On March 2, Microsoft released security updates to mitigate four critical zero-day Microsoft Exchange Server vulnerabilities that were actively exploited by a threat group they call HAFNIUM. Since the initial attacks, Unit 42 and a number of other threat intelligence teams have observed multiple threat actors exploiting these zero-day vulnerabilities in the wild. Shortly after the public disclosure, we published a Threat Assessment and a threat hunting blog post explaining how to actively defend against these specific vulnerabilities.

In this blog post, our goal is to highlight how our Managed Threat Hunting team was able to detect these zero-day threats using Cortex XDR before the Microsoft Exchange vulnerabilities were publicly disclosed. This naturally resulted in our clients being able to prevent these threat actors from conducting post-exploit activity before many of their peers in the industry. The Cortex XDR Managed Threat Hunting (MTH) team is a group of cybersecurity specialists that provides threat hunting services to a subset of Cortex XDR customers.

In this section we will be walking through how MTH team members identified and investigated a number of incidents tied to the ongoing exploitation of the recent Microsoft Exchange Server vulnerabilities. This step-by-step deep dive will hopefully give readers a glimpse into how the critical combination of machine learning in Cortex XDR and human expertise helps identify and act on zero-day threats.

In several of the cases we investigated, the Cortex XDR analytics engine raised an "Uncommon net group execution" alert. The alert read: "The Cortex XDR behavioral analytics engine detected this command invocation as an anomaly based on its machine learning models. 0 other such command invocations were made in the last 30 days", with the child process command line: net group "Exchange Organization administrators" administrator /del /domain. This immediately caught our attention because adversaries often abuse the net utility tool.

Behavioral analytics allows Cortex XDR to uncover stealthy attacker tactics and techniques with an exceptionally low rate of false positives. The behavioral analytics engine works by profiling the behavior of users, hosts, endpoint processes, and more using machine learning, and then generates an alert if it detects anomalous activity indicative of attacks.