Detect Suspicious Communication with a Public DNS Resolver

We are excited to announce a new capability to detect unusual DNS resolver activity. This detection notifies you of unusual behavior by a virtual machine or container in your cloud environment that is communicating with a public DNS resolver it has not communicated with recently. DNS Resolvers Trusting your DNS resolvers is a critical part […]

Detect Malicious Port Sweep Activities

We are excited to announce support for a new detection type – the identification of malicious port sweeps. Port sweeps can occur when compromised hosts or containers within your environment probe a port on a large number of publicly routable IP addresses or a large number of internal IP addresses. This type of activity is […]

Detect Unusual DoT Communications

We are excited to announce a new detection type, identifying unusual DoT activity. This detection notifies you of unusual DNS over TLS (Transport Layer Security) communication, often referred to as DoT, which could indicate attempts to blend malicious communications with regular encrypted web traffic to evade detection. DNS over TLS (DoT) DNS is a crucial […]

Detect Exposed Kubernetes Dashboards

We are excited to announce a new threat detection, with the ability to identify an exposed Kubernetes Dashboard. This threat detection will inform you when the Kubernetes dashboard for your cluster is exposed to the internet by a Load Balancer. Exposing your dashboard to the internet makes the management interface of your cluster vulnerable to […]

How We Impersonated Cloud Code by Google Cloud and Took Over GCP Accounts

The Upwind security research team is constantly examining threat landscapes and potential attack paths. In one of our recent searches, we discovered an anomaly in the authentication behavior of Google Developer tools that security practitioners should be aware of. We discovered this threat landscape by running scans on GCP Cloud Code, during which we found […]

Detect Suspicious ‘exec’ Commands in kube-system Namespace

We are excited to announce the release of a new threat detection type – exec command in a kube-system namespace. This detection alerts you that kubectl exec has run a command in your environment in the kube-system namespace, which may indicate suspicious activity. What is Kubectl Exec? Kubectl is a command line tool used […]

Detect Suspicious Spambot Port 25 Communication

We are excited to announce the release of a new threat detection type – Spambot detection that targets suspicious activity on Port 25. A Spambot detection alerts you that a resource in your environment is abnormally communicating with a remote host most commonly via port 25. What is SMTP? Simple Mail Transfer Protocol (SMTP) is […]

Detect Suspicious Fileless Process Execution

We’re excited to announce the ability to monitor and detect malicious “fileless execution” events. This capability enables alerting when a process is executed without using an executable file on a disk or file system. Fileless Execution The action of a process being executed using an in-memory executable file is a common defense evasion technique used […]

Streamline Auditing and Secure Your Infrastructure with Upwind’s SSH Session Monitoring

We are excited to announce the release of a significant new capability – SSH session monitoring. In the dynamic landscape of remote system management, Secure Shell (SSH) serves as a pivotal tool, providing seamless access and control. However, this convenience also presents a Pandora’s box of potential security risks when SSH sessions go unmonitored. SSH, […]

Detect Suspicious Cloud Instance Metadata Activities

We’re excited to release a new detection type, allowing you to detect advanced metadata DNS rebind activities in real time. A metadata DNS rebind detection alerts you that a virtual machine or a container is querying a domain that resolves to the metadata service IP address (169.254.169.254). What is Cloud Instance Metadata Service (IMDS)? When […]