< ciso brief />

All news with #detection rule tag

9 articles

Google Drive Enables Ransomware Detection by Default

🛡️ Google has made its AI-powered Google Drive ransomware detection generally available and enabled it by default for paying Workspace customers. The feature scans files as they sync from desktop computers and pauses Drive syncing when ransomware-encrypted files are detected, alerting users and admins. It provides guided instructions and a Drive restoration tool to recover corrupted files, and Google says its latest model detects 14x more infections. Admins may disable the feature in the Admin console, and endpoints need Drive for desktop v.114+ for full alerting functionality.

Copilot Studio Agent Security: Top 10 Detectable Risks

🔒 The Microsoft Defender Security Research Team describes the top 10 misconfigurations that make Copilot Studio agents risky across enterprises. The post explains how small choices — broad sharing, weak authentication, raw HTTP calls, hard-coded secrets, orphaned agents, and unconstrained orchestration — create exploitable paths. It includes Advanced Hunting Community Queries to detect these issues and a short mitigation checklist to reduce exposure. The guidance stresses treating agents as production assets with lifecycle governance and least-privilege controls.

SIEM Rules to Detect FortiCloud SSO Authentication Bypass

🔒 Kaspersky has released a set of SIEM correlation rules to detect exploitation of FortiCloud SSO authentication bypasses in Fortinet products. The rules target activity related to CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858, which allow an attacker with a FortiCloud account to access devices when SSO is enabled. The downloadable package ([OOTB] FortiCloud SSO abuse package – ENG) contains IOC, critical admin action, and suspicious activity rule groups; administrators should tune exceptions to reduce false positives and ensure Fortinet events are fully normalized with the "Extra" field populated for effective detection.

Mandiant/GCP Release Net-NTLMv1 Rainbow Tables for Defenders

🔐 Mandiant and Google Cloud published a comprehensive dataset of Net-NTLMv1 rainbow tables to accelerate defender validation and mitigation of this long-deprecated protocol. The tables make known-plaintext attacks trivial, enabling recovery of authenticating password hashes in under 12 hours on consumer hardware costing less than $600. The release includes SHA512 checksums, usage guidance with tools like rainbowcrack and ntlmv1-multi, and prescriptive remediation steps to disable Net-NTLMv1 and monitor for coercion-based authentications.

CISA Update: BRICKSTORM Backdoor Analysis Release Notice

🛡️ Today, CISA, the NSA, and the Canadian Centre for Cyber Security released an update to the Malware Analysis Report for the BRICKSTORM backdoor. The update adds indicators of compromise (IOCs) and two new YARA detection signatures to cover additional samples, including Rust-based variants. Analysts observed advanced persistence and defense-evasion behaviors (including running as background services) and improved command-and-control via encrypted WebSocket channels. Organizations are strongly urged to deploy the updated IOCs and signatures, follow the detection guidance to scan and remediate affected systems, and report suspected infections to CISA’s 24/7 Operations Center.

SecAlerts: Faster, Smarter Vulnerability Tracking Platform

🔔 SecAlerts provides a streamlined, cloud-native vulnerability notification service that maps new advisories directly to the software you run, avoiding intrusive scans or local installs. Using near-real-time sources rather than relying solely on the NVD, it reduces alert noise through configurable Stacks, Channels, and Alerts, so teams only receive actionable notifications. The platform includes a searchable Feed, visualised severity metrics, per-client properties for MSSPs, an API for integrations, and audit-ready reporting to accelerate remediation.

GreyNoise launches free IP scanner to detect botnet

🔍 GreyNoise Labs has launched GreyNoise IP Check, a free scanner that lets users determine whether an IP address has been observed performing malicious scanning activity, including botnets and residential proxy traffic. The web tool returns one of three statuses — Clean, Malicious/Suspicious, or Common Business Service — and, when applicable, provides a 90-day activity timeline to help pinpoint potential infection points. A rate-limit-free JSON API is available for integration, and GreyNoise recommends conducting malware scans, updating device firmware, securing router credentials, and disabling unneeded remote access when an IP appears suspicious.

Researchers Expose TA585 Delivering MonsterV2 RAT via Phishing

🔎 Proofpoint researchers detailed a previously undocumented actor, TA585, observed delivering the off‑the‑shelf malware MonsterV2 through tailored phishing chains. The actor appears to manage its entire operation — infrastructure, delivery, and payload installation — employing web injections, CAPTCHA overlays and ClickFix social engineering to trigger PowerShell or Run commands. MonsterV2 functions as a RAT, stealer and loader with HVNC, keylogging, clipboard clippers and a C++ crypter (SonicCrypt) to evade detection. Proofpoint also links parts of the infrastructure to other stealer campaigns and highlights commercialized pricing and geographic filtering in its monetization.

Can AI Reliably Write Vulnerability Detection Checks?

🔍 Intruder’s security team tested whether large language models can write Nuclei vulnerability templates and found one-shot LLM prompts often produced invalid or weak checks. Using an agentic approach with Cursor—indexing a curated repo and applying rules—yielded outputs much closer to engineer-written templates. The current workflow uses standard prompts and rules so engineers can focus on validation and deeper research while AI handles repetitive tasks.