Summary:
Qualys has introduced Advanced Hunting, a feature in its Endpoint Detection and Response (EDR) platform that empowers security teams to proactively search for threats and identify potential breaches. Utilizing the Qualys Query Language (QQL), analysts can leverage predefined hunting queries to uncover malicious activities that may evade traditional detection methods. This approach enhances overall security and incident response capabilities.
#ThreatHunting #QualysEDR #ProactiveSecurity
Qualys has introduced Advanced Hunting, a feature in its Endpoint Detection and Response (EDR) platform that empowers security teams to proactively search for threats and identify potential breaches. Utilizing the Qualys Query Language (QQL), analysts can leverage predefined hunting queries to uncover malicious activities that may evade traditional detection methods. This approach enhances overall security and incident response capabilities.
#ThreatHunting #QualysEDR #ProactiveSecurity
Keypoints:
Advanced Hunting allows security teams to actively search for potential threats and breaches.
Utilizes Qualys Query Language (QQL) for flexible and expressive query capabilities.
Curated hunting queries are provided to streamline threat investigations.
Investigations can reveal suspicious activities, such as registry modifications linked to malware.
Examples of hunting queries include detection of suspicious processes, abnormal scheduled tasks, and known malicious file hashes.
Advanced Hunting enhances incident response and helps prevent costly security breaches.
MITRE Techniques
Registry Run Keys Modification (T1060): Detects modifications to registry run keys that may indicate persistence mechanisms used by malware.
Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
Process Injection (T1055): Involves injecting malicious code into legitimate processes to evade detection.
Data Encrypted for Impact (T1486): Refers to the encryption of data to disrupt operations, often associated with ransomware attacks.
IoC:
[file name] WinUpdater.exe
[file name] bmatter.exe
[registry key] HKUS-1-5-21-3319599449-2141404066-4016250668-1608SoftwareMicrosoftWindowsCurrentVersionRun
[file hash] ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
[process name] powershell.exe
[process name] cmd.exe
[process name] firefox.exe
[process name] vssadmin.exe
[process name] curl.exe
Full Research: https://blog.qualys.com/product-tech/2024/11/26/elevate-cyber-defense-with-qualys-advanced-hunting