MaxPatrol SIEM Gets a Major Upgrade in Expertise

New threat detection rules have been added to MaxPatrol SIEM, the information security event monitoring system from Positive Technologies. New event enrichment mechanisms have been introduced: they help information security analysts confirm up to 90% of events without additional data requests. MaxPatrol SIEM can now detect signs of five popular hacking tools: Sliver, NimPlant, Masky, PowerView and Evil-WinRM.

Positive Technologies experts are constantly researching new cyber threats, monitoring the activities of hacker groups around the world and studying their tactics and techniques. Based on this data, experts create threat detection methods that are regularly transferred to MaxPatrol SIEM in the form of expertise packages . This enables SIEM system users to detect current threats and respond promptly to cybercriminals, who are constantly developing new attack tools, methods and techniques, and improving previously created tools.

The company's experts have developed information security event enrichment mechanisms for MaxPatrol SIEM. These mechanisms independently search for dynamic data that arises as an attack develops, giving information security analysts the complete context of the processes being launched (an automatic process chain building mechanism was previously implemented in MaxPatrol SIEM).

The company's experts have also updated previously loaded expertise packages for detecting hacking tools and masquerading techniques. New rules added to MaxPatrol SIEM allow detection of the increasingly popular tools Sliver [1] and NimPlant [2], Metasploit-based attempts to exploit the ProxyNotShell vulnerability, and the activity of the Masky [3], PowerView [4] and Evil-WinRM [5] frameworks, which remain part of cybercriminals' arsenal.

With the new rules, MaxPatrol SIEM can also detect advanced techniques that attackers use to hide in the infrastructure, including:

- running a process without an extension, used to bypass rules that explicitly search for processes with the .exe extension, and for masquerading;

- starting a process with a double extension (for example, .docx.exe), a method attackers use in phishing;

- loading a process or library signed with a Microsoft certificate whose signature status is not valid; this is how attackers try to disguise their tools as legitimate Microsoft programs.
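The three masquerading techniques listed above map naturally onto simple checks over process-creation events. The following is an added example, not MaxPatrol SIEM rule code or anything published by Positive Technologies: it evaluates constructed events (the field names `image`, `signer` and `signature_status` and the sample values are assumptions for illustration) against the three detections and reports which events match.

```python
"""Added example: detection checks for three process masquerading techniques
(no extension, double extension, Microsoft-signed file with invalid signature
status). The event schema and sample events below are constructed for
illustration and are not a real SIEM's format."""
import re

# Extensions that normally carry executable code on Windows (assumption: tune per environment).
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".ps1", ".bat", ".cmd", ".vbs", ".js"}
# "Harmless-looking" extensions that phishing lures commonly borrow (assumption).
DOCUMENT_EXTENSIONS = {".docx", ".doc", ".pdf", ".xlsx", ".pptx", ".txt", ".jpg", ".png"}


def _file_name(image_path: str) -> str:
    """Last path component, splitting on both Windows and POSIX separators."""
    return re.split(r"[\\/]", image_path)[-1]


def has_no_extension(image_path: str) -> bool:
    """Technique 1: the image file name carries no extension at all."""
    return "." not in _file_name(image_path)


def has_double_extension(image_path: str) -> bool:
    """Technique 2: a document-style extension immediately followed by an executable one."""
    parts = _file_name(image_path).lower().split(".")
    if len(parts) < 3:
        return False
    return f".{parts[-2]}" in DOCUMENT_EXTENSIONS and f".{parts[-1]}" in EXECUTABLE_EXTENSIONS


def has_invalid_microsoft_signature(signer: str, signature_status: str) -> bool:
    """Technique 3: the file claims a Microsoft signer but the signature did not verify."""
    return "microsoft" in signer.lower() and signature_status.lower() != "valid"


def evaluate_event(event: dict) -> list:
    """Return the names of every detection that fires for one process event."""
    hits = []
    image = event["image"]
    if has_no_extension(image):
        hits.append("process_without_extension")
    if has_double_extension(image):
        hits.append("double_extension")
    if has_invalid_microsoft_signature(event.get("signer", ""), event.get("signature_status", "")):
        hits.append("invalid_microsoft_signature")
    return hits


# Constructed sample events: one benign, one per technique.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe", "signer": "Microsoft Windows", "signature_status": "Valid"},
    {"image": r"C:\Users\Public\update", "signer": "", "signature_status": ""},
    {"image": r"C:\Users\alice\Downloads\invoice.docx.exe", "signer": "", "signature_status": ""},
    {"image": r"C:\ProgramData\helper.dll", "signer": "Microsoft Corporation", "signature_status": "Unavailable"},
]


def run_detection(events: list) -> dict:
    """Map each image path that triggered at least one detection to its list of hits."""
    results = {}
    for event in events:
        hits = evaluate_event(event)
        if hits:
            results[event["image"]] = hits
    return results


if __name__ == "__main__":
    for image, hits in run_detection(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(hits)}")
```

The benign svchost.exe event produces no hits, while each of the other three constructed events triggers exactly one rule. In a real deployment the extension sets would be tuned per environment and the signature status compared against the values the endpoint sensor actually emits.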

Petr Kovchunov, Senior Information Security Knowledge Base and Expertise Specialist at Positive Technologies, said: "MaxPatrol SIEM regularly gains unique expertise on the threats most relevant to the company. This knowledge enables the identification of sophisticated targeted attacks and their prevention before they lead to serious consequences. Each expertise package has a detailed description, available directly from the interface: which rules it combines, how to configure event sources, and how to properly respond to events. Attackers are introducing new techniques and constantly experimenting. They have started using some techniques more frequently to bypass defenses and hide from SOC analysts, so in this update we added some rules to help detect these techniques."

As part of the major expertise update, the product also received a new set of rules to help detect suspicious activity in the domestic database management system ClickHouse [6]. The set includes more than 20 relevant rules that help quickly detect attacks at different stages, from reconnaissance to attempts to exfiltrate or corrupt data in the DBMS. Previously, MaxPatrol SIEM was loaded with rule sets for detecting attacks on PostgreSQL, Oracle Database, Microsoft SQL Server and MongoDB.

To start using the new rules and event enrichment mechanisms, you need to update MaxPatrol SIEM to version 7.0 and install the updated expertise package.

[1] Freeware with a wide range of features, from remote command execution to privilege escalation.

[2] Freeware, similar in functionality to Sliver, but written in Nim and Python.

[3] An attack tool for AD CS.

[4] A tool for attacking Active Directory.

[5] Free software designed for red teams. Attackers use it to remotely execute commands via WinRM.

[6] Columnar, open source analytical DBMS, allowing real-time analysis and querying of structured big data.

Source: blog.csdn.net/ptsecurity/article/details/131115925