CylanceGUARD protection enhancements

Due to some emerging threats, CylanceGUARD has implemented the following CylanceOPTICS rules for improved security and telemetry for analysts. These rules are already in effect and no further action is required from your organization.

Latest enhancements (March 2024)
Threat or vulnerability | Description |
---|---|
Updated rule for advanced detection of payload creation via compiled HTML (.chm) file | |
Updated rule for advanced detection of payload execution from AppData\Local\Temp directory | |
Updated rule for advanced detection of Windows Defender service shutdown via net.exe | |
Updated rule for advanced detection of port forwarding SSH tunnel command execution | |
Updated rule for advanced detection of Windows Defender Antivirus Engine restored to default settings | |
Updated rule for advanced detection of obfuscated Bash history deletion | |

Previous enhancements
Threat or vulnerability | Description |
---|---|
Updated rule for advanced detection of Bash history modification and deletion | |
Updated rule for advanced detection of critical Cylance binaries moved | |
Updated rule for advanced detection of process execution via compiled HTML (.chm) file | |
Updated rule for advanced detection of Svchost launching Rundll32 via scheduled task | |
Updated rule for advanced detection of debugger registry value modification for accessibility features | |
Updated rule for advanced detection of obfuscated Base64 decoding method executed via PowerShell | |
Updated rule for advanced detection of UAC bypass via fodhelper.exe activity | |
Updated rule for advanced detection of payload creation via compiled HTML (.chm) file | |
Advanced detection of AMSI bypass through PowerShell command execution activity | |
Advanced detection of lateral movement through WMI and WinRM activity | |
Advanced detection of Impacket SMBExec module execution activity | |
Advanced detection of MOVEit Transfer vulnerability (CVE-2023-34362) | |
Advanced detection of PaperCut vulnerabilities (CVE-2023-27350, CVE-2023-27351) | |
Advanced detection of UAC bypass via fodhelper.exe activity | |
Advanced detection of credential dumping through comsvcs.dll activity | |
Cyber actors exploiting 3CX desktop app vulnerability (CVE-2023-29059) | |
Cyber actors exploiting Microsoft Outlook vulnerability (CVE-2023-23397) | |
Cyber actors exploiting Microsoft Outlook vulnerability (CVE-2023-23397) (Secondary) | |
Suspicious Microsoft HTML Application (Mshta) execution | |
Microsoft Office products executing uncommon processes | |
Execution of suspicious disk image phishing attachment | |
Ransomware activity based on shadow copy and backup deletions | |
Lateral movement through WMI or WinRM | |
Cyber actors using malicious PowerShell cmdlets | |
Cyber actors using Base64-encoded PowerShell execution to evade detection (Secondary) | |
Cyber actors exploiting Microsoft Exchange (CVE-2021-34473) and Fortinet vulnerabilities (CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591) | |
Jupyter infostealer | |
Log4Shell VMware Horizon vulnerabilities (CVE-2021-44228 and CVE-2021-45046) | |
Apache Log4j vulnerability (CVE-2021-44228) | |
Cyber actors using Base64-encoded PowerShell execution to evade detection | |
Cyber actors using Base64-encoded PowerShell execution to evade detection (Secondary) | |
Cyber actors decoding a Base64 command and piping the output to another process to evade detection | |
Microsoft Office products executing uncommon processes | |
Suspicious Microsoft HTML Application (Mshta) execution | |
Suspicious modification of file ownership and file permissions in macOS and Linux | |
Malware delivered in ISO format | |
ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082) | |