May 23, 2024 - Content Release
This release includes new Cloud SIEM detection rules, and updates to existing rules to correct summary and description expressions. All changes are enumerated below.
Rules​
- [New] FIRST-S00061 First Seen USB device in use on Windows host
- This signal looks for a new removable USB device name being used by a host not seen since the baseline period. This activity by itself is not necessarily malicious, but can be indicative of potential lateral movement or initial access tactics. If the device name is unexpected and not authorized to be used in the environment, investigate the alert further and look for file creation events to the drive in question. The
fields["EventData.DeviceDescription"]
field contains the device name.
- This signal looks for a new removable USB device name being used by a host not seen since the baseline period. This activity by itself is not necessarily malicious, but can be indicative of potential lateral movement or initial access tactics. If the device name is unexpected and not authorized to be used in the environment, investigate the alert further and look for file creation events to the drive in question. The
- [New] FIRST-S00059 First Seen esentutl command From User
- Threat actors may use the esentutl utility to create volume shadow copies and/or backups on a Windows operating system, and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material. Esentutl can also be utilized to download files from a remote share or URL. This activity should be treated as high priority if not performed by an authorized systems administrator as part of normal and planned systems maintenance.
- [New] FIRST-S00058 First Seen vssadmin command From User
- Threat actors may use the vssadmin utility to create volume shadow copies on a Windows operating system, and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material. This activity should be treated as high priority if not performed by an authorized systems administrator as part of normal and planned systems maintenance. If this activity is performed as part of normal system maintenance, the rule can be tuned to exclude these groups of users.
- [New] FIRST-S00060 First Seen wbadmin command From User
- Threat actors may use the wbadmin utility to create volume shadow copies and/or backups on a Windows operating system, and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material. This activity should be treated as high priority if not performed by an authorized systems administrator as part of normal and planned systems maintenance.
- [New] MATCH-S00908 Okta - MFA Request Denied by User
- This signal will trigger when a user denies an MFA request within the Okta authenticator application. Examine other authentication attempts for this particular user, and undertake confirmation efforts to ensure that this activity is expected and valid.
- [New] MATCH-S00907 Okta - Policy Rule Added
- This rule looks for an Okta application being created. Ensure that this activity is expected and authorized. Only Okta administrators should be creating applications. Check the Okta administrator portal for more details regarding the application in question such as scopes and access levels. The field
fields["target.1.alternateId"]
contains the name of the application that was created
- This rule looks for an Okta application being created. Ensure that this activity is expected and authorized. Only Okta administrators should be creating applications. Check the Okta administrator portal for more details regarding the application in question such as scopes and access levels. The field
- [New] MATCH-S00905 Okta - Programmatic Access to Users API Endpoint
- This signal looks for programmatic (PowerShell, Golang, Python or Curl) access to the Okta users API endpoint. This endpoint provides functionality to perform various actions on Okta user accounts such as password resets and account unlocks. A full list of functionality for this endpoint can be found in the Okta documentation here. The
\u201cSuccess\u201d
field will indicate whether this API request was successful or not, and the\u201cDescription\u201d
field will contain the event that was generated by the API request. Both failed and successful requests should be investigated. Ensure that this request was performed for legitimate purposes such as developer workflows or other automation mechanisms. Consider adding a match list exclusion with authorized accounts who perform requests to this Okta API endpoint via programmatic methods if this signal is triggering false positives.
- This signal looks for programmatic (PowerShell, Golang, Python or Curl) access to the Okta users API endpoint. This endpoint provides functionality to perform various actions on Okta user accounts such as password resets and account unlocks. A full list of functionality for this endpoint can be found in the Okta documentation here. The
- [New] MATCH-S00917 Suspicious PowerShell Application Window Discovery COM method
- This PowerShell COM method allows for discovery of running application windows, along with the process path and window location coordinates. Investigation of the host is recommended to identify the behavior leading to and around the execution of this PowerShell process.
- [New] MATCH-S00920 Suspicious PowerShell Window Discovery Cmdlet execution
- Detects the use of PowerShell for Application Window Discovery to identify open application windows to gather information on running programs, collect potential data, and discover security tooling. Investigation into the host and user to identify the process executing the PowerShell function. See here for reference.
- [New] MATCH-S00918 Suspicious cat of PAM common-password policy
- The Pluggable Authentication Module (PAM) in Linux allows system administrators to choose how applications authenticate users. The common-password file defines behavior of password use in Linux subsystems. This detection looks for use of cat to display the contents of the common-password file, which should not be a common occurrence on systems. It is recommended to investigate the host upon which this detection occurs to understand the exposure of the password policies for the system.
- [New] MATCH-S00919 chage command use on host
- The chage command on Linux allows for the changing of user password expiry information. The chage command is restricted to the root user; however, non-root/unprivileged users may use the
-l
flag to determine when the user's password or account is due to expire. It is recommended to investigate the system and account the command has been executed on, to assess the intent of this execution. Additionally, looking at the command line and parent process is helpful in identifying valid automated processes executing this command that would benefit from tuning out via Rule Tuning.
- The chage command on Linux allows for the changing of user password expiry information. The chage command is restricted to the root user; however, non-root/unprivileged users may use the
- [Updated] FIRST-S00023 First Seen AWS API Gateway Enumeration by User
- [Updated] FIRST-S00036 First Seen AWS EKS API Call via CloudTrail from User
- [Updated] FIRST-S00035 First Seen AWS EKS Secrets Enumeration from IP Address
- [Updated] FIRST-S00032 First Seen Kubectl Command From User
- [Updated] FIRST-S00022 First Seen S3 Bucket ACL Enumeration by User
- [Updated] FIRST-S00034 First Seen Session Token Granted to User from New IP
- [Updated] MATCH-S00906 Okta - Application Created
- [Updated] AGGREGATION-S00008 Okta - Session Anomaly (Multiple ASNs)
- [Updated] AGGREGATION-S00009 Okta - Session Anomaly (Multiple User Agents)
- [Updated] MATCH-S00865 Potential Docker Escape via Command Line
- [Updated] MATCH-S00817 Suspicious Azure Active Directory Device Code Authentication
- [Updated] MATCH-S00883 macOS - Keychain Enumeration