This page contains information about new content released in the last month, and improvements and bug fixes to existing content.
This information, and information about all existing content, can also be found in the Knowledge Center in the Hunters portal.

New Content

Each entry below lists the category, name, description, prerequisites, and where the content can be found in the portal.

Category: Detector
Name: Suspicious svchost.exe Execution
Description: Detects execution of the Windows system binary svchost.exe by a suspicious parent process. Threat actors may spawn an instance of svchost.exe and use it as a host process for code injection.
Prerequisites:
  • EDR logs
Where it can be found: Leads page - Enterprise Network leads

Category: Detector
Name: Azure Suspected Secrets Exfil
Description: Detects access to multiple different secrets in Azure Key Vault by the same Azure object ID (OID) within a specified time window, when a SecretList event occurred nearby. An Azure OID requesting an abnormal number of secrets can indicate an attempt by a compromised user to exfiltrate them.
Prerequisites:
  • Azure Audit Events
  • Azure Key Vault logs enabled
Where it can be found: Leads page - Azure leads
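As an added illustration of the aggregation logic this detector describes (example code, not Hunters' own detector), the following runs a windowed check over constructed Key Vault audit events: an OID is flagged when it reads several distinct secrets inside one window that also contains a SecretList call. The field names, the threshold and the window size are assumptions.

```python
"""Added example (not Hunters' detector code): windowed count of distinct
Key Vault secrets read by one Azure object ID, with a nearby SecretList event."""
from datetime import datetime, timedelta

# Constructed sample events loosely modelled on Key Vault diagnostic logs.
# Field names (time, oid, operation, secret) are assumptions, not the real schema.
SAMPLE_EVENTS = [
    {"time": "2021-12-20T10:00:00", "oid": "aaaa-1111", "operation": "SecretList", "secret": None},
    {"time": "2021-12-20T10:00:05", "oid": "aaaa-1111", "operation": "SecretGet", "secret": "db-password"},
    {"time": "2021-12-20T10:00:06", "oid": "aaaa-1111", "operation": "SecretGet", "secret": "api-key"},
    {"time": "2021-12-20T10:00:07", "oid": "aaaa-1111", "operation": "SecretGet", "secret": "storage-key"},
    {"time": "2021-12-20T10:00:09", "oid": "aaaa-1111", "operation": "SecretGet", "secret": "smtp-cred"},
    # A service principal polling the same secret repeatedly is not distinct access.
    {"time": "2021-12-20T10:01:00", "oid": "bbbb-2222", "operation": "SecretGet", "secret": "db-password"},
    {"time": "2021-12-20T10:02:00", "oid": "bbbb-2222", "operation": "SecretGet", "secret": "db-password"},
    {"time": "2021-12-20T10:03:00", "oid": "bbbb-2222", "operation": "SecretGet", "secret": "db-password"},
    {"time": "2021-12-20T10:04:00", "oid": "bbbb-2222", "operation": "SecretGet", "secret": "db-password"},
]


def find_suspected_exfil(events, min_distinct=3, window=timedelta(minutes=10)):
    """Return one finding per OID whose events include a window of length
    `window` containing at least `min_distinct` different SecretGet targets
    and at least one SecretList call. Threshold and window are assumptions."""
    by_oid = {}
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort lexically
        ev = dict(ev, ts=datetime.fromisoformat(ev["time"]))
        by_oid.setdefault(ev["oid"], []).append(ev)

    findings = []
    for oid, evs in by_oid.items():
        for i, start in enumerate(evs):
            # Sliding window anchored at each of this OID's events.
            in_win = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            secrets = {e["secret"] for e in in_win if e["operation"] == "SecretGet"}
            listed = any(e["operation"] == "SecretList" for e in in_win)
            if len(secrets) >= min_distinct and listed:
                findings.append({"oid": oid, "window_start": start["time"],
                                 "secrets": sorted(secrets)})
                break  # one lead per OID; later windows belong to the same burst
    return findings


if __name__ == "__main__":
    for f in find_suspected_exfil(SAMPLE_EVENTS):
        print(f"{f['oid']} read {len(f['secrets'])} secrets from {f['window_start']}: {f['secrets']}")
```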

Category: Detector
Name: Java User-Agent Downloads External .class File
Description: Detects potentially successful Log4Shell attacks, in which a Java-related process downloads a remote '.class' file from an external URL. This detector looks for the string 'java' in the user-agent field together with a URL pointing to a '.class' file.
Prerequisites:
  • Proxy logs
Where it can be found: Leads page - Enterprise Network leads

Category: Detector
Name: Suspicious Activity Reported by User
Description: Detects Okta alerts which indicate suspicious activity that was reported by the user.
Prerequisites:
  • Okta logs
Where it can be found: Leads page - SaaS leads

SOC Queue

Added support for Automatic investigation of aggregated detectors

  • More than 20 aggregated detectors are now available for investigation using the Automatic investigation and the Entities view.

  • In these detectors, the aggregated actions appear in a grid view under an activity named "Lead Activity" under the acting entity.

Improvements and Bugfixes

  • Improved conditions for “Emond File Manipulation” detector.

  • Improved Log4Shell callback detectors (WAF, then FW/EDR):

    • Added support for more obfuscations and implemented a new regex to extract the malicious server address from them.

    • Improved detector performance.

    • Added support for the new JNDI whitelisting bypass (CVE-2021-45046).

  • Improved IOC Lookup detectors:

    • Added additional mechanisms for removing noisy false-positive indicators.

    • Added more indicator fields.

    • Improved detector performance.

  • Improved the "EDR Suspicious Launchctl Load" detector:

    • Detects loading from the current directory, the home directory, /shared or /tmp.

    • Added a whitelist of parent processes (Jamf, Adobe software).

    • Added a prevalent-values scoring model for cases of common services running in specific tenants.

  • Improved "Windows Situational Awareness Process Execution" detection:

    • Added additional attributes, target_process_user_sid and target_process_username, to the lead's aggregate attributes; ignore rules can be applied based on these attributes.

    • Improved the detector scoring logic: if the exact same command lines ran on multiple agents in the organization, the score is lowered relative to the number of agents on which they ran.

    • Removed common false positives.

    • This detector now supports the Entities view like all other aggregate detectors, as mentioned above. The full process activity can be shown as a grid view under the Local Host entity.