Content Release Notes

Cortex XDR Content Release Notes

June 21, 2020 Release

  • Increased the severity to medium for a BIOC rule:
    • Possible UAC bypass via Event Viewer (55644e90-38b9-4233-aa11-eefe85561184) - increased the severity to medium, improved detection logic, and changed metadata
  • Improved detection logic for a low-severity BIOC rule:
    • Reading .ssh files (cb05480f-17d8-4138-9905-f0f9fb50b671) - improved detection logic, and changed metadata
  • Added 6 new informational BIOC rules:
    • Manipulation of the 'SilentProcessExit' Registry key (36a92409-c69e-45fa-a206-5c6058d3d48a) - added a new informational alert
    • Creation of a new Microsoft Office default template (3272b10a-d3f1-4bef-82c6-4502eab0eaef) - added a new informational alert
    • Office process creates a scheduled task via file access (b97e91dc-7ca9-4e77-a595-e214eb462f27) - added a new informational alert
    • WptsExtensions.dll created to disk (4cde444e-aa7f-4f1a-8c75-855c3c9e50e9) - added a new informational alert
    • Office process spawned with suspicious command-line arguments (29f7499b-2464-479d-9e49-10911bc02945) - added a new informational alert
    • Windows Security audit Log was cleared (afc6329f-ccec-4c56-963d-5da63bb8a27d) - added a new informational alert
  • Improved detection logic for 2 informational BIOC rules:
    • Encrypted zip archive creation (88836a02-95e6-47d1-a619-90a2de0165ff) - improved detection logic, and changed metadata
    • Unsigned process creates a scheduled task via file access (116a3cfb-2fd3-4d99-800b-e93fe158b211) - improved detection logic, and changed metadata


June 7, 2020 Release

  • Added 17 new informational BIOC rules:
    • Microsoft Office process spawns conhost.exe (1dd1585b-632f-48f0-8eea-637a9e5e4fc7) - added a new informational alert
    • Possible C2 via dnscat2 (f9127d2b-3bf1-4d30-9258-d4d4aa0ebbb0) - added a new informational alert
    • Possible user enumeration via finger (84b6d1e8-812a-4ac7-a977-b88f26d32342) - added a new informational alert
    • Conhost.exe spawned a suspicious child process (d9d0dfed-fdc3-4488-9e1b-5ca3eea82bee) - added a new informational alert
    • Possible Oracle enumeration via tnscmd10g (2cb88b29-27c2-484b-be99-60158b575cf1) - added a new informational alert
    • Execution of Fsociety tool pack (9a5b28a6-0a67-4386-9707-e7e4f1791c8a) - added a new informational alert
    • Suspicious execution of ODBCConf (f35fb52f-f2a8-4568-b2f4-660910109efb) - added a new informational alert
    • UDP protocol scanner execution (d985da58-a4c5-4063-984b-357c80021aa1) - added a new informational alert
    • SMB enumeration via command-line tool (a8480241-6aa6-43d1-aae2-a53b22220b1d) - added a new informational alert
    • Execution of a password brute-force tool (5271e598-1eca-4abb-8f96-803e7674ff61) - added a new informational alert
    • DNS reconnaissance or enumeration via DNSRecon (58ee2732-5c4e-468c-a878-4a524d8d5f81) - added a new informational alert
    • Credential dumping via LaZagne (928b756c-8328-4dd8-9b41-5461d590589f) - added a new informational alert
    • Rundll32 loads a known abused DLL (340fd5f7-7a5c-4c6e-8b54-9bfce08bd2a3) - added a new informational alert
    • Unusual process spawned by changepk.exe (b81c79bc-3781-4657-af0d-4bc49856332b) - added a new informational alert
    • Permission groups discovery via ldapsearch (c72123f7-2612-4797-a919-3ab9511fd5e6) - added a new informational alert
    • Possible Oracle enumeration via Oscanner (81714e7d-a315-11ea-baaf-acde48001122) - added a new informational alert
    • Possible ARP reconnaissance via netdiscover (304eb4e4-1052-416e-8a13-1222a61bc672) - added a new informational alert
  • Improved detection logic for 2 high-severity BIOC rules:
    • Netcat makes or gets connections (44bf3d02-3081-4222-814f-6d47958c502a) - improved detection logic
    • Wbadmin.exe deletes recovery files in quiet mode (24be0d84-2203-4d60-a1f0-39e4f80eee3a) - improved detection logic, and changed metadata
  • Improved detection logic for 4 medium-severity BIOC rules:
    • Executable created to disk by lsass.exe (8d61c71e-3224-453f-aa1a-28de92d85b13) - improved detection logic, and changed metadata
    • Regsvr32 possibly downloading code from a remote host (a5ee0040-949c-4a4f-a5b8-dd5c079f9ba0) - improved detection logic
    • Windows certificate management tool makes a network connection (0179177f-e5ec-4101-a238-c0372b239afb) - improved detection logic
    • Compiled HTML (help file) writes a script file to disk (122e2d05-593a-4739-b498-6c5252c0dc00) - improved detection logic, and changed metadata
  • Improved detection logic for a low-severity BIOC rule:
    • Notepad process makes a network connection (558de43f-e8ff-4222-bb82-4419868088cd) - improved detection logic, and changed metadata
  • Improved detection logic for 9 informational BIOC rules:
    • Commonly abused process launches as a system service (3a426a71-9c12-4146-a916-c2db387280ed) - improved detection logic, and changed metadata
    • Unsigned process makes connections over DNS ports (99470a0e-c311-42a1-872f-74fde3326794) - improved detection logic, and changed metadata
    • Compiled HTML (help file) makes network connections (858a4ed7-36c4-4c43-9bff-d142f300035d) - improved detection logic, and changed metadata
    • Scripting engine makes connections over DNS ports (b3779123-e79d-43b5-b1f5-2fb41093afef) - improved detection logic, and changed metadata
    • Dllhost.exe makes network connections (d4b8bd1d-f1fb-4fde-9547-33494049c44a) - improved detection logic, and changed metadata
    • Suspicious runonce.exe parent process (029129fa-20ad-11ea-b86e-8c8590c9ccd1) - improved detection logic, and changed metadata
    • Unsigned process executed as a scheduled task (12766be6-50be-4cac-b6a4-6f3b5b8bd8ab) - improved detection logic, and changed metadata
    • Outlook data files accessed by an unsigned process (ea7088cd-90e4-4750-b65c-61743e3c4bb3) - improved detection logic
    • Suspicious DLL load using Control.exe (68db2d19-082e-4703-8008-b5938298a910) - improved detection logic, and changed metadata


May 31, 2020 Release

  • Improved detection logic for a high-severity BIOC rule:
    • Suspicious access to NTDS.dit (eeeee3a5-a22f-4850-8022-17684a8c5227) - improved detection logic

May 24, 2020 Release

  • Improved detection logic for 3 medium-severity BIOC rules:
    • Process runs with a double extension (f8890ac0-dc0b-4bd2-915f-932145147d73) - improved detection logic, and changed metadata
    • Rundll32.exe running with no command-line arguments (0c0a801a-06ff-4a10-b555-67e56ecbd410) - improved detection logic, and changed metadata
    • LOLBAS executable injects into another process (c8ad0223-2018-11ea-a080-8c8590c9ccd1) - improved detection logic
  • Added 5 new informational BIOC rules:
    • Fontdrvhost.exe makes network connections (7d43a35a-d5f1-4d00-b755-3e62db2e70db) - added a new informational alert
    • Unusual process spawned by fontdrvhost.exe (3e6054cf-8ba3-4550-ba4f-9308a537342f) - added a new informational alert
    • Rundll32.exe launches an executable using ordinal numbers argument (421619b8-a26b-476a-b2e4-3c24ee33a4b0) - added a new informational alert
    • Suspicious debug file created in a temporary folder (887e00c4-ec12-4490-b9bc-0db49a010fba) - added a new informational alert
    • Bypass UAC using the changepk.exe Registry key (8abd3382-cf28-4906-b379-a3976dc0cd21) - added a new informational alert
  • Changed metadata for a BIOC rule:
    • Psexesvc.exe executes a command from a remote host (ced869bc-88ee-4c67-a6d9-92002800403a) - changed metadata


May 17, 2020 Release

  • Increased the severity to medium for 2 BIOC rules:
    • WSReset.exe UAC bypass (c07d1939-f759-4b5e-905a-fdd777ac3fda) - increased the severity to medium
    • Rundll32.exe used to run JavaScript (b6315a3-e1cd-4bfb-baa7-5609cd7f8756) - increased the severity to medium
  • Improved detection logic for 5 medium-severity BIOC rules:
    • Image File Execution Options Registry key injection by scripting engine (f8ea70da-4bbd-44a7-9b32-0abc809dd2be) - improved detection logic
    • Scripting engine injects code to a process (1f985402-f4a4-4132-b74b-18a04a3620cd) - improved detection logic
    • Manipulation of Google Chrome extensions via Registry (5adc7a1b-c840-43fc-ac65-c1b6cdb5ca12) - improved detection logic
    • Executable moved to Windows system folder (045190df-f5ab-491a-b214-199dc17f9e3b) - improved detection logic
    • Manipulation of Firefox plugins and extensions via Registry (98a1a1e1-5b03-4aa4-95ce-77ef7a52e600) - improved detection logic
  • Improved detection logic for a low-severity BIOC rule:
    • Image File Execution Options Registry key injection by unsigned process (98430360-5b37-465e-acd6-bafa9325110c) - improved detection logic
  • Added 11 new informational BIOC rules:
    • Microsoft Office injects code into a process (17b8c759-512d-4c13-9fe4-71dcdeb97c29) - added a new informational alert
    • LOLBAS reading a Windows credential manager file (3155db03-35a0-4341-9415-1c3bff40d3e0) - added a new informational alert
    • SmartScreen disabled via Registry (51680cd3-af12-4140-ab98-af8694e36409) - added a new informational alert
    • Suspicious process spawns MSBuild.exe (681dab98-d443-4327-9fd3-5f5bd33a3adb) - added a new informational alert
    • Suspicious SearchProtocolHost.exe parent process (6e717721-732f-44e3-b826-602ae8bb6b67) - added a new informational alert
    • Encoded script running (b38b98bc-e2d4-4719-b863-d9142bf8d647) - added a new informational alert
    • MSBuild.exe makes a network connection (bb459bb4-e864-4008-a12a-10ed4df3d753) - added a new informational alert
    • Suspicious certutil command line (bcf4cd6b-1e7f-4b2c-b538-24dacd1a0421) - added a new informational alert
    • Microsoft Office adds a value to autostart Registry key (db0da9c7-b7b6-43ab-a53b-5854b6da9ce5) - added a new informational alert
    • Suspicious .NET log file created (dd318916-3d0a-4801-aa0b-78f9b94d0323) - added a new informational alert
    • Microsoft Office executes an unsigned process under a suspicious directory (e1befc42-a6f8-403f-94db-2bb4d0e70439) - added a new informational alert
  • Improved detection logic for 3 informational BIOC rules:
    • Unsigned process reads Chromium credentials file (da3cedf6-9fd3-4e00-b2ca-9cedbd8b098a) - improved detection logic, and changed metadata
    • Outlook creates an executable file on disk (deafab32-3050-467d-a742-92f6453a152e) - improved detection logic
    • Tampering with Windows Security Support Provider DLLs (1396a3ad-1b0a-4ad7-861b-a6a50104952e) - improved detection logic, and changed metadata


May 10, 2020 Release

  • Increased the severity to medium for 2 BIOC rules:
    • WSReset.exe UAC bypass (c07d1939-f759-4b5e-905a-fdd777ac3fda) - increased the severity to medium
    • Rundll32.exe used to run JavaScript (b6315a3-e1cd-4bfb-baa7-5609cd7f8756) - increased the severity to medium
  • Added 3 new informational BIOC rules:
    • Microsoft Office injects code into a process (17b8c759-512d-4c13-9fe4-71dcdeb97c29) - added a new informational alert
    • Encoded script running (b38b98bc-e2d4-4719-b863-d9142bf8d647) - added a new informational alert
    • LOLBAS reading a Windows credential manager file (3155db03-35a0-4341-9415-1c3bff40d3e0) - added a new informational alert


May 3, 2020 Release
  • Increased the severity to high for 2 BIOC rules:
    • Rubeus tool execution (be12107d-1056-11ea-874c-8c8590c9ccd1) - changed metadata, and increased the severity to high
    • Pubprn.vbs signed script proxy execution (8d113cec-90be-4b24-856a-6f6c091e7510) - increased the severity to high
  • Increased the severity to medium for 2 BIOC rules:
    • Possible network connection to a TOR relay server (996c74f1-f154-466a-8f93-154a43c6fb90) - improved detection logic, and increased the severity to medium
    • AMSI Bypass (7cdcafb1-cc36-4608-87da-eaed966d3c7e) - increased the severity to medium


April 26, 2020 Release
  • Increased the severity to medium for 2 BIOC rules:
    • Manipulation of Windows Safe Boot configuration (bf8923ca-bfe8-4cdd-89ac-3b2b7938976c) - increased the severity to medium, changed metadata, and improved detection logic
    • Bypass UAC using the control.exe Registry key (263c2cfb-e511-446e-8263-14d0a985b445) - increased the severity to medium, and changed metadata
  • Improved detection logic for a medium-severity BIOC rule:
    • Script file added to startup-related Registry keys (1db69ccd-b068-40b1-aeec-ce987021cdfc) - improved detection logic
  • Added 3 new informational BIOC rules:
    • Access to Opera browser credentials file (01de8317-d3e7-4d4b-871f-e86a775a1c1e) - added a new informational alert
    • Memory dumping with comsvcs (9873cd8b-2220-4384-a99f-712ad0ccfb45) - added a new informational alert
    • SyncAppvPublishingServer used to run PowerShell code (a3d1fa93-c193-44d8-a469-a25dd1db7695) - added a new informational alert


April 19, 2020 Release
  • Added 3 new informational BIOC rules:
    • Modification of default Windows startup path via Registry (fbacd7dc-f835-436b-9e83-9c20d74732e2) - added a new informational alert
    • Possible Persistence via group policy Registry keys (21ff020b-270f-4579-90ca-9d14638d4c46) - added a new informational alert
    • Password-related Mozilla files were read by a non-Mozilla process (4d52183d-193b-4cca-8e17-d4dcfb5a388c) - added a new informational alert
  • Improved detection logic for a medium-severity BIOC rule:
    • Windows certificate management tool makes a network connection (0179177f-e5ec-4101-a238-c0372b239afb) - improved detection logic
  • Changed metadata for 8 BIOC rules:
    • Executable file written to a temporary folder (73adac7b-e1c0-47d0-9767-f491e92008eb) - changed metadata
    • Hidden directory creation (d4049817-ff73-460a-b752-21c86c6efdc8) - changed metadata
    • Unsigned process running from a temporary directory (e9d12cc6-69a2-4cce-b58e-4db58b9176cf) - changed metadata
    • DNS resolution to the Palo Alto Networks sinkhole (03347621-15db-11ea-8454-88e9fe502c1f) - changed metadata
    • Cscript.exe connects to an external network (9410a485-491b-42e4-af6c-de4a76e12f0c) - changed metadata
    • PowerShell possibly attempting to execute as administrator (765c164d-7170-4e1c-a463-a5ecf41617dd) - changed metadata
    • Process calls ActiveX Object with a shell command (82485794-7e5b-48da-aacf-926d031b8f62) - changed metadata
    • Process runs from the recycle bin (98134120-eed2-4252-b6d6-d130743018c6) - changed metadata


April 12, 2020 Release
  • Increased the severity to medium for a BIOC rule:
    • Script file added to startup-related Registry keys (1db69ccd-b068-40b1-aeec-ce987021cdfc) - improved detection logic, increased the severity to medium, and changed metadata
  • Changed metadata for 5 BIOC rules:
    • Manipulation of Windows Safe Boot configuration (bf8923ca-bfe8-4cdd-89ac-3b2b7938976c) - changed metadata
    • Shutdown command issued (6c60836a-382a-460e-9208-4b59f4fc68a9) - changed metadata
    • Manipulation of permissions for the Application Event Log (6a8acb51-2331-4384-a247-a27cc9f12c84) - changed metadata
    • Manipulation of Volume Shadow Copy configuration (ceaedeba-68c1-4c99-87b2-98872b4aeca3) - changed metadata
    • Tampering with the Windows System Restore configuration (710b1aaa-cfdf-42b5-9615-447cedc5e5f0) - changed metadata


April 6, 2020 Release
  • Increased the severity to high for a BIOC rule:
    • Suspicious access to NTDS.dit (eeeee3a5-a22f-4850-8022-17684a8c5227) - improved detection logic, increased the severity to high, and changed metadata
  • Increased the severity to low for a BIOC rule:
    • Manipulation of Windows DNS configuration using WMIC (ff9612ae-22ca-4ac2-bd3b-6bf1244dad8a) - improved detection logic, increased the severity to low, and changed metadata
  • Added 3 new informational BIOC rules:
    • Disabling Windows Defender via Registry (d18483d3-1e7c-48cc-b1d9-6e1ab8592667) - added a new informational alert
    • WMI access to shadow copy interface (b6cd123b-e5a0-4aa3-ac43-3398d6a93ca7) - added a new informational alert
    • Pubprn.vbs signed script proxy execution (8d113cec-90be-4b24-856a-6f6c091e7510) - added a new informational alert
  • Decreased the severity to informational for a BIOC rule:
    • Modification of password filter DLL(s) Registry key (ea98601c-e552-4b9b-8164-f085a38d383d) - decreased the severity to informational
  • Removed 2 BIOC rules:
    • PowerShell enumerates running processes (932681e4-919a-4151-921f-adcb1088bb86) - removed
    • Possible RDP session hijacking using tscon.exe (32c6e7f9-ccd0-48a4-8bc9-3e460653cb75) - removed
  • Changed metadata for 118 BIOC rules


March 30, 2020 Release
  • Increased the severity to high for 2 BIOC rules:
    • Mimikatz command-line arguments (94fed992-c1da-4b69-9caa-292221b8c070) - improved detection logic, changed metadata, and increased the severity to high
    • Netcat makes or gets connections (44bf3d02-3081-4222-814f-6d47958c502a) - improved detection logic, changed metadata, and increased the severity to high
  • Increased the severity to medium for 5 BIOC rules:
    • Windows certificate management tool makes a network connection (0179177f-e5ec-4101-a238-c0372b239afb) - improved detection logic, changed metadata, and increased the severity to medium
    • Non-browser access to a pastebin-like site (6b394799-0a16-4d03-b8b4-e9a062965ad7) - improved detection logic, changed metadata, and increased the severity to medium
    • Fodhelper.exe UAC bypass (448f8a2e-eaf9-4ff7-ab84-5a582e837dfc) - improved detection logic, and increased the severity to medium
    • LSASS dump file written to disk (90226942-3721-4df4-9b26-577ed1e9c34d) - improved detection logic, and increased the severity to medium
    • Network sniffing via command-line tool (4b25dcce-0ac3-4cb2-8c97-939a1077af84) - improved detection logic, and increased the severity to medium
  • Increased the severity to low for 6 BIOC rules:
    • Windows Firewall notifications disabled via Registry (31796d2e-08a9-4047-8f37-3a0c2aa11702) - improved detection logic, changed metadata, and increased the severity to low
    • Base64 encoding used (e8ffb33b-f1a8-4687-9ad7-cd2654d73b4f) - improved detection logic, changed metadata, and increased the severity to low
    • Kernel modules loaded via command-line tool (49dbb669-e1f4-4ca7-a7e4-36478b780e74) - improved detection logic, and increased the severity to low
    • Possible network service discovery via command-line tool (d2f959f3-d463-4d73-92bf-4c3664a5d956) - improved detection logic, and increased the severity to low
    • Executable copied to remote host via admin share (63181adb-96a2-441b-8367-6a1e91ef1e02) - improved detection logic, changed metadata, and increased the severity to low
    • Bash creating network traffic (8bbc8c26-45dd-436c-9d89-98f76164daee) - improved detection logic, and increased the severity to low
  • Added 4 new informational BIOC rules:
    • Direct scheduled task creation via file access (116a3cfb-2fd3-4d99-800b-e93fe158b211) - added a new informational alert
    • Disable outlook security via Registry (a6311886-ab62-4df9-862f-b999a0c3a995) - added a new informational alert
    • Ping to a known external IP address (61079392-db2f-4b7a-b7f8-b87562137f73) - added a new informational alert
    • File renamed to have a script extension (51bd180f-ae84-450d-b0a6-b1a67300ef4d) - added a new informational alert
  • Removed a BIOC rule:
    • Common Google process name missing Google digital signature (417426e1-363c-4dbc-928d-ff7cd5f114d0) - removed
  • Changed the metadata for 115 BIOC rules


March 24, 2020 Release
  • Decreased the severity to informational for a BIOC rule:
    • Injection into rundll32.exe (0c0a80af-06ff-4a10-b555-67e56ecbd410) - improved detection logic, and decreased the severity to informational


March 23, 2020 Release
  • Increased the severity to low for a BIOC rule:
    • Persistence using cron jobs (3a73f6c2-ce9a-4eca-a4b5-a62a8e548319) - increased the severity to low, and improved detection logic
  • Improved detection logic for a high-severity BIOC rule:
    • Windows Event Log cleared using wevtutil.exe (938176d0-d14a-49a0-9159-6081627eba03) - changed metadata, and improved detection logic
  • Improved detection logic for a medium-severity BIOC rule:
    • Injection into rundll32.exe (0c0a80af-06ff-4a10-b555-67e56ecbd410) - changed metadata, and improved detection logic
  • Improved detection logic for an informational BIOC rule:
    • Manipulation of permissions for the Application Event Log (6a8acb51-2331-4384-a247-a27cc9f12c84) - changed metadata, and improved detection logic
  • Added 7 new informational BIOC rules:
    • Interactive at.exe privilege escalation method (0b41de4f-7d6e-4969-8636-56a98e2b6533) - added a new informational alert
    • Suspicious file created in AppData directory (b2ad90f1-11ac-4a98-9c85-0526953f2879) - added a new informational alert
    • Root certificate installed (c7f92662-5a28-48da-845a-34a7876c3eb3) - added a new informational alert
    • Injection into ping.exe (cc960d74-2582-42cd-aaa7-6ef1282e5029) - added a new informational alert
    • MSI accessed a web page running a server-side script (d24d3083-703e-4216-b248-eb6fa7cefc85) - added a new informational alert
    • Persistence via Registry screensaver key change (dac7763e-7a68-43b0-98eb-e79e7f80db76) - added a new informational alert
    • Root certificate installed (e48ab0ac-e71b-40b1-8035-cc5033b7dd87) - added a new informational alert
  • Changed metadata for 43 BIOC rules:
    • New certificate added to the trusted root store (01c10219-918d-4c45-bd0d-daf63ef6903c) - changed metadata
    • Commonly-abused AutoIT script connects to a remote host (429e8b36-070c-44ae-ae6d-50f89d31261e) - changed metadata
    • Executable or script created in the startup folder (5ee4f82d-6d98-4f94-a832-a62957234d69) - changed metadata
    • Commonly-abused process executes as a scheduled task (1fe9ecf8-64e7-4547-8a67-9f188d694550) - changed metadata
    • WMI terminated a process (5c93679e-ea6c-4b88-8ba9-24446f6665dd) - changed metadata
    • Chrome launched in Incognito mode (5119f194-5362-4141-8212-cba47a3530b9) - changed metadata
    • Suspicious DLL load using Control.exe (68db2d19-082e-4703-8008-b5938298a910) - changed metadata
    • Registry change to hide known file extension (6110979a-b0ba-4384-955c-a73438ef38a9) - changed metadata
    • PowerShell process connects to the internet (5e1b87b5-e0db-4ff9-806b-ed73a5190222) - changed metadata
    • Accessibility tool 'Debugger' Registry key created (47b4051d-2e74-46a5-ad41-35302a8fdef7) - changed metadata
    • Unsigned process spawned a browser (3baa64a2-09b6-4af7-9305-0a0dd2297b15) - changed metadata
    • Enumeration of running processes via command line (621fe652-fc63-4eae-9a29-6a436b70e985) - changed metadata
    • Executable copied to remote host via admin share (63181adb-96a2-441b-8367-6a1e91ef1e02) - changed metadata
    • New scheduled task created (00e82bfd-a179-4293-b1e0-976ba382e136) - changed metadata
    • Driver written to a temporary directory (5edceb49-5371-476e-94d5-442337a14cff) - changed metadata
    • Manipulation of LSA 'Authentication Packages' Registry key (4f133949-205d-4abf-bbf6-4fc6e48bc6c4) - changed metadata
    • Modification of the Winlogon\Shell Registry key (0d390f7f-d8bb-4803-8b1d-ca41d54ad600) - changed metadata
    • Windows certificate management tool makes a network connection (0179177f-e5ec-4101-a238-c0372b239afb) - changed metadata
    • Windows hosts file written to (54d01b86-4b6a-4554-81f8-214f2d7d6c32) - changed metadata
    • Unsigned process creates an Alternate Data Stream (ADS) (51be6542-3345-464a-8c0a-11f90fb97331) - changed metadata
    • Ping executed with loopback address (363bfa0b-95f7-43c8-a699-0670f9bbebfe) - changed metadata
    • Wget connecting to an external network (5e1b87b5-e0db-4ff9-9901-ed73a5190322) - changed metadata
    • Tampering with Windows Security Support Provider DLLs (1396a3ad-1b0a-4ad7-861b-a6a50104952e) - changed metadata
    • PowerShell running with download in the command line (59de217d-211f-468b-a2a8-60324a305513) - changed metadata
    • Excel Web Query file created on disk (5f29933c-46ae-45f4-b5ce-fc59f12240bf) - changed metadata
    • Manipulation of 'BootExecute' Registry run key (68136813-901d-411a-b2e8-48bcf22af1ec) - changed metadata
    • Unsigned process executes as a scheduled task (12766be6-50be-4cac-b6a4-6f3b5b8bd8ab) - changed metadata
    • Enumeration using net.exe or net1.exe (53edfa8f-b0d3-4960-9a16-98d53be6ae44) - changed metadata
    • New environment variable set (0df2d00a-e4eb-4198-8573-962de02885ff) - changed metadata
    • Unsigned process executing whoami (690a8894-5827-4f70-ac30-61f26feb1e34) - changed metadata
    • PsExec attempts to execute a command on a remote host (5863cb1a-598f-49b1-b4a9-a444f70e596e) - changed metadata
    • Windows 10 Developer Mode enabled (4e4a3361-3863-4a98-a08c-4992b43ca7e4) - changed metadata
    • Commonly-abused process spawned by web server (0e2c294f-cd18-44bf-8d93-edf98c4a41c3) - changed metadata
    • Modification of Windows boot configuration using bcdedit.exe (154dbe5f-ba64-4c31-899a-f64bc9983d12) - changed metadata
    • PowerShell runs base64-encoded commands (50e811bd-49bc-47cb-bffc-4daf4c844d26) - changed metadata
    • Changing permissions or ownership of a file or folder (0c6d31b7-78c5-4244-90ac-5fb26952d54f) - changed metadata
    • Execution of commonly-abused AutoIT script (13b17653-c885-4d10-bce2-51a63419cf8f) - changed metadata
    • Mshta.exe launched with suspicious arguments (0b174006-3946-43b6-af3c-ab400e6c7a87) - changed metadata
    • Unsigned process injecting into a Windows system binary with no command line (0c0a801f-06ff-4a10-b555-67e5aecbd410) - changed metadata
    • Scripting engine injects code to a process (1f985402-f4a4-4132-b74b-18a04a3620cd) - changed metadata
    • PsExec execution EulaAccepted flag added to the Registry (076f18f5-7b94-45ec-b880-bf3827ae53de) - changed metadata
    • Manipulation of Google Chrome extensions via Registry (5adc7a1b-c840-43fc-ac65-c1b6cdb5ca12) - changed metadata
    • Indirect command execution using the Program Compatibility Assistant (18447eac-7ad6-44a8-aaf5-7e75b0151166) - changed metadata


March 15, 2020 Release
  • Improved detection logic for a low-severity BIOC rule:
    • Manipulation of MMC Registry configuration (6b29c2d9-4675-426c-b5f2-67f93c5c0ac4) - improved detection logic
  • Added 10 new informational BIOC rules:
    • System information discovery via psinfo.exe (9eafe6a7-b0fa-4f85-867f-8ef01412e124) - added a new informational alert
    • WSReset.exe UAC bypass (c07d1939-f759-4b5e-905a-fdd777ac3fda) - added a new informational alert
    • Usage of tracing tool (4446f8cf-6859-4af0-8da0-17f4503077d5) - added a new informational alert
    • Modification of logon scripts via Registry (c77e2bc0-d77a-4c54-91bc-63f0415c2821) - added a new informational alert
    • Reverse shell one-liner using a scripting engine (59be79be-d4e3-41f8-ba81-08ff8f5830f1) - added a new informational alert
    • Office process writes an executable file to disk (235ffb55-8b93-4ff0-b5b1-f6ed864995e0) - added a new informational alert
    • Bypass UAC using the IsolatedCommand Registry value (888395ea-2630-404e-a30c-c1ae4e352631) - added a new informational alert
    • Suspicious usage of cytool.exe (9e389768-e7ad-428c-9e2b-916a979950ca) - added a new informational alert
    • Bypass UAC using the control.exe Registry key (263c2cfb-e511-446e-8263-14d0a985b445) - added a new informational alert
    • Suspicious access to /etc/shadow (e5fa37b4-939d-434e-9065-9723c06790fb) - added a new informational alert
  • Improved detection logic for an informational BIOC rule:
    • Sudoers discovery (2ed43b35-f9ca-4df4-a796-c5e88da0ed3a) - improved detection logic, and changed metadata
 
March 8, 2020 Release
  • Increased the severity to medium for 2 BIOC rules:
    • Unsigned process injecting into a Windows system binary with no command line (0c0a801f-06ff-4a10-b555-67e5aecbd410) - improved detection logic, increased the severity to medium, and changed metadata
    • Possible malicious .NET compilation started by a commonly-abused process (9eb14342-4742-11ea-8105-88e9fe502c1f) - increased the severity to medium
  • Increased the severity to low for a BIOC rule:
    • RDP connections enabled via Registry by unsigned process (6d432610-7ee0-4857-a8f5-009dfd4bde14) - improved detection logic, increased the severity to low, and changed metadata
  • Added 13 new informational BIOC rules:
    • WMI execution of cmd.exe with output redirection (af8d1cd7-7e8f-4084-b698-b47ca9e2c8b2) - added a new informational alert
    • Discovery of files with setgid or setuid bits (6e873af1-fa2b-46f2-b641-f64b55db5db2) - added a new informational alert
    • Fodhelper.exe UAC bypass (448f8a2e-eaf9-4ff7-ab84-5a582e837dfc) - added a new informational alert
    • Remote RDP session enumeration via query.exe (ba98e718-1bc4-427d-9ccf-44c80b40f2b7) - added a new informational alert
    • Command-line creation of a RAR archive (0276283f-7696-45d4-82dc-a4195d9b849b) - added a new informational alert
    • NTLM Credential dumping via RpcPing.exe (6bebf7c5-47a2-4c35-8786-6b64a27a35f5) - added a new informational alert
    • Possible UAC bypass using Eventvwr.exe (55644e90-38b9-4233-aa11-eefe85561184) - added a new informational alert
    • Kernel modules loaded via compiled loader and .ko file (371c8d3b-560a-456e-802d-394aea248f1d) - added a new informational alert
    • Potential web shell installation (4cc829d5-6fba-4167-8c4c-25e538bcd993) - added a new informational alert
    • Collecting audio via PowerShell command (b519acb0-9cda-4a5c-8b36-f8b3533f6607) - added a new informational alert
    • Modification of SSH authorized keys (7f5acbc4-8574-4cd6-aeb5-411c21e38a41) - added a new informational alert
    • Credential Vault command-line access (e57fdcf6-5bbf-46b7-a697-83042df49c5a) - added a new informational alert
    • Remote RDP session enumeration via qwinsta.exe (5f017d4f-f526-46f6-9f32-a63d16639637) - added a new informational alert
  • Improved detection logic for a medium-severity BIOC rule:
    • Credential dumping via wce.exe (0c468243-6943-4871-be10-13fb68c0a8ef) - improved detection logic, and changed metadata
  • Improved detection logic for a low-severity BIOC rule:
    • Dumping Registry hives with passwords (824a3186-b262-4e01-b45c-35cca8efa233) - improved detection logic


February 23, 2020 Release
  • Increased the severity to medium for a BIOC rule:
    • Possible ping sweep (362649fe-9028-4166-baf8-b58c8dab8bee) - improved detection logic, and increased the severity to medium
  • Added 2 new informational BIOC rules:
    • PsExec runs with System privileges (b834289d-44f9-4e05-9411-4dd8dfff8959) - added a new informational alert
    • Possible RDP session hijacking using tscon.exe (32c6e7f9-ccd0-48a4-8bc9-3e460653cb75) - added a new informational alert


February 16, 2020 Release
  • Increased the severity to high for a BIOC rule:
    • Debug.bin file dropped to Temp folder (5b161cc7-20d1-11ea-bf45-8c8590c9ccd1) - increased the severity to high
  • Increased the severity to medium for 9 BIOC rules:
    • Mshta.exe launched with suspicious arguments (0b174006-3946-43b6-af3c-ab400e6c7a87) - improved detection logic, increased the severity to medium, and changed metadata
    • Reading bash command history file (cb05480f-17d8-4138-9902-f0f9fb50b672) - increased the severity to medium, and changed metadata
    • Multiple RDP sessions enabled via Registry (b1ac2867-7f82-4d99-b565-2fb5425c1bb5) - increased the severity to medium, and changed metadata
    • Image File Execution Options Registry key injection by scripting engine (f8ea70da-4bbd-44a7-9b32-0abc809dd2be) - increased the severity to medium, and changed metadata
    • Regsvr32 possibly downloading code from a remote host (a5ee0040-949c-4a4f-a5b8-dd5c079f9ba0) - improved detection logic, increased the severity to medium, and changed metadata
    • Manipulation of Google Chrome extensions via Registry (5adc7a1b-c840-43fc-ac65-c1b6cdb5ca12) - improved detection logic, increased the severity to medium, and changed metadata
    • Unsigned integer Sudo privilege escalation (1974dd9e-20c1-11ea-ab34-8c8590c9ccd1) - increased the severity to medium
    • Indirect command execution using the Program Compatibility Assistant (18447eac-7ad6-44a8-aaf5-7e75b0151166) - improved detection logic, increased the severity to medium, and changed metadata
    • Procdump executed from an atypical directory (e8338494-20af-11ea-bbde-8c8590c9ccd1) - improved detection logic, and increased the severity to medium
  • Increased the severity to low for a BIOC rule:
    • Possible data destruction via dd (c7492f51-dbb6-4973-bdd4-4b482f4c3497) - improved detection logic, and increased the severity to low
  • Added 9 new informational BIOC rules:
    • Execution of regsvcs/regasm with uncommon paths (a1ce5d8b-5ea0-49d2-8d91-8ae4ea752ec0) - added a new informational alert
    • Possible malicious .NET compilation started by a commonly-abused process (9eb14342-4742-11ea-8105-88e9fe502c1f) - added a new informational alert
    • WerFault ReflectDebugger key set in Registry (e22a0cab-0e71-408c-bbbc-39bf225df5fc) - added a new informational alert
    • LSASS dump file written to disk (90226942-3721-4df4-9b26-577ed1e9c34d) - added a new informational alert
    • Possible LSASS memory dump (b744a41d-1ee9-4d09-908e-cf3fdc27fa4c) - added a new informational alert
    • Suspicious access to NTDS.dit (eeeee3a5-a22f-4850-8022-17684a8c5227) - added a new informational alert
    • Mimikatz command-line arguments (94fed992-c1da-4b69-9caa-292221b8c070) - added a new informational alert
    • AMSI Bypass (7cdcafb1-cc36-4608-87da-eaed966d3c7e) - added a new informational alert
    • VBScript execution from the command line (e71d7a58-f4c9-4582-bdb9-e86beb803d0c) - added a new informational alert

 

February 9, 2020 Release:
  • Increased the severity to medium for a BIOC rule:
    • Windows Firewall disabled via Registry (31796d2e-08a9-4047-8f37-3a0c2aad8f67) - increased the severity to medium, changed metadata, and improved detection logic
  • Added a new informational BIOC rule:
    • Rundll32.exe used to run JavaScript (b6315a3-e1cd-4bfb-baa7-5609cd7f8756) - added a new informational alert

 

February 2, 2020 Release:
  • Increased the severity to medium for 4 BIOC rules:
    • Hash cracking using Hashcat tool (f09765e8-105f-11ea-af82-8c8590c9ccd1) - improved detection logic, increased the severity to medium, and changed metadata
    • Non-browser failed access to a pastebin-like site (c1f7607b-e56c-43ca-b072-5b266bb4133b) - improved detection logic, increased the severity to medium, and changed metadata
    • Manipulation of Firefox plugins and extensions via Registry (98a1a1e1-5b03-4aa4-95ce-77ef7a52e600) - improved detection logic, increased the severity to medium, and changed metadata
    • RDP connections enabled via Registry from a script host or rundll32.exe (0f705be9-8cd2-4263-9735-6d394f08b974) - improved detection logic, increased the severity to medium, and changed metadata
  • Decreased the severity to medium for 4 BIOC rules:
    • Microsoft Office Equation Editor spawns a commonly abused process (68d5ddf7-50b4-49e0-be96-863cf763a2b1) - decreased the severity to medium
    • PHP script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b677) - decreased the severity to medium
    • Perl script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b676) - decreased the severity to medium
    • Python script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b675) - decreased the severity to medium
  • Added 46 new informational BIOC rules:
    • Setgid on file (0826210d-ddd8-44e7-98fb-399083b15e97) - added a new informational alert
    • Impersonation using Rubeus tool (0e6a7a3a-1059-11ea-b96d-8c8590c9ccd1) - added a new informational alert
    • Write to .bash_profile (1119d1ec-cdfb-404b-ae82-475b8fcf8ddc) - added a new informational alert
    • OS information listing via uname (1170aaf5-cac9-452b-bd8d-25712b06007b) - added a new informational alert
    • Setuid on file (17da1f84-5419-4fd6-ade0-ce5bad273c21) - added a new informational alert
    • Kerberos brute-force attack using Rubeus (2823e64c-105b-11ea-b732-8c8590c9ccd1) - added a new informational alert
    • Account creation via command-line tool (28b4bc7c-4c08-43fb-b9e8-8798ef0c8684) - added a new informational alert
    • Possible sudoers enumeration (2ed43b35-f9ca-4df4-a796-c5e88da0ed3a) - added a new informational alert
    • Persistence using cron jobs (3a73f6c2-ce9a-4eca-a4b5-a62a8e548319) - added a new informational alert
    • OS information listing via distro version file (3a85fbc4-a63f-4e0d-8c06-af22383db482) - added a new informational alert
    • Kernel modules loaded via command-line tool (49dbb669-e1f4-4ca7-a7e4-36478b780e74) - added a new informational alert
    • Grepping for passwords (4ab8f6a2-9aea-4e6f-a2e5-1e8530a3ed7d) - added a new informational alert
    • User and/or group enumeration via command-line tools (4ae09e1b-999d-47e1-8aca-aba083b96c90) - added a new informational alert
    • Network sniffing via command-line tool (4b25dcce-0ac3-4cb2-8c97-939a1077af84) - added a new informational alert
    • User creation or modification via /etc file (4d411087-50ed-461e-83fc-17e76cb092f4) - added a new informational alert
    • Password policy discovery via command-line tool (4e9766dd-2530-4fe9-920f-1b8a7ec29b8e) - added a new informational alert
    • Log deletion via command-line tool (55ed9a90-b68b-4e55-a165-eda5d1cab906) - added a new informational alert
    • Linux screen capture via command-line tool (593bc5d9-8bdf-482a-8d84-34b6045cf4d8) - added a new informational alert
    • Possible Firefox browser history and bookmarks collection via command-line tool (59bcaa15-6a26-49a9-b8db-4978b1148f13) - added a new informational alert
    • File timestamp tampering (624b8f91-842c-4f04-87e1-71aa7bdb727c) - added a new informational alert
    • Bash history access (735fd839-4959-4e5d-9207-fdf517b977a1) - added a new informational alert
    • SSH key pair discovery (76d3e2e8-77dc-47a4-902f-f8189da8e883) - added a new informational alert
    • Hardware information gather via command-line tool (7d710f85-8712-4357-9fe3-c26740a5bfd8) - added a new informational alert
    • Encrypted zip archive creation (88836a02-95e6-47d1-a619-90a2de0165ff) - added a new informational alert
    • Bash creating network traffic (8bbc8c26-45dd-436c-9d89-98f76164daee) - added a new informational alert
    • Document discovery (90eadd45-60c0-40e0-9df8-c5185ed8496e) - added a new informational alert
    • Editing ld.so.preload for persistence and injection (9cb193d8-4f01-4c57-b21d-c3211e32fe5e) - added a new informational alert
    • Persistence using .bashrc (b6a766b5-29e7-44b2-8e68-7a4f78a5fd46) - added a new informational alert
    • Possible user enumeration via /etc/passwd (b8bdaf34-b94c-45c6-aaba-c7032d32f0b9) - added a new informational alert
    • Rubeus tool execution (be12107d-1056-11ea-874c-8c8590c9ccd1) - added a new informational alert
    • Process discovery via ps (c5ece13d-a2ff-465c-af4c-0424ae00559f) - added a new informational alert
    • Persistence through service registration (c69ed984-a260-4ba9-990f-bc762a4a3223) - added a new informational alert
    • Possible data destruction via dd (c7492f51-dbb6-4973-bdd4-4b482f4c3497) - added a new informational alert
    • Network share discovery via command-line tool (c8a48667-d44e-4ffb-b6f7-2b42a3bf6328) - added a new informational alert
    • Shell binary copied to another location (cd582eaf-1497-4bbd-9361-79c7a18050fa) - added a new informational alert
    • Possible network service discovery via command-line tool (d2f959f3-d463-4d73-92bf-4c3664a5d956) - added a new informational alert
    • Hidden directory creation (d4049817-ff73-460a-b752-21c86c6efdc8) - added a new informational alert
    • Network configuration discovery (d69c1be0-a351-469d-a47c-34e1f0562690) - added a new informational alert
    • Mounted NFS share discovery (de770795-9c63-463f-a7bd-427b21807b28) - added a new informational alert
    • Security services stopped (e126fe04-a77a-46d7-9b49-f032b20b828e) - added a new informational alert
    • Interrupt trap registration (e74fcf13-6b1e-48ca-8b43-a50dacf9ecf2) - added a new informational alert
    • Password complexity enumeration (e86d9dc7-e59d-44d0-a611-5480d390eff0) - added a new informational alert
    • Base64 encoding used (e8ffb33b-f1a8-4687-9ad7-cd2654d73b4f) - added a new informational alert
    • Compressed archive created using tar (e9e007db-a8a7-4ae5-b758-5cacbe0ab46e) - added a new informational alert
    • Logged in user enumeration via command-line (f47ea4fa-0265-4e3d-b65b-213a24493c71) - added a new informational alert
    • Kerberos brute-force attack using Kerbrute (f8836c4f-0a03-11ea-84d4-acde48001122) - added a new informational alert
  • Improved detection logic for a BIOC rule:
    • Process termination by WMI (5c93679e-ea6c-4b88-8ba9-24446f6665dd) - improved detection logic, and changed metadata
  • Changed metadata for a BIOC rule:
    • Commonly-abused process spawns from Scripted Diagnostics Host (f1c690ce-5475-4d44-8d68-5e0ce2882b1a) - changed metadata

 

January 26, 2020 Release:
  • Increased the severity to high for 2 BIOC rules:
    • Command-line arguments match Mimikatz execution (5f426ff8-fefa-4a17-91f2-25bd081c0a7a) - increased the severity to high, and changed metadata
    • Kerberos service ticket request in PowerShell command (90e50124-8bf2-4631-861e-4b3e1766af5f) - increased the severity to high, and changed metadata
  • Increased the severity to medium for 7 BIOC rules:
    • PsExec execution EulaAccepted flag added to the Registry (076f18f5-7b94-45ec-b880-bf3827ae53de) - improved detection logic, increased the severity to medium, and changed metadata
    • LOLBAS executable injects into another process (c8ad0223-2018-11ea-a080-8c8590c9ccd1) - improved detection logic, increased the severity to medium, and changed metadata
    • Modification of password filter DLL(s) Registry key (ea98601c-e552-4b9b-8164-f085a38d383d) - improved detection logic, increased the severity to medium, and changed metadata
    • Kerberos ticket forging using Impacket ticketer (08222430-105d-11ea-8d11-8c8590c9ccd1) - increased the severity to medium, and changed metadata
    • Scripting engine injects code to a process (1f985402-f4a4-4132-b74b-18a04a3620cd) - improved detection logic, increased the severity to medium, and changed metadata
    • Executable moved to Windows system folder (045190df-f5ab-491a-b214-199dc17f9e3b) - improved detection logic, increased the severity to medium, and changed metadata
    • Reverse shell using PowerShell (9d4f3b07-77ea-4d29-904c-c2b485ebc113) - improved detection logic, increased the severity to medium, and changed metadata
  • Increased the severity to low for 3 BIOC rules:
    • Script file added to startup-related Registry keys (1db69ccd-b068-40b1-aeec-ce987021cdfc) - improved detection logic, increased the severity to low, and changed metadata
    • Accessing Linux bash history file (cb05480f-17d8-4138-9902-f0f9fb50b671) - improved detection logic, increased the severity to low, and changed metadata
    • Accessing Linux bash history file using bash commands (cb05480f-17d8-4138-9992-f0f9fb50b671) - increased the severity to low, and changed metadata
  • Improved detection logic for a low-severity BIOC rule:
    • Dumping Registry hives with passwords (824a3186-b262-4e01-b45c-35cca8efa233) - improved detection logic, and changed metadata
  • Improved detection logic for an informational BIOC rule:
    • Regsvr32 may have run code from an untrusted source (41fe171e-5b79-4b15-a3c1-18f015dddd38) - improved detection logic, and changed metadata
  • Added 5 new informational BIOC rules:
    • Fltmc.exe used to unload filter driver (a2dcfb49-57eb-4aa8-8128-d7ec307d4d18) - added a new informational alert
    • Scripting engine creates an Alternate Data Stream (ADS) (76edcbf3-4f54-45e2-abc3-b7b8725d5658) - added a new informational alert
    • PsExec executed with plain-text credentials in command line (a783f9ec-30b3-41be-a8f8-7bba9553dc32) - added a new informational alert
    • Non-PowerShell process loading a known PowerShell DLL (d2d23fdd-5fcb-4483-a14e-a187e87a58c7) - added a new informational alert
    • Bypassing Windows UAC using sysprep (dbefa4ae-3797-11ea-a926-f218983c2a51) - added a new informational alert
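Three rule names in this and the February 2020 releases describe behaviours a practitioner can recognise directly from process-creation telemetry: tscon.exe reattaching another user's RDP session (which needs no password only when tscon runs as SYSTEM), Mimikatz's module::command argument syntax, and fltmc.exe unloading a minifilter driver. The following is an added example written for this page, not Cortex XDR's own detection content: the matching conditions are the editor's assumptions about what such indicators typically check, the field names on the event record are invented, and the process events are constructed.

```python
"""Illustrative behavioural-indicator matcher over constructed process events.

Added example; the rule conditions are assumptions, not Cortex XDR's logic.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (hypothetical schema)."""
    image: str      # full path of the executable
    cmdline: str    # full command line as recorded
    user: str       # account the process runs as


@dataclass(frozen=True)
class Rule:
    name: str
    severity: str
    matches: Callable[[ProcessEvent], bool]


def _basename(path: str) -> str:
    # Compare on the lower-cased file name so path and case variations
    # do not evade the match (ntpath handles backslashes on any OS).
    return ntpath.basename(path).lower()


def _args(ev: ProcessEvent) -> List[str]:
    # Whitespace-split arguments, excluding argv[0], lower-cased.
    return ev.cmdline.lower().split()[1:]


SYSTEM_ACCOUNTS = {"nt authority\\system", "system"}


def tscon_hijack(ev: ProcessEvent) -> bool:
    # tscon <id> /dest:<session> reattaches a session without its password
    # only when run as SYSTEM; a non-SYSTEM caller must supply /password.
    return (_basename(ev.image) == "tscon.exe"
            and any(a.startswith("/dest:") for a in _args(ev))
            and ev.user.lower() in SYSTEM_ACCOUNTS)


# Mimikatz addresses its modules as module::command; matching on the
# arguments rather than the file name survives a renamed binary.
MIMIKATZ_MODULE = re.compile(
    r"\b(sekurlsa|lsadump|kerberos|privilege|token|crypto|misc)::[a-z_]+")


def mimikatz_args(ev: ProcessEvent) -> bool:
    return bool(MIMIKATZ_MODULE.search(ev.cmdline.lower()))


def fltmc_unload(ev: ProcessEvent) -> bool:
    # Unloading a minifilter is how security sensors get blinded.
    return _basename(ev.image) == "fltmc.exe" and "unload" in _args(ev)


RULES = [
    Rule("Possible RDP session hijacking using tscon.exe", "informational", tscon_hijack),
    Rule("Mimikatz command-line arguments", "informational", mimikatz_args),
    Rule("Fltmc.exe used to unload filter driver", "informational", fltmc_unload),
]


def evaluate(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Return (rule name, command line) for every event that trips a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            if rule.matches(ev):
                hits.append((rule.name, ev.cmdline))
    return hits


# Constructed sample telemetry: three true positives and three benign events.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\tscon.exe",
                 "tscon.exe 2 /dest:console", r"NT AUTHORITY\SYSTEM"),
    ProcessEvent(r"C:\Windows\System32\tscon.exe",
                 "tscon.exe 3 /dest:rdp-tcp#1 /password:Secret1", r"CORP\helpdesk"),
    ProcessEvent(r"C:\Users\bob\Downloads\mk.exe",
                 '"mk.exe" "privilege::debug" "sekurlsa::logonpasswords" exit', r"CORP\bob"),
    ProcessEvent(r"C:\Windows\System32\fltmc.exe",
                 "fltmc.exe unload SysmonDrv", r"CORP\admin"),
    ProcessEvent(r"C:\Windows\System32\fltmc.exe",
                 "fltmc.exe filters", r"CORP\admin"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c dir", r"CORP\alice"),
]

if __name__ == "__main__":
    for name, cmdline in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] {cmdline}")
```

The helpdesk tscon event with an explicit /password does not fire, which is the distinction that keeps the session-hijack indicator from alerting on routine administrative reconnects; in production the user check would be joined with parent-process context (for example a service or PsExec -s launch), which this constructed schema does not carry.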

 

January 12, 2020 Release:
  • Updated the names and descriptions for multiple BIOC rules
    • Name changes were limited to capitalization; detection logic and severities were not changed

 

January 5, 2020 Release:
  • Increased the severity to medium for 2 BIOC rules:
    • Encoded information using Windows certificate management tool (ed18908a-2d6a-4d7d-a754-0a8ce32051a1) - increased the severity to medium, improved detection logic, and changed metadata
    • Manipulation of netsh helper DLLs Registry keys (79d203ef-e417-4c8d-87c8-776c6ec4967f) - increased the severity to medium, improved detection logic, and changed metadata
  • Increased the severity to low for a BIOC rule:
    • Manipulation of MMC Registry configuration (6b29c2d9-4675-426c-b5f2-67f93c5c0ac4) - increased the severity to low, and changed metadata
  • Added 4 new informational BIOCs:
    • Scripting engine reads document files from local system (80956b85-286b-4b3a-9adf-355a18484ab8) - added a new informational alert
    • Unsigned process reads document files from local system (0b13ab84-47d7-4fae-a764-699a646fffd1) - added a new informational alert
    • Scripting process reads Outlook data files (e1ffaea1-c6eb-45ad-83aa-c7b40e3a7cb9) - added a new informational alert
    • Scripting engine creates a compressed file under a suspicious folder (e3f936b0-3fc1-4305-a02b-f5af1ae38abf) - added a new informational alert
  • Deleted a BIOC rule:
    • Bypassing Windows UAC using disk cleanup (ec03c0fd-03df-4963-b5c7-e665c853a6cd) - removed the alert