2022 - February

This page contains information about new content released in the last month, and improvements and bug fixes to existing content.
This information, and information about all existing content, can also be found in the Knowledge Center in the Hunters portal.

New Content

Category	Name	Description	Prerequisites	Where it can be found
Detector	AWS GuardDuty Kubernetes Native Alert	Native Guard Duty alert of the finding type Kubernetes.	GuardDuty Alerts	Leads page - AWS leads SOC Queue
Detector	Suspicious Execution from Windows Public Folder	Detects execution of commonly abused binaries: wscript.exe, cscript.exe, mshta.exe, rundll32.exe, regsvr32.exe, cmstp.exe, at.exe, msxsl.exe, regsvcs.exe, regasm.exe, pwsh.exe, installutil.exe with the %Users\Public% path in their commandline. This is a world-writable path that is often abused by attackers.	EDR logs	Leads page - Enterprise Network leads.
Detector	DNS Server Data Exfiltration	Detects suspected data exfiltration over the DNS protocol.	DNS queries logs	Leads page - Enterprise Network leads
Detector	Suspected Pwnkit Exploitation CVE-2021-4034	Detects Pwnkit exploitation attempts which include pkexec process execution without proper arguments validation observed in the EDR logs	EDR logs	Leads page - Enterprise Network leads
Drilldown	Organizational Local Username Creation Prevalence	Summarizes the data on the creation of a user on all of the EDR agents in the organization.	EDR logs	Entities enrichments - under the Employee, OSUser and Process entities (when they include the OS username).
Drilldown	Local User Creation Details	Summarizes details on the creation of a user.	EDR logs	Entities enrichments - under the Employee, OSUser and Process entities (when they include the OS username).
Detector	TCC DB File Manipulation	Detects possible abuse of the macOS system file TCC.db, which is used for controlling application access to certain features. The detector detects two different behaviors: Local SSH connection (by the machine to itself), then manipulation of the TCC.db. This is a behavior commonly used by attackers since local SSH connections grant Full Disk Access in macOS devices by default. Manipulation of the TCC.db (e.g. copying to another location) and then an SQLite command that inserts values to a table called Access - this is also a common behavior by attackers, to manipulate the DB in a different location or with a different name.	EDR logs	Leads page - Enterprise Network leads
Detector	Microsoft 365 Defender Endpoint Alerts	Integration with the new version of Microsoft 365 Defender alerts for EDR events.	Microsoft 365 Defender Alert logs	Leads page - Enterprise Network leads

Improvements and Bugfixes

Improved query performance of “IP IOC Found in Network Traffic Events” detector.
Improved “Okta Sessions from Email” auto-investigation to extract “Accessed App Names” and “Denied App Names” attributes for each session as well.
Improvements for story connections between different Proofpoint Alerts.
Improvements for “CloudTrail Disruption Events” detector’s scoring logic.
Fixed Domain enrichments for CrowdStrike alerts that contain Domain IOCs.
Improved hostname attribution for CrowdStrike agents in customers that ingest the CrowdStrike Devices data type.
Fixed an issue in “Email Address Statistics” auto-investigation that caused some data to be missing.
Improved Email alerts scoring by excluding noisy image file names.
Improved Entities display of “Instance Profile Security Credentials Used by Multiple IP Addresses”.
Improvement for the AWS GuardDuty Alerts - extract the “User-Agent” attribute for whenever it exists in the alerts.
Added the “Lead Activity” logic to multiple G Suite and AWS aggregate detectors.
Improvements for “AWS Root User Activity” detector that includes changing this detector to contain aggregated information about Root user activity.
Improvements for Carbon Black Native Alerts:
- Deprecated detectors on specific alert types to prevent duplicate leads & reduce noise.
- Improved Entities creation, Process Entities population is now more consistent and successful.