
CylanceMDR protection enhancements

In response to emerging threats, CylanceMDR has implemented the following CylanceOPTICS rules to improve security and to give analysts better telemetry. These rules are already in effect; no further action is required from your organization.

Latest enhancements (April and May 2024)

Each entry below names the threat or vulnerability addressed, followed by a description of the rule.
Updated rule for advanced detection of the execution of a Stager payload from PowerShell Empire
  • Rule Name: “PowerShell Empire Stager Payload Executed”
  • MITRE Techniques: T1059, T1059.001, T1071, T1071.001
  • Description: This rule detects the execution of a stager associated with PowerShell Empire command and control activity. The rule looks for the web request paths Empire commonly uses, such as /admin/get.php, /admin/news.php, and /login/process.php. PowerShell Empire is a post-exploitation framework used by security professionals and attackers alike to gain remote access to and control of compromised systems through PowerShell scripts.
  • Platform: Windows
  • Additional reference: Red Team Notes
  • Date added: May 2024
Updated rule for advanced detection of the Csvde.exe export command
  • Rule Name: “Csvde.exe Export Command”
  • MITRE Techniques: T1087, T1069, T1018, T1087.002, T1119
  • Description: This rule detects the use of Csvde.exe to export data. Csvde.exe is a Windows command-line tool, available on domain controllers and with the Active Directory tools, that imports and exports directory objects in CSV format, so an export can hand an adversary a listing of the domain's users, groups, and computers in one step. Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifiers on a network that may be used for lateral movement from the current system. Cloud environments typically provide easily accessible interfaces to obtain user lists. On hosts, adversaries can use command-line functionality to identify accounts.
  • Platform: Windows
  • Additional reference: MITRE
  • Date added: May 2024
Updated rule for advanced detection of local credential dump from NTDS, SAM or LSA using SecretsDump
  • Rule Name: “Local Credential Dump from NTDS, SAM or LSA via SecretsDump”
  • MITRE Techniques: T1003, T1003.002, T1003.003, T1003.004, T1059, T1059.006
  • Description: Adversaries may attempt to steal credential information from the NTDS file (%SystemRoot%\NTDS\Ntds.dit) or from the Windows Registry hives that store the Security Account Manager (SAM) database and Local Security Authority (LSA) secrets. This rule detects the use of secretsdump.py, a tool that can locally dump credential information such as domain password hashes from the NTDS.dit file, and SAM and LSA secrets from exported registry hives.
  • Platform: Windows
  • Date added: May 2024
Updated rule for advanced detection of a remote credential dump from the registry hive
  • Rule Name: “Remote Credential Dump from Registry Hive”
  • MITRE Techniques: T1003, T1003.002
  • Description: This rule detects a Logon Type 3 (network logon) event, a start of the Remote Registry service, and the creation of 8-character .tmp files. Together, these indicate a credential dump from the registry. Threat actors can use tools such as impacket to query the registry hive remotely, dump the SAM and SYSTEM hives to temporary files, and exfiltrate them to a C2 server. Verify the user's login activity and any network connections to internal or external hosts to determine whether the activity is malicious.
  • Platform: Windows
  • Additional reference: Medium
  • Date added: May 2024
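The three-indicator correlation this rule describes, shown as an added example in Python over constructed telemetry; this is illustrative code written for this page, not CylanceOPTICS rule logic. A network logon, a Remote Registry service start, and 8-character .tmp file creations on the same host are reported together only when they fall inside a time window after the logon. The event field names, the five-minute default window, and the alphanumeric character set assumed for the temporary file name are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Host dc01 shows the three indicators the
# page lists within a few seconds; host ws07 shows the same kinds of events spread over
# 45 minutes plus a .tmp name that does not fit the pattern, which must not correlate.
EVENTS = [
    {"ts": "2024-05-02T10:15:01", "host": "dc01", "kind": "logon", "logon_type": 3,
     "user": "svc_backup", "src_ip": "10.0.5.23"},
    {"ts": "2024-05-02T10:15:04", "host": "dc01", "kind": "service_start", "service": "RemoteRegistry"},
    {"ts": "2024-05-02T10:15:06", "host": "dc01", "kind": "file_create", "path": r"C:\Windows\Temp\qZtPwKxL.tmp"},
    {"ts": "2024-05-02T10:15:08", "host": "dc01", "kind": "file_create", "path": r"C:\Windows\Temp\aBcDeFgH.tmp"},
    {"ts": "2024-05-02T11:00:00", "host": "ws07", "kind": "logon", "logon_type": 3,
     "user": "alice", "src_ip": "10.0.1.9"},
    {"ts": "2024-05-02T11:20:00", "host": "ws07", "kind": "file_create",
     "path": r"C:\Users\alice\AppData\Local\Temp\report.tmp"},
    {"ts": "2024-05-02T11:45:00", "host": "ws07", "kind": "service_start", "service": "RemoteRegistry"},
]

# Eight alphanumeric characters followed by .tmp; the exact character set is an assumption.
TMP_NAME = re.compile(r"^[A-Za-z0-9]{8}\.tmp$", re.IGNORECASE)
DEFAULT_WINDOW_SECONDS = 300   # assumed correlation window; tune to your environment


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _basename(path):
    # Accept either separator so the same check works on forwarded Linux-side logs.
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def correlate(events, window_seconds=DEFAULT_WINDOW_SECONDS):
    """One alert per (host, network logon) where a Remote Registry service start and at
    least one 8-character .tmp file creation both follow the logon within the window."""
    window = timedelta(seconds=window_seconds)
    by_host = {}
    for event in sorted(events, key=_ts):
        by_host.setdefault(event["host"], []).append(event)

    alerts = []
    for host, evs in by_host.items():
        for logon in (e for e in evs if e["kind"] == "logon" and e.get("logon_type") == 3):
            start, end = _ts(logon), _ts(logon) + window
            in_window = [e for e in evs if start <= _ts(e) <= end]
            svc = [e for e in in_window if e["kind"] == "service_start"
                   and e.get("service", "").lower() == "remoteregistry"]
            tmps = [e for e in in_window if e["kind"] == "file_create"
                    and TMP_NAME.match(_basename(e["path"]))]
            if svc and tmps:
                alerts.append({
                    "host": host,
                    "user": logon["user"],
                    "src_ip": logon["src_ip"],
                    "logon_ts": logon["ts"],
                    "tmp_files": [e["path"] for e in tmps],
                    # Triage hint from the rule description: check this login and the
                    # source host's network connections before calling it malicious.
                    "next_steps": f"verify {logon['user']} logon from {logon['src_ip']} and outbound connections",
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Anchoring the window on the logon event keeps the alert tied to the remote session that produced it, which is what an analyst needs for the verification step the rule description asks for; a bare match on any 8-character .tmp file would fire on ordinary temporary files.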
Updated rule for enhanced investigation of system information discovery through service enumeration
  • Rule Name: “System Information Discovery via Service Enumeration”
  • MITRE Techniques: T1082, T1007
  • Description: This rule detects enumeration of registered local system services with 'tasklist /svc' or 'net start' by a non-administrator user. Adversaries may obtain information about services using dedicated tools as well as OS utility commands such as these to get a list of the services on the system.
  • Platform: Windows
  • Additional reference: MITRE
  • Date added: April 2024
Updated rule for advanced detection of the extraction of the domain database (including password hashes) using ntdsutil.exe
  • Rule Name: “Domain Database including Password Hashes Extracted via ntdsutil.exe”
  • MITRE Techniques: T1003, T1003.003
  • Description: Adversaries may attempt to access or create a copy of the Active Directory (AD) domain database to steal credential information, as well as to obtain other information about domain members such as devices, users, groups, and access rights. By default, the NTDS file is located at %SystemRoot%\NTDS\Ntds.dit on a domain controller. This rule detects the use of the built-in Windows tool ntdsutil.exe to extract a copy of the AD domain database, which includes the password hashes of every user in the domain. The hashes can then be exfiltrated from the host and cracked offline.
  • Platform: Windows
  • Additional reference: MITRE
  • Date added: April 2024
Updated rule for advanced detection of enumeration of browser bookmarks
  • Rule Name: “Enumeration of Browser Bookmarks”
  • MITRE Techniques: T1217, T1555, T1555.003
  • Description: This rule detects the enumeration or discovery of web browser bookmark database files. Adversaries may enumerate browser bookmarks to learn more about a compromised host. Bookmarks can reveal a user's personal information and details of internal network resources.
  • Platform: Linux
  • Additional reference: MITRE
  • Date added: April 2024
Updated rule for advanced detection of Windows Defender registry key modification
  • Rule Name: “Windows Defender Registry Key Modifications”
  • MITRE Techniques: T1562, T1562.001, T1112
  • Description: This rule detects modification of Windows Defender registry keys, which adversaries may alter to disable or weaken security tooling before carrying out further activity.
  • Platform: Windows
  • Additional reference: MITRE
  • Date added: April 2024
Updated rule for enhanced investigation of account or group discovery via dscl
  • Rule Name: “Account or Group Discovery via dscl”
  • MITRE Techniques: T1069.002, T1087, T1087.001, T1087.002
  • Description: This rule detects evidence of account or group discovery via dscl, the macOS Directory Service command-line utility, corresponding to MITRE techniques T1087 (Account Discovery) and T1069 (Permission Groups Discovery).
  • Platform: macOS
  • Additional reference: MITRE T1087, MITRE T1069
  • Date added: April 2024
Updated rule for enhanced investigation of file and directory discovery through the Windows command line
  • Rule Name: “File and Directory Discovery via Cmd”
  • MITRE Techniques: T1083
  • Description: This rule detects file and directory discovery through the Windows command line (cmd). Adversaries may enumerate files and directories, or search specific locations on a host or network share, for particular information within a file system.
  • Platform: Windows
  • Additional reference: MITRE
  • Date added: April 2024
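The command-line, web-request, file-path and registry-key indicators named in the PowerShell Empire stager, Csvde.exe, SecretsDump, service enumeration, ntdsutil.exe, browser bookmark, Windows Defender registry, dscl and cmd rules above, collected into one rule table and evaluated over sample events, as an added example in Python. This is illustrative code written for this page, not CylanceOPTICS rule logic, which is not published. The event schema, every regular expression, the browser bookmark file locations, the non-administrator check on the service-enumeration rule, and the sample events are all assumptions made for the example.

```python
import re

# Illustrative rule table: one entry per rule description on this page. The vendor's real
# rule logic is not published, so each pattern is an assumption about what the description
# implies. Entry layout: (rule name, telemetry kind, field inspected, regex, extra predicate).
def _always(_event):
    return True


def _non_admin(event):
    return not event.get("is_admin", False)


def _not_import(event):   # csvde -i is an import; the rule is about exports
    return not re.search(r"\s-i\b", event.get("cmdline", ""), re.I)


RULES = [
    ("PowerShell Empire Stager Payload Executed", "network", "uri",
     re.compile(r"^/(admin/get|admin/news|login/process)\.php$", re.I),
     lambda e: "powershell" in e.get("process", "").lower()),
    ("Csvde.exe Export Command", "process", "cmdline",
     re.compile(r"\bcsvde(\.exe)?\b.*\s-f\s", re.I), _not_import),
    ("Local Credential Dump from NTDS, SAM or LSA via SecretsDump", "process", "cmdline",
     re.compile(r"secretsdump(\.py)?\b.*\s-(sam|system|security|ntds)\s.*\bLOCAL\b", re.I), _always),
    ("System Information Discovery via Service Enumeration", "process", "cmdline",
     re.compile(r"(tasklist(\.exe)?\s+/svc|net1?(\.exe)?\s+start\s*$)", re.I), _non_admin),
    ("Domain Database including Password Hashes Extracted via ntdsutil.exe", "process", "cmdline",
     re.compile(r"ntdsutil(\.exe)?\b.*\bifm\b.*\bcreate\s+full\b", re.I), _always),
    # Chrome/Chromium and Firefox stores; the file list the real rule uses is not on the page.
    ("Enumeration of Browser Bookmarks", "file", "path",
     re.compile(r"(/\.config/(google-chrome|chromium)/[^/]+/Bookmarks$|/\.mozilla/firefox/[^/]+/places\.sqlite$)"),
     _always),
    ("Windows Defender Registry Key Modifications", "registry", "target",
     re.compile(r"\\Microsoft\\Windows Defender(\\[^\\]+)*\\Disable\w+$", re.I), _always),
    ("Account or Group Discovery via dscl", "process", "cmdline",
     re.compile(r"\bdscl\b.*\s-(list|read|search)\s+/(Users|Groups)\b"), _always),
    # \bdir\b also matches a path component named "dir"; real rules need tighter parsing.
    ("File and Directory Discovery via Cmd", "process", "cmdline",
     re.compile(r"\bcmd(\.exe)?\b.*\s/c\s+.*\b(dir|tree)\b", re.I), _always),
]


def match(event):
    """Names of every rule whose telemetry kind, regex and extra predicate all hold."""
    return [name for name, kind, field, pattern, extra in RULES
            if event.get("kind") == kind
            and pattern.search(event.get(field, ""))
            and extra(event)]


def run(events):
    """Map event index -> matched rule names, keeping only events on which a rule fired."""
    hits = {}
    for i, event in enumerate(events):
        names = match(event)
        if names:
            hits[i] = names
    return hits


# Constructed sample telemetry (not captured from any real system).
EVENTS = [
    {"kind": "network", "process": "powershell.exe", "uri": "/admin/get.php", "dst": "203.0.113.5"},
    {"kind": "process", "cmdline": r"csvde -f C:\Temp\users.csv -r (objectClass=user)", "is_admin": True},
    {"kind": "process", "cmdline": "python3 secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL",
     "is_admin": True},
    {"kind": "process", "cmdline": "tasklist /svc", "is_admin": False},
    {"kind": "process", "cmdline": "tasklist /svc", "is_admin": True},      # admin user: rule stays quiet
    {"kind": "process", "cmdline": r'ntdsutil "ac i ntds" "ifm" "create full C:\Temp\ifm" q q', "is_admin": True},
    {"kind": "file", "path": "/home/bob/.config/google-chrome/Default/Bookmarks"},
    {"kind": "registry",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"kind": "process", "cmdline": "dscl . -list /Users", "is_admin": False},
    {"kind": "process", "cmdline": r"cmd.exe /c dir /s /b C:\Users\*.kdbx", "is_admin": False},
    {"kind": "process", "cmdline": "cmd.exe /c echo hello", "is_admin": False},   # benign: no rule fires
]

if __name__ == "__main__":
    for idx, names in run(EVENTS).items():
        e = EVENTS[idx]
        print(idx, e.get("cmdline") or e.get("uri") or e.get("path") or e.get("target"), "->", names)
```

Each rule here fires on a single event, which is why the table is short; the extra predicate is the place to add context such as the non-administrator condition, and the admin `tasklist /svc` event shows that this is what keeps routine administration out of the alert queue.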
Updated rule for advanced detection of the ScreenConnect authentication bypass vulnerability CVE-2024-1709
  • Rule Name: “ScreenConnect Authentication Bypass Vulnerability CVE-2024-1709”
  • MITRE Techniques: T1556
  • Description: This rule detects activity potentially associated with successful exploitation of CVE-2024-1709.
  • Platform: Windows
  • Additional reference: Huntress
  • Date added: April 2024