This page contains information about new content released in the last month, and improvements and bug fixes to existing content.
This information, and information about all existing content, can also be found in the Knowledge Center in the Hunters portal.

New Content

Each entry below lists its category, name, description, prerequisites, and where it can be found.

Category: Drilldown
Name: AWS Session Statistics
Description: Shows a summary of all the activity seen being done by the AWS actor during the time surrounding the lead. This includes actions done with other AWS ARNs spawned by the same ARN during the session.
Prerequisites:
  • AWS CloudTrail logs
Where it can be found: Entity enrichments, under the AWS IAM User and AWS IAM Assumed Role entities.

Category: Drilldown
Name: AWS Config of Resource
Description: A generic display of the most recent AWS Config snapshot found for a given Resource ARN.
Prerequisites:
  • AWS Config
Where it can be found: Entity enrichment for AWSIAMUser and AwsGenericResource.

Category: Detector
Name: Cato Networks IPS Native Alerts
Description: Cato Networks IPS native alerts, from Cato’s network security platform.
Prerequisites:
  • Cato Networks
Where it can be found: Leads page - Enterprise Network leads; SOC Queue.

Category: Detector
Name: Netsh Helper DLL Registry Manipulation
Description: Detects manipulations of the Netsh helper DLL registry values. Threat actors often use this registry key to establish persistence on a victim's machine.
Prerequisites:
  • EDR logs
Where it can be found: Leads page - Enterprise Network leads; SOC Queue.

Category: Detector
Name: Suspicious Scheduled Task Registered
Description: Detects possible abuse of the Windows Scheduled Tasks mechanism. The properties of the task heuristically match attacker behavior, based on triggers, task description, and common values.
Prerequisites:
  • EDR logs
  • Windows Event Logs
Where it can be found: Leads page - Enterprise Network leads.

Category: Detector
Name: Commonly Abused Binary Scheduled Task Registered
Description: Detects registration of a scheduled task that executes a built-in or "living-off-the-land" system binary commonly used in fileless attacks.
Prerequisites:
  • EDR logs
  • Windows Event Logs
Where it can be found: Leads page - Enterprise Network leads.

Category: Detector
Name: Illusive IRM Native Alerts
Description: Illusive IRM native alerts, from the Illusive Networks security platform.
Prerequisites:
  • Illusive IRM
Where it can be found: Leads page - SaaS leads; SOC Queue.

Category: Drilldown
Name: Command History
Description: Shows the commands executed by this process in the same session and context, based on CrowdStrike's CommandHistory event.
Prerequisites:
  • CrowdStrike logs
Where it can be found: Entity enrichment for Process.

Category: Detector
Name: Remote Access Software Installation
Description: Detects installation of remote desktop support or remote access software. Threat actors often use legitimate remote access tools to access their victims.
Prerequisites:
  • EDR logs
Where it can be found: Leads page - Enterprise Network leads.

Category: Scoring Model
Name: New EDR Agent
Description: Generic scoring layer that lowers the lead confidence if the EDR agent was first seen fewer days ago than the configured threshold (default 3). Currently applied only to the “Remote Access Software” detector, but can be used for more detectors in the future.
Prerequisites:
  • EDR logs
Where it can be found: Remote Access Software Installation scoring explanation.


Improvements and Bugfixes

  • Allowed the “G Suite Activity Statistics” auto-investigation to run on all leads.

  • Fixed an issue in a few AWS auto-investigations that caused timestamps to be shown as numbers.

  • Improved scoring for the detector “Successful AWS Console Login without MFA or SAML”: the scoring model has been updated to increase the score when the user logging in without MFA is the root user.

  • Fixed display issues in the detector “Instance Profile Security Credentials Used by Multiple IP Addresses”, which sometimes failed to generate its entities.

  • Optimized performance and improved the success rate of the Process Tree Parents Drilldown.

  • Exported information about the time ranges on which the Drilldown “AWS ARN Session Statistics” ran.

  • Improved scoring for the detectors “Sharing of RDS DB/DB Cluster Snapshot”, “Sharing of EBS Snapshot”, and “VPC Peering” by lowering their score for additional known third-party AWS accounts.

  • Improved visualization of multiple AWS Drilldowns.

  • Improved graph (and story) connectivity between different leads from the detector “AWS GuardDuty Kubernetes Native Alert”.

  • Improved the execution speed of the drilldown “G Suite User Details”, which raises its success rate.