Cortex XDR Articles

December 15, 2019 Release

Increased the severity to medium for an Analytics BIOC rule:
- Script Connecting to Rare External Host (86889630-e953-11e9-b74e-8c8590c9ccd1) - improved logic, changed metadata, and increased the severity to medium

Improved the logic of 2 informational BIOC rules:
- Service enumeration via sc (f5ad264a-fc27-4cef-9a94-245150ace5b1) - improved logic and changed metadata
- Kerberos service ticket request in PowerShell command (90e50124-8bf2-4631-861e-4b3e1766af5f) - improved logic and changed metadata

Changed the metadata for a BIOC rule:
- Excel Web Query file created on disk (5f29933c-46ae-45f4-b5ce-fc59f12240bf) - changed metadata

Added 9 new informational BIOC rules:
- Hash cracking using Hashcat tool (f09765e8-105f-11ea-af82-8c8590c9ccd1) - added a new informational alert
- Host firewall profile discovery using netsh (42d72b02-1751-11ea-8401-88e9fe502c1f) - added a new informational alert
- Enumeration of services via wmic (3654c173-14e9-11ea-8723-88e9fe502c1f) - added a new informational alert
- Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - added a new informational alert
- Discovery of host's users via wmic (6593c57d-14fe-11ea-9297-88e9fe502c1f) - added a new informational alert
- DNS resolution to the Palo Alto Networks sinkhole (03347621-15db-11ea-8454-88e9fe502c1f) - added a new informational alert
- Enumeration of services via PowerShell (6977966b-14e9-11ea-b5d7-88e9fe502c1f) - added a new informational alert
- Interface enumeration using netsh (3c63c894-1449-11ea-803f-88e9fe502c1f) - added a new informational alert
- Kerberos ticket forging using Impacket ticketer (08222430-105d-11ea-8d11-8c8590c9ccd1) - added a new informational alert

November 3, 2019 Release

Increased the severity to high for a BIOC rule:
- Bitsadmin.exe used to upload data (6ba957eb-d63e-4cee-99aa-89e21ef3acc8) - improved logic, changed metadata, and increased the severity to high

Increased the severity to medium for 5 BIOC rules:
- Windows set to permit unsigned drivers (Test Mode) (bc4e5b48-cd06-4eb4-a35c-3ea42bf98ff4) - changed metadata, and increased the severity to medium
- Delete Volume USN Journal with fsutil (9d79f0ce-15c2-4ab8-b63e-2f22d74423e3) - increased the severity to medium
- 64-bit PowerShell spawning a 32-bit PowerShell (824a3186-b262-4e01-a45c-35cca8efa233) - improved logic, and increased the severity to medium
- Rundll32.exe running with no command-line arguments (0c0a801a-06ff-4a10-b555-67e56ecbd410) - improved logic, and increased the severity to medium
- Injection into rundll32.exe (0c0a80af-06ff-4a10-b555-67e56ecbd410) - improved logic, and increased the severity to medium

Added 3 new informational BIOC rules:
- Bitsadmin.exe used to download data (6aa957eb-d63e-4cee-99aa-89e21ef3acc8) - added a new informational alert
- Non-browser access to a pastebin-like site (6b394699-0a16-4d03-b8b4-e9a062965ad7) - added a new informational alert
- Non-browser failed access to a pastebin-like site (c1e7607b-e56c-43ca-b072-5b266bb4133b) - added a new informational alert

Improved the logic of an informational BIOC rule:
- Executable or script created in the startup folder (5ee4f82d-6d98-4f94-a832-a62957234d69) - improved logic

Deleted an informational BIOC rule:
- Default Cobalt Strike command line for beaconing with PowerShell (f8ea70da-4bbd-44a7-9a32-0abc809dd2ae) - removed the alert

September 27, 2019 Release

Decreased the severity to informational for a BIOC rule:
- Netcat shell via named pipe (cb05480f-17d8-4138-9902-f0f9fb50b674) - decreased severity to informational

September 26, 2019 Release

Increased the severity to high for 6 BIOC rules:
- Command-line creation of TCP stream (cb05480f-17d8-4138-9902-f0f9fb50b673) - improved detection logic, and increased severity to high
- Netcat shell via named pipe (cb05480f-17d8-4138-9902-f0f9fb50b674) - improved detection logic, and increased severity to high
- Python script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b675) - improved detection logic, and increased severity to high
- Perl script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b676) - improved detection logic, and increased severity to high
- PHP script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b677) - improved detection logic, and increased severity to high
- Wbadmin.exe deletes recovery files in quiet mode (24be0d84-2203-4d60-a1f0-39e4f80eee3a) - improved detection logic, changed the metadata, and increased severity to high

Increased the severity to medium for 4 BIOC rules:
- User added to local administrator group using a PowerShell command (7135da01-046f-452b-99d3-974795aca8c6) - changed the metadata, and increased severity to medium
- Scheduled task created with HTTP or FTP reference (3c888671-03a0-4e8f-8192-c7a6e031712c) - improved detection logic, changed the metadata, and increased severity to medium
- Powershell downloads files via BITS (ed10c4cc-867c-4318-aa9d-59d57d6934bb) - improved detection logic, changed the metadata, and increased severity to medium
- Clear Windows event logs using PowerShell.exe (d9321f3f-d32e-4aa9-8f88-22b03c36139d) - increased severity to medium

Improved the detection logic and increased the severity to low for 2 BIOC rules:
- Reading bash command history file (cb05480f-17d8-4138-9902-f0f9fb50b672) - improved detection logic, and increased severity to low
- Reading .ssh files (cb05480f-17d8-4138-9905-f0f9fb50b671) - improved detection logic, and increased severity to low

Improved the detection logic of a low-severity BIOC rule:
- Image File Execution Options registry key injection by unsigned process (98430360-5b37-465e-acd6-bafa9325110c) - improved detection logic

Improved the detection logic of 4 informational BIOC rules:
- Default Cobalt Strike command line for beaconing with PowerShell (f8ea70da-4bbd-44a7-9a32-0abc809dd2ae) - improved detection logic
- Curl connects to an external network (5e1b87b5-e0db-4ff9-9901-ed73a5190323) - improved detection logic
- Wget connects to an external network (5e1b87b5-e0db-4ff9-9901-ed73a5190322) - improved detection logic
- Accessing Linux bash history file (cb05480f-17d8-4138-9902-f0f9fb50b671) - improved detection logic

Added a new informational BIOC rule:
- Accessing Linux bash history file using bash commands (cb05480f-17d8-4138-9992-f0f9fb50b671) - added a new informational alert

September 25, 2019 Release

Added 7 new informational BIOC rules:
- Default Cobalt Strike command line for beaconing with PowerShell (f8ea70da-4bbd-44a7-9a32-0abc809dd2ae) - added a new informational alert
- Rundll32.exe running with no command-line arguments (0c0a801a-06ff-4a10-b555-67e56ecbd410) - added a new informational alert
- Injection into rundll32.exe (0c0a80af-06ff-4a10-b555-67e56ecbd410) - added a new informational alert
- Unsigned process injecting into a windows system binary with no command line (0c0a801f-06ff-4a10-b555-67e5aecbd410) - added a new informational alert
- RDP connections enabled via registry by unsigned process (6d432610-7ee0-4857-a8f5-009dfd4bde14) - added a new informational alert
- RDP connections enabled via registry from a script host or rundll32.exe (0f705be9-8cd2-4263-9735-6d394f08b974) - added a new informational alert
- 64-bit PowerShell spawning a 32-bit PowerShell (824a3186-b262-4e01-a45c-35cca8efa233) - added a new informational alert

Reduced the severity of 1 BIOC rule to informational:
- Outlook creates an executable file on disk (deafab32-3050-467d-a742-92f6453a152e) - decreased severity to informational

September 5, 2019 Release

Added a new BIOC rule:
- Image File Execution Options registry key injection by scripting engine (f8ea70da-4bbd-44a7-9b32-0abc809dd2be) - added a new low severity alert

Improved the detection logic and increased the severity of 2 BIOC rules:
- Image File Execution Options registry key injection by unsigned process (98430360-5b37-465e-acd6-bafa9325110c) - improved detection logic, changed the metadata, and increased severity to low
- WebDAV drive mounted from net.exe over HTTPS (0c0a801f-06ff-4a10-b555-67e56ecbd410) - improved detection logic, and increased severity to low

Improved the detection logic of 3 informational BIOC rules:
- Executable moved to system32 folder (045190df-f5ab-491a-b214-199dc17f9e3b) - improved detection logic
- RDP enabled via registry (6d432610-7ee0-4857-a8f5-009dfd4bde14) - improved detection logic
- Multiple RDP sessions enabled via registry (b1ac2867-7f82-4d99-b565-2fb5425c1bb5) - improved detection logic

August 8, 2019 Release

Improved the detection logic of 7 BIOC rules:
- Cscript.exe connects to an external network (9410a485-491b-42e4-af6c-de4a76e12f0c) - improved detection logic
- Windows Firewall disabled via registry (31796d2e-08a9-4047-8f37-3a0c2aad8f67) - improved detection logic and changed the metadata
- Process attempts to kill a known security/AV tool (e33072a2-ae58-43a0-bd05-08e986732f03) - improved detection logic
- Wscript.exe connects to an external network (deef10e3-42b1-45fa-a957-9713755fa514) - improved detection logic
- PowerShell process connects to the internet (5e1b87b5-e0db-4ff9-806b-ed73a5190222) - improved detection logic
- Communication over email ports to external email server by unsigned process (7b424216-fe61-4589-bcee-67e9e7b267be) - improved detection logic
- New local user created via Powershell command line (8369f619-0fc7-4b32-aa9f-fce1efcfd3c7) - improved detection logic and changed the metadata

Decreased severity of 2 BIOC rules:
- Microsoft Office process spawns an unsigned process (da9356d9-f8fa-4d32-a6eb-a79a2590816e) - decreased severity to informational
- Web server process drops an executable to disk (20a37717-dd61-4fe5-a73b-80d9fb2a8862) - decreased severity to informational

Added 18 new informational BIOC rules:
- Windows Firewall notifications disabled via registry (31796d2e-08a9-4047-8f37-3a0c2aa11702) - added a new informational alert
- Windows Firewall policy edited via registry (31796d2e-08a9-4047-8f37-3a0c2aa11703) - added a new informational alert
- Curl connects to an external network (5e1b87b5-e0db-4ff9-9901-ed73a5190323) - added a new informational alert
- Wget connects to an external network (5e1b87b5-e0db-4ff9-9901-ed73a5190322) - added a new informational alert
- Accessing Linux bash history file (cb05480f-17d8-4138-9902-f0f9fb50b671) - added a new informational alert
- Reading bash command history file (cb05480f-17d8-4138-9902-f0f9fb50b672) - added a new informational alert
- Reading .ssh files (cb05480f-17d8-4138-9905-f0f9fb50b671) - added a new informational alert
- Command-line creation of TCP stream (cb05480f-17d8-4138-9902-f0f9fb50b673) - added a new informational alert
- Netcat shell via named pipe (cb05480f-17d8-4138-9902-f0f9fb50b674) - added a new informational alert
- Python script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b675) - added a new informational alert
- Perl script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b676) - added a new informational alert
- PHP script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b677) - added a new informational alert
- Image File Execution Options registry key injection (98430360-5b37-465e-acd6-bafa9325110c) - added a new informational alert
- Executable moved to system32 folder (045190df-f5ab-491a-b214-199dc17f9e3b) - added a new informational alert
- RDP enabled via registry (6d432610-7ee0-4857-a8f5-009dfd4bde14) - added a new informational alert
- Multiple RDP sessions enabled via registry (b1ac2867-7f82-4d99-b565-2fb5425c1bb5) - added a new informational alert
- Outlook data files accessed by an unsigned process (ea7088cd-90e4-4750-b65c-61743e3c4bb3) - added a new informational alert
- WebDAV drive mounted from net.exe over HTTPS (0c0a801f-06ff-4a10-b555-67e56ecbd410) - added a new informational alert

July 18, 2019 Release

Modified 6 BIOC rules:
- Privilege escalation using local named pipe impersonation (dd0ac223-8aaa-4630-988d-de39eba83d29) - increased severity to medium
- Privilege escalation using local named pipe impersonation through DLL (d915cff3-5ce9-493f-9973-808a93ed50ad) - increased severity to medium
- New entry added to startup related registry keys by unsigned process (a09c90f7-0b45-4f2a-ac71-96170f047921) - decreased severity to informational
- Windows Firewall being disabled via registry (31796d2e-08a9-4047-8f37-3a0c2aad8f67) - decreased severity to informational
- Outlook creates an executable file on disk (deafab32-3050-467d-a742-92f6453a152e) - improved detection logic
- Web server process drops an executable to disk (20a37717-dd61-4fe5-a73b-80d9fb2a8862) - improved detection logic

Deleted 2 BIOC rules:
- Execution of network debugging/tunnelling tool (56a93227-73d7-42e5-936c-0a3de691b7c6) - removed the alert
- Explorer spawned from commonly abused host process (7b2e9352-20cf-4c52-94e9-b01fac10753a) - removed the alert

July 11, 2019 Release

Added 5 new medium-severity BIOC rules for detecting credential dumping:
- Credential dumping via gsecdump.exe (ca11656e-2c37-4089-94e3-f659ba50d792) - added a new medium-severity alert
- Credential dumping via pwdumpx.exe (8e3f6394-1633-47c9-8ca8-63b5c0187983) - added a new medium-severity alert
- Credential dumping via wce.exe (0c468243-6943-4871-be10-13fb68c0a8ef) - added a new medium-severity alert
- Dumping lsass.exe memory for credential extraction (cb05480f-17d8-4138-aa38-f0f9fb50b671) - added a new medium-severity alert
- Credential dumping via fgdump.exe (eebd92ac-c37f-4e7a-b37d-5c0189ddedcb) - added a new medium-severity alert

Improved the detection logic of 7 BIOC rules:
- Cscript.exe connects to an external network (9410a485-491b-42e4-af6c-de4a76e12f0c) - improved detection logic
- Windows Event Log cleared using wevtutil.exe (938176d0-d14a-49a0-9159-6081627eba03) - improved detection logic, increased severity to high and changed the metadata
- Wscript.exe connects to an external network (deef10e3-42b1-45fa-a957-9713755fa514) - improved detection logic
- Wbadmin.exe deletes recovery files in quiet mode (24be0d84-2203-4d60-a1f0-39e4f80eee3a) - improved detection logic, increased severity to medium and changed the metadata
- PowerShell process connects to the internet (5e1b87b5-e0db-4ff9-806b-ed73a5190222) - improved detection logic
- Communication over email ports to external email server by unsigned process (7b424216-fe61-4589-bcee-67e9e7b267be) - improved detection logic
- Adobe Acrobat Reader drops an executable file to disk (61f01972-e07f-46d7-ba75-f1ec1309625a) - improved detection logic

July 9, 2019 Release

Changed the logic of 1 BIOC rule and added 16 informational BIOC rules:
- Windows Event Log cleared using wevtutil.exe (938176d0-d14a-49a0-9159-6081627eba03) - improved detection logic
- Active Directory enumeration via command-line tool (136788a7-717a-49e2-9e0a-76f00eb60ed6) - added a new informational alert
- Logged on users enumeration via query.exe (375cb7bf-400e-4fbf-9755-693d80a5a54a) - added a new informational alert
- Delete Volume USN Journal with fsutil (9d79f0ce-15c2-4ab8-b63e-2f22d74423e3) - added a new informational alert
- Attempted to dump ntds.dit (73a6f03c-d459-4314-8213-3b69c9aa69c8) - added a new informational alert
- Kerberos service ticket request in PowerShell command (90e50124-8bf2-4631-861e-4b3e1766af5f) - added a new informational alert
- Creation of volume shadow copy using vssadmin.exe (8dd80937-96d8-4ecf-9f44-29a46e0cb5d9) - added a new informational alert
- Modification of NTLM restrictions in the registry (207bde33-2c02-4aa7-ae4f-e22146b79ba6) - added a new informational alert
- Logged on users enumeration via quser.exe (6b228541-9610-4e6f-ad5d-dc6b8d027405) - added a new informational alert
- Active directory enumeration using builtin nltest.exe (216e4145-0656-47c9-b4b3-40f362e133bc) - added a new informational alert
- Clear Windows event logs using wmic.exe (7316c8d9-07d8-40aa-b074-b452bc3d355c) - added a new informational alert
- Clear Windows event logs using PowerShell.exe (d9321f3f-d32e-4aa9-8f88-22b03c36139d) - added a new informational alert
- Indirect command execution using the Program Compatibility Assistant (18447eac-7ad6-44a8-aaf5-7e75b0151166) - added a new informational alert
- Privilege escalation using local named pipe impersonation (dd0ac223-8aaa-4630-988d-de39eba83d29) - added a new informational alert
- Privilege escalation using local named pipe impersonation through DLL (d915cff3-5ce9-493f-9973-808a93ed50ad) - added a new informational alert
- Addition or replacement of password filter DLL(s) through registry modification (ea98601c-e552-4b9b-8164-f085a38d383d) - added a new informational alert
- Dumping registry hives with passwords via reg.exe (824a3186-b262-4e01-b45c-35cca8efa233) - added a new informational alert

July 7, 2019 Release

11 BIOC rule changes. Note that for this content release, and for future ones, global rule IDs are listed in parentheses next to the BIOC names:
- Microsoft HTML Application Host spawns from CMD or Powershell (bfca0d1c-91f9-4ed3-b812-f207ba100a3b) - decreased severity to informational
- Microsoft Office process spawns a commonly abused process (c043b141-83d4-4158-a573-c1e348bb2ad9) - decreased severity to informational
- Web server spawns an unsigned process (bd23f54a-2bd4-417e-80ea-9dd7dcea54f4) - decreased severity to informational
- PowerShell calling Invoke-Expression argument (d9e32419-d8f0-4b2b-b395-6c27be156d56) - decreased severity to informational
- Cleartext password harvesting using find tools (7ac5c888-838d-489c-a6a9-2bab9cec7e9d) - decreased severity to informational
- Compiler process started by an Office process (9b8c5e4f-1b36-49ad-b2c4-155f244ea0ac) - decreased severity to informational
- New local user created via command line (8369f619-0fc7-4b32-aa9f-fce1efcfd3c7) - decreased severity to informational
- Unsigned process injects code into a process (5c3624c9-b234-49b3-b6c1-beae8d9891f8) - decreased severity to informational
- Scripting engine injects code to a process (1f985402-f4a4-4132-b74b-18a04a3620cd) - decreased severity to informational
- Unsigned process makes connections over DNS ports (99470a0e-c311-42a1-872f-74fde3326794) - decreased severity to informational
- Scripting engine makes connections over DNS ports (b3779123-e79d-43b5-b1f5-2fb41093afef) - decreased severity to informational

June 19, 2019 Release

27 BIOC rule changes:
- Manipulation of Windows settings using bcdedit.exe - decreased severity to informational
- Bypassing Windows UAC using disk cleanup - decreased severity to low
- Commonly abused process executes by a remote host using psexec - decreased severity to informational
- Compiled HTML (help file) writes a binary file to disk - decreased severity to medium
- Cscript connects to an external network - decreased severity to informational
- Windows process masquerading by an unsigned process - decreased severity to informational
- Windows Powershell Logging being disabled via registry - decreased severity to informational
- Binary file being created to disk with a double extension - decreased severity to medium
- Outlook creates an executable file on disk - decreased severity to low
- Executable created to disk by lsass.exe - decreased severity to medium
- Microsoft Office process spawns a commonly abused process - decreased severity to low
- Powershell runs with known Mimikatz arguments - decreased severity to medium
- Process attempts to kill a known security/AV tool - decreased severity to medium, improved detection logic
- Process runs from the recycle bin - decreased severity to medium
- Process runs with a double extension - decreased severity to medium
- Enumeration of installed AV or FW products using WMIC - decreased severity to informational
- Powershell process makes network connections to the internet - decreased severity to informational
- Powershell runs base64 encoded commands - decreased severity to informational
- Communication over email ports to external email server by unsigned process - decreased severity to informational
- PowerShell calling Invoke-Expression argument - improved detection logic
- Compiler process started by a commonly abused shell process - decreased severity to informational
- Unsigned process executing whoami command - decreased severity to informational
- Scripting engine called to run in the command line - decreased severity to informational
- Unsigned process injects code into a process - decreased severity to low
- Sensitive Google Chrome files access by a non-Google process - decreased severity to informational
- Script file entry written to startup related registry keys - decreased severity to informational
- Adobe Acrobat Reader drops an executable file to disk - decreased severity to low, improved detection logic

April 15-16, 2019 Release

- Adobe Acrobat Reader drops an executable file to disk - ignore acrord32.exe as causality process to reduce false positives

Initial Release

198 BIOC rules: 12 high severity, 11 medium severity, 53 low severity, 122 informational