Secure Cloud Analytics Release Notes

Command-Line Arguments Associated with AdFind Execution Alert: This new alert indicates an executable with command-line arguments specific to AdFind was executed on a Windows device and made a network connection. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.

Execution of AdFind Binary for Discovery Alert: This new alert indicates the utility AdFind was executed on a Windows host and made a network connection. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.

File Download from Code Repository using BITSAdmin Alert: This new alert indicates the Service Host (svchost.exe) process has been observed executing with BITS (Background Intelligent Transfer Service) arguments. While BITS is a legitimate Windows service used for background file transfers (e.g., Windows updates), adversaries may abuse it by creating jobs via bitsadmin to deliver tools or malware from external platforms such as Github or Bitbucket. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.

Network Connection Made by NetCat Alert: This new alert indicates the utility NetCat was executed and made a network connection. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.

Network Traffic from Child Process of screensaver.exe Alert: This new alert indicates outbound network activity originated from a process spawned by parent process screensaver.exe. Threat actors may drop tools or payloads exhibiting this behavior in an effort to conceal the activity on the endpoint. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.

Renamed Command Prompt Execution on Windows Alert: This new alert indicates a utility not named cmd.exe but with command line arguments specific to the Windows Command Processor was executed on Windows and made a network connection. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.