Secure Cloud Analytics Release Notes
April 2025
New Features and Updates

- AWS IAM Role Creation Backdoor Alert: This new alert indicates adversaries may have assumed roles on the victim account using external identities. They create a new role that grants those identities AssumeRole permission, which allows them to achieve persistence on the victim account. This alert requires AWS CloudTrail Logs and is disabled by default.
- New Active Directory Hidden User Account Added Alert: This new alert indicates adversaries may have added hidden user accounts that will not show up in certain places, such as the output of the net user utility. This is legitimately useful for some system services, but can also be utilized for Defense Evasion and Persistence by threat actors. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- Suspicious Use of Discovery Tools Alert: This new alert indicates suspicious behaviors were detected on the endpoint that are known to be used by threat actors to conduct discovery and enumeration of an environment. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- GCP Anomalous IAM Modification Alert: This new alert indicates a user or Service Account that does not normally modify Identity and Access Management (IAM) policies or invite new users to a project successfully performed one of those actions. This may be legitimate activity, but if not it can indicate Persistence. This alert requires Google Cloud Platform (GCP) Audit Logs and is disabled by default.
- Network Traffic Observed from Service Host Child Process Alert: This new alert indicates the Service Host (svchost.exe) process has been observed initiating a child process that established a network connection with elevated administrator privileges. While this behavior can be associated with legitimate system operations, it is also a known tactic employed by threat actors to facilitate malicious activities such as Persistence and Defense Evasion. This detection should be scrutinized for anomalies, such as unusual parent-child process relationships, which may indicate potential misuse by adversaries. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- Residential Proxy Application Utilized Alert: This new alert indicates a process known to be utilized for residential or peer-to-peer proxy services was executed on a device where that was anomalous. While these utilities have legitimate personal use cases, they are generally not allowed in enterprise environments and can introduce various risks. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- Potential Lateral Movement through PsExec Alert: This new silent alert indicates adversaries may have used the PsExec tool to perform lateral movement by executing commands or deploying payloads on remote systems using stolen credentials. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and will not be visible unless correlated with another alert.
- NTLM Relay Exploitation via Inveigh Alert: This new alert indicates adversaries may have created a malicious relay for common name resolution protocols such as Link-Local Multicast Name Resolution (LLMNR) or Network Basic Input/Output System Name Service (NBT-NS), allowing them to steal credentials or poison responses. Inveigh is a popular open source project that facilitates this technique on Windows devices. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
Previous Release Notes
To view the Release Notes for previous releases, see Previous Release Notes for Secure Cloud Analytics.