Secure Cloud Analytics Release Notes

GoodSync Utilized for Outbound File Transfer Alert: This new silent alert indicates threat actors may have used the GoodSync tool to exfiltrate stolen victim data to unusual destinations. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and will not be visible unless correlated with another alert.

Outbound File Transfer using S3 Browser Alert: This new alert indicates a S3 Browser was executed in a manner that is not consistent with typical utilization patterns. S3 Browser is a legitimate third party tool for managing Amazon Web Services (AWS) that is known to have been misused by threat actors. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.

Potential Lateral Movement via DCOM MMC Execution Alert: This new alert indicates the Microsoft Management Console (MMC) was spawned using Distributed COM (DCOM). MMC is a legitimate Windows framework used by administrators to manage system settings, services, and resources. Due to its capabilities and support for remote management, MMC has been used by threat actors to laterally move within a network. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.

Quick Assist Executed via Uniform Resource Indicator Alert: This new alert indicates Microsoft Quick Assist, a Remote Management Tool that is built in on Windows, was executed via a Uniform Resource Indicator (URI) from another application. Threat actors utilize social engineering to convince users to open Quick Assist sessions in this manner as a means of Initial Access. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.

Silent Uninstalling of Security Tools Alert: This new alert indicates the process of removing protective software from a system without showing any prompts or alerts to the user was detected. Attackers use this technique to weaken system defenses and operate undetected, avoiding interference from security mechanisms. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.

Suspicious AnyDesk Execution Alert: This new alert indicates an AnyDesk execution was detected that is consistent with known misuse. The Remote Monitoring and Management (RMM) tool AnyDesk is legitimately utilized by administrators, but is also known to be misused by threat actors. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.