Secure Cloud Analytics Release Notes
August 2025
New Features and Updates

- Outbound File Transfer using Renamed Rclone Alert: This new alert indicates adversaries may have leveraged a renamed instance of rclone to exfiltrate sensitive victim data. By masquerading as a legitimate system process, they aim to evade detection and blend into normal system activity. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- NinjaRMM Spawning an Interactive Shell Alert: This new alert indicates the Remote Monitoring and Management (RMM) tool NinjaRMM may have been used by adversaries to launch an interactive shell. An interactive shell enables them to execute commands and gain unauthorized remote control over target systems. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
- Pass the Hash Attempt Alert: This new alert indicates a process was executed with arguments matching patterns of a "pass the hash" attempt using tools such as Impacket or Rubeus. Pass the hash is a method of authenticating as a user without having access to the user's cleartext password. Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal system access controls. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.
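
As an added illustration of the kind of check the Outbound File Transfer using Renamed Rclone alert describes (this is not Cisco's detection logic), the Python below flags process-attributed flows whose binary hash is on a list of rclone hashes but whose process name is not rclone, when the transfer leaves the internal network. The record field names, hash values, internal ranges and byte threshold are all assumptions constructed for the example.

```python
import ipaddress

# Constructed placeholder digests standing in for a vetted list of rclone
# release hashes; these are NOT real rclone hashes.
KNOWN_RCLONE_SHA256 = {"a" * 64, "b" * 64}
EXPECTED_NAMES = {"rclone", "rclone.exe"}

# Assumed internal address space; adjust to the monitored environment.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records. Field names are hypothetical, not the NVM schema.
SAMPLE_FLOWS = [
    {"host": "ws-014", "process_name": "svchost.exe", "process_sha256": "a" * 64,
     "dst_ip": "203.0.113.20", "bytes_out": 734_003_200},   # renamed, outbound
    {"host": "ws-022", "process_name": "rclone.exe", "process_sha256": "b" * 64,
     "dst_ip": "198.51.100.7", "bytes_out": 52_428_800},    # not renamed
    {"host": "ws-031", "process_name": "taskhostw.exe", "process_sha256": "a" * 64,
     "dst_ip": "10.20.0.5", "bytes_out": 912_261_120},      # renamed, internal
    {"host": "ws-040", "process_name": "chrome.exe", "process_sha256": "c" * 64,
     "dst_ip": "203.0.113.99", "bytes_out": 1_048_576},     # not rclone
    {"host": "ws-051", "process_name": "lsass.exe", "process_sha256": "B" * 64,
     "dst_ip": "203.0.113.20", "bytes_out": 4_096},         # renamed, tiny
]


def is_outbound(dst_ip):
    """True when the destination is outside every assumed internal range."""
    addr = ipaddress.ip_address(dst_ip)
    return not any(addr in net for net in INTERNAL_NETS)


def renamed_rclone_transfers(flows, min_bytes_out=100 * 1024 * 1024):
    """Return flows where an rclone binary ran under another name and sent
    at least min_bytes_out to a destination outside the internal network."""
    hits = []
    for flow in flows:
        if flow["process_sha256"].lower() not in KNOWN_RCLONE_SHA256:
            continue  # binary is not a known rclone build
        if flow["process_name"].lower() in EXPECTED_NAMES:
            continue  # rclone under its own name is a separate policy question
        if not is_outbound(flow["dst_ip"]) or flow["bytes_out"] < min_bytes_out:
            continue  # internal copy or too small to treat as a file transfer
        hits.append(flow)
    return hits


if __name__ == "__main__":
    for hit in renamed_rclone_transfers(SAMPLE_FLOWS):
        print(hit["host"], hit["process_name"], hit["dst_ip"], hit["bytes_out"])
```
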
Previous Release Notes
To view the Release Notes for previous releases, see Previous Release Notes for Secure Cloud Analytics.