Cortex XDR Articles

November 3, 2019 Release

Increased the severity to high for a BIOC rule:
- Bitsadmin.exe used to upload data (6ba957eb-d63e-4cee-99aa-89e21ef3acc8) - improved logic, changed metadata and increased the severity to high

Increased the severity to medium for 5 BIOC rules:
- Windows set to permit unsigned drivers (Test Mode) (bc4e5b48-cd06-4eb4-a35c-3ea42bf98ff4) - changed metadata, and increased the severity to medium
- Delete Volume USN Journal with fsutil (9d79f0ce-15c2-4ab8-b63e-2f22d74423e3) - increased the severity to medium
- 64-bit PowerShell spawning a 32-bit PowerShell (824a3186-b262-4e01-a45c-35cca8efa233) - improved logic, and increased the severity to medium
- Rundll32.exe running with no command-line arguments (0c0a801a-06ff-4a10-b555-67e56ecbd410) - improved logic, and increased the severity to medium
- Injection into rundll32.exe (0c0a80af-06ff-4a10-b555-67e56ecbd410) - improved logic, and increased the severity to medium

Added 3 new informational BIOC rules:
- Bitsadmin.exe used to download data (6aa957eb-d63e-4cee-99aa-89e21ef3acc8) - added a new informational alert
- Non-browser access to a pastebin-like site (6b394699-0a16-4d03-b8b4-e9a062965ad7) - added a new informational alert
- Non-browser failed access to a pastebin-like site (c1e7607b-e56c-43ca-b072-5b266bb4133b) - added a new informational alert

Improved the logic of an informational BIOC rule:
- Executable or script created in the startup folder (5ee4f82d-6d98-4f94-a832-a62957234d69) - improved logic

Deleted an informational BIOC rule:
- Default Cobalt Strike command line for beaconing with PowerShell (f8ea70da-4bbd-44a7-9a32-0abc809dd2ae) - removed the alert

September 27, 2019 Release

Decreased the severity to informational for a BIOC rule:
- Netcat shell via named pipe (cb05480f-17d8-4138-9902-f0f9fb50b674) - decreased severity to informational

September 26, 2019 Release

Increased the severity to high for 6 BIOC rules:
- Command-line creation of TCP stream (cb05480f-17d8-4138-9902-f0f9fb50b673) - improved detection logic, and increased severity to high
- Netcat shell via named pipe (cb05480f-17d8-4138-9902-f0f9fb50b674) - improved detection logic, and increased severity to high
- Python script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b675) - improved detection logic, and increased severity to high
- Perl script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b676) - improved detection logic, and increased severity to high
- PHP script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b677) - improved detection logic, and increased severity to high
- Wbadmin.exe deletes recovery files in quiet mode (24be0d84-2203-4d60-a1f0-39e4f80eee3a) - improved detection logic, changed the metadata, and increased severity to high

Increased the severity to medium for 4 BIOC rules:
- User added to local administrator group using a PowerShell command (7135da01-046f-452b-99d3-974795aca8c6) - changed the metadata, and increased severity to medium
- Scheduled task created with HTTP or FTP reference (3c888671-03a0-4e8f-8192-c7a6e031712c) - improved detection logic, changed the metadata, and increased severity to medium
- Powershell downloads files via BITS (ed10c4cc-867c-4318-aa9d-59d57d6934bb) - improved detection logic, changed the metadata, and increased severity to medium
- Clear Windows event logs using PowerShell.exe (d9321f3f-d32e-4aa9-8f88-22b03c36139d) - increased severity to medium

Improved the detection logic and increased the severity to low for 2 BIOC rules:
- Reading bash command history file (cb05480f-17d8-4138-9902-f0f9fb50b672) - improved detection logic, and increased severity to low
- Reading .ssh files (cb05480f-17d8-4138-9905-f0f9fb50b671) - improved detection logic, and increased severity to low

Improved the detection logic of a low-severity BIOC rule:
- Image File Execution Options registry key injection by unsigned process (98430360-5b37-465e-acd6-bafa9325110c) - improved detection logic

Improved the detection logic of 4 informational BIOC rules:
- Default Cobalt Strike command line for beaconing with PowerShell (f8ea70da-4bbd-44a7-9a32-0abc809dd2ae) - improved detection logic
- Curl connects to an external network (5e1b87b5-e0db-4ff9-9901-ed73a5190323) - improved detection logic
- Wget connects to an external network (5e1b87b5-e0db-4ff9-9901-ed73a5190322) - improved detection logic
- Accessing Linux bash history file (cb05480f-17d8-4138-9902-f0f9fb50b671) - improved detection logic

Added a new informational BIOC rule:
- Accessing Linux bash history file using bash commands (cb05480f-17d8-4138-9992-f0f9fb50b671) - added a new informational alert

September 25, 2019 Release

Added 7 new informational BIOC rules:
- Default Cobalt Strike command line for beaconing with PowerShell (f8ea70da-4bbd-44a7-9a32-0abc809dd2ae) - added a new informational alert
- Rundll32.exe running with no command-line arguments (0c0a801a-06ff-4a10-b555-67e56ecbd410) - added a new informational alert
- Injection into rundll32.exe (0c0a80af-06ff-4a10-b555-67e56ecbd410) - added a new informational alert
- Unsigned process injecting into a windows system binary with no command line (0c0a801f-06ff-4a10-b555-67e5aecbd410) - added a new informational alert
- RDP connections enabled via registry by unsigned process (6d432610-7ee0-4857-a8f5-009dfd4bde14) - added a new informational alert
- RDP connections enabled via registry from a script host or rundll32.exe (0f705be9-8cd2-4263-9735-6d394f08b974) - added a new informational alert
- 64-bit PowerShell spawning a 32-bit PowerShell (824a3186-b262-4e01-a45c-35cca8efa233) - added a new informational alert

Reduced the severity of 1 BIOC rule to informational:
- Outlook creates an executable file on disk (deafab32-3050-467d-a742-92f6453a152e) - decreased severity to informational

September 5, 2019 Release

Added a new BIOC rule:
- Image File Execution Options registry key injection by scripting engine (f8ea70da-4bbd-44a7-9b32-0abc809dd2be) - added a new low severity alert

Improved the detection logic and increased the severity of 2 BIOC rules:
- Image File Execution Options registry key injection by unsigned process (98430360-5b37-465e-acd6-bafa9325110c) - improved detection logic, changed the metadata, and increased severity to low
- WebDAV drive mounted from net.exe over HTTPS (0c0a801f-06ff-4a10-b555-67e56ecbd410) - improved detection logic, and increased severity to low

Improved the detection logic of 3 informational BIOC rules:
- Executable moved to system32 folder (045190df-f5ab-491a-b214-199dc17f9e3b) - improved detection logic
- RDP enabled via registry (6d432610-7ee0-4857-a8f5-009dfd4bde14) - improved detection logic
- Multiple RDP sessions enabled via registry (b1ac2867-7f82-4d99-b565-2fb5425c1bb5) - improved detection logic

August 8, 2019 Release

Improved the detection logic of 7 BIOC rules:
- Cscript.exe connects to an external network (9410a485-491b-42e4-af6c-de4a76e12f0c) - improved detection logic
- Windows Firewall disabled via registry (31796d2e-08a9-4047-8f37-3a0c2aad8f67) - improved detection logic and changed the metadata
- Process attempts to kill a known security/AV tool (e33072a2-ae58-43a0-bd05-08e986732f03) - improved detection logic
- Wscript.exe connects to an external network (deef10e3-42b1-45fa-a957-9713755fa514) - improved detection logic
- PowerShell process connects to the internet (5e1b87b5-e0db-4ff9-806b-ed73a5190222) - improved detection logic
- Communication over email ports to external email server by unsigned process (7b424216-fe61-4589-bcee-67e9e7b267be) - improved detection logic
- New local user created via Powershell command line (8369f619-0fc7-4b32-aa9f-fce1efcfd3c7) - improved detection logic and changed the metadata

Decreased severity of 2 BIOC rules:
- Microsoft Office process spawns an unsigned process (da9356d9-f8fa-4d32-a6eb-a79a2590816e) - decreased severity to informational
- Web server process drops an executable to disk (20a37717-dd61-4fe5-a73b-80d9fb2a8862) - decreased severity to informational

Added 18 new informational BIOC rules:
- Windows Firewall notifications disabled via registry (31796d2e-08a9-4047-8f37-3a0c2aa11702) - added a new informational alert
- Windows Firewall policy edited via registry (31796d2e-08a9-4047-8f37-3a0c2aa11703) - added a new informational alert
- Curl connects to an external network (5e1b87b5-e0db-4ff9-9901-ed73a5190323) - added a new informational alert
- Wget connects to an external network (5e1b87b5-e0db-4ff9-9901-ed73a5190322) - added a new informational alert
- Accessing Linux bash history file (cb05480f-17d8-4138-9902-f0f9fb50b671) - added a new informational alert
- Reading bash command history file (cb05480f-17d8-4138-9902-f0f9fb50b672) - added a new informational alert
- Reading .ssh files (cb05480f-17d8-4138-9905-f0f9fb50b671) - added a new informational alert
- Command-line creation of TCP stream (cb05480f-17d8-4138-9902-f0f9fb50b673) - added a new informational alert
- Netcat shell via named pipe (cb05480f-17d8-4138-9902-f0f9fb50b674) - added a new informational alert
- Python script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b675) - added a new informational alert
- Perl script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b676) - added a new informational alert
- PHP script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b677) - added a new informational alert
- Image File Execution Options registry key injection (98430360-5b37-465e-acd6-bafa9325110c) - added a new informational alert
- Executable moved to system32 folder (045190df-f5ab-491a-b214-199dc17f9e3b) - added a new informational alert
- RDP enabled via registry (6d432610-7ee0-4857-a8f5-009dfd4bde14) - added a new informational alert
- Multiple RDP sessions enabled via registry (b1ac2867-7f82-4d99-b565-2fb5425c1bb5) - added a new informational alert
- Outlook data files accessed by an unsigned process (ea7088cd-90e4-4750-b65c-61743e3c4bb3) - added a new informational alert
- WebDAV drive mounted from net.exe over HTTPS (0c0a801f-06ff-4a10-b555-67e56ecbd410) - added a new informational alert

July 18, 2019 Release

Modified 6 BIOC rules:
- Privilege escalation using local named pipe impersonation (dd0ac223-8aaa-4630-988d-de39eba83d29) - increased severity to medium
- Privilege escalation using local named pipe impersonation through DLL (d915cff3-5ce9-493f-9973-808a93ed50ad) - increased severity to medium
- New entry added to startup related registry keys by unsigned process (a09c90f7-0b45-4f2a-ac71-96170f047921) - decreased severity to informational
- Windows Firewall being disabled via registry (31796d2e-08a9-4047-8f37-3a0c2aad8f67) - decreased severity to informational
- Outlook creates an executable file on disk (deafab32-3050-467d-a742-92f6453a152e) - improved detection logic
- Web server process drops an executable to disk (20a37717-dd61-4fe5-a73b-80d9fb2a8862) - improved detection logic

Deleted 2 BIOC rules:
- Execution of network debugging/tunnelling tool (56a93227-73d7-42e5-936c-0a3de691b7c6) - removed the alert
- Explorer spawned from commonly abused host process (7b2e9352-20cf-4c52-94e9-b01fac10753a) - removed the alert

July 11, 2019 Release

Added 5 new medium-severity BIOC rules for detecting credential dumping:
- Credential dumping via gsecdump.exe (ca11656e-2c37-4089-94e3-f659ba50d792) - added a new medium-severity alert
- Credential dumping via pwdumpx.exe (8e3f6394-1633-47c9-8ca8-63b5c0187983) - added a new medium-severity alert
- Credential dumping via wce.exe (0c468243-6943-4871-be10-13fb68c0a8ef) - added a new medium-severity alert
- Dumping lsass.exe memory for credential extraction (cb05480f-17d8-4138-aa38-f0f9fb50b671) - added a new medium-severity alert
- Credential dumping via fgdump.exe (eebd92ac-c37f-4e7a-b37d-5c0189ddedcb) - added a new medium-severity alert

Improved the detection logic of 7 BIOC rules:
- Cscript.exe connects to an external network (9410a485-491b-42e4-af6c-de4a76e12f0c) - improved detection logic
- Windows Event Log cleared using wevtutil.exe (938176d0-d14a-49a0-9159-6081627eba03) - improved detection logic, increased severity to high and changed the metadata
- Wscript.exe connects to an external network (deef10e3-42b1-45fa-a957-9713755fa514) - improved detection logic
- Wbadmin.exe deletes recovery files in quiet mode (24be0d84-2203-4d60-a1f0-39e4f80eee3a) - improved detection logic, increased severity to medium and changed the metadata
- PowerShell process connects to the internet (5e1b87b5-e0db-4ff9-806b-ed73a5190222) - improved detection logic
- Communication over email ports to external email server by unsigned process (7b424216-fe61-4589-bcee-67e9e7b267be) - improved detection logic
- Adobe Acrobat Reader drops an executable file to disk (61f01972-e07f-46d7-ba75-f1ec1309625a) - improved detection logic

July 9, 2019 Release

Changed the logic of 1 BIOC rule and added 16 informational BIOC rules:
- Windows Event Log cleared using wevtutil.exe (938176d0-d14a-49a0-9159-6081627eba03) - improved detection logic
- Active Directory enumeration via command-line tool (136788a7-717a-49e2-9e0a-76f00eb60ed6) - added a new informational alert
- Logged on users enumeration via query.exe (375cb7bf-400e-4fbf-9755-693d80a5a54a) - added a new informational alert
- Delete Volume USN Journal with fsutil (9d79f0ce-15c2-4ab8-b63e-2f22d74423e3) - added a new informational alert
- Attempted to dump ntds.dit (73a6f03c-d459-4314-8213-3b69c9aa69c8) - added a new informational alert
- Kerberos service ticket request in PowerShell command (90e50124-8bf2-4631-861e-4b3e1766af5f) - added a new informational alert
- Creation of volume shadow copy using vssadmin.exe (8dd80937-96d8-4ecf-9f44-29a46e0cb5d9) - added a new informational alert
- Modification of NTLM restrictions in the registry (207bde33-2c02-4aa7-ae4f-e22146b79ba6) - added a new informational alert
- Logged on users enumeration via quser.exe (6b228541-9610-4e6f-ad5d-dc6b8d027405) - added a new informational alert
- Active directory enumeration using builtin nltest.exe (216e4145-0656-47c9-b4b3-40f362e133bc) - added a new informational alert
- Clear Windows event logs using wmic.exe (7316c8d9-07d8-40aa-b074-b452bc3d355c) - added a new informational alert
- Clear Windows event logs using PowerShell.exe (d9321f3f-d32e-4aa9-8f88-22b03c36139d) - added a new informational alert
- Indirect command execution using the Program Compatibility Assistant (18447eac-7ad6-44a8-aaf5-7e75b0151166) - added a new informational alert
- Privilege escalation using local named pipe impersonation (dd0ac223-8aaa-4630-988d-de39eba83d29) - added a new informational alert
- Privilege escalation using local named pipe impersonation through DLL (d915cff3-5ce9-493f-9973-808a93ed50ad) - added a new informational alert
- Addition or replacement of password filter DLL(s) through registry modification (ea98601c-e552-4b9b-8164-f085a38d383d) - added a new informational alert
- Dumping registry hives with passwords via reg.exe (824a3186-b262-4e01-b45c-35cca8efa233) - added a new informational alert

July 7, 2019 Release

11 BIOC rule changes. Note that for this content release, and for future ones, global rule IDs are listed in parentheses next to the BIOC names:
- Microsoft HTML Application Host spawns from CMD or Powershell (bfca0d1c-91f9-4ed3-b812-f207ba100a3b) - decreased severity to informational
- Microsoft Office process spawns a commonly abused process (c043b141-83d4-4158-a573-c1e348bb2ad9) - decreased severity to informational
- Web server spawns an unsigned process (bd23f54a-2bd4-417e-80ea-9dd7dcea54f4) - decreased severity to informational
- PowerShell calling Invoke-Expression argument (d9e32419-d8f0-4b2b-b395-6c27be156d56) - decreased severity to informational
- Cleartext password harvesting using find tools (7ac5c888-838d-489c-a6a9-2bab9cec7e9d) - decreased severity to informational
- Compiler process started by an Office process (9b8c5e4f-1b36-49ad-b2c4-155f244ea0ac) - decreased severity to informational
- New local user created via command line (8369f619-0fc7-4b32-aa9f-fce1efcfd3c7) - decreased severity to informational
- Unsigned process injects code into a process (5c3624c9-b234-49b3-b6c1-beae8d9891f8) - decreased severity to informational
- Scripting engine injects code to a process (1f985402-f4a4-4132-b74b-18a04a3620cd) - decreased severity to informational
- Unsigned process makes connections over DNS ports (99470a0e-c311-42a1-872f-74fde3326794) - decreased severity to informational
- Scripting engine makes connections over DNS ports (b3779123-e79d-43b5-b1f5-2fb41093afef) - decreased severity to informational

June 19, 2019 Release

27 BIOC rule changes:
- Manipulation of Windows settings using bcdedit.exe - decreased severity to informational
- Bypassing Windows UAC using disk cleanup - decreased severity to low
- Commonly abused process executes by a remote host using psexec - decreased severity to informational
- Compiled HTML (help file) writes a binary file to disk - decreased severity to medium
- Cscript connects to an external network - decreased severity to informational
- Windows process masquerading by an unsigned process - decreased severity to informational
- Windows Powershell Logging being disabled via registry - decreased severity to informational
- Binary file being created to disk with a double extension - decreased severity to medium
- Outlook creates an executable file on disk - decreased severity to low
- Executable created to disk by lsass.exe - decreased severity to medium
- Microsoft Office process spawns a commonly abused process - decreased severity to low
- Powershell runs with known Mimikatz arguments - decreased severity to medium
- Process attempts to kill a known security/AV tool - decreased severity to medium, improved detection logic
- Process runs from the recycle bin - decreased severity to medium
- Process runs with a double extension - decreased severity to medium
- Enumeration of installed AV or FW products using WMIC - decreased severity to informational
- Powershell process makes network connections to the internet - decreased severity to informational
- Powershell runs base64 encoded commands - decreased severity to informational
- Communication over email ports to external email server by unsigned process - decreased severity to informational
- PowerShell calling Invoke-Expression argument - improved detection logic
- Compiler process started by a commonly abused shell process - decreased severity to informational
- Unsigned process executing whoami command - decreased severity to informational
- Scripting engine called to run in the command line - decreased severity to informational
- Unsigned process injects code into a process - decreased severity to low
- Sensitive Google Chrome files access by a non-Google process - decreased severity to informational
- Script file entry written to startup related registry keys - decreased severity to informational
- Adobe Acrobat Reader drops an executable file to disk - decreased severity to low, improved detection logic

April 15-16, 2019 Release

- Adobe Acrobat Reader drops an executable file to disk - ignore acrord32.exe as causality process to reduce false positives

Initial Release

198 BIOC rules:
- 12 high severity
- 11 medium severity
- 53 low severity
- 122 informational
11-03-2019 02:14 AM
Executive Summary

The Cortex XDR August release unifies the Analytics and Investigation and Response apps into a single Cortex XDR app, with a unified and streamlined user interface. This means that the Cortex XDR – Analytics user interface has been retired and all of its functionality has moved to the new unified UI; see the details below.

What's New – Highlights

Single Cortex XDR App With a Single UI

As of the August release, a single app icon for Cortex XDR appears in the hub:
- The "Cortex XDR – Investigation and Response" app is renamed "Cortex XDR."
- The "Cortex XDR - Analytics" app icon will no longer appear in the hub. Trying to access saved links (e.g. bookmarks) leading directly to Cortex XDR - Analytics pages will redirect you to a page explaining that the two apps merged, with a link to the new unified Cortex XDR UI. Please update your bookmarks!
- The two Cortex XDR tenants (Investigation & Response and Analytics) will continue to appear as two separate line items in the hub's status page.

Cortex XDR - Analytics Alerts in the Unified Cortex XDR UI

Cortex XDR - Analytics alerts are those with an alert source of "Analytics" or "Analytics BIOC." All Cortex XDR - Analytics alerts are displayed in the Cortex XDR UI alert page, grouped into incidents, and can be investigated by right-clicking and choosing "Analyze." This means that Analytics BIOC alerts are shown on causality cards side by side with IOCs, BIOCs, Traps security events and next-generation firewall threat logs. Analytics alerts are also grouped into incidents; through their aggregate nature, this aids analysts in their investigations by providing broader context. You can now easily filter and sort through the data in the forensic tables for Cortex XDR - Analytics alerts and endpoints.

[Figure: A Network-Based Analytics Alert From an Unmanaged Source]

Processes Associated with Cortex XDR - Analytics Alerts

In the unified UI, you can see the data for all processes associated with all new Analytics alerts. There may be more than one process, or process instance, associated with these alerts, given their aggregate nature. This means you can now reach the causality cards for all of these processes. How? Simply right-click the process(es) icon, choose "View Process Instances," then right-click the chosen process instance and choose "Analyze," which opens its causality card. This drilldown enables in-depth investigation, which is now also streamlined and easy, even for aggregate Analytics alerts whose duration may span hours or even days!

[Figure: Drill Down to Process Causality Chains From Analytics Alerts Triggered on Managed Endpoints]

View Endpoint and User Data on the Graph

Viewing endpoint data (previously known as "host view") is now possible by clicking any endpoint which has a circle around its icon (indicating it is an internal endpoint that we have information about, and not an external host). This keeps the graph in focus, allowing you to look at the data Cortex XDR – Analytics has on all the endpoints involved in the alert. The same holds true for user data, which is displayed if you click the username in an Analytics alert graph.

Exclusion Policies

Cortex XDR - Analytics alerts (source type "Analytics" and "Analytics BIOC") can now be whitelisted using exclusion policies, instead of the retired Cortex XDR - Analytics whitelisting mechanism. Upon upgrading to the August Cortex XDR version, existing whitelist rules were automatically migrated to exclusion policies. Note that rules based on MAC addresses were not migrated. It is advised to review the exclusion policies resulting from this automated migration, as the two mechanisms are not identical.

Exclusion policies have several benefits over the previous whitelisting mechanism:
- You can proactively exclude alerts.
- You can exclude several different alert types using a single rule!
- There is more flexibility in defining the exclusion rules, without any limitations on which field types can be referenced.

Remember - with great power comes great responsibility: you may end up completely excluding a certain alert type if you use fields and values which are always true for all triggered alerts of this type.

EDL Response

- Generic EDL (external dynamic list) response capability: You can now choose "Add to EDL" from the "Response" menu and add any offending external IP address or domain to the firewall's external dynamic list.
- Contextual EDL response from the graph and from forensic tables: Right-clicking and choosing "Add to EDL" is also available for IP addresses and domains in the graph and in the forensic tables.
yshivek 08-12-2019 02:57 PM
Hunt down and stop stealthy attacks by unifying network, endpoint, and cloud data.
07-10-2019 09:43 AM