MaxPatrol SIEM vs cryptographers: Added 62 new rules for detecting threats

Positive Technologies specialists have updated their product expertise.

MaxPatrol SIEM has expanded its threat detection capabilities: 62 new rules have been added to the product. With them, the security event monitoring system can detect, among other things, ransomware activity and further indicators of hacker tools.
The updates affected the following packages:
  • "Attacks using specialized software",
  • "Brute-force attacks",
  • "Investigation of running processes in Windows",
  • "Network devices. Indicators of compromise",
  • the tactics "Credential Access", "Execution", "Defense Evasion", "Collection", "Impact", "Lateral Movement", "Persistence", "Privilege Escalation", "Command and Control" and "Discovery".

Cybercriminals are constantly improving their attack methods and creating new tools to remain invisible to security controls. Positive Technologies experts continue to track trends in cyber attacks, study specialized forums where malware and tools are developed and sold, and analyze public incident investigation reports (including those issued by the company's own security expert center). Based on up-to-date data on how attackers operate, Positive Technologies regularly updates the expertise in MaxPatrol SIEM.

Among the most important rules in the published updates, MaxPatrol SIEM users can detect:
  • typical ransomware actions, such as mass creation or modification of files by the same process;
  • additional indicators of hacker tools that were already covered by detectors; among them, for example, PPLBlade, Powermad, NimExec and SharpHound, which is still actively used in attacks;
  • popular techniques of the Defense Evasion tactic from the MITRE ATT&CK matrix: "Loading third-party DLLs" (used by malware and APT groups to penetrate the network and escalate privileges) and "Parent PID spoofing" (used by attackers to hide malicious actions by changing the parent of a process).
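The first rule class above (one process creating or modifying many files in a short time) is simple enough to sketch as a detection. The script below is an added example, not MaxPatrol SIEM's own rule logic, which the announcement does not publish: it applies a sliding-window count of distinct files touched per process to constructed file-event lines. The log line format, the 60-second window and the threshold of 20 files are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values; a real rule would set these per host class.
WINDOW = timedelta(seconds=60)
THRESHOLD = 20


def parse_event(line):
    """Parse one constructed event line of the form
    '<ISO timestamp> pid=.. | image=.. | action=.. | path=..' into a dict."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split(" | "))
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def detect_mass_file_changes(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per process that creates or modifies at least
    `threshold` distinct files within any `window`-long span of events.
    Events are assumed to arrive in timestamp order."""
    recent = defaultdict(deque)   # (pid, image) -> deque of (ts, path) inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["action"] not in ("create", "modify"):
            continue
        key = (ev["pid"], ev["image"])
        q = recent[key]
        q.append((ev["ts"], ev["path"]))
        # Drop events that have fallen out of the sliding window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {path for _, path in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "pid": ev["pid"],
                "image": ev["image"],
                "files": len(distinct),
                "first_seen": q[0][0].isoformat(),
                "last_seen": ev["ts"].isoformat(),
            })
    return alerts


def build_sample_events():
    """Constructed telemetry (not real logs): background activity, slow churn
    that stays under the window, and one burst typical of encryption."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    lines = []
    # An editor saving a few documents over several minutes.
    for i in range(3):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} pid=1200 | "
                     f"image=C:\\Program Files\\Editor\\editor.exe | action=modify | "
                     f"path=C:\\Users\\alice\\Documents\\report{i}.docx")
    # 25 files created by a system process, but spread over 25 minutes: no alert.
    for i in range(25):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} pid=3300 | "
                     f"image=C:\\Windows\\System32\\svchost.exe | action=create | "
                     f"path=C:\\Windows\\Temp\\cache{i}.tmp")
    # 25 user documents rewritten by an unknown binary within 30 seconds: alert.
    for i in range(25):
        lines.append(f"{(base + timedelta(minutes=5, seconds=i)).isoformat()} pid=4412 | "
                     f"image=C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe | action=modify | "
                     f"path=C:\\Users\\alice\\Documents\\file{i}.xlsx")
    lines.sort()  # ISO timestamps sort lexically, so this orders by time
    return lines


if __name__ == "__main__":
    for alert in detect_mass_file_changes(build_sample_events()):
        print(alert)
```

Only the burst from pid 4412 fires; the slow churn never holds 20 files inside one window, which is the point of keying on rate rather than total count. In production the same logic needs an allowlist for legitimate bulk writers (backup agents, updaters, compilers) keyed on image path or signer, and the threshold should be tuned per host class.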

According to PT Expert Security Center, in 2021-2023, 21% of incidents involved encryption or wiping of data on corporate infrastructure nodes. The most common ransomware families were Black Basta, Rhysida, and LockBit, and ransomware operators continue to expand their arsenal. Positive Technologies notes that ransomware quickly spreads from one node to another. "With the updated expertise package, MaxPatrol SIEM users will receive a signal about the first computer attacked by the ransomware. By removing the virus in a timely manner, they will be able to stop the attack at an early stage and promptly investigate the incident," the company added.

To start using the new rules and event enrichment mechanisms, update MaxPatrol SIEM to version 7.0 or later and install the expertise package updates.