Secure Cloud Analytics Release Notes
May 2025
New Features and Updates

- AWS Potential Privilege Escalation Alert: This new alert indicates an Amazon Web Services (AWS) Application Programming Interface (API) call was made that can be utilized to escalate privileges. While these API calls can be invoked legitimately, they are also known to be utilized by threat actors. This alert requires AWS CloudTrail Logs and is disabled by default.
- Certify Active Directory CS Enumeration Alert: This new alert indicates the Certify.exe C# tool was used to enumerate AD Certificate Services or abuse a vulnerable certificate template using default low-privileged groups. Adversaries can use this tool to confirm discovery of vulnerable certificate templates and use them as an alternative means of authentication for unauthorized system access and further lateral network movement. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- Exploitation of Web Shell through CVE-2025-31324 Alert: This new alert indicates adversaries may have exploited a remote file inclusion (RFI) vulnerability in the SAP Visual Composer component of SAP NetWeaver 7.xx. This vulnerability allows them to upload arbitrary files without authentication, which later leads to establishing web shells on victim systems. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- Kerberos Relay Attempt Using KrbRelayUp Alert: This new alert indicates adversaries may have coerced their victims to generate a service ticket. Later they can relay the victim's AP_REQ message to a different service to establish an authenticated session as the victim client. KrbRelayUp is a popular tool to exploit this technique through Resource Based Constrained Delegation (RBCD), Shadow Credentials or vulnerable Active Directory Certificate Templates. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- Pass the Hash Attempt Alert: This new alert indicates a process was executed with arguments matching patterns of a "pass the hash" attempt using tools such as Impacket or Rubeus. Pass the hash is a method of authenticating as a user without having access to the user's cleartext password. Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal system access controls. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- Potential AWS CLI Exfiltration Alert: This new alert indicates the Amazon Web Services (AWS) Command Line Interface (CLI) was utilized to transfer data to a Simple Storage Service (S3) bucket that is not usually contacted. While S3 is itself perfectly legitimate, it is frequently misused for exfiltration. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- Potential Lateral Movement through Runas Alert: This new alert indicates threat actors may have abused Runas to perform lateral movement and privilege escalation within a network. Runas is a legitimate tool commonly used for changing user context within Windows environments, allowing users to run programs as a different user without logging out. By executing commands as different users with valid credentials, attackers can gain unauthorized access to sensitive systems, escalate their privileges, and bypass security controls. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- Potential Misuse of the Dropbox API for Exfiltration Alert: This new alert indicates an application that does not normally connect to the Dropbox Application Programming Interface (API) utilized it to send data outbound. Threat actors have been known to exfiltrate data using this service. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- Suspicious Active Directory Certificate Request Alert: This new alert indicates Active Directory Certificate Services (AD CS), which facilitates the issuance and management of Public Key Infrastructure (PKI) certificates, may have been exploited by adversaries to request and obtain certificates in the Personal Information Exchange (PFX) format. Once acquired, these certificates can enable persistence, lateral movement, and privilege escalation within the environment. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
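As an added illustration of the two detection patterns behind the AWS Potential Privilege Escalation alert and the "not usually contacted" alerts (Potential AWS CLI Exfiltration and Potential Misuse of the Dropbox API), the Python below is example code written for these notes; it is not Secure Cloud Analytics code and not the product's actual detection logic. It shows (1) a watchlist match over CloudTrail records, including failed attempts, and (2) a per-process destination baseline that flags the first large upload to an S3 bucket or Dropbox API host a process has never contacted before. The IAM action watchlist, the hostname patterns, the byte threshold and every sample record are constructed assumptions for the example.

```python
"""Example detectors (added illustration, not Secure Cloud Analytics code)."""
from collections import defaultdict

# Assumption: IAM actions commonly reviewed in privilege-escalation investigations.
# The product's own watchlist is not published in the release notes.
PRIV_ESC_ACTIONS = {
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy",
    "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy",
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:PassRole",
}

# Constructed CloudTrail-style records (field names follow the CloudTrail schema).
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2025-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2025-05-01T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "alice",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2025-05-01T10:03:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2025-05-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]


def flag_privilege_escalation_calls(records):
    """Return one finding per CloudTrail record whose service:action is on the
    watchlist. Failed calls (errorCode present) are kept and marked, because a
    denied attempt is still worth an analyst's attention."""
    findings = []
    for rec in records:
        service = rec["eventSource"].split(".")[0]          # "iam.amazonaws.com" -> "iam"
        action = f"{service}:{rec['eventName']}"
        if action not in PRIV_ESC_ACTIONS:
            continue
        findings.append({
            "time": rec["eventTime"],
            "action": action,
            "actor": rec.get("userIdentity", {}).get("arn", "<unknown>"),
            "source_ip": rec.get("sourceIPAddress"),
            "succeeded": "errorCode" not in rec,
            "params": rec.get("requestParameters", {}),
        })
    return findings


# Constructed NVM-style flow records: process name, destination host, bytes sent.
SAMPLE_HISTORY = [  # the learning window: what each process normally talks to
    {"process": "aws.exe", "dest_host": "backups-prod.s3.amazonaws.com", "bytes_out": 80_000_000},
    {"process": "dropbox.exe", "dest_host": "content.dropboxapi.com", "bytes_out": 5_000_000},
]
SAMPLE_FLOWS = [  # the observation window being scored against the baseline
    {"process": "aws.exe", "dest_host": "backups-prod.s3.amazonaws.com", "bytes_out": 50_000_000},
    {"process": "aws.exe", "dest_host": "rnd-drop-7f3a.s3.amazonaws.com", "bytes_out": 40_000_000},
    {"process": "excel.exe", "dest_host": "content.dropboxapi.com", "bytes_out": 25_000_000},
    {"process": "dropbox.exe", "dest_host": "content.dropboxapi.com", "bytes_out": 3_000_000},
    {"process": "chrome.exe", "dest_host": "www.example.com", "bytes_out": 90_000_000},
]


def build_destination_baseline(history):
    """Map process name -> set of destination hosts seen during the learning window."""
    baseline = defaultdict(set)
    for flow in history:
        baseline[flow["process"]].add(flow["dest_host"])
    return baseline


def is_watched_destination(host):
    """Assumed patterns: virtual-hosted S3 bucket names and the Dropbox API hosts."""
    return (host.endswith(".amazonaws.com") and ".s3." in host) or host.endswith("dropboxapi.com")


def flag_unusual_destinations(flows, baseline, min_bytes_out=1_000_000):
    """Flag outbound transfers to a watched host that this process has never
    contacted before and that exceed the (assumed) size threshold."""
    findings = []
    for flow in flows:
        host, proc = flow["dest_host"], flow["process"]
        if not is_watched_destination(host):
            continue
        if host in baseline.get(proc, set()):      # normal for this process
            continue
        if flow["bytes_out"] < min_bytes_out:      # too small to matter here
            continue
        findings.append({"process": proc, "dest_host": host, "bytes_out": flow["bytes_out"]})
    return findings


if __name__ == "__main__":
    for f in flag_privilege_escalation_calls(SAMPLE_CLOUDTRAIL):
        print("priv-esc API call:", f)
    for f in flag_unusual_destinations(SAMPLE_FLOWS, build_destination_baseline(SAMPLE_HISTORY)):
        print("unusual destination:", f)
```

On the sample data the first detector raises two findings (the successful AttachUserPolicy and the denied CreateAccessKey) and ignores the read-only ListUsers and the S3 PutObject; the second raises two (aws.exe to a never-seen bucket and excel.exe to the Dropbox API) while leaving the established backup and Dropbox client flows alone. The baseline is the part that needs care in practice: learn it over a long enough window that routine jobs are captured, and rebuild it per process rather than per host so a new process using an old destination still stands out.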
Previous Release Notes
To view the Release Notes for previous releases, see Previous Release Notes for Secure Cloud Analytics.