New Applications for September 2018

by Community Manager on 09-11-2018 03:24 AM

Palo Alto Networks releases new App-IDs on every 3rd Tuesday of the month. As a way of letting our customers know well in advance which new App-IDs are being released, we publish the list here: New Apps for September 19 Release. We highly encourage customers to look at this link, understand which new applications are being released and, if they would like to use these in their policy, safely enable them.

We are releasing five functional App-IDs for msrpc and two functional App-IDs for Active Directory. They give visibility into these RPC services and can be used in a security policy to block an attacker's lateral movement.

  • msrpc functional App-IDs
    • ms-remote-registry, ms-scheduler – Attackers tend to use these operations to enumerate remote hosts and run commands on remote machines. By default, computers do not use these RPC services, so you can allow them only from specific sources (management servers or vulnerability scanners) or to specific destinations that require these RPC services.
    • ms-local-user-management, ms-local-security-management – You can allow these App-IDs only to DCs and between DCs. This reduces the attack surface for attackers using BloodHound and other automated enumeration methods to find a way to gain domain controller access.
  • active-directory functional App-IDs
    • ms-dc-replication – Attackers might abuse this RPC service to dump Active Directory data using DCSync or shadow DC techniques. By whitelisting this App-ID only to DCs (as both sources and destinations), you can reduce the attack surface.
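The policy design described above, written out as PAN-OS CLI configuration. This is an added example and not part of the original post or Palo Alto Networks' documentation; the zone name (trust), address object names and IP addresses are constructed placeholders, and only the App-ID names come from the post.

```text
# Added example: restrict the new msrpc / Active Directory functional
# App-IDs to the hosts that legitimately need them. Zone, object names
# and IPs are constructed placeholders, not values from the post.
configure

# Domain controllers, and the admin hosts allowed to use remote RPC services
set address dc-01 ip-netmask 10.0.10.11/32
set address dc-02 ip-netmask 10.0.10.12/32
set address-group domain-controllers static [ dc-01 dc-02 ]
set address vuln-scanner ip-netmask 10.0.20.5/32
set address mgmt-jumphost ip-netmask 10.0.20.6/32
set address-group rpc-admin-sources static [ vuln-scanner mgmt-jumphost ]

# 1) DC-to-DC only: replication plus SAM / LSA management
set rulebase security rules allow-dc-rpc from trust to trust source domain-controllers destination domain-controllers application [ ms-dc-replication ms-local-user-management ms-local-security-management ] service application-default action allow log-end yes

# 2) Only the management hosts may reach the registry / scheduler RPC services
set rulebase security rules allow-admin-rpc from trust to trust source rpc-admin-sources destination any application [ ms-remote-registry ms-scheduler ] service application-default action allow log-end yes

# 3) Any other use of these App-IDs is denied and logged; hits on this rule
#    are the detection signal for enumeration or lateral movement attempts
set rulebase security rules deny-lateral-rpc from any to any source any destination any application [ ms-dc-replication ms-local-user-management ms-local-security-management ms-remote-registry ms-scheduler ] service application-default action deny log-end yes

commit
```

Rules are evaluated top down, so the deny rule must sit below the two allow rules; if it is created first, move it with `move rulebase security rules deny-lateral-rpc bottom` before committing.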

We are adding functional App-IDs for SaaS applications like yahoo-mail to provide more granularity. This can help in controlling aspects like file downloads, uploads and sharing for this popular SaaS application.

We are adding a few App-IDs for code management software: coverity, crucible, jfrog and sonarqube.

We are releasing App-IDs for crypto-loot and jsecoin to detect and block crypto-mining activity in your network.

New Applications (20)

| Name | Description |
| --- | --- |
| acme-protocol | The Automatic Certificate Management Environment (ACME) protocol is a communications protocol for automating interactions between certificate authorities and their users' web servers, allowing the automated deployment of public key infrastructure at very low cost. It was designed by the Internet Security Research Group (ISRG) for their Let's Encrypt service. The protocol, based on passing JSON-formatted messages over HTTPS, has been published as an Internet Draft by its own chartered IETF working group. |
| coverity | Coverity is a code analysis tool by Synopsys, consisting primarily of static code analysis and dynamic code analysis. The tool enables engineers and security teams to find defects and security vulnerabilities in custom source code written in C, C++, Java, C#, JavaScript and more. |
| crucible | Crucible is a collaborative code review application by Atlassian. Crucible is a web-based application primarily aimed at enterprises, and usually integrated with the Fisheye service from Atlassian. |
| crypto-loot | The Crypto-Loot JavaScript miner allows you to embed a Monero (XMR) miner directly into your website. Anyone visiting the website runs the miner directly in their browser and mines XMR. This App-ID identifies such mining traffic, giving you the ability to block it in an enterprise environment. |
| grammarly | Grammarly is a cloud-based English-language writing-enhancement platform. Grammarly's proofreading and plagiarism-detection resources check against more than 250 grammar rules. |
| jfrog-artifactory | JFrog Artifactory is a universal repository manager supporting all major packaging formats, build tools and CI servers. This App-ID controls traffic between a client and an on-premise or cloud JFrog Artifactory instance. |
| jsecoin | JSEcoin is a cryptocurrency mined by webmasters and built for everyone. It uses a JavaScript miner for the Monero blockchain that you can embed in a website. Anyone visiting the website runs the miner directly in their browser and mines XMR. This App-ID identifies such mining traffic, giving you the ability to block it in an enterprise environment. |
| ms-dc-replication (functional) | DC-Replication (Domain Controller Replication) is the process by which the changes that are made on one domain controller are synchronized with all other domain controllers in the domain or forest that store copies of the same information. |
| ms-directory-service-setup (functional) | Directory Service Setup provides a remote procedure call (RPC) interface for querying domain-related computer state and configuration data. The client end of the Directory Services Setup Remote Protocol is an application that issues method calls on the RPC interface. The server end of the Directory Services Setup Remote Protocol obtains and replies to the client with the requested data about the computer on which the server is running. |
| ms-event-log (functional) | Windows Events provides a standard, centralized way for applications (and the operating system) to record important software and hardware events. The event-logging service stores events from various sources in a single collection called an event log. |
| ms-local-security-management (functional) | The Local Security Authority (Domain Policy) Remote Protocol is used to manage various machine and domain security policies. |
| ms-local-user-management (functional) | The Security Account Manager (SAM) Remote Protocol (Client-to-Server) provides management functionality for an account store or directory containing users and groups. |
| ms-remote-registry (functional) | Microsoft Windows Remote Registry Service is a DCE/RPC based protocol used by CIFS hosts to access the registry across a network. |
| ms-workstation-service (functional) | The Workstation Service Remote Protocol is designed for remotely querying and configuring certain aspects of an SMB network redirector on a remote computer. |
| mssql-db-encrypted (functional) | Microsoft SQL Server is a relational database management system (RDBMS) produced by Microsoft. mssql-db-encrypted identifies mssql-db traffic with encryption. |
| mssql-db-unencrypted (functional) | Microsoft SQL Server is a relational database management system (RDBMS) produced by Microsoft. mssql-db-unencrypted identifies mssql-db traffic without encryption. |
| sonarqube | SonarQube (formerly Sonar) is an open source platform developed by SonarSource for continuous inspection of code quality. It performs automatic reviews with static analysis of code to detect bugs, code smells and security vulnerabilities in 20+ programming languages. This App-ID controls traffic between a client and an on-premise or cloud SonarQube instance. |
| yahoo-mail-downloading (functional) | This App-ID detects users downloading attachments on Yahoo Mail. |
| yahoo-mail-posting (functional) | This App-ID detects users sending emails on Yahoo Mail. |
| yahoo-mail-uploading (functional) | This App-ID detects users uploading attachments on Yahoo Mail. |

More detailed information for each application is available for customers in New Apps for September 19 Release.

The Customer Resources page also holds the previous updates.