Overview of default apps
The SOC uses specific RocketCyber apps to effectively monitor your account. These apps are automatically enabled by default and cannot be disabled.
Each app is described below:
Advanced Breach Detection
Using the Advanced Breach Detection app, the RocketCyber agent utilizes proprietary technology to monitor Windows, Mac, and Linux devices for indications that a device has been compromised. Leveraging the MITRE ATT&CK® framework, the agent collects activity data on each device and forwards the data to the SOC where it is triaged and analyzed.
MITRE ATT&CK® framework
In the MITRE ATT&CK® framework, tactics are the reasons an adversary performs an action, and techniques are the actions themselves: a tactic describes the goal, and a technique describes how an adversary may attempt to achieve it.
By default, the following techniques are monitored for Windows OS with a subset for MacOS.
Breach detection table
Intrusion monitoring apps
RocketCyber employs these apps to monitor incoming and outgoing network traffic:
- Cyber Terrorist Network Connections: This app detects network connections to various nation states that have been known to engage in cyber terrorist activities. It compares IP address communications against real-time threat feeds to discover connections to malicious IPs, C2 servers, botnets and other backdoor services.
- Suspicious Network Services: This app monitors network protocols for signs of unusual activity on devices. While any of the 65,535 network ports may carry a legitimate service, suspicious detections are defined as well-known ports and services that are commonly used for malicious intent.
Monitored protocols include Chargen, FTP, Telnet, SMTP, Finger, POP3, SOCKS, DOOM, VNC, BitTorrent, IRC, Tor, NetBus, RDP and SSH/SFTP.
Endpoint Event Log Monitor
With this app, the agent monitors the Microsoft Windows, macOS and Linux event logs for suspicious events. Examples of suspicious events include failed logins, cleared security logs, and unauthorized activity. The logs are forwarded to the SOC for analysis and are retained for historical auditing purposes.
The events collected for each operating system are listed below:
Windows OS
- 104: System Security Log was cleared.
- 1102: Security - Audit Log was cleared.
- 4722: Security - A user account was enabled.
- 4735: Security - Local Group Changed.
- 7040: System - Service was changed from auto start to disabled.
- 7034: System - Services Terminated Unexpectedly.
- 4702: Security - A scheduled task was modified.
- 5142: Security - A network share object was added.
- 5144: Security - A network share object was deleted.
- 4625: Security - An account failed to log on.
- 7036: System - A defensive service was stopped.
- 5145: Security - A network share object was checked by PsExec.
- 4649: Security - A replay attack was detected.
- 64004: System - Windows File Protection was unable to restore file to its original version.
- 5143: Security - A network share object was modified.
- 4740: Security - A user account was locked out.
- 4698: Security - A new scheduled task was created.
- 7031: System - Service terminated unexpectedly.
- 4738: Security - User account password was changed.
- 4724: Security - An attempt was made to reset an account's password.
- 4720: Security - Test user account created.
- 1100: System - Event logging was shut down.
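As an added illustration (not RocketCyber's code or an description of how the agent works internally), the following Python uses the Windows event IDs listed above as a forwarding allow-list and then goes one step beyond the list: it correlates repeated 4625 failures for one account inside a short window and notes whether a 4740 lockout followed. The threshold, window, event records and field names are assumptions; the events are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows event IDs monitored by the Endpoint Event Log Monitor, as listed on this page,
# mapped to the log channel they are written to. Used as an allow-list: anything not
# listed here is not forwarded.
MONITORED_EVENTS = {
    104: "System", 1100: "System", 1102: "Security", 4625: "Security",
    4649: "Security", 4698: "Security", 4702: "Security", 4720: "Security",
    4722: "Security", 4724: "Security", 4735: "Security", 4738: "Security",
    4740: "Security", 5142: "Security", 5143: "Security", 5144: "Security",
    5145: "Security", 7031: "System", 7034: "System", 7036: "System",
    7040: "System", 64004: "System",
}

# Hypothetical correlation rule: five failed logons (4625) for one account within two minutes.
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(minutes=2)


def select_monitored(events):
    """Keep only the events whose ID is on the monitored list."""
    return [e for e in events if e["EventID"] in MONITORED_EVENTS]


def correlate_failed_logons(events):
    """Flag accounts with a burst of 4625 events and record whether a 4740 lockout followed.

    Each event is a dict with EventID, TimeCreated (datetime) and TargetUserName.
    Returns one alert dict per flagged account.
    """
    recent = defaultdict(deque)   # account -> timestamps of 4625s inside the window
    alerts, alerted = [], set()
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        acct = e.get("TargetUserName")
        if e["EventID"] == 4625:
            q = recent[acct]
            q.append(e["TimeCreated"])
            # Drop failures that have aged out of the sliding window.
            while q and e["TimeCreated"] - q[0] > FAILED_LOGON_WINDOW:
                q.popleft()
            if len(q) >= FAILED_LOGON_THRESHOLD and acct not in alerted:
                alerts.append({"account": acct, "rule": "failed_logon_burst",
                               "count": len(q), "locked_out": False})
                alerted.add(acct)
        elif e["EventID"] == 4740:
            for a in alerts:
                if a["account"] == acct:
                    a["locked_out"] = True
    return alerts


# Constructed sample: one unmonitored 4624, six 4625s for the same account ten seconds
# apart, the resulting 4740 lockout, and a cleared audit log (1102).
_BASE = datetime(2024, 1, 10, 12, 0, 0)


def _evt(event_id, offset_seconds, user=None):
    return {"EventID": event_id, "TimeCreated": _BASE + timedelta(seconds=offset_seconds),
            "TargetUserName": user}


SAMPLE_EVENTS = [
    _evt(4624, 0, "alice"),
    *[_evt(4625, 10 * i, "svc_backup") for i in range(6)],
    _evt(4740, 70, "svc_backup"),
    _evt(1102, 90),
]


def run_sample():
    """Apply the allow-list, then the correlation rule, to the constructed events."""
    kept = select_monitored(SAMPLE_EVENTS)
    return kept, correlate_failed_logons(kept)


if __name__ == "__main__":
    kept, alerts = run_sample()
    print(f"{len(kept)} of {len(SAMPLE_EVENTS)} events are on the monitored list")
    for a in alerts:
        print(a)
```

The allow-list step is what keeps the forwarded volume small; the correlation step shows why 4625 and 4740 are worth collecting together, since a lockout that follows a burst of failures is a much stronger signal than either event alone.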
Mac OS
- Log Privacy: Privatize log content that contains usernames, IP addresses, and other sensitive information.
- Watch_Logon: User logins to the system.
- SSH_connection: Inbound SSH connections to the Mac.
- Watch_Logout: User logouts from the system.
- Failed_Auth: User authentication failure.
- Sudo_Usage: Privilege Escalation using sudo.
Linux OS
- Sudo_Usage: Privilege Escalation using sudo.
- SSH_login: Inbound SSH connections to the device.
- SSH_failed_login: Inbound SSH login failed.
- User_add: A new user account was created.
- Password_change: A user's password was changed.
- Group_change: A group was changed.
- Del_user_group: A user was removed from a group.
- Failed_Auth: User authentication failure.
- SSH_login_pkey: A successful public-key login via SSH was detected.
- SSH_login_pkey_failed: A public-key login via SSH failed.
- user_del: A user account was deleted.
- new_group: A new group was created.
- add_user_group: A user was added to a group.
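To make the Linux event names above concrete, here is an added Python example (not RocketCyber's parser) that maps common auth.log / secure lines onto those names. The exact wording of sshd, sudo, useradd and PAM messages varies between distributions and versions, so the patterns are assumptions, and every sample line is constructed.

```python
import re
from collections import Counter

# Syslog prefix: "Mon DD HH:MM:SS host message".
PREFIX_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# (event name from this page, pattern). Order matters: public-key patterns come before
# the generic sshd Accepted/Failed patterns so they are matched first.
PATTERNS = [
    ("SSH_login_pkey", re.compile(r"sshd\[\d+\]: Accepted publickey for (?P<user>\S+) from (?P<src>\S+)")),
    ("SSH_login_pkey_failed", re.compile(r"sshd\[\d+\]: Failed publickey for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("SSH_login", re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("SSH_failed_login", re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("Sudo_Usage", re.compile(r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")),
    ("User_add", re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)")),
    ("user_del", re.compile(r"userdel\[\d+\]: delete user '(?P<user>[^']+)'")),
    ("new_group", re.compile(r"groupadd\[\d+\]: new group: name=(?P<group>[^,]+)")),
    ("add_user_group", re.compile(r"usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")),
    ("Del_user_group", re.compile(r"gpasswd\[\d+\]: user (?P<user>\S+) removed by \S+ from group (?P<group>\S+)")),
    ("Password_change", re.compile(r"passwd\[\d+\]: pam_unix\(passwd:chauthtok\): password changed for (?P<user>\S+)")),
    ("Failed_Auth", re.compile(r"pam_unix\((?P<svc>[^:]+):auth\): authentication failure;.*user=(?P<user>\S*)")),
]


def parse_line(line):
    """Return {"event", "host", "ts", ...captured fields} for a recognised line, else None."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    for name, pat in PATTERNS:
        hit = pat.search(m.group("msg"))
        if hit:
            return {"event": name, "host": m.group("host"), "ts": m.group("ts"), **hit.groupdict()}
    return None


def parse_log(lines):
    """Split lines into recognised events and lines no pattern matched."""
    events, unmatched = [], []
    for line in lines:
        ev = parse_line(line)
        (events if ev else unmatched).append(ev or line)
    return events, unmatched


def summarize(events):
    """Count events per category, e.g. to see failed-auth volume at a glance."""
    return Counter(e["event"] for e in events)


# Constructed sample log (not captured from a real system).
SAMPLE_LOG = [
    "Jan 10 12:00:01 web01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:AbCdEf",
    "Jan 10 12:00:02 web01 sshd[1235]: Failed password for invalid user admin from 198.51.100.7 port 51235 ssh2",
    "Jan 10 12:00:03 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Jan 10 12:00:04 web01 useradd[1300]: new user: name=svc_backup, UID=1002, GID=1002, home=/home/svc_backup, shell=/bin/bash",
    "Jan 10 12:00:05 web01 usermod[1303]: add 'svc_backup' to group 'sudo'",
    "Jan 10 12:00:06 web01 passwd[1304]: pam_unix(passwd:chauthtok): password changed for svc_backup",
    "Jan 10 12:00:07 web01 userdel[1301]: delete user 'tmpuser'",
    "Jan 10 12:00:08 web01 CRON[1400]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Jan 10 12:00:09 web01 login[1500]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=alice",
]

if __name__ == "__main__":
    events, unmatched = parse_log(SAMPLE_LOG)
    for e in events:
        print(e)
    print("unmatched:", len(unmatched), "summary:", dict(summarize(events)))
```

Lines that match no pattern (the cron session line here) are returned separately rather than dropped, which is the behaviour you want when tuning patterns against a new distribution.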
Firewall Log Analyzer
The RocketCyber agent on Windows OS can serve a secondary purpose as a firewall analyzer. When enabled, the agent will provide a syslog interface to collect logs from local firewalls, parse the data in real-time, and forward a subset of security related events to the RocketCyber SOC for triage and storage.
Logs not related to security events can be stored locally on the device and/or be forwarded to an additional log storage location. In addition, RocketCyber can alert on firewall traffic based on geography. Plus, it can analyze the trustworthiness of IP addresses using threat intelligence feeds, augmenting the firewall’s built-in capabilities.
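The following Python is an added example of the routing decision this section describes, namely parsing syslog lines from a firewall, forwarding the security-related subset and keeping the rest locally, with a threat-feed and geography check layered on top. It is not RocketCyber's code. The key=value message format, the threat-IP set and the geolocation table are all constructed stand-ins; real firewalls each have their own log format and a real deployment would consult live feeds.

```python
import re
from ipaddress import ip_address, ip_network

# Optional syslog PRI (<facility*8+severity>), then "Mon DD HH:MM:SS host message".
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed stand-ins for a threat-intelligence feed and a geolocation database.
# Documentation ranges (TEST-NET) are used so no real network is referenced.
THREAT_IPS = {ip_address("203.0.113.9")}
GEO = {ip_network("198.51.100.0/24"): "XX", ip_network("203.0.113.0/24"): "YY"}
ALERT_COUNTRIES = {"YY"}          # geographies the operator chose to alert on
BLOCK_ACTIONS = {"deny", "drop", "block", "reject"}


def parse_firewall_line(line):
    """Parse one syslog line with a key=value body; return None if it is not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri")) if m.group("pri") else None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("msg"))}
    return {
        "host": m.group("host"), "ts": m.group("ts"),
        "facility": pri // 8 if pri is not None else None,
        "severity": pri % 8 if pri is not None else None,
        "fields": fields,
    }


def geolocate(ip):
    """Country code for an address from the constructed GEO table, or None."""
    for net, cc in GEO.items():
        if ip in net:
            return cc
    return None


def classify(event):
    """Return the reasons an event is security-related (empty list means it is not)."""
    reasons = []
    f = event["fields"]
    if f.get("action", "").lower() in BLOCK_ACTIONS:
        reasons.append("blocked_traffic")
    for side in ("src", "dst"):
        try:
            ip = ip_address(f[side])
        except (KeyError, ValueError):
            continue
        if ip in THREAT_IPS:
            reasons.append(f"{side}_on_threat_feed")
        cc = geolocate(ip)
        if cc in ALERT_COUNTRIES:
            reasons.append(f"{side}_geo_{cc}")
    return reasons


def route(lines):
    """Split lines into (forward to SOC, keep locally, unparseable)."""
    soc, local, unparsed = [], [], []
    for line in lines:
        ev = parse_firewall_line(line)
        if ev is None:
            unparsed.append(line)
            continue
        reasons = classify(ev)
        if reasons:
            ev["reasons"] = reasons
            soc.append(ev)
        else:
            local.append(ev)
    return soc, local, unparsed


# Constructed sample lines in a generic key=value style.
SAMPLE_LINES = [
    "<134>Jan 10 12:00:01 fw01 action=accept src=10.0.0.20 dst=10.0.0.30 dport=443 proto=tcp",
    "<132>Jan 10 12:00:02 fw01 action=deny src=198.51.100.23 dst=10.0.0.20 dport=3389 proto=tcp",
    "<134>Jan 10 12:00:03 fw01 action=accept src=10.0.0.20 dst=203.0.113.9 dport=8443 proto=tcp",
    "garbage line",
    "<134>Jan 10 12:00:04 fw01 action=accept src=10.0.0.21 dst=10.0.0.31 dport=53 proto=udp",
]

if __name__ == "__main__":
    soc, local, unparsed = route(SAMPLE_LINES)
    print(f"forward {len(soc)}, store locally {len(local)}, unparsed {len(unparsed)}")
    for ev in soc:
        print(ev["fields"].get("src"), "->", ev["fields"].get("dst"), ev["reasons"])
```

Note that the third line is an *accepted* connection that still gets forwarded, because its destination is on the threat list and in an alerting geography; that is the sense in which feed and geography checks augment what the firewall itself decided.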
The following firewalls are supported:
- Cisco (Meraki, ASA, Firepower)
- Fortinet
- Sonicwall
- Sophos XG and UTM
- WatchGuard
- Untangle
- Barracuda
- Ubiquiti
- pfSense
- Juniper
- Zyxel
- Mikrotik
- Check Point
- Palo Alto
Malicious File Detection
Through the Malicious File Detection app, the RocketCyber agent monitors and detects malicious files that are written to disk or executed. Also, it monitors file communications that indicate crypto mining software activity. This additional layer of protection serves as a backup for detecting malicious files that slip past your primary antivirus and anti-malware solution.
Suspicious Tools
This app detects programs that can negatively impact the security of the system and business network. Detected suspicious tools should be investigated and are categorized as hacking utilities, password crackers, or other tools used by attackers for malicious purposes.
Office 365 Apps
- Office 365 Login Analyzer: This app detects logins coming from unexpected countries and unknown malicious IP addresses.
- Office 365 Log Monitor: This is a multi-tenant event log monitor representing all accounts that are linked to Microsoft 365.
- Office 365 Risk Detection: This app monitors the riskiest accounts, users, and behaviors. Risk is determined using industry heuristics and machine learning.
- Office 365 Secure Score: This provides an overall description of cloud security posture with itemized remediation plans across all Office 365 tenants.