Summary
Several changes have been made to the Threat Detection Content in Live.
Additions
Detection
- Webshell Pattern ESA Rule - This ESA rule helps escalate suspected webshell activity. It fires when three or more sessions between the same source and destination IP addresses contain webshell indicators within a given time window. Both the session count and the time window are configurable, so the rule can be tuned per environment.
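The correlation the rule performs, counting indicator-bearing sessions per source/destination pair inside a sliding window, is shown below as an added example. It is a Python sketch written for this page, not RSA's EPL rule; the session records and indicator names (webshell_cmd_param, webshell_filename, webshell_user_agent) are constructed placeholders rather than NetWitness meta keys.

```python
"""Sliding-window session correlation, in the spirit of the Webshell Pattern ESA rule.

Added example: this is not RSA's EPL rule. Sessions and indicator names are
constructed placeholders, not NetWitness meta keys.
"""
from collections import defaultdict, deque

# Constructed placeholder indicator tags. In a real deployment these would be
# the meta values your webshell parsers and app rules already produce.
WEBSHELL_INDICATORS = {"webshell_cmd_param", "webshell_filename", "webshell_user_agent"}


def has_webshell_indicator(session):
    """True if any of the session's indicator tags is a webshell indicator."""
    return bool(WEBSHELL_INDICATORS.intersection(session["indicators"]))


def escalate_webshell_sessions(sessions, threshold=3, window_seconds=300):
    """Return one alert per (src_ip, dst_ip) pair that accumulates at least
    `threshold` indicator-bearing sessions inside a sliding window of
    `window_seconds`.

    Sessions are processed in time order, as a streaming rule would see them.
    After a pair fires its window is cleared, so a long-running webshell
    conversation yields one alert per `threshold` sessions, not one per session.
    """
    recent = defaultdict(deque)   # (src, dst) -> timestamps of matching sessions
    alerts = []
    for s in sorted(sessions, key=lambda s: s["time"]):
        if not has_webshell_indicator(s):
            continue                      # benign sessions never count
        key = (s["src_ip"], s["dst_ip"])
        hits = recent[key]
        hits.append(s["time"])
        # Drop anything that fell out of the window (the newest entry always stays).
        while s["time"] - hits[0] > window_seconds:
            hits.popleft()
        if len(hits) >= threshold:
            alerts.append({
                "src_ip": key[0],
                "dst_ip": key[1],
                "count": len(hits),
                "first_seen": hits[0],
                "last_seen": s["time"],
            })
            hits.clear()
    return alerts


T0 = 1_700_000_000  # constructed epoch base time

# Constructed sessions; "time" is seconds since the epoch.
SAMPLE_SESSIONS = [
    # 10.0.0.5 -> 192.0.2.10: three indicator sessions in two minutes, one benign in between
    {"time": T0,        "src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "indicators": ["webshell_cmd_param"]},
    {"time": T0 + 30,   "src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "indicators": ["webshell_user_agent"]},
    {"time": T0 + 90,   "src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "indicators": []},
    {"time": T0 + 120,  "src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "indicators": ["webshell_filename"]},
    # 10.0.0.7 -> 192.0.2.10: three indicator sessions, but ten minutes apart
    {"time": T0,        "src_ip": "10.0.0.7", "dst_ip": "192.0.2.10", "indicators": ["webshell_cmd_param"]},
    {"time": T0 + 600,  "src_ip": "10.0.0.7", "dst_ip": "192.0.2.10", "indicators": ["webshell_cmd_param"]},
    {"time": T0 + 1200, "src_ip": "10.0.0.7", "dst_ip": "192.0.2.10", "indicators": ["webshell_cmd_param"]},
    # 10.0.0.9 -> 192.0.2.10: only two indicator sessions
    {"time": T0 + 5,    "src_ip": "10.0.0.9", "dst_ip": "192.0.2.10", "indicators": ["webshell_filename"]},
    {"time": T0 + 10,   "src_ip": "10.0.0.9", "dst_ip": "192.0.2.10", "indicators": ["webshell_filename"]},
]

if __name__ == "__main__":
    for alert in escalate_webshell_sessions(SAMPLE_SESSIONS):
        print(alert)
```

With the defaults only the 10.0.0.5 pair escalates; the 10.0.0.7 pair has the same number of hits but they are spread over twenty minutes, so each one ages out before the next arrives. Widening the window to thirty minutes makes that pair fire as well, which is the trade-off the configurable window exposes: a longer window catches slow, patient operators at the cost of more correlation state and more false escalations from scanners that trip the indicators once a day.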
Changes
Hunting
- HTML_Threat Lua Parser - Hidden 'DIV' and 'SPAN' tags are now recorded as meta. These HTML elements can be styled so that the browser does not display them, and they are often used to conceal redirection to exploit kits (for example, a hidden iframe). On their own they are not worth investigating, but they provide additional visibility and accuracy for downstream analysis.
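What "hidden" means in practice, and why the container is worth noting even though it is not an alert by itself, is shown below as an added example. This is a Python sketch written for this page, not the HTML_Threat Lua parser; it flags div and span elements hidden by the `hidden` attribute or by common inline-style tricks and records the tags nested inside them, so a hidden iframe or script (the redirection the text refers to) is visible in the output. The sample page and its URLs are constructed.

```python
"""Flag hidden <div>/<span> elements in HTML and note what they contain.

Added example: this is not the HTML_Threat Lua parser, only a Python sketch
of the same idea. The sample page and URLs below are constructed.
"""
import re
from html.parser import HTMLParser

# Inline-style tricks commonly used to keep an element out of the visible page.
HIDE_PATTERNS = [
    ("display:none",        re.compile(r"display\s*:\s*none", re.I)),
    ("visibility:hidden",   re.compile(r"visibility\s*:\s*hidden", re.I)),
    ("zero size",           re.compile(r"\b(?:height|width)\s*:\s*0(?:px)?\s*(?:;|$)", re.I)),
    ("off-screen position", re.compile(r"\b(?:left|top)\s*:\s*-\d{3,}px", re.I)),
]


def hide_reason(attrs):
    """Return a short label for why the element is hidden, or None if it is not."""
    if "hidden" in attrs:                      # the HTML5 boolean attribute
        return "hidden attribute"
    style = attrs.get("style") or ""
    for label, pattern in HIDE_PATTERNS:
        if pattern.search(style):
            return label
    return None


class HiddenElementParser(HTMLParser):
    """Records every hidden div/span and the tags nested inside it."""

    TRACKED = ("div", "span")

    def __init__(self):
        super().__init__()
        self.meta = []     # one record per hidden div/span, in document order
        self._open = []    # stack of (tag, record-or-None) for open div/span tags

    def _enclosing_hidden(self):
        for _, record in reversed(self._open):
            if record is not None:
                return record
        return None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        parent = self._enclosing_hidden()
        if parent is not None:
            # Note what the hidden container wraps; a src is the useful part.
            parent["children"].append(f"{tag}[src={attrs['src']}]" if "src" in attrs else tag)
        if tag in self.TRACKED:
            record = None
            reason = hide_reason(attrs)
            if reason:
                record = {"tag": tag, "reason": reason, "children": []}
                self.meta.append(record)
            self._open.append((tag, record))

    def handle_endtag(self, tag):
        if tag in self.TRACKED:
            # Pop back to the nearest matching open tag; tolerates sloppy nesting.
            for i in range(len(self._open) - 1, -1, -1):
                if self._open[i][0] == tag:
                    del self._open[i:]
                    break


def find_hidden_elements(html):
    """Parse `html` and return the hidden div/span records."""
    parser = HiddenElementParser()
    parser.feed(html)
    parser.close()
    return parser.meta


# Constructed sample page: one benign span, then three hidden containers.
SAMPLE_HTML = """<html><body>
<div class="content">Welcome to our <span style="font-weight:bold">site</span></div>
<div style="display:none"><iframe src="http://198.51.100.23/landing.php" width="1" height="1"></iframe></div>
<span style="position:absolute; left:-9999px">nothing to see</span>
<div hidden><script src="http://198.51.100.23/gate.js"></script></div>
</body></html>"""

if __name__ == "__main__":
    for record in find_hidden_elements(SAMPLE_HTML):
        print(record)
```

The benign bold span produces nothing, while the three hidden containers each produce one record; the first and third carry the iframe and script source they wrap, which is the piece an analyst would pivot on. This is also why the meta is not an alert on its own: hidden elements are routine in legitimate pages (collapsed menus, off-screen accessibility text), so the value comes from combining it with other indicators downstream.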
Detection
- Locky App Rule - Additional logic was added to differentiate Locky-related traffic from Cryptoshield traffic. This should lead to more accurate identification of Locky, so analysts know what they need to triage.
- Cerber Ransomware App Rule - The payment sites used by Cerber have shifted as part of the ongoing campaign. The rule was updated with the current pay sites to provide continued detection of this threat.
- Cerber 6 ESA Rule - The ports Cerber uses post-infection have changed. The rule was updated to reflect the new ports and provide ongoing detection.
Retired
We strive to provide timely and accurate detection of threats, as well as traits that help analysts hunt through network and log data. Occasionally this means retiring content that provides little to no value.
- Fake Codec Malware Indicators - The app rule proved inaccurate under most circumstances, and fake codec lures are not a common threat vector.
- Skype Login - Skype logins are now encrypted, which leaves this application rule unable to detect logins and therefore unnecessary.
EOPS Policy
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.