Module for Network Visibility and Zeek Detections in Enhanced Network Security Analytics

Secure Network Analytics version 7.5.2 has just been released, introducing new features including the Network Visibility Module (NVM) and Zeek detections.

Our detections now extend to new telemetry sources: the detection engine processes NVM telemetry and Zeek logs, producing nine new alerts that are displayed in Analytics. These alerts are also mapped to the MITRE ATT&CK framework.

By incorporating a wider variety of telemetry sources, Secure Network Analytics significantly improves network visibility and provides deeper insight into what is happening on the network. This release and its detections reflect an ongoing strategy of broadening both the sources and the capabilities used for detection. Customers already running the Data Store architecture with Analytics enabled can upgrade to access these capabilities right away.

The updated Secure Network Analytics version 7.5.2 software is available for download on Cisco Software Central.

New Network Visibility Module (NVM) Alerts

The Network Visibility Module is a component of Cisco Secure Client that records and reports network activity originating from an endpoint device and associates endpoint context with those network details. If you already collect NetFlow or IPFIX, the Network Visibility Module provides the same information about a network connection plus additional fields such as hostname, process name, user, operating system, interface details, and more. This speeds up investigations and adds context about who initiated an action on the network and which host carried it out. The detection engine evaluates Network Visibility Module telemetry and raises alerts for four new detections.

See the Network Visibility Module Configuration Guide.

Network Visibility Module (NVM) Alert Names and Descriptions

Possible Gamaredon C2 Callout

An executable was used to connect to a URL associated with the command-and-control servers of the threat actor known as Gamaredon. Gamaredon (also referred to as Armageddon, Primitive Bear, and ACTINIUM) has been an active APT since 2013 and is known for using spearphishing to infect victims with custom malware.

Questionable Curl Behavior

The system utility curl exhibited suspicious behavior, potentially indicating exploitation of CVE-2023-38545.

Questionable MSHTA Activity

The native Windows application MSHTA.exe was executed interactively by a non-system user to establish a network connection. While usually legitimate when run automatically by the system, it has also been abused by threat actors, including Advanced Persistent Threats (APTs).

Unusual Process Path

A process was launched on an endpoint from a directory where executables should not exist.

Fig. 1 – New alerts from Network Visibility Module (NVM) telemetry in Analytics

New Zeek Alerts

Zeek is a popular, free, open-source network traffic analysis tool. It monitors traffic, analyzes it, and writes log files describing the activity it observed. These Zeek log files can be sent to Secure Network Analytics as a telemetry source. The detection engine interprets the Zeek logs and raises alerts for five new detections.

See the Zeek Configuration Guide.

Zeek Alert Names and Descriptions

DNS Traffic to Tor Proxy

A device sent DNS queries for a known Tor proxy, indicating that an application may be preparing to establish a connection through a Tor proxy. This could be a botnet attempting to reach other devices for command-and-control. Adversaries use this technique for command-and-control and defense evasion. Although a legitimate user may have a genuine reason to use it, it can bypass certain security controls.

PetitPotam Attack Via EFS RPC Calls

A device made a Remote Procedure Call (RPC) using the Encrypting File System Remote Protocol (EFSRPC) library. The PetitPotam attack is associated with this type of RPC traffic. PetitPotam is a tool that abuses this library and is associated with NTLM relay attacks. Because most organizations rarely use this library, any usage is unusual and may indicate a PetitPotam attack.

Possible Impacket SecretDump Activity

A device is attempting to dump secrets using an Impacket tool such as secretsdump.py, which enables credential extraction from an Active Directory (AD) server. Classified as a secrets-dump hacktool (HKTL), this activity is potentially dangerous.

Remote Task Creation via ATSVC Named Pipe

A device is attempting to create a remote task through the ATSVC named pipe, which may indicate malicious use of at.exe to schedule tasks for one-time or recurring execution of malicious code. The at.exe utility has been deprecated in current Windows versions in favor of schtasks.

Questionable PsExec Deployment

A device executed psexec using a service name other than the Windows Sysinternals default, suggesting a threat actor may be attempting to execute actions remotely.
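To illustrate the kind of logic the Zeek-sourced alerts above describe, here is a small added example (not Secure Network Analytics' own engine) that reads constructed Zeek dce_rpc.log records and flags EFSRPC calls and ATSVC JobAdd requests; it assumes the endpoint and operation labels match what Zeek's DCE-RPC analyzer writes, and all sample rows are made up.

```python
"""Constructed Zeek dce_rpc.log records and a small rule-based detector for
two of the Zeek alerts above (EFSRPC/PetitPotam and ATSVC remote task
creation). Added example; not Secure Network Analytics' detection engine."""

# Column names follow Zeek's dce_rpc.log; the rows are made up for this example.
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "rtt", "named_pipe", "endpoint", "operation"]
SAMPLE_ROWS = [
    ("1700000000.1", "C1", "10.0.0.5", "49152", "10.0.0.10", "445", "0.001",
     r"\\pipe\\lsarpc", "lsarpc", "LsarOpenPolicy2"),       # routine
    ("1700000001.2", "C2", "10.0.0.7", "49153", "10.0.0.10", "445", "0.002",
     r"\\pipe\\lsarpc", "efsrpc", "EfsRpcOpenFileRaw"),     # EFSRPC over lsarpc pipe
    ("1700000002.3", "C3", "10.0.0.8", "49154", "10.0.0.11", "445", "0.001",
     r"\\pipe\\atsvc", "atsvc", "JobAdd"),                  # remote task creation
    ("1700000003.4", "C4", "10.0.0.9", "49155", "10.0.0.11", "445", "0.001",
     r"\\pipe\\srvsvc", "srvsvc", "NetrShareEnum"),         # routine
]
SAMPLE_LOG = ("#separator \\x09\n#fields\t" + "\t".join(FIELDS) + "\n"
              + "\n".join("\t".join(r) for r in SAMPLE_ROWS) + "\n")

# Endpoint/operation labels are assumed to match Zeek's DCE-RPC analyzer output.
RULES = [
    ("PetitPotam Attack Via EFS RPC Calls",
     lambda r: r["endpoint"] == "efsrpc"),
    ("Remote Task Creation via ATSVC Named Pipe",
     lambda r: r["endpoint"] == "atsvc" and r["operation"] == "JobAdd"),
]

def parse_zeek_tsv(text):
    """Yield one dict per record of a Zeek ASCII log, naming columns from the
    #fields header and skipping the other #-prefixed directives."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue
        elif fields:
            yield dict(zip(fields, line.split("\t")))

def detect(log_text):
    """Apply RULES to every record; return (alert, orig_h, resp_h, operation)."""
    hits = []
    for rec in parse_zeek_tsv(log_text):
        for alert, match in RULES:
            if match(rec):
                hits.append((alert, rec["id.orig_h"], rec["id.resp_h"], rec["operation"]))
    return hits
```

Running `detect(SAMPLE_LOG)` yields one hit per suspicious row; the routine lsarpc and srvsvc records produce nothing.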

Fig. 2 – Alerts from Zeek Logs in Analytics

Wrapping Up

If you use Secure Network Analytics Data Store with Analytics, we recommend upgrading to version 7.5.2 for immediate access to nine new detections: four from Network Visibility Module telemetry and five from Zeek logs. These new detections are available in Analytics as soon as you upgrade. Start configuring the sources to export today and broaden your detection coverage.
