Bitdefender GravityZone
Overview
Bitdefender GravityZone is an enterprise-level cybersecurity solution offering advanced threat prevention, detection, and response for endpoints, networks, and cloud environments. It features centralized management for streamlined security oversight.
- Vendor: Bitdefender
- Supported environment: Cloud
- Version compatibility: 6.55, 6.56 (Latest version as of now)
- Detection based on: Telemetry / Alert
- Supported application or feature:
- Antiphishing
- Application Control
- Application Inventory
- Antimalware
- Advanced Threat Control
- Data Protection
- Exchange Malware Detected
- Invalid Exchange user credentials
- Firewall
- Hyper Detect
- Sandbox Analyzer Detection
- Antiexploit
- Network Attack Defense
- User Control/Content Control
- Storage Antimalware Event
- Login from new device
- Authentication audit
- SMTP Connection
- Internet Connection
- Malware Outbreak
Warning
Important note - This format is currently in beta. We highly value your feedback to improve its performance.
Configure
This setup guide will show you how to forward your Bitdefender GravityZone events to Sekoia.io.
Related Built-in Rules
The following Sekoia.io built-in rules match the intake Bitdefender GravityZone [BETA]. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
SEKOIA.IO x Bitdefender GravityZone [BETA] on ATT&CK Navigator
Burp Suite Tool Detected
Burp Suite is a cybersecurity tool. When used as a proxy service, its purpose is to intercept packets and modify them to send them to the server. Burp Collaborator is a network service that Burp Suite uses to help discover many kinds of vulnerabilities (vulnerabilities scanner).
- Effort: intermediate
CVE-2020-0688 Microsoft Exchange Server Exploit
Detects the exploitation of CVE-2020-0688. The POC exploit a .NET serialization vulnerability in the Exchange Control Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not randomizing the keys on a per-installation basis resulting in them using the same validationKey and decryptionKey values. With knowledge of these, values an attacker can craft a special viewstate to use an OS command to be executed by NT_AUTHORITY\SYSTEM using .NET deserialization. To exploit this vulnerability, an attacker needs to leverage the credentials of an account it had already compromised to authenticate to OWA.
- Effort: elementary
CVE-2020-17530 Apache Struts RCE
Detects the exploitation of the Apache Struts RCE vulnerability (CVE-2020-17530).
- Effort: intermediate
CVE-2021-20021 SonicWall Unauthenticated Administrator Access
Detects the exploitation of SonicWall Unauthenticated Admin Access.
- Effort: advanced
CVE-2021-20023 SonicWall Arbitrary File Read
Detects Arbitrary File Read, which can be used with other vulnerabilities as a mean to obtain outputs generated by attackers, or sensitive data.
- Effort: advanced
CVE-2021-22893 Pulse Connect Secure RCE Vulnerability
Detects potential exploitation of the authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. It is highly recommended to apply the Pulse Secure mitigations and seach for indicators of compromise on affected servers if you are in doubt over the integrity of your Pulse Connect Secure product.
- Effort: intermediate
Cryptomining
Detection of domain names potentially related to cryptomining activities.
- Effort: master
Detect requests to Konni C2 servers
This rule detects requests to Konni C2 servers. These patterns come from an analysis done in 2022, September.
- Effort: elementary
Discord Suspicious Download
Discord is a messaging application. It allows users to create their own communities to share messages and attachments. Those attachments have little to no overview and can be downloaded by almost anyone, which has been abused by attackers to host malicious payloads.
- Effort: intermediate
Download Files From Suspicious TLDs
Detects download of certain file types from hosts in suspicious TLDs
- Effort: master
Dynamic DNS Contacted
Detect communication with dynamic dns domain. This kind of domain is often used by attackers. This rule can trigger false positive in non-controlled environment because dynamic dns is not always malicious.
- Effort: master
Exfiltration Domain
Detects traffic toward a domain flagged as a possible exfiltration vector.
- Effort: master
Koadic MSHTML Command
Detects Koadic payload using MSHTML module
- Effort: intermediate
Possible Malicious File Double Extension
Detects request to potential malicious file with double extension
- Effort: elementary
Process Trace Alteration
PTrace syscall provides a means by which one process ("tracer") may observe and control the execution of another process ("tracee") and examine and change the tracee's memory and registers. Attacker might want to abuse ptrace functionnality to analyse memory process. It requires to be admin or set ptrace_scope to 0 to allow all user to trace any process.
- Effort: advanced
ProxyShell Microsoft Exchange Suspicious Paths
Detects suspicious calls to Microsoft Exchange resources, in locations related to webshells observed in campaigns using this vulnerability.
- Effort: elementary
Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL
Detects Raccoon Stealer 2.0 malware downloading legitimate third-party DLLs from its C2 server. These legitimate DLLs are used by the information stealer to collect data on the compromised hosts.
- Effort: elementary
Remote Access Tool Domain
Detects traffic toward a domain flagged as a Remote Administration Tool (RAT).
- Effort: master
Remote Monitoring and Management Software - AnyDesk
Detect artifacts related to the installation or execution of the Remote Monitoring and Management tool AnyDesk.
- Effort: master
Remote Monitoring and Management Software - Atera
Detect artifacts related to the installation or execution of the Remote Monitoring and Management tool Atera.
- Effort: master
SEKOIA.IO Intelligence Feed
Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.
- Effort: elementary
SecurityScorecard Vulnerability Assessment Scanner New Issues
Raises an alert when SecurityScorecard Vulnerability Assessment Scanner find new issues.
- Effort: master
Sekoia.io EICAR Detection
Detects observables in Sekoia.io CTI tagged as EICAR, which are fake samples meant to test detection.
- Effort: master
SolarWinds Wrong Child Process
Detects SolarWinds process starting an unusual child process. Process solarwinds.businesslayerhost.exe and solarwinds.businesslayerhostx64.exe created an unexepected child process which doesn't correspond to the legitimate ones.
- Effort: intermediate
Suspicious Download Links From Legitimate Services
Detects users clicking on Google docs links to download suspicious files. This technique was used a lot by Bazar Loader in the past.
- Effort: intermediate
Suspicious PROCEXP152.sys File Created In Tmp
Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU. Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
- Effort: advanced
Suspicious TOR Gateway
Detects suspicious TOR gateways. Gateways are often used by the victim to pay and decrypt the encrypted files without installing TOR. Tor intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.
- Effort: advanced
Suspicious URI Used In A Lazarus Campaign
Detects suspicious requests to a specific URI, usually on an .asp page. The website is often compromised.
- Effort: intermediate
TOR Usage Generic Rule
Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.
- Effort: master
WAF Correlation Block actions
Detection of multiple block actions (more than 30) triggered by the same source by WAF detection rules
- Effort: master
Steps to follow
Create a BitDefender GravityZone API key
- Log in the BitDefender GravityZone console
- On the top-right bar, open your personal panel and click
My Accout
- Scroll down to the
API keyssection and click+ Add
- Type a name for the API Key, select the
Event Push Servicecheckbox and clickGenerate
- Save the API Key
Create an intake
Go to the intake page and create a new intake from the format Bitdefender GravityZone. Copy the intake key.
Set the push events settings
Bitdefender GravityZone have an ability to setup push events settings using http request.
Two ways are suggested in order to set up the forwarding of your events to Sekoia.io.
If you are not a shell expert, we recommend to use the "pyton script" way as it is easier to set up.
So you can setup it in two ways:
- Open terminal
- Create virtual env and install requests library:
$ python3 -m venv /tmp/venv $ /tmp/venv/bin/pip install requests - Export your API Key and Intake key to environment variables:
$ export BITDEFENDER_APIKEY="your_api_key" $ export SEKOIAIO_INTAKE_KEY="your_intake_key" - Create python script with the following content:
import base64 import sys import argparse import requests BITDEFENDER_PUSH_URL = "https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push" def activate_forwarding(apikey: str, intake_key: str): key = base64.b64encode(b':'+intake_key.encode('utf-8')) payload = { "id": "be630db8-24c2-481c-b150-a79807dd6f7d", "jsonrpc": "2.0", "method": "setPushEventSettings", "params": { "status": 1, "serviceType": "cef", "serviceSettings": { "url": "https://intake.sekoia.io/jsons?path=%24.events&status_code=200", "requireValidSslCertificate": True, "authorization": f"Basic {key}" }, "subscribeToEventTypes": { "adcloud": True, "antiexploit": True, "aph": True, "av": True, "avc": True, "dp": True, "endpoint-moved-in": True, "endpoint-moved-out": True, "exchange-malware": True, "exchange-user-credentials": True, "fw": True, "hd": True, "hwid-change": True, "install": False, "modules": False, "network-monitor": True, "network-sandboxing": True, "new-incident": True, "ransomware-mitigation": True, "registration": True, "security-container-update-available": False, "supa-update-status": False, "sva": False, "sva-load": False, "task-status": False, "troubleshooting-activity": True, "uc": True, "uninstall": False } } } response = requests.post( url=BITDEFENDER_PUSH_URL, auth=requests.auth.HTTPBasicAuth(apikey,""), json=payload, ) if response.status_code == 200: setting_id = response.json().get("id") print(f"The push setting was successfully created. ID: {setting_id}") else: print(f"The creation of the forwarding failed. Reason: {response.content}") if __name__ == '__main__': parser = argparse.ArgumentParser(prog=sys.argv[0], description='activate the forwarding of events to Sekoia.io') parser.add_argument('apikey') parser.add_argument('intake_key') args = parser.parse_args() activate_forwarding(args.apikey, args.intake_key) - Run the script with the following command:
$ /tmp/venv/bin/python3 bitdefender_activate_forwarding.py "${BITDEFENDER_APIKEY}" "${SEKOIAIO_INTAKE_KEY}"
- Open your terminal
- Export your API Key and Intake key to environment variables:
$ export BITDEFENDER_APIKEY="your_api_key" $ export SEKOIAIO_INTAKE_KEY="your_intake_key" - Convert the Bitdefender APIKey into base64:
$ echo -n '${BITDEFENDER_APIKEY}:' | base64 - Convert the Intake Key into base64:
$ echo -n ':${SEKOIA_INTAKE_KEY}' | base64 - Create
payload.jsonwith following content ( replacebase64_intake_keywith the value from the previous steps):{ "id": "be630db8-24c2-481c-b150-a79807dd6f7d", "jsonrpc": "2.0", "method": "setPushEventSettings", "params": { "status": 1, "serviceType": "cef", "serviceSettings": { "url": "https://intake.sekoia.io/jsons?path=%24.events&status_code=200", "authorization": "Basic <base64_intake_key>", "requireValidSslCertificate": true }, "subscribeToEventTypes": { "adcloud": false, "antiexploit": true, "aph": true, "av": true, "avc": true, "dp": true, "endpoint-moved-in": true, "endpoint-moved-out": true, "exchange-malware": true, "exchange-user-credentials": true, "fw": true, "hd": true, "hwid-change": true, "install": false, "modules": false, "network-monitor": true, "network-sandboxing": true, "new-incident": true, "ransomware-mitigation": true, "registration": true, "security-container-update-available": false, "supa-update-status": false, "sva": false, "sva-load": false, "task-status": false, "troubleshooting-activity": true, "uc": true, "uninstall": false } } } - Send the payload to the Bitdefender API (replace
base64_api_keywith the value from the previous steps):$ curl -k -X POST \ https://cloudgz.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push \ -H "Authorization: Basic <base64_api_key>" \ -H 'cache-control: no-cache' \ -H 'content-type: application/json' \ -d @payload.json