2022 - April

This page contains information about new content released in the last month, and improvements and bug fixes to existing content.
This information, and information about all existing content, can also be found in the Knowledge Center in the Hunters portal.

New Content

Category	Name	Description	Prerequisites	Where it can be found
Detector	Prisma Native AWS Alerts	Native alerts by Prisma Cloud CSPM for AWS	Prisma Cloud Alerts	Leads page - under AWS leads
Detector	Prisma Native Azure Alerts	Native alerts by Prisma Cloud CSPM for Azure	Prisma Cloud Alerts	Leads page - under Azure leads
Detector	Suspicious Named Pipe Usage (Possible CobaltStrike or Meterpreter)	Detects the use of Mimikatz or getsystem Meterpreter/Cobalt Strike command - technique number 1 by detecting a suspicious pipe pattern.	EDR Logs	Leads page - Enterprise Network leads
Detector	Getsystem Command Execution via Meterpreter or Cobalt Strike	Detects dropping DLL to create a client with SYSTEM user privileges and using rundll32.exe to load it. This privilege escalation methodology is commonly used by Meterpreter or Cobalt Strike, using getsystem command - technique number 2.	EDR Logs	Leads page - Enterprise Network leads
Detector	Cobalt Strike DNS Beacon Detected	Detects suspicious DNS queries known from Cobalt Strike beacons	DNS Query Logs CrowdStrike Logs	Leads page - Enterprise Network leads
Detector	SOCKS Proxy Usage	Detects remote network logon from localhost IP address, which indicates running a proxy server on the remote host machine.	Windows Event Logs	Leads page - Enterprise Network leads
Detector	Reflective DLL Open Process	Detects opening process by a process that loaded DLL reflectively. Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads.	CrowdStrike Logs	Leads page - Enterprise Network leads
Drilldown	User SID Info	Provides additional information on Windows user accounts (when a `windows_user_sid` attribute is found in the lead). The result provides security context that may help in understanding whether the user is a built-in user and what are its permissions.	EDR Logs	Entity enrichment for Process and OSUser
Drilldown	Username Prevalence	The drilldown provides some insights on the organizational prevalence of a specific username. The DD main focus is to look for consecutive periods of time in which the user was active.	EDR Logs	Activity enrichment for OSUser

Improvements and Bugfixes

The scoring for the detector “Okta Admin Privilege Granted” was fixed. An internal parsing issue was solved.
Improved graph connectivity between computer hostnames which appear only in one EDR agent.
The detector “IAM Action Failed with Access Denied” was deprecated.
The detector “Access from Unauthorized OS Version” was deprecated.
The detector “New Service Created on Domain Controller“ was deprecated.
Added new asset tags for common servers, based on process names:
- VMWare vCenter Server
- Citrix Delivery Controller Server
- AD Certificate Services Server
- Azure AD Connect Server
Added new asset tags for Server OS:
- Windows Server
- Linux Server
Added new asset tags for high / critical priority devices in Carbon Black
Reduced false positives in detector “Execution of Malicious PowerShell Cmdlets”
Added a grid to the “Get Additional Activity by Azure Correlation ID” Drilldown to better present the activities related to the lead.
Improved the Drilldown “AWS Config of Resource” to increase its success rate.
The entity “AWS Generic Resource" was changed to include the AWS tags corresponding to it.
We will now automatically attempt to fill attributes for the entity “AWS Generic Resource” which have not appeared in the lead from AWS Config.
AWS Suspected Secrets Exfil: Secret Usage enrichment and scoring should not fail anymore.