Secure Network Analytics version 7.5.2 has been released, providing exciting new features such as the Network Visibility Module (NVM) and Zeek detections. We are expanding our detections across existing and new sources, and our detections engine now ingests NVM telemetry and Zeek logs, introducing 9 new alerts prominently displayed in Analytics. These alerts are also aligned with the well-known MITRE ATT&CK framework.
By integrating a more diverse range of telemetry sources, Secure Network Analytics significantly enhances network visibility and provides deeper insights into network activity. This release and its detections represent an advanced approach to broadening detection sources and capabilities. Users running the Data Store architecture with Analytics enabled can upgrade to version 7.5.2 to immediately access these new capabilities.
The Secure Network Analytics version 7.5.2 software updates can be downloaded from Cisco Software Central.
New Network Visibility Module (NVM) Alerts
Network Visibility Module is part of Cisco Secure Client that records and reports on network activity from an endpoint device and ties endpoint version information to those network details. If you are used to collecting NetFlow or IPFIX in your environment, the Network Visibility Module will provide the same details about a network connection, but will also include things like hostname, process name, user information, operating system, interface details, and more. This helps speed up investigations and provides additional context about who and which host took an action on the network. The detections engine processes the Network Visibility Module telemetry and alerts on 4 new detections.
You can check out the Network Visibility Module Configuration Guide.
Network Visibility Module (NVM) Alert Names and Descriptions
Potential Gamaredon C2 Callout
A command line utility was used to contact a URL associated with the command-and-control servers of a threat actor known as Gamaredon. Gamaredon (also known as Armageddon, Primitive Bear, and ACTINIUM) is an APT active since 2013 known to leverage spearphishing to infect victims with custom malware.
Suspicious Curl Behavior
The system utility curl exhibited suspicious behavior that may be indicative of exploitation of CVE-2023-38545.
Suspicious MSHTA Activity
The built-in Windows utility MSHTA.exe was executed interactively by a non-system user and used to make a network connection. While usually legitimate when run automatically by the system, it is also known to be used by threat actors, including Advanced Persistent Threats (APTs).
Suspicious Process Path
A process was executed on an endpoint from a directory that should not contain executables.
New Zeek Alerts
Zeek is a popular, free, and open-source network traffic analysis tool. It monitors and inspects traffic and generates log files of the activity it witnesses. Those Zeek log files can be sent to Secure Network Analytics as a telemetry source. The detections engine reads the Zeek logs and alerts on 5 new detections.
Check out the Zeek Configuration Guide.
Zeek Alert Names and Descriptions
DNS Traffic to Tor Proxy
A device sent DNS query traffic for a known Tor proxy. This may indicate that an application is preparing to establish a connection via a Tor proxy. It could be a botnet attempting to contact other devices for command-and-control. Adversaries are known to leverage Tor for command-and-control and defense evasion. Even when used by a legitimate user, it can circumvent some security controls.
PetitPotam Attack Via EFS RPC Calls
A device sent a Remote Procedure Call (RPC) using the Encrypting File System Remote Protocol (EFSRPC) library. The PetitPotam attack is known to be associated with this type of RPC traffic. PetitPotam is a tool that can exploit this library. It is also known as an NTLM relay attack. Since most organizations don't use this library at all, or restrict its use, any use is unusual enough to indicate a potential PetitPotam attack.
Possible Impacket SecretDump Activity
A device is attempting a secrets dump using an Impacket tool such as secretsdump.py, which allows dumping credentials from an Active Directory (AD) server. This is also known as a secrets-dump HKTL.
Remote Task Creation through ATSVC Named Pipe
A device is attempting to create a remote task using ATSVC named pipes, which could be a malicious attempt to use at.exe to schedule initial or recurring execution of malicious code. The at.exe utility has been deprecated in current versions of Windows in favor of schtasks.
Suspicious PsExec Execution
A device other than a Windows Sysinternals device is using psexec with a renamed service name, which could indicate a threat actor attempting to perform remote execution.
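As an added illustration (not code from the original post or from Cisco), the following Python script runs two of the Zeek-based checks described above, the EFSRPC (PetitPotam) and ATSVC remote task creation alerts, over constructed dce_rpc.log lines. The endpoint and operation labels (efsrpc, atsvc, NetrJobAdd) are assumed to match how Zeek's DCE-RPC analyzer names them.

```python
"""Toy detection pass over Zeek dce_rpc.log records (added example, not Cisco's engine)."""
from typing import Iterator

# Constructed sample in Zeek's TSV log layout; not captured from a real network.
SAMPLE_DCE_RPC_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\trtt\tnamed_pipe\tendpoint\toperation",
    "1700000000.1\tCa1\t10.0.0.5\t49211\t10.0.0.10\t445\t0.001\t\\\\pipe\\\\srvsvc\tsrvsvc\tNetrShareEnum",
    "1700000001.2\tCb2\t10.0.0.7\t49300\t10.0.0.10\t445\t0.002\t\\\\pipe\\\\lsarpc\tefsrpc\tEfsRpcOpenFileRaw",
    "1700000002.3\tCc3\t10.0.0.7\t49311\t10.0.0.11\t445\t0.002\t\\\\pipe\\\\atsvc\tatsvc\tNetrJobAdd",
    "1700000003.4\tCd4\t10.0.0.8\t49320\t10.0.0.11\t445\t0.001\t\\\\pipe\\\\atsvc\tatsvc\tNetrJobEnum",
    "#close\t2023-11-14-22-13-22",
])

# Labels assumed to match Zeek's DCE-RPC endpoint/operation naming.
EFSRPC_ENDPOINT = "efsrpc"
ATSVC_JOB_ADD = ("atsvc", "NetrJobAdd")


def parse_zeek_tsv(text: str) -> Iterator[dict]:
    """Yield one dict per record, using the #fields header to name columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other header/footer lines carry no records
        if fields is None:
            raise ValueError("record seen before #fields header")
        yield dict(zip(fields, line.split("\t")))


def detect_rpc_abuse(log_text: str) -> list[dict]:
    """Return alerts for EFSRPC use (any operation) and ATSVC job creation."""
    alerts = []
    for rec in parse_zeek_tsv(log_text):
        ep, op = rec.get("endpoint", ""), rec.get("operation", "")
        name = None
        if ep == EFSRPC_ENDPOINT:
            name = "PetitPotam Attack Via EFS RPC Calls"
        elif (ep, op) == ATSVC_JOB_ADD:  # enumeration alone is not flagged
            name = "Remote Task Creation through ATSVC Named Pipe"
        if name:
            alerts.append({"alert": name, "uid": rec["uid"], "src": rec["id.orig_h"],
                           "dst": rec["id.resp_h"], "operation": op})
    return alerts


if __name__ == "__main__":
    for a in detect_rpc_abuse(SAMPLE_DCE_RPC_LOG):
        print(a)
```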
Conclusion
Users of the Secure Network Analytics Data Store with Analytics will want to upgrade their instance to version 7.5.2 to gain access to 9 new detections – 4 based on Network Visibility Module telemetry and 5 based on Zeek logs. These new detections are immediately available in Analytics. Configure the sources to export and expand your detection coverage today.