This page contains information about new content released in the last month, and improvements and bug fixes to existing content.
This information, and information about all existing content, can also be found in the Knowledge Center in the Hunters portal.
Suspicious svchost.exe Execution
Detects execution of the Windows system binary svchost.exe by a suspicious parent.
Where it can be found: Leads page - Enterprise Network leads

Azure Suspected Secrets Exfil
Detects access to multiple different secrets in the Azure Key Vault by the same Azure OID within a specified time window, when a SecretList event happened nearby.
Where it can be found: Leads page - Azure leads

Java User-Agent Downloads External .class File
Detects potential successful Log4Shell attacks, where a Java-related process downloads a remote '.class' file from an external URL.
This detector looks for the ‘java’ string in the user-agent field and a URL for a ‘.class’ file.
Where it can be found: Leads page - Enterprise Network leads

Suspicious Activity Reported by User
Detects Okta alerts that indicate suspicious activity reported by the user.
Where it can be found: Leads page - SaaS leads
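
One way the "Azure Suspected Secrets Exfil" logic described above could be expressed, as an added example and not Hunters' detector code. The event tuple layout, the 10-minute window and the threshold of three distinct secrets are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values: the page only says "a specified time window".
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_SECRETS = 3

# Constructed sample events: (timestamp, caller OID, operation, secret name).
# The tuple layout is hypothetical; real Key Vault logs need mapping to it.
EVENTS = [
    ("2021-12-20T10:00:00", "oid-aaa", "SecretList", None),
    ("2021-12-20T10:00:20", "oid-aaa", "SecretGet", "db-password"),
    ("2021-12-20T10:00:40", "oid-aaa", "SecretGet", "api-key"),
    ("2021-12-20T10:01:10", "oid-aaa", "SecretGet", "storage-key"),
    # Reads three known secrets but never enumerates the vault.
    ("2021-12-20T10:05:00", "oid-bbb", "SecretGet", "db-password"),
    ("2021-12-20T10:05:05", "oid-bbb", "SecretGet", "api-key"),
    ("2021-12-20T10:05:10", "oid-bbb", "SecretGet", "storage-key"),
    # Lists, then reads the same secret repeatedly (one distinct secret).
    ("2021-12-20T09:00:00", "oid-ccc", "SecretList", None),
    ("2021-12-20T09:00:10", "oid-ccc", "SecretGet", "api-key"),
    ("2021-12-20T09:00:20", "oid-ccc", "SecretGet", "api-key"),
    # Lists at 08:00 but reads three hours later, outside the window.
    ("2021-12-20T08:00:00", "oid-ddd", "SecretList", None),
    ("2021-12-20T11:00:00", "oid-ddd", "SecretGet", "db-password"),
    ("2021-12-20T11:01:00", "oid-ddd", "SecretGet", "api-key"),
    ("2021-12-20T11:02:00", "oid-ddd", "SecretGet", "storage-key"),
]

def find_leads(events, window=WINDOW, min_secrets=MIN_DISTINCT_SECRETS):
    """Return {oid: sorted secret names} for OIDs with a SecretList event and
    at least min_secrets distinct SecretGet targets inside one time window."""
    by_oid = defaultdict(list)
    for ts, oid, op, secret in events:
        by_oid[oid].append((datetime.fromisoformat(ts), op, secret))
    leads = {}
    for oid, rows in by_oid.items():
        rows.sort(key=lambda r: r[0])
        for start, _, _ in rows:  # try a window opening at each event
            in_win = [r for r in rows if start <= r[0] <= start + window]
            listed = any(op == "SecretList" for _, op, _ in in_win)
            secrets = {s for _, op, s in in_win if op == "SecretGet"}
            if listed and len(secrets) >= min_secrets:
                leads[oid] = sorted(secrets)
                break
    return leads
```

Requiring both the enumeration and the distinct-secret count in the same window is what keeps an application that reads its own known secrets (oid-bbb here) from producing a lead.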
Added support for Automatic investigation for aggregated detectors
More than 20 aggregated detectors are now available for investigation using Automatic investigation and the Entities view.
In these detectors, the aggregated actions appear in a grid view under an activity named “Lead Activity” under the acting Entity.
Improvements and Bugfixes
Improved conditions for “Emond File Manipulation” detector.
Improved Log4shell callback detectors (WAF and then FW/EDR):
  Added support for more obfuscations and implemented a new regex to extract the malicious server from them.
  Improved detector performance.
  Added support for the new JNDI whitelisting bypass (CVE-2021-45046).
Improved IOC Lookup detectors:
  Added additional mechanisms for removing noisy false positive indicators.
  Added more indicator fields.
  Improved detector performance.
Improved Edr Suspicious Launchctl Load:
  Detects loading from the current directory, home directory, /shared or /tmp.
  Whitelist of parent processes (jamf, Adobe software).
  Prevalent values scoring model for cases of common services running in specific tenants.
Improved “Windows Situational Awareness Process Execution” detection:
  Added additional attributes - target_process_username - to the lead’s aggregate attributes, and ignore rules can be applied based on these attributes.
  Improved the detector scoring logic: if the exact same command lines ran on multiple agents in the organization, the score will be lowered relative to the number of agents where they ran.
  Removed common false positives.
  This detector now supports the Entities view like all other aggregate detectors, as mentioned above. The full process activity can be shown as a grid view under the Local Host Entity.