This page contains information about new content released in the last month, and improvements and bug fixes to existing content.
This information, and information about all existing content, can also be found in the Knowledge Center in the Hunters portal.

New Content

Each entry lists the category and name of the new content, its description, its prerequisites, and where it can be found.

Detector: AWS GuardDuty Kubernetes Native Alert
Description: Native GuardDuty alert of the finding type Kubernetes.
Prerequisites:
  • GuardDuty Alerts
Where it can be found: Leads page - AWS leads; SOC Queue

Detector: Suspicious Execution from Windows Public Folder
Description: Detects execution of commonly abused binaries (wscript.exe, cscript.exe, mshta.exe, rundll32.exe, regsvr32.exe, cmstp.exe, at.exe, msxsl.exe, regsvcs.exe, regasm.exe, pwsh.exe, installutil.exe) with the %Users\Public% path in their command line. This is a world-writable path that is often abused by attackers.
Prerequisites:
  • EDR logs
Where it can be found: Leads page - Enterprise Network leads
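The matching logic of the Public-folder detector, as an added example in Python (not Hunters' own detector code). It assumes EDR process-creation events arrive as JSON lines with `host`, `image` and `command_line` fields (constructed names), and matches the image basename against the listed binaries plus a `\Users\Public\` component in the command line, normalizing slashes and case and requiring the trailing separator so sibling folders are not matched.

```python
import json
import ntpath

# Binaries the detector watches (the list from the page).
WATCHED_BINARIES = {
    "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
    "cmstp.exe", "at.exe", "msxsl.exe", "regsvcs.exe", "regasm.exe",
    "pwsh.exe", "installutil.exe",
}

# The trailing separator matters: "C:\Users\Publicity\..." must not match.
PUBLIC_MARKER = "\\users\\public\\"

def _normalize(path: str) -> str:
    """Fold slash style and case so C:/USERS/Public/x and c:\\users\\public\\x compare equal."""
    return path.replace("/", "\\").lower()

def is_suspicious(event: dict) -> bool:
    """True when a watched binary runs with a \\Users\\Public\\ path in its command line."""
    image = ntpath.basename(_normalize(event.get("image", "")))
    if image not in WATCHED_BINARIES:
        return False
    return PUBLIC_MARKER in _normalize(event.get("command_line", ""))

def scan(lines):
    """Return (host, image basename, command line) for every matching JSON event line."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        if is_suspicious(event):
            hits.append((event["host"], ntpath.basename(event["image"]), event["command_line"]))
    return hits

# Constructed sample events (assumed field names; not real telemetry).
SAMPLE_EVENTS = [
    '{"host":"ws01","image":"C:\\\\Windows\\\\System32\\\\wscript.exe","command_line":"wscript.exe C:\\\\Users\\\\Public\\\\update.vbs"}',
    '{"host":"ws02","image":"C:\\\\Windows\\\\System32\\\\rundll32.exe","command_line":"rundll32.exe c:/users/public/lib.dll,Start"}',
    '{"host":"ws03","image":"C:\\\\Windows\\\\System32\\\\rundll32.exe","command_line":"rundll32.exe shell32.dll,Control_RunDLL"}',
    '{"host":"ws04","image":"C:\\\\Windows\\\\notepad.exe","command_line":"notepad.exe C:\\\\Users\\\\Public\\\\notes.txt"}',
    '{"host":"ws05","image":"C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe","command_line":"pwsh.exe -File C:\\\\Users\\\\Publicity\\\\a.ps1"}',
]

if __name__ == "__main__":
    for host, image, cmd in scan(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {cmd}")
```

Only ws01 and ws02 match: ws03 has no Public path, ws04 is not a watched binary, and ws05 runs from a sibling folder whose name merely starts with "Public".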

Detector: DNS Server Data Exfiltration
Description: Detects suspected data exfiltration over the DNS protocol.
Prerequisites:
  • DNS query logs
Where it can be found: Leads page - Enterprise Network leads

Detector: Suspected Pwnkit Exploitation CVE-2021-4034
Description: Detects Pwnkit exploitation attempts, observed in the EDR logs as pkexec process executions without proper argument validation.
Prerequisites:
  • EDR logs
Where it can be found: Leads page - Enterprise Network leads

Drilldown: Organizational Local Username Creation Prevalence
Description: Summarizes the data on the creation of a user across all of the EDR agents in the organization.
Prerequisites:
  • EDR logs
Where it can be found: Entities enrichments - under the Employee, OSUser and Process entities (when they include the OS username).

Drilldown: Local User Creation Details
Description: Summarizes details on the creation of a user.
Prerequisites:
  • EDR logs
Where it can be found: Entities enrichments - under the Employee, OSUser and Process entities (when they include the OS username).

Detector: TCC DB File Manipulation
Description: Detects possible abuse of the macOS system file TCC.db, which controls application access to certain features. The detector covers two different behaviors:
  • A local SSH connection (by the machine to itself), followed by manipulation of the TCC.db. This behavior is commonly used by attackers, since local SSH connections grant Full Disk Access on macOS devices by default.
  • Manipulation of the TCC.db (e.g. copying it to another location), followed by an SQLite command that inserts values into a table called Access. This is also common attacker behavior, used to manipulate the DB in a different location or under a different name.
Prerequisites:
  • EDR logs
Where it can be found: Leads page - Enterprise Network leads

Detector: Microsoft 365 Defender Endpoint Alerts
Description: Integration with the new version of Microsoft 365 Defender alerts for EDR events.
Prerequisites:
  • Microsoft 365 Defender Alert logs
Where it can be found: Leads page - Enterprise Network leads

Improvements and Bugfixes

  • Improved query performance of “IP IOC Found in Network Traffic Events” detector.

  • Improved “Okta Sessions from Email” auto-investigation to extract “Accessed App Names” and “Denied App Names” attributes for each session as well.

  • Improvements for story connections between different Proofpoint Alerts.

  • Improvements for “CloudTrail Disruption Events” detector’s scoring logic.

  • Fixed Domain enrichments for CrowdStrike alerts that contain Domain IOCs.

  • Improved hostname attribution for CrowdStrike agents in customers that ingest the CrowdStrike Devices data type.

  • Fixed an issue in “Email Address Statistics” auto-investigation that caused some data to be missing.

  • Improved Email alerts scoring by excluding noisy image file names.

  • Improved Entities display of “Instance Profile Security Credentials Used by Multiple IP Addresses”.

  • Improvement for the AWS GuardDuty Alerts - the “User-Agent” attribute is now extracted whenever it exists in the alerts.

  • Added the “Lead Activity” logic to multiple G Suite and AWS aggregate detectors.

  • Improvements for the “AWS Root User Activity” detector, which now contains aggregated information about Root user activity.

  • Improvements for Carbon Black Native Alerts:

    • Deprecated detectors on specific alert types to prevent duplicate leads and reduce noise.

    • Improved Entities creation; Process Entities are now populated more consistently and successfully.