Several changes have been made to the Threat Detection Content in Live.
In order to facilite a hunting workflow we've added the following pieces of content:
- IDN Homograph Parser - This flags punycode encoded International Domain Names (IDNs) with glyphs (characters) that resemble Latin Unicode characters. For example: "www.xn--80ak6aa92e.com" looks like "www.apple.com". In addition to flagging a possible homograph, the decoded hostname is registered as well.
Based on our research into Exploit Kits we're pushing a number of signatures that will provide insight and detection for various Exploit Kit behavior and related activity.
- RIG Exploit Kit App Rule - This rule looks for specific anchor patterns in URLs that are found in RIG Exploit Kit related URLs.
- RIG Exploit Kit ESA Rule - This rule functions by looking for the presence of an iframe with an external source (IP/Host) followed by certain patterns within a query string (flagged by the RIG App Rule) or a match to a shadow domain pattern that was discovered during infrastructure analysis.
- Dreambot Application Rule - RIG EK has been found distributing this banking trojan, but it's also distributed via SPAM e-mails. The trojan communicates via Tor. This rule detects the beaconing activity from an infected host.
In addition other vulnerabilities, exploits, malware, and requests has surfaced via public and private research channels.
- SuperCMD Parser - A trojan dropped by a dropper that uses legitimate signed Novell drivers that are vulnerable to a privilege escalation. The trojan is then written as a rootkit to the kernel without triggering WIndows UAC. This parser detects the custom communication protocol, and decodes and registers the infected system's hostname, MAC, and IP address as additional meta-data.
- ESA Event Source Monitor ESA Rule - This rule monitors logs being ingested into the system and will create an alert that has an 'event time' of one hour or greater (in the past) relative to the current ESA processing time. This could indicate a lag in processing time or a skew in device time.
In addition other vulnerabilities, exploits and malware has surfaced via public and private research channels.
- HTTP Lua Parser - Updated to include detection of the Apache Struts Vulnerability
- RTF Fingerprint Parser - The parser was updated to look for embedded 'script' or 'CreateObject' attributes within an RTF document (https://arstechnica.com/security/2017/04/microsoft-word-0day-used-to-push-dangerous-dridex-malware-on-millions/)
Other bug fixes and changes
- pvid Lua Parser - bug fixes
- traffic_flow - bug fixes
- Hunting Feed - removes stale entries that are no longer relevant given the new meta-keys.
We strive to provide timely and accurate detection of threats as well as traits that can help analysts hunt through network and log data. Occasionally this means retiring content that provides little-to-no value.
- Fake AntiVirus App Rule - This rule flagged too many sessions/logs, and provided very little contextual value.
- Escalation - Multiple Informational - This rule provided very little contextual value.
- Escalation - Multiple Suspicious - This rule provided very little contextual value.
- Escalation - Multiple Blacklist Feed Hits - This rule provided very little contextual value.
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.