2022 - March
This page contains information about new content released in the last month, and improvements and bug fixes to existing content.
This information, and information about all existing content, can also be found in the Knowledge Center in the Hunters portal.
New Content
Category | Name | Description | Prerequisites | Where it can be found |
---|---|---|---|---|
Drilldown | AWS Session Statistics | Shows a summary of all activity performed by the AWS actor during the time surrounding the lead, including actions performed by other AWS ARNs spawned by the same ARN during the session. | | Entity enrichments - under the AWS IAM User and AWS IAM Assumed Role entities. |
Drilldown | AWS Config of Resource | A generic display of the most recent AWS Config snapshot found for a given resource ARN. | | Entity enrichment for AWSIAMUser and AwsGenericResource |
Detector | Cato Networks IPS Native Alerts | Cato Networks IPS native alerts, from Cato’s network security platform. | | Leads page - Enterprise Network leads SOC Queue |
Detector | Netsh Helper DLL Registry Manipulation | Detects manipulation of the Netsh helper DLL registry values. | | Leads page - Enterprise Network leads SOC Queue |
Detector | Suspicious Scheduled Task Registered | Detects possible abuse of the Windows Scheduled Tasks mechanism. | | Leads page - Enterprise Network leads |
Detector | Commonly Abused Binary Scheduled Task Registered | Detects registration of a scheduled task that executes a built-in or "living-off-the-land" system binary of the kind commonly used in fileless attacks. | | Leads page - Enterprise Network leads |
Detector | Illusive IRM Native Alerts | Illusive IRM native alerts, from the Illusive Networks security platform. | | Leads page - SaaS leads SOC Queue |
Drilldown | Command History | Shows the commands executed by this process in the same session and context, based on CrowdStrike's CommandHistory event. | | Entity enrichment for Process |
Detector | Remote Access Software Installation | Detects installation of remote desktop support or remote access software. Threat actors often use legitimate remote access tools to access their victims. | | Leads page - Enterprise Network leads |
Scoring Model | New EDR Agent | Generic scoring layer that lowers the lead confidence if the EDR agent was first seen fewer days ago than the configured threshold (default 3). Currently applied only to the “Remote Access Software” detector, but can be used for more detectors in the future. | | Remote Access Software Installation scoring explanation. |
Improvements and Bugfixes
Allowed the “G Suite Activity Statistics” auto-investigation to run on all leads.
Fixed an issue in a few AWS auto-investigations that caused timestamps to be shown as numbers.
Improved scoring for the detector “Successful AWS Console Login without MFA or SAML”: the scoring model has been updated to increase the score when the user logging in without MFA is the root user.
Fixed display issues in the detector “Instance Profile Security Credentials Used by Multiple IP Addresses”, which sometimes failed to generate its entities.
Optimized performance and improved the success rate of the Process Tree Parents drilldown.
Exported information about the time ranges on which the drilldown “AWS ARN Session Statistics” ran.
Improved scoring for the detectors “Sharing of RDS DB/DB Cluster Snapshot”, “Sharing of EBS Snapshot” and “VPC Peering” by lowering their score for additional known third-party AWS accounts.
Improved visualization of multiple AWS drilldowns.
Improved graph (and story) connectivity between different leads from the detector “AWS GuardDuty Kubernetes Native Alert”.
Improved the execution speed of the drilldown “G Suite User Details”, which raises its success rate.