page, under AWS leads

Category: Detector
Name: Prisma Native Azure Alerts
Description: Native alerts raised by Prisma Cloud CSPM for Azure.
Prerequisites: Prisma Cloud Alerts
Where it can be found: Leads page, under Azure leads

Category: Detector
Name: Suspicious Named Pipe Usage (Possible CobaltStrike or Meterpreter)
Description: Detects the use of Mimikatz or of the Meterpreter/Cobalt Strike getsystem command (technique number 1) by matching a suspicious named-pipe pattern.
Prerequisites: EDR Logs
Where it can be found: Leads page, under Enterprise Network leads

Category: Detector
Name: Getsystem Command Execution via Meterpreter or Cobalt Strike
Description: Detects a DLL being dropped to create a client with SYSTEM user privileges and then loaded with rundll32.exe. This privilege escalation method is commonly used by the Meterpreter or Cobalt Strike getsystem command (technique number 2).
Prerequisites: EDR Logs
Where it can be found: Leads page, under Enterprise Network leads

Category: Detector
Name: Cobalt Strike DNS Beacon Detected
Description: Detects suspicious DNS queries known to be issued by Cobalt Strike beacons.
Prerequisites: DNS Query Logs, CrowdStrike Logs
Where it can be found: Leads page, under Enterprise Network leads

Category: Detector
Name: SOCKS Proxy Usage
Description: Detects a remote network logon from a localhost IP address, which indicates that a proxy server is running on the remote host.
Prerequisites: Windows Event Logs
Where it can be found: Leads page, under Enterprise Network leads

Category: Detector
Name: Reflective DLL Open Process
Description: Detects a process opening another process after having loaded a DLL reflectively. Adversaries may reflectively load code into a process to conceal the execution of malicious payloads.
Prerequisites: CrowdStrike Logs
Where it can be found: Leads page, under Enterprise Network leads

Category: Drilldown
Name: User SID Info
Description: Provides additional information on Windows user accounts when a windows_user_sid attribute is found in the lead. The result gives security context that helps determine whether the user is a built-in account and what its permissions are.
Prerequisites: EDR Logs
Where it can be found: Entity enrichment for Process and OSUser

Category: Drilldown
Name: Username Prevalence
Description: Provides insight into the organizational prevalence of a specific username. The drilldown's main focus is finding consecutive periods of time in which the user was active.
Prerequisites: EDR Logs
Where it can be found: Activity enrichment for OSUser

Improvements and Bugfixes

  • The scoring for the detector “Okta Admin Privilege Granted” was fixed; an internal parsing issue was resolved.

  • Improved graph connectivity between computer hostnames that appear in only one EDR agent.

  • The detector “IAM Action Failed with Access Denied” was deprecated.

  • The detector “Access from Unauthorized OS Version” was deprecated.

  • The detector “New Service Created on Domain Controller” was deprecated.

  • Added new asset tags for common servers, based on process names:

    • VMWare vCenter Server

    • Citrix Delivery Controller Server

    • AD Certificate Services Server

    • Azure AD Connect Server

  • Added new asset tags for Server OS:

    • Windows Server

    • Linux Server

  • Added new asset tags for high / critical priority devices in Carbon Black.

  • Reduced false positives in the detector “Execution of Malicious PowerShell Cmdlets”.

  • Added a grid to the “Get Additional Activity by Azure Correlation ID” Drilldown to better present the activities related to the lead.

  • Improved the Drilldown “AWS Config of Resource” to increase its success rate.

  • The entity “AWS Generic Resource” was changed to include the AWS tags corresponding to it.

  • We will now automatically attempt to fill attributes for the entity “AWS Generic Resource” which have not appeared in the lead from AWS Config.

  • AWS Suspected Secrets Exfil: the Secret Usage enrichment and scoring no longer fail.