CylanceGUARD protection enhancements Skip Navigation
  1. BlackBerry Docs
  2. CylanceGUARD
  3. CylanceGUARD Release Notes
  4. CylanceGUARD protection enhancements

CylanceGUARD
 protection enhancements

Due to some emerging threats,
CylanceGUARD
 has implemented the following
CylanceOPTICS
 rules for improved security and telemetry for analysts. These rules are already in effect and no further action is required from your organization.

Latest enhancements (June 2023)

Threat or vulnerability
Description
Advanced detection of AMSI bypass through PowerShell Command Execution activity
  • Rule Name
    : “AMSI Bypass PowerShell Command Execution”
  • MITRE Technique
    : T1562.001
  • Description
    : This rule detects the bypassing of AMSI through PowerShell by setting amsiInitFailed to "true" or by removing the registry key in
    HKLM\Software\Microsoft\AMSI
    . The Windows Anti-malware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any anti-malware product that's present on a machine. AMSI provides enhanced malware protection for your end-users and their data, applications, and workloads. Adversaries disable AMSI to avoid possible detection of their malware tools and activities. False positives are not likely.
  • Platform
    : Windows
  • Additional references
    : GitHub and GitHub
  • Date added
    : June 2023
Advanced detection of lateral movement through WMI and WinRM activity
  • Rule Name
    : “Lateral Movement via WMI/WinRM 2”
  • MITRE Techniques
    : T1021.006, T1047
  • Description
    : This rule detects a Logon Type 3 event and subsequent remote command execution by the user through WMI and WinRM. WMI uses WinRM to enter and control remote systems on a network. Generally, remote WMI and WinRM commands are spawned from WmiPrvSE on the target host. Threat actors can abuse WMI and WinRM to move laterally across the network. System administrators may also use WMI and WinRM for remote management.
  • Platform
    : Windows
  • Additional reference
    : Red Canary
  • Date added
    : June 2023
Advanced detection of Impacket SMBExec module execution activity
  • Rule Name
    : “Impacket SMBExec Module Execution”
  • MITRE Techniques
    : T1569.002, T1021.002
  • Description
    : This rule detects Impacket's SMBExec module execution where services.exe launches cmd.exe with command lines similar to "/Q /c echo 127.0.0.1". Impacket is a collection of Python classes for working with network protocols and is commonly weaponized by adversaries. Impacket's SMBExec module allows remote code execution through a semi-interactive shell by creating services that execute commands on the remote host. It is uncommon, but legitimate system admin tools may exhibit the same behavior.
  • Platform
    : Windows
  • Additional reference
    : u0041
  • Date added
    : June 2023
Advanced detection of MOVEit Transfer vulnerability (CVE-2023-34362)
  • Rule Name
    : "MOVEit Transfer Vulnerability Indicators of Compromise"
  • MITRE Techniques
    : T1190, T1505
  • Description
    : This rule detects w3wp.exe spawning csc.exe and the creation of human2.aspx files in
    C:\MOVEitTransfer\wwwroot
    . This may indicate exploitation of CVE-2023-34362. Adversaries can exploit this vulnerability to gain unauthenticated access to MOVEit Transfer's database. Adversaries may then be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. False positives may arise if this detection occurs around an initial MOVEit installation or software update.
  • Platform
    : Windows
  • Additional reference
    : National Vulnerability Database
  • Date added
    : June 2023
Advanced detection of Papercut (CVE-2023-27350, CVE-2023-27351)
  • Rule Name
    : "Papercut CVE-2023-27350 CVE-2023-27351 Indicators of Compromise"
  • MITRE Technique
    : T1190
  • Description
    : This rule detects the Papercut app spawning lolbas processes. This may indicate a threat actor is exploiting CVE-2023-27350 and/or CVE-2023-27351. False positives are not likely.
  • Platform
    : Windows
  • Additional reference
    : MITRE
  • Date added
    : June 2023
Advanced detection of UAC Bypass via Fodhelper.exe activity
  • Rule Name
    : "UAC Bypass via Fodhelper.exe"
  • MITRE Technique
    : T1548.002
  • Description
    : This rule detects a Privilege Escalation technique of bypassing UAC using PowerShell to modify registry keys for fodhelper.exe. Threat actors exploit this bypass to launch malware with administrative privileges. False positives are not likely.
  • Platform
    : Windows
  • Additional reference
    : Penetration Testing Lab
  • Date added
    : June 2023
Advanced detection of credential dumping through comsvcs.dll activity
  • Rule Name
    : "Credential dumping via comsvcs.dll"
  • MITRE Technique
    : T1003.001
  • Description
    : This rule detects Local Security Authority Subsystem Service (LSASS) credential dumping through the "MiniDump" exported function of comsvcs.dll. Adversaries may attempt to access credential material stored in the process memory of the LSASS. False positives are not likely.
  • Platform
    : Windows
  • Additional reference
    : GitHub
  • Date added
    : June 2023

Previous enhancements

Threat or vulnerability
Description
Cyber actors exploiting 3CX desktop app vulnerability (CVE-2023-29059)
  • Rule Name
    : “SmoothOperator 3CX Indicators of Compromise”
  • MITRE Technique
    : T1195.002
  • Description
    : This rule detects DNS requests from the 3CX desktop app to domains associated with the "SmoothOperator" supply chain attack.
  • Platform
    : Windows
  • Additional reference
    : National Vulnerability Database
  • Date added
    : April 2023
Cyber actors exploiting Microsoft Outlook Vulnerability (CVE-2023-23397) 
  • Rule Name
    : “CVE-2023-23397 Indicators of Compromise (Process)”
  • MITRE Technique
    : T1212
  • Description
    : This rule detects process execution behavior that is indicative of CVE-2023-23397. For example, this may indicate an attempt to steal password hashes.
  • Platform
    : Windows
  • Date added
    : March 2023
Cyber actors exploiting Microsoft Outlook Vulnerability (CVE-2023-23397) (Secondary)
  • Rule Name
    : “CVE-2023-23397 Indicators of Compromise (Network)”
  • MITRE Technique
    : T1212
  • Description
    : This rule detects outbound connections on port 445 to non-private (i.e. external) IP addresses. For example, this may indicate an attempt to steal password hashes.
  • Platform
    : Windows
  • Date added
    : March 2023
Suspicious Microsoft HTML application (Mshta) execution
  • Rule Name
    : “Suspicious Mshta.exe Execution”
  • MITRE Technique
    : T1218.005
  • Description
    : This rule detects the use of JavaScript and VBScript command line arguments, as well as remote execution of .hta files. Understanding that
    mshta.exe
     is a trusted utility that executes Microsoft HTML Applications (HTA), adversaries can use it to proxy execution of malicious .hta files and JavaScript or VBScript. False positives can only be determined after analyzing the command or .hta file for malicious code.
  • Platform
    : Windows
  • Additional reference
    : Cyble
  • Date added
    : February 2023 (update)
Microsoft Office products executing uncommon processes
  • Rule Name
    : “Suspicious process execution from Microsoft Office products”
  • MITRE Technique
    : T1559.002, T1204.002
  • Description
    : This rule detects Microsoft Office products executing uncommon processes. Uncommon processes executed from Office products may be indicative of malicious VBA or DDE code inside the offending document.
  • Platform
    : Windows
  • Additional reference
    : Cyble
  • Date added
    : February 2023 (update)
Execution of suspicious disk image phishing attachment
  • Rule name
    : "Suspicious Disk Image Phishing Attachment Executed"
  • MITRE Techniques
    : T1204.002, T1566.001
  • Description
    : This rule detects the mounting of disk image attachments with malicious payloads. This is a common technique for phishing attacks. 
  • Platform
    : Windows
  • Additional reference
    : GitHub
  • Date added
    : January 2023
Ransomware activity based on shadow copy and backup deletions
  • Rule name
    : "Shadow Copy Removal Command Execution"
  • MITRE Technique
    : T1490
  • Description
    : This rule detects when a shadow or backup catalog removal command is executed through vssadmin.exe, wbadmin.exe, wmic.exe, or PowerShell. Threat actors often delete backups to remove evidence of their presence, or to prevent recovery in ransomware attacks. 
  • Platform
    : Windows
  • Additional reference
    : MITRE T1490
  • Date added
    : January 2023
Lateral movement through WMI or WinRM
  • Rule name
    : "Lateral Movement via WMI/WinRM"
  • MITRE Techniques
    : T1021.006, T1047
  • Description
    : This rule detects when a user executes a remote command through WMI or WinRM, which are used to remotely take control of devices on the network. 
  • Platform
    : Windows
  • Additional reference
    : Red Canary
  • Date added
    : January 2023
Cyber actors using malicious PowerShell Cmdlets
  • Rule name
    : "PowerShell Command Execution with Identified Malicious Cmdlets"
  • MITRE Techniques
    : T1059.001
  • Description
    : This rule detects usage of malicious PowerShell Cmdlets identified via Open-Source Intelligence (OSINT) in base64 encoded commands or plain-text commands.
  • Platform
    : Windows
  • Additional reference
    : Red Canary
  • Date added
    : January 2023
Cyber actors using Base64 Encoded PowerShell Execution to evade detection (Secondary)
  • Rule Name
    : “Base64 Encoded PowerShell Execution”
  • MITRE Technique
    : T1027
  • Description
    : This rule detects the usage of Base64 encoded PowerShell commands and a long Base-64 encoded string using variations of the
    -encodedCommand
     argument and
    Convert.FromBase64String(String)
     method. Adversaries may use Base64 to encode malicious commands to evade detection. Benign usage is common with enterprise software and deployment tools
  • Platform
    : Windows
  • Additional reference
    : Medium Blog
  • Date added
    : January 2023 (update)
Cyber actors exploiting Microsoft Exchange (CVE-2021-34473) and Fortinet vulnerabilities (CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591)
  • Rule name
    : "Fast Reverse Proxy (FRP) Tool Execution"
  • MITRE Techniques
    : T1588.001, T1588.002
  • Description
    : This rule detects execution of the Fast Reverse Proxy (FRP) tool. FRP is an open-source tool that enables external access to an intranet PC that cannot be accessed directly. Adversaries may use FRP to expose a local server to external access, bypassing the firewall/NAT. 
  • Platform
    : Windows
  • Additional reference
    : CISA article AA21-321A
  • Date added
    : December 2022
Jupyter infostealer
  • Rule Name
    : "Jupyter Infostealer Indicators of Compromise"
  • MITRE Technique
    : T1059
  • Description
    : This rule detects the execution of PowerShell commands indicative of the Jupyter infostealer. Jupyter is a highly modular malware that hides deep within legitimate installer packages. When executed, it can receive further malicious components via its command-and-control (C2) server to enhance its capabilities. These components can include executables and malicious PowerShell scripts.
  • Platform
    : Windows
  • Additional reference
    : BlackBerry Blog
  • Date added
    : December 2022
Log4Shell VMware Horizon vulnerabilities (CVE-2021-44228 and CVE-2021-45046)
  • Rule Name
    : "Log4Shell VMware Horizon Indicator of Compromise "
  • MITRE Technique
    : T1059
  • Description
    : This rule detects the execution of a PowerShell command that exploits a log4j vulnerability in VMware Horizon.
  • Platform
    : Windows
  • Additional reference
    : VMware KB article 87073
  • Date added
    : December 2022
Apache Log4J vulnerability (CVE-2021-44228)
  • Rule Name
    : “Log4J Indicators of Compromise”
  • MITRE Technique
    : T1059
  • Description
    : This rule detects common Java processes connecting to non-RFC1918 IP addresses on ports associated with Log4J.
  • Platforms
    : Windows, macOS, and Linux
  • Date added
    : December 2022
Cyber actors using Base64 Encoded PowerShell Execution to evade detection
  • Rule Name
    : “Suspicious Certutil.exe Execution”
  • MITRE Techniques
    : T1027, T1140, T1105
  • Description
    : This rule detects the usage of the
    -encode
     or
    -decode
     arguments of
    certutil.exe
    . It also detects file downloads via
    certutil.exe
    . Adversaries may use certutil to encode and decode malicious Base64 commands to evade detection and/or to download malicious payloads.
  • Platform
    : Windows
  • Additional reference
    : GitHub (certutil)
  • Date added
    : December 2022
Cyber actors using Base64 Encoded PowerShell Execution to evade detection (Secondary)
  • Rule Name
    : “Base64 Encoded PowerShell Execution”
  • MITRE Technique
    : T1027
  • Description
    : This rule detects the usage of Base64 encoded PowerShell commands and a long Base-64 encoded string using variations of the
    -encodedCommand
     argument and
    Convert.FromBase64String(String)
     method. Adversaries may use Base64 to encode malicious commands to evade detection. Benign usage is common with enterprise software and deployment tools
  • Platform
    : Windows
  • Additional reference
    : Medium Blog
  • Date added
    : December 2022
Cyber actors decoding Base64 command and piping the output to another process to evade detection
  • Rule Name
    : “Base64 String Decoded via the \"base64\" Process”
  • MITRE Technique
    : T1027
  • Description:
    : This rule detects the usage of the
    -d
     or
    --decode
     arguments of the
    base64
     binary. Adversaries may decode malicious Base64 commands and pipe the output to another process to evade detection. Benign usage is common with enterprise software and deployment tools.
  • Platforms
    : macOS and Linux
  • Additional reference
     GIAC Certification Paper
  • Date added
    : December 2022
Microsoft Office products executing uncommon processes
  • Rule Name
    : “Suspicious process execution from Microsoft Office products”
  • MITRE Technique
    : T1105, T1036
  • Description
    : This rule detects Microsoft Office products executing uncommon processes. Uncommon processes executed from Office products may be indicative of malicious VBA or DDE code inside the offending document.
  • Platform
    : Windows
  • Additional reference
    : Medium Blog
  • Date added
    : December 2022
Suspicious Microsoft HTML application (Mshta) execution
  • Rule Name
    : “Suspicious Mshta.exe Execution”
  • MITRE Technique
    : T1218.005
  • Description
    : This rule detects the use of JavaScript and VBScript command line arguments, as well as remote execution of .hta files. Understanding that
    mshta.exe
     is a trusted utility that executes Microsoft HTML Applications (HTA), adversaries can use it to proxy execution of malicious .hta files and JavaScript or VBScript. False positives can only be determined after analyzing the command or .hta file for malicious code.
  • Platform
    : Windows
  • Additional reference
    : MITRE T1218.005
  • Date added
    : December 2022
Suspicious modification of file ownership and file permissions in macOS and Linux
  • Rule Name
    : “Chmod modified Setuid and Setgid bits of file”
  • MITRE Technique
    : T1548
  • Description
    : This rule detects the use of
    chmod
     to modify the
    setuid
     and
    setgid
     bits of a file. Chmod manages file and folder permissions\\security. An adversary may abuse chmod to apply
    setuid
     and
    setgid
     bits to a file in order to get code running in a privileged user/group context.
  • Platforms
    : macOS and Linux
  • Additional reference
    : MITRE T1548
  • Date added
    : December 2022
Malware delivered in ISO formats
  • Rule name
    : "Disk image phishing attachment downloaded and/or mounted by user T1204.002/T1566.001"
  • Description
    : This rule detects the creation of disk image files (.iso, .img, .vhd, or .vhdx) in common temporary directories for downloads, and the creation of shortcut files (.lnk) pointing to disk image files. The shortcut files indicate that the user recently mounted the respective disk image file. This is a common technique for phishing attacks. This can be benign on server systems but on workstations, users should rarely mount disk image files.
  • Platform
    : Windows
  • Additional reference
    : Github
  • Date added
    : October 2022
ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082)
  • Rule name
    : "ProxyNotShell Indicators of Compromise. T1190/T1505.003"
  • Description
    : This rule detects file creation events for files with the following extensions: "dll.dll", "errorEE.aspx", "pxh4HG1v.ashx", "Xml.ashx". Files ending with these extensions may be malicious IIS webshells that indicate a ProxyNotShell exploit.
  • Platform
    : Windows
  • Date added
    : October 2022