Jan 2026 Release Notes (RUX)
This release expands detection coverage and includes CVE fixes and other bug fixes.
🛡️ Coverage
Rapid Release Improvements
The following improvements have been made to algorithms since the last software release cycle. Customers that are connected to Vectra’s update service with Remote Support enabled have received these improvements. All other customers will be receiving the following improvements as part of this release:
Vectra AI continues its transition of detections previously delivered through the Suricata engine into native detections running directly on the Vectra flow engine. This ongoing effort ensures advanced attacker behavior coverage is available to all customers, without requiring Suspect Protocol Activity (SPA) or reliance on signature-based detection logic.
This release introduces additional detections for Cobalt Strike, Brute Ratel, and PowerShell Empire.
Vectra AI has improved the Smash and Grab detection accuracy by ensuring destination domain names update correctly when observed later in a session. This enhancement allows whitelist logic to function as intended, reducing unnecessary alerts and improving the fidelity of Smash and Grab detections.
Vectra AI has improved information-level detections for Remote Management and Monitoring (RMM) tools by correctly populating application protocol details in detection metadata. This enhancement provides clearer context on Host pages when RMM activity is observed, improving investigative clarity while maintaining a low-noise, non-scoring alerting experience.
Vectra AI has refined its Mythic C2 detection logic to reduce false positives by tightening how server certificate fields are evaluated. This update narrows overly broad pattern matching, preventing benign domains containing similar terms from triggering alerts and improving overall detection fidelity.
New Detection: Azure Suspect Operation - DNS Security Policy Modification
Vectra AI has introduced a new detection that surfaces suspicious behaviors associated with modifications to DNS security policies. The new Azure Suspect Operation - DNS Security Policy Modification detection is designed to surface actions where an entity was observed deleting or modifying a resource associated with a DNS Security Policy. This could disable the logging of DNS queries or otherwise tamper with DNS resolution within the Azure environment. Threat actors use this technique to impair logging and evade detection.
New Detection: Azure Suspect Operation - Flow Logs Disabled
Vectra AI has introduced a new detection that surfaces suspicious behaviors associated with modifications to network flow logging. The new Azure Suspect Operation - Flow Logs Disabled detection is designed to surface actions where an entity was observed deleting an Azure flow log resource. This indicates removal of flow logging for a VNet, subnet or NIC and is a well-known cloud defense evasion technique leveraged by attackers to impair visibility and auditability of actions.
New Detection: Azure Suspect Operation - Network Security Config Change
Vectra AI has introduced a new detection that surfaces suspicious behaviors associated with modifications of network security configurations. The new Azure Suspect Operation - Network Security Config Change detection is designed to surface actions where an entity is unexpectedly creating or modifying an Azure network security group (NSG) or modifying an Azure firewall resource. This may indicate lateral movement within the network or an attempt to impair defenses.
New Detection: Azure Suspect Operation - High-Risk Deletion
Vectra AI has introduced a new detection that surfaces suspicious behaviors associated with high-risk deletions in an Azure environment. The new Azure Suspect Operation - High-Risk Deletion detection is designed to surface actions such as removal of sensitive backups and immutability policies that threat actors may use to blind defenses and cause impact. This detection strengthens coverage against cloud threat actors like Storm-0501 that have leveraged these techniques in documented attacks.
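As an added example (not Vectra's own detection logic), the following triage maps the operations named in the four Azure Suspect Operation detections above onto constructed Azure Activity Log records; the operationName globs, the record field names and the sample log lines are assumptions built for illustration.

```python
import fnmatch
import json

# Activity Log operationName globs -> detection label. Matched case-insensitively;
# only write/delete operations are listed, so reads never match. The operation
# names are ordinary Azure resource-provider operations; the records are constructed.
RULES = [
    ("microsoft.network/dnsresolverpolicies/*delete", "DNS Security Policy Modification"),
    ("microsoft.network/dnsresolverpolicies/*write", "DNS Security Policy Modification"),
    ("microsoft.network/networkwatchers/flowlogs/delete", "Flow Logs Disabled"),
    ("microsoft.network/networksecuritygroups/*write", "Network Security Config Change"),
    ("microsoft.network/azurefirewalls/*write", "Network Security Config Change"),
    ("microsoft.recoveryservices/vaults/*/protecteditems/delete", "High-Risk Deletion"),
    ("microsoft.storage/storageaccounts/*/immutabilitypolicies/delete", "High-Risk Deletion"),
]

# Constructed sample records (one JSON object per line, Activity Log style).
SAMPLE_LOG = """\
{"operationName": "Microsoft.Network/networkWatchers/flowLogs/delete", "resultType": "Start", "caller": "alice@example.test", "resourceId": "/subscriptions/sub-0/resourceGroups/net/providers/Microsoft.Network/networkWatchers/nw/flowLogs/vnet1-flow"}
{"operationName": "Microsoft.Network/networkWatchers/flowLogs/delete", "resultType": "Success", "caller": "alice@example.test", "resourceId": "/subscriptions/sub-0/resourceGroups/net/providers/Microsoft.Network/networkWatchers/nw/flowLogs/vnet1-flow"}
{"operationName": "Microsoft.Network/networkSecurityGroups/securityRules/write", "resultType": "Success", "caller": "alice@example.test", "resourceId": "/subscriptions/sub-0/resourceGroups/net/providers/Microsoft.Network/networkSecurityGroups/web-nsg/securityRules/allow-any"}
{"operationName": "Microsoft.Network/dnsResolverPolicies/delete", "resultType": "Failure", "caller": "bob@example.test", "resourceId": "/subscriptions/sub-0/resourceGroups/net/providers/Microsoft.Network/dnsResolverPolicies/corp-dns-policy"}
{"operationName": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/delete", "resultType": "Success", "caller": "bob@example.test", "resourceId": "/subscriptions/sub-0/resourceGroups/bk/providers/Microsoft.RecoveryServices/vaults/v1/backupFabrics/Azure/protectionContainers/c1/protectedItems/vm1"}
{"operationName": "Microsoft.Compute/virtualMachines/read", "resultType": "Success", "caller": "bob@example.test", "resourceId": "/subscriptions/sub-0/resourceGroups/app/providers/Microsoft.Compute/virtualMachines/vm1"}
"""


def classify(operation_name):
    """Map an Activity Log operationName to a detection label, or None."""
    op = operation_name.lower()
    for pattern, label in RULES:
        if fnmatch.fnmatchcase(op, pattern):
            return label
    return None


def triage(jsonl):
    """One finding per completed matching record. Azure writes a 'Start' record
    and later a 'Success'/'Failure' record for the same operation, so 'Start' is
    skipped to avoid double counting; failures are kept because a denied
    deletion attempt is still worth an analyst's look."""
    findings = []
    for line in jsonl.strip().splitlines():
        rec = json.loads(line)
        if rec.get("resultType") == "Start":
            continue
        label = classify(rec.get("operationName", ""))
        if label:
            findings.append({"detection": label, "caller": rec.get("caller"),
                             "result": rec.get("resultType"),
                             "resource": rec.get("resourceId")})
    return findings
```

Run against real exports, the same filter on resultType keeps the 'Start' duplicates out of the finding count.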
Detection Enhancement: Azure TOR Activity
Enhancements have been introduced to the Azure TOR activity detection model to improve prioritization of the entities associated with this behavior. Moving forward, Vectra AI gives additional weight to entities that exhibit this behavior so that they are promptly surfaced in the Respond page. Customers may observe a minor increase in prioritized entities as a result of this change.
New Detection: Azure AD Suspect Operation: Guest User Added
Vectra AI has introduced a new detection that surfaces suspicious behaviors associated with initial access. The new Azure AD Suspect Operation: Guest User Added detection is designed to surface behaviors where a principal is observed inviting an external guest user into the environment in a way that is inconsistent with the observed principal's behavioral profile. This method is used by threat actors in social engineering campaigns to establish access and maintain persistence in a victim's environment.
New Detection: Azure AD Suspect Operation: Unusual Sign-On from a Proxy
Vectra AI has introduced a new detection that surfaces suspicious behaviors associated with initial access. The new Azure AD Suspect Operation: Unusual Sign-On from a Proxy detection is designed to surface actions where a principal is observed signing in using a proxy or a VPN that is inconsistent with its normal behavior. This is a method used by threat actors to mask their true location. This detection is the first to leverage Vectra AI's new Threat Intelligence engine - a collection of private and licensed threat feeds designed to provide rich contextual and reputational information for the highest possible signal clarity.
Improved Kerberos Cipher Visibility
We enhanced how Kerberos encryption metadata is reported to provide more accurate visibility into authentication activity.
The platform now clearly distinguishes between:
The encryption ciphers requested by the client
The cipher used to protect the Kerberos session key
The cipher used to encrypt the Kerberos ticket
This improvement strengthens the investigation of Kerberos-based attack techniques, including AS-REP Roasting and Kerberoasting, by ensuring the correct encryption context is surfaced for each authentication stage.
Security teams performing threat hunting or reviewing authentication telemetry may notice updated Kerberos cipher fields beginning at the end of January. No action is required, but existing queries or workflows should be reviewed to account for the updated metadata.
Enhanced Kerberos Pre-Authentication Visibility
We introduced improved visibility into Kerberos pre-authentication (PA-DATA) exchanges during AS-REQ and AS-REP flows.
The platform now exposes both the types and counts of pre-authentication data used by the client and returned by the KDC. This provides additional context for understanding how Kerberos authentication is negotiated and helps security teams identify abnormal or unexpected pre-authentication behavior.
These enhancements support more effective investigation of Kerberos-based attacks and misconfigurations, particularly those involving modified or bypassed pre-authentication mechanisms.
Threat hunters and analysts reviewing Kerberos authentication telemetry may observe new pre-authentication metadata beginning at the end of January.
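As an added example covering both the cipher visibility and the pre-authentication visibility sections above (not Vectra's code or schema), the following hunts over constructed Kerberos exchange records that carry the three cipher values the notes distinguish plus the PA-DATA types on each side; the record layout is an assumption, while the etype and PA-DATA numbers are the RFC 4120 / RFC 3961 values.

```python
# Constructed Kerberos exchange records. The three cipher fields mirror the three
# values the notes distinguish: what the client asked for, the cipher of the reply
# part that carries the session key, and the cipher of the ticket itself.
ETYPE = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
         18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
PADATA = {1: "PA-TGS-REQ", 2: "PA-ENC-TIMESTAMP", 16: "PA-PK-AS-REQ",
          19: "PA-ETYPE-INFO2", 128: "PA-PAC-REQUEST", 136: "PA-FX-FAST"}
STRONG = {17, 18}          # AES; anything else is treated as legacy here
PROVES_KEY = {2, 16, 136}  # PA-DATA types that prove the client holds a key

SAMPLE = [  # constructed: a normal user, a no-preauth account, an RC4-only TGS-REQ
    {"kind": "AS", "client": "alice", "req_etypes": [18, 17, 23],
     "req_padata": [2, 128], "rep_padata": [19],
     "session_key_etype": 18, "ticket_etype": 18},
    {"kind": "AS", "client": "svc-nopreauth", "req_etypes": [18, 17, 23],
     "req_padata": [128], "rep_padata": [19],
     "session_key_etype": 23, "ticket_etype": 18},
    {"kind": "TGS", "client": "bob", "req_etypes": [23],
     "req_padata": [1], "rep_padata": [],
     "session_key_etype": 18, "ticket_etype": 23},
]


def summarize(rec):
    """Name the three ciphers and the PA-DATA types/counts for one exchange."""
    return {
        "requested": [ETYPE.get(e, f"etype-{e}") for e in rec["req_etypes"]],
        "session_key": ETYPE.get(rec["session_key_etype"], "?"),
        "ticket": ETYPE.get(rec["ticket_etype"], "?"),
        "client_padata": [PADATA.get(t, f"pa-{t}") for t in rec["req_padata"]],
        "client_padata_count": len(rec["req_padata"]),
        "kdc_padata_count": len(rec["rep_padata"]),
    }


def hunt(rec):
    """Hunting findings for one exchange; an empty list means nothing odd."""
    out = []
    offered_aes = bool(set(rec["req_etypes"]) & STRONG)
    if rec["kind"] == "AS" and not set(rec["req_padata"]) & PROVES_KEY:
        out.append("AS-REP issued without pre-authentication (AS-REP Roasting exposure)")
    if rec["session_key_etype"] not in STRONG:
        out.append(f"session key protected with {ETYPE.get(rec['session_key_etype'], '?')}")
    if rec["ticket_etype"] not in STRONG:
        cause = "KDC/account downgrade" if offered_aes else "client requested legacy ciphers only"
        out.append(f"ticket encrypted with {ETYPE.get(rec['ticket_etype'], '?')} ({cause})")
    return out


def hunt_all(records):
    """Findings keyed by client principal, for a batch of exchange records."""
    return {r["client"]: hunt(r) for r in records}
```

The ticket-cipher rule distinguishes a client that only offered RC4 from a KDC that issued RC4 despite AES being offered; the second case points at the service account's key material or supported encryption types rather than at the client.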
🔒 Vulnerability Fixes
CVE-2025-11839
Addressed a medium-severity vulnerability related to GNU Binutils that could allow a local attacker to exploit an unchecked return value. Vectra has applied the appropriate package updates to remediate the issue and reduce potential exploitability.
CVE-2025-11840
Resolved a medium-severity vulnerability in GNU Binutils caused by an out-of-bounds read condition. Vectra has updated the affected components to address the issue and improve overall platform security.
🐞 Bug Fixes
Please log in to https://support.vectra.ai/vectra/ and search "Respond UX Bug Fixes" to view the latest bug fixes.