Content Release Notes


July 11, 2019 Release
  • Added 5 new medium-severity BIOC rules for detecting credential dumping:
    • Credential dumping via gsecdump.exe (ca11656e-2c37-4089-94e3-f659ba50d792) - added a new medium-severity alert
    • Credential dumping via pwdumpx.exe (8e3f6394-1633-47c9-8ca8-63b5c0187983) - added a new medium-severity alert
    • Credential dumping via wce.exe (0c468243-6943-4871-be10-13fb68c0a8ef) - added a new medium-severity alert
    • Dumping lsass.exe memory for credential extraction (cb05480f-17d8-4138-aa38-f0f9fb50b671) - added a new medium-severity alert
    • Credential dumping via fgdump.exe (eebd92ac-c37f-4e7a-b37d-5c0189ddedcb) - added a new medium-severity alert
  • Improved the detection logic of 7 BIOC rules:
    • Cscript.exe connects to an external network (9410a485-491b-42e4-af6c-de4a76e12f0c) - improved detection logic
    • Windows Event Log cleared using wevtutil.exe (938176d0-d14a-49a0-9159-6081627eba03) - improved detection logic, increased severity to high and changed the metadata
    • Wscript.exe connects to an external network (deef10e3-42b1-45fa-a957-9713755fa514) - improved detection logic
    • Wbadmin.exe deletes recovery files in quiet mode (24be0d84-2203-4d60-a1f0-39e4f80eee3a) - improved detection logic, increased severity to medium and changed the metadata
    • PowerShell process connects to the internet (5e1b87b5-e0db-4ff9-806b-ed73a5190222) - improved detection logic
    • Communication over email ports to external email server by unsigned process (7b424216-fe61-4589-bcee-67e9e7b267be) - improved detection logic
    • Adobe Acrobat Reader drops an executable file to disk (61f01972-e07f-46d7-ba75-f1ec1309625a) - improved detection logic

July 9, 2019 Release
  • Changed the logic of 1 BIOC rule and added 16 informational BIOC rules:
    • Windows Event Log cleared using wevtutil.exe (938176d0-d14a-49a0-9159-6081627eba03) - improved detection logic
    • Active Directory enumeration via command-line tool (136788a7-717a-49e2-9e0a-76f00eb60ed6) - added a new informational alert
    • Logged on users enumeration via query.exe (375cb7bf-400e-4fbf-9755-693d80a5a54a) - added a new informational alert
    • Delete Volume USN Journal with fsutil (9d79f0ce-15c2-4ab8-b63e-2f22d74423e3) - added a new informational alert
    • Attempted to dump ntds.dit (73a6f03c-d459-4314-8213-3b69c9aa69c8) - added a new informational alert
    • Kerberos service ticket request in PowerShell command (90e50124-8bf2-4631-861e-4b3e1766af5f) - added a new informational alert
    • Creation of volume shadow copy using vssadmin.exe (8dd80937-96d8-4ecf-9f44-29a46e0cb5d9) - added a new informational alert
    • Modification of NTLM restrictions in the registry (207bde33-2c02-4aa7-ae4f-e22146b79ba6) - added a new informational alert
    • Logged on users enumeration via quser.exe (6b228541-9610-4e6f-ad5d-dc6b8d027405) - added a new informational alert
    • Active directory enumeration using builtin nltest.exe (216e4145-0656-47c9-b4b3-40f362e133bc) - added a new informational alert
    • Clear Windows event logs using wmic.exe (7316c8d9-07d8-40aa-b074-b452bc3d355c) - added a new informational alert
    • Clear Windows event logs using PowerShell.exe (d9321f3f-d32e-4aa9-8f88-22b03c36139d) - added a new informational alert
    • Indirect command execution using the Program Compatibility Assistant (18447eac-7ad6-44a8-aaf5-7e75b0151166) - added a new informational alert
    • Privilege escalation using local named pipe impersonation (dd0ac223-8aaa-4630-988d-de39eba83d29) - added a new informational alert
    • Privilege escalation using local named pipe impersonation through DLL (d915cff3-5ce9-493f-9973-808a93ed50ad) - added a new informational alert
    • Addition or replacement of password filter DLL(s) through registry modification (ea98601c-e552-4b9b-8164-f085a38d383d) - added a new informational alert
    • Dumping registry hives with passwords via reg.exe (824a3186-b262-4e01-b45c-35cca8efa233) - added a new informational alert

July 7, 2019 Release

  • 11 BIOC rule changes - note that for this content release, and for future ones, global rule IDs are listed in parentheses next to the BIOC names:
    • Microsoft HTML Application Host spawns from CMD or Powershell (bfca0d1c-91f9-4ed3-b812-f207ba100a3b) - decreased severity to informational
    • Microsoft Office process spawns a commonly abused process (c043b141-83d4-4158-a573-c1e348bb2ad9) - decreased severity to informational
    • Web server spawns an unsigned process (bd23f54a-2bd4-417e-80ea-9dd7dcea54f4) - decreased severity to informational
    • PowerShell calling Invoke-Expression argument (d9e32419-d8f0-4b2b-b395-6c27be156d56) - decreased severity to informational
    • Cleartext password harvesting using find tools (7ac5c888-838d-489c-a6a9-2bab9cec7e9d) - decreased severity to informational
    • Compiler process started by an Office process (9b8c5e4f-1b36-49ad-b2c4-155f244ea0ac) - decreased severity to informational
    • New local user created via command line (8369f619-0fc7-4b32-aa9f-fce1efcfd3c7) - decreased severity to informational
    • Unsigned process injects code into a process (5c3624c9-b234-49b3-b6c1-beae8d9891f8) - decreased severity to informational
    • Scripting engine injects code to a process (1f985402-f4a4-4132-b74b-18a04a3620cd) - decreased severity to informational
    • Unsigned process makes connections over DNS ports (99470a0e-c311-42a1-872f-74fde3326794) - decreased severity to informational
    • Scripting engine makes connections over DNS ports (b3779123-e79d-43b5-b1f5-2fb41093afef) - decreased severity to informational

June 19, 2019 Release

  • 27 BIOC rule changes:
    • Manipulation of Windows settings using bcdedit.exe - decreased severity to informational
    • Bypassing Windows UAC using disk cleanup - decreased severity to low
    • Commonly abused process executes by a remote host using psexec - decreased severity to informational
    • Compiled HTML (help file) writes a binary file to disk - decreased severity to medium
    • Cscript connects to an external network - decreased severity to informational
    • Windows process masquerading by an unsigned process - decreased severity to informational
    • Windows Powershell Logging being disabled via registry - decreased severity to informational
    • Binary file being created to disk with a double extension - decreased severity to medium
    • Outlook creates an executable file on disk - decreased severity to low
    • Executable created to disk by lsass.exe - decreased severity to medium
    • Microsoft Office process spawns a commonly abused process - decreased severity to low
    • Powershell runs with known Mimikatz arguments - decreased severity to medium
    • Process attempts to kill a known security/AV tool - decreased severity to medium, improved detection logic
    • Process runs from the recycle bin - decreased severity to medium
    • Process runs with a double extension - decreased severity to medium
    • Enumeration of installed AV or FW products using WMIC - decreased severity to informational
    • Powershell process makes network connections to the internet - decreased severity to informational
    • Powershell runs base64 encoded commands - decreased severity to informational
    • Communication over email ports to external email server by unsigned process - decreased severity to informational
    • PowerShell calling Invoke-Expression argument - improved detection logic
    • Compiler process started by a commonly abused shell process - decreased severity to informational
    • Unsigned process executing whoami command - decreased severity to informational
    • Scripting engine called to run in the command line - decreased severity to informational
    • Unsigned process injects code into a process - decreased severity to low
    • Sensitive Google Chrome files access by a non-Google process - decreased severity to informational
    • Script file entry written to startup related registry keys - decreased severity to informational
    • Adobe Acrobat Reader drops an executable file to disk - decreased severity to low, improved detection logic


April 15-16, 2019 Release

  • Adobe Acrobat Reader drops an executable file to disk - ignore acrord32.exe as causality process to reduce false positives


Initial Release

  • 198 BIOC rules:
    • 12 high severity
    • 11 medium severity
    • 53 low severity
    • 122 informational