Secure Cloud Analytics Release Notes
November 2024
New Features and Updates
- Sensor OS update: We've released version 5.1.3 of the ONA on-prem sensor, ona-24.04.1-server-amd64.iso, which is based on Ubuntu 24.04. Sensors running Ubuntu 20.04 or earlier should be refreshed to the updated image to continue receiving security updates for the operating system. To download the newest sensor, log in to your Secure Cloud Analytics portal and select Help (?) > On-Prem Sensor Install.
- AWS S3 Bucket Policy Backdoor Alert: This new alert indicates that an S3 bucket access policy may have been altered by an adversary to grant access to their own infrastructure, a common step before exfiltrating victim data. This alert requires AWS CloudTrail logs and is disabled by default.
- Download of Executable Files using WebDAV Alert: This new alert indicates that an executable file was downloaded over the WebDAV protocol. This can be legitimate use, but the technique has also been used in threat actor campaigns. This alert requires the Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- GCP Compute Engine Password Reset Alert: This new alert indicates that the password for a Windows Compute Engine instance was reset through a GCP API call rather than locally or through a domain. This may be legitimate behavior, but threat actors have used it for lateral movement in real-world incidents. This alert requires GCP Audit Logs and is disabled by default.
- MSIExec Proxy Network Connection Alert: This new alert indicates that msiexec.exe was used to download content in quiet mode. This activity has legitimate purposes, but threat actors have used it to evade defenses. This alert requires the Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- NSCurl Download Activity Alert: This new alert indicates that a binary was downloaded with nscurl, which leaves the downloaded file without the macOS quarantine flag and can therefore subvert security controls that depend on it. This alert requires the Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- Persistent High Throughput Connection Alert: This new alert indicates that a long-lived, high-throughput connection was detected. Adversaries can use such connections to exfiltrate large amounts of sensitive data from victim environments. This alert requires NetFlow and is disabled by default.
- Potential Enterprise Chat Command and Control Alert: This new alert indicates that adversaries may be using enterprise chat applications for their command and control communications, possibly in an attempt to evade detection. This alert requires the Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- PowerSharpPack Activity Alert: This new alert indicates that PowerSharpPack activity was detected. Although the toolkit is primarily intended for red teaming and penetration testing, threat actors can use it as well. This alert requires the Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- PowerShell Commands Executed in Non-PowerShell Processes Alert: This new alert focuses on common PowerShell techniques executed through processes other than PowerShell, which may indicate malicious activity. This alert requires the Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- System Binary Executed from an Unusual Location Alert: This new alert indicates that a known system binary was executed from an unusual location, which can indicate an adversary masquerading malicious activity as a legitimate binary. This alert requires the Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- The Anomalous Domain Controller Activity alert has been removed and replaced by the following three new alerts:
  - High Throughput Detected on Domain Controller Alert: A domain controller was detected with unusually high throughput. This may indicate data exfiltration, denial of service, or other unauthorized activity.
  - New Domain Controller External Peer Detected Alert: A domain controller was detected communicating with a new external peer, deviating from its usual behavior. This may indicate the presence of a new service or a potential compromise.
  - New Domain Controller Profile Detected Alert: A new network profile was detected that deviates from the domain controller's usual behavior. This may indicate the presence of a new service or a potential compromise.
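The S3 Bucket Policy Backdoor alert above watches CloudTrail for bucket policy changes that hand data to outside principals. The following is an added illustration of that detection pattern, written for this page in Python; it is not Secure Cloud Analytics' own alert logic. The trusted account IDs, the org-scoping condition handling and the sample CloudTrail records are all constructed assumptions.

```python
"""Flag S3 PutBucketPolicy events that grant access to principals outside the
organisation. Added illustration; not Secure Cloud Analytics' detection logic."""
import json

# Assumption: account IDs owned by the organisation. Grants to any other AWS
# account, or to "*" without an org-scoping condition, are treated as external.
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_account(principal):
    """Account ID behind an AWS principal ('*' for wildcard, None if not an account)."""
    if principal == "*":
        return "*"
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[4]:
        return parts[4]          # arn:aws:iam::<account>:root / user / role
    return None


def _scoped_to_org(stmt):
    """True if the statement restricts callers to an AWS Organization."""
    for operator, keys in (stmt.get("Condition") or {}).items():
        if operator.lower().startswith("stringequals") and any(
                k.lower() == "aws:principalorgid" for k in keys):
            return True
    return False


def external_grants(policy, trusted=TRUSTED_ACCOUNTS):
    """Return Allow statements that grant an untrusted AWS principal access."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or principal is None:
            continue
        if principal == "*":
            aws_principals = ["*"]
        elif isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS", []))  # Service principals are skipped
        else:
            continue
        for p in aws_principals:
            acct = _principal_account(p)
            if acct == "*" and _scoped_to_org(stmt):
                continue          # wildcard limited to our own organisation
            if acct == "*" or (acct is not None and acct not in trusted):
                findings.append({"sid": stmt.get("Sid"), "principal": p,
                                 "actions": _as_list(stmt.get("Action", []))})
    return findings


def scan_cloudtrail(records, trusted=TRUSTED_ACCOUNTS):
    """Walk CloudTrail records and alert on PutBucketPolicy calls with external grants."""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") != "PutBucketPolicy":
            continue
        params = rec.get("requestParameters") or {}
        policy = params.get("bucketPolicy")
        if isinstance(policy, str):      # some trails carry the policy as a JSON string
            policy = json.loads(policy)
        grants = external_grants(policy or {}, trusted)
        if grants:
            alerts.append({"time": rec.get("eventTime"), "bucket": params.get("bucketName"),
                           "actor": rec.get("userIdentity", {}).get("arn"),
                           "source_ip": rec.get("sourceIPAddress"), "grants": grants})
    return alerts


# Constructed CloudTrail records (not real log data), trimmed to the fields used.
SAMPLE_RECORDS = [
    {   # benign: policy only grants to an account we own
        "eventTime": "2024-11-05T09:12:01Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketPolicy", "sourceIPAddress": "10.0.4.7",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops"},
        "requestParameters": {"bucketName": "app-logs", "bucketPolicy": {
            "Version": "2012-10-17", "Statement": [{"Sid": "Internal", "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-logs/*"}]}}},
    {   # benign: wildcard principal scoped to our organisation, policy as a string
        "eventTime": "2024-11-05T09:13:44Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketPolicy", "sourceIPAddress": "10.0.4.7",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops"},
        "requestParameters": {"bucketName": "shared-assets", "bucketPolicy": json.dumps({
            "Version": "2012-10-17", "Statement": [{"Sid": "OrgRead", "Effect": "Allow",
            "Principal": "*", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::shared-assets/*",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]})}},
    {   # suspicious: read access handed to an account we do not own
        "eventTime": "2024-11-05T23:58:10Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketPolicy", "sourceIPAddress": "203.0.113.50",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:role/ci-deploy"},
        "requestParameters": {"bucketName": "customer-exports", "bucketPolicy": {
            "Version": "2012-10-17", "Statement": [{"Sid": "Backdoor", "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::999999999999:root"]},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::customer-exports", "arn:aws:s3:::customer-exports/*"]}]}}},
]

if __name__ == "__main__":
    for alert in scan_cloudtrail(SAMPLE_RECORDS):
        print(json.dumps(alert, indent=2))
```

Run as written, it raises one alert, for the customer-exports bucket. Two tuning points a practitioner would add before relying on it: compare the new policy against the previously stored one so that a long-standing grant does not re-alert on every PutBucketPolicy, and allowlist intentionally public buckets, since a bare Principal "*" with no org condition is reported as external here.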
Previous Release Notes
To view the Release Notes for previous releases, see Previous Release Notes for Secure Cloud Analytics.