CyFlare Updates

The CyFlare Updates page records all new features, alarms, and playbook enhancements, and will highlight any upcoming changes you can expect. 

September 2023

New Features: 

  • SOC Change Logs:
    • To increase the effectiveness of our communications with our clients, we will release updates of SOC changes in real time to our site here: https://cyflare.com/soc-change-log/. 
    • We will then release “Highlights” of the previous month during the first week of the new month, like this Advisory here.
  • Critical Incident Handler Emails:
    • Clients now have the ability to update their Critical IH plan with different emails, such as the Primary Contact, and also update the Secondary Contacts within tickets.   
    • If you would like to update this, please contact your assigned CSM.

New Alarms:

  • Suspicious Process Creation Commandline Detection – this covers the following types of detections:
    1. Empire PowerShell UAC Bypass
    2. Emotet Process Creation 
    3. LockerGoga Ransomware 
    4. CrackMapExec Command Execution 
    5. Suspicious Use of Procdump on LSASS 
    6. Unidentified Attacker November 2018 
    7. Winnti Pipemon Characteristics 
    8. PowerShell Base64 Encoded Shellcode 
    9. Ryuk Ransomware 
    10. DTRACK Process Creation 
    11. ShimCache Flush 
    12. Snatch Ransomware 
    13. TropicTrooper Campaign November 2018 
  • Suspicious PowerShell Script Detection – this covers the following types of detections:
    1. PowerShell Mailbox Collection Script
    2. Suspicious Portable Executable Encoded in Powershell Script
    3. PowerShell Suspicious Script with Screenshot Capabilities
    4. PowerShell Script with Token Impersonation Capabilities
    5. PowerShell Invoke-NinjaCopy script
    6. PowerShell Suspicious Script with Audio Capture Capabilities
    7. PowerShell Suspicious Script with Clipboard Retrieval Capabilities
    8. PowerShell Share Enumeration Script
    9. PowerShell Script with Encryption/Decryption Capabilities
    10. PowerShell MiniDump Script
    11. PowerShell PSReflect Script
    12. PowerShell PSAttack
    13. Computer Discovery And Export Via Get-ADComputer Cmdlet – PowerShell
    14. Access to Browser Login Data
    15. Invoke-Obfuscation CLIP+ Launcher – PowerShell
    16. PowerShell ICMP Exfiltration
    17. Powershell Directory Enumeration
    18. Suspicious Hyper-V Cmdlets
    19. Change User Agents with WebRequest
    20. Suspicious Get-ADReplAccount
  • Kerberos Replay Attack Detected
    • Looking for Event ID 4649 – a request was received twice with identical information.
  • SoftPerfect Network Scanner Execution
    • Looking for any activity related to the SoftPerfect Network Scanner Product via Process Name/Command Line Activity 


Playbook Enhancements:

  • Office365 and Azure – Successful Login outside the US 
    • Modified ticket template to include a link for Travel Advisory that can be added for known authorized travel.  
    • Travel Advisory allows clients to let the SOC know when a user in their environment is traveling and the SOC will then know this activity is authorized and not escalate the activity. 
  • External User Success Brute-force Anomaly 
    • Upon identifying IP addresses flagged as malicious due to OSINT findings and SSH login attempts, the SOC will promptly initiate Incident Response procedures and notify customers using the available information. 
  • Google Workspace Phishing Alert 
    • Added glue book functionality where if the customer has Proofpoint integration, the information from the same Proofpoint log event can be added within ticket details.  
    • Modified playbook logic and updated the ticket template.
  • SentinelOne Playbook Modification: (Endpoint Isolation) 
    • Depending on the defined policy, SentinelOne may isolate an endpoint from the network as a remediation step when detecting suspicious or malicious threats. Going forward, the SOC will proactively initiate Incident Response procedures whenever SentinelOne isolates an endpoint based on the policy configuration. 
  • Malware Activity 
    • The SOC identified major tuning opportunities with this specific alarm type:
    • Utilizing firewall responses to ignore alerts when the traffic has already been blocked by the firewall.
    • Auto-closing certain low-priority IDS signatures when no network traffic is observed between the flagged domain and the internal host.
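To make the two Malware Activity tuning rules above concrete, here is an added illustration (not CyFlare's playbook code) that triages constructed IDS alerts against constructed flow records: an alert the firewall already blocked is ignored, a low-priority signature with no observed traffic between the internal host and the flagged domain is auto-closed, and everything else is escalated. The record fields and sample values are assumptions for illustration only.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed (not CyFlare's) schema for an IDS alert enriched with the firewall verdict.
@dataclass
class IdsAlert:
    signature: str
    priority: str                   # "low", "medium" or "high"
    internal_host: str
    flagged_domain: str
    firewall_action: Optional[str]  # "blocked", "allowed", or None when no firewall event matched

# Assumed schema for a network flow record between an internal host and a domain.
@dataclass
class FlowRecord:
    src_host: str
    dst_domain: str
    bytes_out: int

def observed_traffic(alert: IdsAlert, flows: list[FlowRecord]) -> bool:
    """True when any flow actually carried data from the internal host to the flagged domain."""
    return any(f.src_host == alert.internal_host and f.dst_domain == alert.flagged_domain
               and f.bytes_out > 0 for f in flows)

def triage(alert: IdsAlert, flows: list[FlowRecord]) -> str:
    """Apply the tuning rules in order and return the disposition for the alert."""
    if alert.firewall_action == "blocked":
        return "ignore"      # firewall already stopped it; no ticket needed
    if alert.priority == "low" and not observed_traffic(alert, flows):
        return "auto-close"  # low-priority signature with no real connection
    return "escalate"        # everything else becomes a ticket for the SOC

# Constructed sample data: two hosts, three alerts, one real flow.
FLOWS = [FlowRecord("ws-01", "bad.example", 4096)]
ALERTS = [
    IdsAlert("ET MALWARE CnC Beacon", "high", "ws-01", "bad.example", "allowed"),
    IdsAlert("ET MALWARE CnC Beacon", "high", "ws-02", "bad.example", "blocked"),
    IdsAlert("ET POLICY DNS Query to Suspicious TLD", "low", "ws-02", "dl.example", None),
]

def triage_all(alerts=ALERTS, flows=FLOWS) -> dict:
    """Disposition per (host, signature) so the result can be inspected or asserted on."""
    return {(a.internal_host, a.signature): triage(a, flows) for a in alerts}

if __name__ == "__main__":
    for key, verdict in triage_all().items():
        print(key, "->", verdict)
```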


Note: If you believe any of our ticket templates can be improved, or would like to suggest an improvement, please contact [email protected], or reach out via our 24/7 Chat Support on the ONE Platform.


Upcoming Changes:

  • Further rework on Malware Activity and Trojan Activity detections to ensure higher fidelity in ticket escalation. 
  • Enhancing playbook logic for Protocol Account Login Failure Anomaly detection. 
  • Improved playbook performance to avoid creating blank/incomplete ticket escalations. 
  • If you have any changes or improvements you would like to see the SOC make, please contact the SOC via email at [email protected] or utilize our 24/7 Chat Support via ONE Platform.