The Attack Hunter engine, designed to address highly advanced and emerging threats while keeping pace with evolving cyber trends worldwide, has been modified recently to deal with many new forms of malicious network activities, including shellcode injection, post-exploitation enumeration, suspicious file transfers, and critical vulnerability exploits.
The CYFOX research team has added new rules to help organizations significantly improve their threat detection and response mechanisms, thereby strengthening their overall cybersecurity posture.
Note: Customers with a physical server who want to ensure they receive the new rules must make sure their XDR server supports version 2.03.16 or above. Clients using CYFOX servers (CYFOX Cloud) do not need to perform any checks as they are always updated to the latest version.
Below is the complete list of the new rules.
Rule | Description | Impact |
ET SHELLCODE Rothenburg Shellcode | This rule identifies the presence of Rothenburg Shellcode, which is a type of malicious code used to exploit vulnerabilities in systems. | Detects attempts to inject shellcode into a system, providing early warning of potential exploitation attempts. |
ET ATTACK_RESPONSE Net User Command Response | This rule detects the response from the 'net user' command, which attackers often use to enumerate user accounts on a compromised system. | Helps identify post-exploitation activities where attackers gather information about user accounts. |
ET HUNTING SUSPICIOUS IRC - PRIVMSG .(exe|tar|tgz|zip) download command | This rule flags suspicious IRC messages that attempt to download executable files, archives, or compressed files | Aids in the detection of malicious file transfers over IRC, a common tactic used by attackers to distribute malware. |
ET EXPLOIT Malformed HeartBeat | This rule identifies malformed Heartbeat messages, which can be indicative of exploitation attempts against vulnerabilities such as the Heartbleed bug. | Provides early detection of attempts to exploit Heartbeat message handling vulnerabilities. |
ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228) | This rule detects attempts to exploit the remote code execution vulnerability in Apache Log4j via TCP LDAP traffic. | Critical detection of attempts to exploit CVE-2021-44228, a high-severity vulnerability in the Log4j library. |
Possible Apache log4j RCE Attempt - Any Protocol TCP (CVE-2021-44228) | This rule identifies potential remote code execution attempts against Apache Log4j over any TCP protocol. | Broad detection capability for various exploitation attempts targeting CVE-2021-44228. |
GPL ATTACK_RESPONSE id check returned root | This rule flags responses to the 'id' command that return 'root', indicating that the attacker has gained root privileges on the system. | Critical alert for unauthorized elevation of privileges to root, a major security breach. |
โ