Cortex XDR Content Release Notes

January 16, 2022 Release:

  • Added a new High Analytics BIOC:
    • Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - added a new High alert
  • Increased the severity to Medium for an Analytics BIOC:
    • Suspicious hidden user created (eeb7b678-3c9b-11ec-879d-acde48001122) - increased the severity to Medium, and improved detection logic
  • Added a new Medium Analytics BIOC:
    • Suspicious Udev driver rule execution manipulation (74805905-0d62-454d-90dc-2deeeb51e549) - added a new Medium alert
  • Changed metadata of an Informational BIOC:
    • Network Packet Capture: tshark/tcpdump (9e72d135-0782-48dd-8b4f-da2dd4d1599f) - changed metadata of an Informational BIOC
  • Added a new Informational Analytics BIOC:
    • Sensitive account password reset attempt (d53de368-576a-11ec-9556-acde48001122) - added a new Informational alert

January 9, 2022 Release:

  • Changed metadata of 5 High Analytics BIOCs:
    • Bronze-Bit exploit (115c6f43-ebb2-48d8-9044-9b52c0102e2f) - changed metadata of a High Analytics BIOC
    • A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - changed metadata of a High Analytics BIOC
    • A Successful login from TOR (ec9124e2-f2c3-4141-bdfa-4c707dfae296) - changed metadata of a High Analytics BIOC
    • A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - changed metadata of a High Analytics BIOC
    • Netcat makes or gets connections (15d32561-c499-4772-8934-883fcd1cd75f) - changed metadata of a High Analytics BIOC
  • Changed metadata of a High Analytics Alert:
    • Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - changed metadata of a High Analytics Alert
  • Improved logic of 3 Medium Analytics BIOCs:
    • Suspicious SearchProtocolHost.exe parent process (86d04512-5c96-4f87-be1e-dc600e9d60f8) - improved logic of a Medium Analytics BIOC
    • TGT request with a spoofed sAMAccountName - Event log (aa13b505-66e8-11ec-b385-faffc26aac4a) - improved logic of a Medium Analytics BIOC
    • TGT request with a spoofed sAMAccountName - Network (92c20cd9-60e8-11ec-80b1-acde48001122) - improved logic of a Medium Analytics BIOC
  • Changed metadata of 2 Medium Analytics BIOCs:
    • Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - changed metadata of a Medium Analytics BIOC
    • Scrcons.exe Rare Child Process (f62553d1-e952-11e9-81c4-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOC
  • Improved logic of a Medium Analytics Alert:
    • Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alert
  • Changed metadata of 4 Medium Analytics Alerts:
    • Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - changed metadata of a Medium Analytics Alert
    • NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) - changed metadata of a Medium Analytics Alert
    • Kerberos User Enumeration (a371b533-c9f4-11eb-879e-acde48001122) - changed metadata of a Medium Analytics Alert
    • Remote account enumeration (7ee73b65-466e-4d4d-b2a6-0058f11b442d) - changed metadata of a Medium Analytics Alert
  • Changed metadata of 23 Low Analytics BIOCs:
    • First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - changed metadata of a Low Analytics BIOC
    • Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - changed metadata of a Low Analytics BIOC
    • User successfully connected from a suspicious country (2f0796a2-c33c-4437-b592-ac13f0929e7d) - changed metadata of a Low Analytics BIOC
    • Suspicious process executed with a high integrity level (81e70ab2-b1f1-4a1c-bf94-3929f6d7e1b2) - changed metadata of a Low Analytics BIOC
    • SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - changed metadata of a Low Analytics BIOC
    • SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - changed metadata of a Low Analytics BIOC
    • Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - changed metadata of a Low Analytics BIOC
    • A rare disabled user attempted to log in (598e04de-0c13-46de-ad73-27ec4605da3f) - changed metadata of a Low Analytics BIOC
    • Interactive login by a service account (603bfd03-d88b-4a3e-844b-5286b6971960) - changed metadata of a Low Analytics BIOC
    • A suspicious process enrolled for a certificate (4cbef8f8-ec99-40d1-9b8b-bfbd3cda5f4b) - changed metadata of a Low Analytics BIOC
    • First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - changed metadata of a Low Analytics BIOC
    • A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - changed metadata of a Low Analytics BIOC
    • Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - changed metadata of a Low Analytics BIOC
    • Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - changed metadata of a Low Analytics BIOC
    • LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - changed metadata of a Low Analytics BIOC
    • Wsmprovhost.exe Rare Child Process (f5b580fd-e952-11e9-91de-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
    • Possible network sniffing attempt via tcpdump or tshark (10d3d8d1-1edd-4992-beb3-53d4f5afcde8) - changed metadata of a Low Analytics BIOC
    • Wscript/Cscript loads .NET DLLs (5844326f-d597-410f-aea0-7d369029b218) - changed metadata of a Low Analytics BIOC
    • Interactive login by a machine account (1114b340-fc05-4ad0-925d-6c2867d2b5d9) - changed metadata of a Low Analytics BIOC
    • A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - changed metadata of a Low Analytics BIOC
    • Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - changed metadata of a Low Analytics BIOC
    • Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
    • SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - changed metadata of a Low Analytics BIOC
  • Improved logic of a Low Analytics Alert:
    • Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alert
  • Changed metadata of 13 Low Analytics Alerts:
    • Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - changed metadata of a Low Analytics Alert
    • Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - changed metadata of a Low Analytics Alert
    • NTLM Brute Force on an Administrator Account (aed1e32e-8df0-48d7-8e78-4ebcb6e09a94) - changed metadata of a Low Analytics Alert
    • Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - changed metadata of a Low Analytics Alert
    • NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - changed metadata of a Low Analytics Alert
    • Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - changed metadata of a Low Analytics Alert
    • TGT reuse from different hosts (pass the ticket) (a3ae81d9-6d4a-45a8-a720-df7380d2afc8) - changed metadata of a Low Analytics Alert
    • Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - changed metadata of a Low Analytics Alert
    • Possible external RDP Brute-Force (f774f787-6763-4f3c-bc24-46d3183d26fe) - changed metadata of a Low Analytics Alert
    • Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - changed metadata of a Low Analytics Alert
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alert
    • NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - changed metadata of a Low Analytics Alert
    • A user connected a new USB storage device to multiple hosts (09214199-d414-486e-bcf5-dc5034b2c424) - changed metadata of a Low Analytics Alert
  • Changed metadata of 16 Informational Analytics BIOCs:
    • Rare process execution by user (4cf96b80-2278-11eb-9f9a-acde48001122) - changed metadata of an Informational Analytics BIOC
    • User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - changed metadata of an Informational Analytics BIOC
    • A user created a pfx file for the first time (5ddac38b-51e2-48c4-9fb7-43144bc3a148) - changed metadata of an Informational Analytics BIOC
    • Rare process execution in organization (8d02294c-21bd-11eb-afd9-acde48001122) - changed metadata of an Informational Analytics BIOC
    • Login by a dormant user (0d700470-a3fa-4a78-b1fa-5c1e47db9a60) - changed metadata of an Informational Analytics BIOC
    • SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - changed metadata of an Informational Analytics BIOC
    • Suspicious process accessed certificate files (21df20db-09cb-4bc4-b7ea-c6b1cb2e9667) - changed metadata of an Informational Analytics BIOC
    • A user connected a USB storage device to a host for the first time (e3bc7997-3aec-4a0c-abc9-bdf744a34f39) - changed metadata of an Informational Analytics BIOC
    • A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - changed metadata of an Informational Analytics BIOC
    • Unusual weak authentication by user (438a1ba6-98e1-4b02-9c94-76c437fd682d) - changed metadata of an Informational Analytics BIOC
    • Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - changed metadata of an Informational Analytics BIOC
    • A user connected a new USB storage device to a host (43c2c43d-3c3c-4a16-b06c-3ad5de1fb3be) - changed metadata of an Informational Analytics BIOC
    • Rare NTLM Access By User To Host (05413bad-3d79-4e9a-9611-3471e3b25da5) - changed metadata of an Informational Analytics BIOC
    • Rare NTLM Usage by User (41374948-45f3-448a-bec2-2efe049aa69f) - changed metadata of an Informational Analytics BIOC
    • User connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - changed metadata of an Informational Analytics BIOC
    • First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - changed metadata of an Informational Analytics BIOC
  • Changed metadata of 7 Informational Analytics Alerts:
    • NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - changed metadata of an Informational Analytics Alert
    • Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - changed metadata of an Informational Analytics Alert
    • User collected remote shared files in an archive (de85c5aa-21e8-43d7-af13-3862f787549f) - changed metadata of an Informational Analytics Alert
    • Multiple Rare Process Executions in Organization (3d78f74c-a8f0-11eb-923e-acde48001122) - changed metadata of an Informational Analytics Alert
    • Interactive local account enumeration (d4608074-aafc-49cc-aa04-292c0a87332e) - changed metadata of an Informational Analytics Alert
    • Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - changed metadata of an Informational Analytics Alert
    • Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - changed metadata of an Informational Analytics Alert

January 2, 2022 Release:

  • Removed an old High BIOC:
    • Wbadmin.exe deletes recovery files in quiet mode (24be0d84-2203-4d60-a1f0-39e4f80eee3a) - removed an old High alert
  • Increased the severity to High for an Analytics BIOC:
    • Wbadmin deleted files in quiet mode (293c8cc3-d9c3-4293-bddc-5dbf65d979fc) - increased the severity to High
  • Changed metadata of a High Analytics Alert:
    • Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - changed metadata of a High Analytics Alert
  • Improved logic of a Medium Analytics BIOC:
    • Suspicious Encrypting File System Remote call (EFSRPC) to domain controller (82a37634-c112-4dd9-8c16-332855d96c30) - improved logic of a Medium Analytics BIOC
  • Changed metadata of a Medium Analytics BIOC:
    • Possible new DHCP server (e5afa116-5041-4ed9-9d0c-18eaac133173) - changed metadata of a Medium Analytics BIOC
  • Improved logic of a Medium Analytics Alert:
    • New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Medium Analytics Alert
  • Added a new Low Analytics BIOC:
    • Suspicious Certutil AD CS contact (06545c74-04c2-4964-9af5-eb99080c274e) - added a new Low alert
  • Improved logic of a Low Analytics BIOC:
    • Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - improved logic of a Low Analytics BIOC
  • Improved logic of 3 Low Analytics Alerts:
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alert
    • Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alert
    • IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alert
  • Improved logic of 9 Informational Analytics BIOCs:
    • Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - improved logic of an Informational Analytics BIOC
    • Suspicious remote execution from a vCenter server (6213c66f-e269-4d16-9db7-86015b5a2f4d) - improved logic of an Informational Analytics BIOC
    • Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - improved logic of an Informational Analytics BIOC
    • IAM enumeration activity executed by an IAM user Identity (037eab86-c495-11eb-8c75-acde48001122) - improved logic of an Informational Analytics BIOC
    • Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOC
    • Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol (72931f2e-a43f-4e77-ad81-48c29164017f) - improved logic of an Informational Analytics BIOC
    • Rare AppID usage for port to rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOC
    • First session from external IP to vCenter (4ad03760-f701-4f40-b01f-d1ddefda4002) - improved logic of an Informational Analytics BIOC
    • Signed process performed an unpopular injection (365bfca2-a3e1-4a44-9487-1353903a6c61) - improved logic of an Informational Analytics BIOC
  • Changed metadata of 2 Informational Analytics BIOCs:
    • A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - changed metadata of an Informational Analytics BIOC
    • Signed process performed an unpopular DLL injection (9e699960-30e7-4b6e-bb71-30cdbf635307) - changed metadata of an Informational Analytics BIOC
  • Removed 2 old Informational Analytics BIOCs:
    • Signed process performed an unpopular DLL injection (5109a2c2-9bd6-4ef0-ad3e-4bd8b1b683aa) - removed an old Informational alert
    • Signed process performed an unpopular injection (3ee6d300-7fbe-4281-8de8-3d1016663931) - removed an old Informational alert
  • Decreased the severity to Informational for 2 Analytics Alerts:
    • Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - decreased the severity to Informational, and improved detection logic
    • Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - decreased the severity to Informational, and improved detection logic
  • Changed metadata of an Informational Analytics Alert:
    • Possible LDAP enumeration by unsigned process (85c187ec-80d1-464e-ab1e-a9aa5af7f191) - changed metadata of an Informational Analytics Alert
  • Removed an old Informational Analytics Alert:
    • Possible LDAP enumeration by unsigned process (12540bdc-b34f-4190-880b-40cb1cda0618) - removed an old Informational alert

December 27, 2021 Release:

  • Changed metadata of 14 High Analytics BIOCs
  • Removed an old High Analytics BIOC:
    • Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - removed an old High alert
  • Changed metadata of a High Analytics Alert:
    • Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - changed metadata of a High Analytics Alert
  • Added 3 new Medium Analytics BIOCs:
    • TGT request with a spoofed sAMAccountName - Network (92c20cd9-60e8-11ec-80b1-acde48001122) - added a new Medium alert
    • TGT request with a spoofed sAMAccountName - Event log (aa13b505-66e8-11ec-b385-faffc26aac4a) - added a new Medium alert
    • Service ticket request with a spoofed sAMAccountName (633ca673-5d09-11ec-b013-faffc26aac4a) - added a new Medium alert
  • Improved logic of a Medium Analytics BIOC:
    • Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - improved logic of a Medium Analytics BIOC
  • Changed metadata of 62 Medium Analytics BIOCs
  • Improved logic of a Medium Analytics Alert:
    • New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Medium Analytics Alert
  • Changed metadata of 10 Medium Analytics Alerts
  • Added a new Low Analytics BIOC:
    • Suspicious sAMAccountName change (3a44e454-61ab-11ec-a8b5-acde48001122) - added a new Low alert
  • Improved logic of 2 Low Analytics BIOCs:
    • Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - improved logic of a Low Analytics BIOC
    • WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - improved logic of a Low Analytics BIOC
  • Changed metadata of 88 Low Analytics BIOCs
  • Improved logic of 5 Low Analytics Alerts:
    • Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alert
    • Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - improved logic of a Low Analytics Alert
    • Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alert
    • Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alert
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alert
  • Changed metadata of 19 Low Analytics Alerts
  • Added a new Informational Analytics BIOC:
    • Rare machine account creation (45d670c2-61d9-11ec-9f91-acde48001122) - added a new Informational alert
  • Improved logic of an Informational Analytics BIOC:
    • Rare AppID usage for port to rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOC
  • Changed metadata of 113 Informational Analytics BIOCs
  • Changed metadata of 11 Informational Analytics Alerts

December 21, 2021 Release:

  • Changed metadata of 15 High Analytics BIOCs:
    • A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - changed metadata of a High Analytics BIOC
    • Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - changed metadata of a High Analytics BIOC
    • Netcat makes or gets connections (15d32561-c499-4772-8934-883fcd1cd75f) - changed metadata of a High Analytics BIOC
    • PowerShell used to remove mailbox export request logs (2daec22b-6339-4217-afdc-ffaf60faa4c2) - changed metadata of a High Analytics BIOC
    • Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - changed metadata of a High Analytics BIOC
    • Uncommon remote scheduled task creation (85516bae-e953-11e9-bbed-8c8590c9ccd1) - changed metadata of a High Analytics BIOC
    • Windows Event Log cleared using wevtutil.exe (be2210fb-9884-49e7-8078-6e59c35d925e) - changed metadata of a High Analytics BIOC
    • Unprivileged process opened a registry hive (9937ddbf-beb9-49b0-ac34-e005d53a127b) - changed metadata of a High Analytics BIOC
    • A Successful login from TOR (ec9124e2-f2c3-4141-bdfa-4c707dfae296) - changed metadata of a High Analytics BIOC
    • Bronze-Bit exploit (115c6f43-ebb2-48d8-9044-9b52c0102e2f) - changed metadata of a High Analytics BIOC
    • Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) - changed metadata of a High Analytics BIOC
    • Log4J exploitation attempt against cloud hosted resources (bdef5aae-a272-4c70-b1cd-165cac5039c3) - changed metadata of a High Analytics BIOC
    • A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - changed metadata of a High Analytics BIOC
    • Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin (e7deceda-807e-4e2e-993b-e577804c5d8f) - changed metadata of a High Analytics BIOC
    • Possible DCShadow attempt (a320aa30-20c3-11ea-b525-8c8590c9ccd1) - changed metadata of a High Analytics BIOC
  • Changed metadata of a High Analytics Alert:
    • Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - changed metadata of a High Analytics Alert
  • Added a new Medium Analytics BIOC:
    • A remote service was created via RPC over SMB (f33c6ecc-cb20-4f2a-8bf8-869d21f18b0e) - added a new Medium alert
  • Improved logic of a Medium Analytics BIOC:
    • Possible AWS Instance Metadata Service (IMDS) Abuse (39ea8f0c-d0d7-4470-b373-aa144394e579) - improved logic of a Medium Analytics BIOC
  • Changed metadata of 61 Medium Analytics BIOCs:
    • Suspicious disablement of the Windows Firewall using PowerShell commands (cb8b6ba0-12cc-4c64-81f5-75da949bea0b) - changed metadata of a Medium Analytics BIOC
    • RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOC
    • Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - changed metadata of a Medium Analytics BIOC
    • Possible RDP session hijacking using tscon.exe (015570a8-ffce-492b-99a9-e7b83dc8e216) - changed metadata of a Medium Analytics BIOC
    • Suspicious authentication package registered (8beb68b4-a866-494d-a768-c4c391086c66) - changed metadata of a Medium Analytics BIOC
    • Windows Installer exploitation for local privilege escalation (d6aeb50b-c3f9-4eb3-9504-636eb17f3a42) - changed metadata of a Medium Analytics BIOC
    • Suspicious unsigned process loads a known PowerShell module (23ac9a23-8a43-4900-95e1-6cdb422dd854) - changed metadata of a Medium Analytics BIOC
    • Execution of the Hydra Linux password brute-force tool (90010a1e-59b9-42a2-b768-2778a666f7a3) - changed metadata of a Medium Analytics BIOC
    • Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - changed metadata of a Medium Analytics BIOC
    • PowerShell runs suspicious base64-encoded commands (867fc0b0-4f9f-4d3b-b538-0b32266e2ab2) - changed metadata of a Medium Analytics BIOC
    • Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - changed metadata of a Medium Analytics BIOC
    • Remote WMI process execution (65c55916-23c3-4d1e-9e3d-e839c9c4b70f) - changed metadata of a Medium Analytics BIOC
    • Possible Microsoft module side-loading into Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - changed metadata of a Medium Analytics BIOC
    • PowerShell used to export mailbox contents (70b08c1e-ccfd-4ab9-bb92-66acaa83aa3a) - changed metadata of a Medium Analytics BIOC
    • External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - changed metadata of a Medium Analytics BIOC
    • Scrcons.exe Rare Child Process (f62553d1-e952-11e9-81c4-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOC
    • The CA policy EditFlags was queried (3c01fdf3-0cf3-49b6-b08f-b40df3c2e498) - changed metadata of a Medium Analytics BIOC
    • Uncommon net group execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOC
    • Phantom DLL Loading (69ba5103-2954-4175-87b7-3a622ec07255) - changed metadata of a Medium Analytics BIOC
    • Possible DCSync Attempt (a420aa30-20c3-11ea-b525-8c8591c0ccb0) - changed metadata of a Medium Analytics BIOC
    • Discovery of misconfigured certificate templates using LDAP (7dbb9366-8b94-4a9f-bc18-f02fbe7b1433) - changed metadata of a Medium Analytics BIOC
    • Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
    • Suspicious SearchProtocolHost.exe parent process (86d04512-5c96-4f87-be1e-dc600e9d60f8) - changed metadata of a Medium Analytics BIOC
    • Possible Microsoft process masquerading (e0a99ea0-977d-4646-b9d9-26e9e7a4341c) - changed metadata of a Medium Analytics BIOC
    • Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - changed metadata of a Medium Analytics BIOC
    • Script Connecting to Rare External Host (86889630-e953-11e9-b74e-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOC
    • Mshta.exe launched with suspicious arguments (0b174006-3946-43b6-af3c-ab400e6c7a87) - changed metadata of a Medium Analytics BIOC
    • Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - changed metadata of a Medium Analytics BIOC
    • Remote command execution via wmic.exe (f42fdaa8-4685-11ea-94be-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
    • Failed Login For a Long Username With Special Characters (de8eb00f-2016-11ea-8f2b-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOC
    • Suspicious disablement of the Windows Firewall (7c28b163-4d2f-463c-97ba-5b3e7f13249b) - changed metadata of a Medium Analytics BIOC
    • Suspicious PowerSploit's recon module (PowerView) used to search for exposed hosts (dd806bdc-9025-47ff-816a-72ee47c322a3) - changed metadata of a Medium Analytics BIOC
    • Possible Search For Password Files (388d1fcc-4d9c-11ea-9daa-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
    • Mailbox Client Access Setting (CAS) changed (d44c2188-9769-497d-a509-b980e9420f33) - changed metadata of a Medium Analytics BIOC
    • Commonly abused AutoIT script connects to an external domain (5ce79fc6-a5d3-43d1-a9ff-d8c779958cc9) - changed metadata of a Medium Analytics BIOC
    • LOLBIN spawned by an Office executable connected to a rare external host (0aad6094-99a3-11ea-8544-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
    • SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
    • Unicode RTL Override Character (525e3dd7-4ca6-11ea-8161-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
    • Executable created to disk by lsass.exe (b2f18102-e247-4986-8681-029741ebbfd5) - changed metadata of a Medium Analytics BIOC
    • Uncommon Service Create/Config (4814ee91-468d-11ea-a78c-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
    • MSI accessed a web page running a server-side script (afb57884-36f1-4127-b1ac-43009c32899b) - changed metadata of a Medium Analytics BIOC
    • Manipulation of netsh helper DLLs Registry keys (02bf3838-23d9-4a6b-a4c9-7b6691663249) - changed metadata of a Medium Analytics BIOC
    • Suspicious time provider registered (2055b591-73b7-4a69-8c88-a6d8649d1e7b) - changed metadata of a Medium Analytics BIOC
    • LOLBIN connecting to a rare host (4bcc13de-20b7-11ea-a54a-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOC
    • Uncommon PowerShell commands used to create or alter scheduled task parameters (a31e1c5b-f931-412b-b7ae-1932df342614) - changed metadata of a Medium Analytics BIOC
    • Suspicious Encrypting File System Remote call (EFSRPC) to domain controller (82a37634-c112-4dd9-8c16-332855d96c30) - changed metadata of a Medium Analytics BIOC
    • Suspicious print processor registered (cf14910d-0c56-48c7-97f2-903f3387ad6b) - changed metadata of a Medium Analytics BIOC
    • Reverse SSH tunnel to external domain/ip (0098b910-5056-4ce9-988a-983dd0071c5a) - changed metadata of a Medium Analytics BIOC
    • Possible new DHCP server (e5afa116-5041-4ed9-9d0c-18eaac133173) - changed metadata of a Medium Analytics BIOC
    • Suspicious Process Spawned by wininit.exe (9e4ba29f-8771-4f7b-acc4-562c91740934) - changed metadata of a Medium Analytics BIOC
    • Vulnerable driver loaded (1cc145f5-f667-4ca3-a722-79a29ed23caf) - changed metadata of a Medium Analytics BIOC
    • Uncommon msiexec execution of an arbitrary file from the web (8b919310-62f6-4035-b60b-ef61372947d9) - changed metadata of a Medium Analytics BIOC
    • PowerShell suspicious flags (4ce1b559-45b8-11ea-81bb-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
    • Bitsadmin.exe persistence using command-line callback (96e5bf6b-3ed4-42f2-b824-6cdb16a31608) - changed metadata of a Medium Analytics BIOC
    • Suspicious PowerSploit's recon module (PowerView) net function was executed (bd95656f-6ba3-4c9d-ac06-8b0a957cf67f) - changed metadata of a Medium Analytics BIOC
    • Uncommon SetWindowsHookEx API invocation of a possible keylogger (09cf18c8-e607-44f4-bb06-1dfde6163839) - changed metadata of a Medium Analytics BIOC
    • Script file added to startup-related Registry keys (9dee6c7b-1df0-4eb2-9db2-035f70e7c9d7) - changed metadata of a Medium Analytics BIOC
    • Execution of renamed lolbin (d2600df6-4489-4ad6-b92b-0b560f958d57) - changed metadata of a Medium Analytics BIOC
    • Microsoft Office Process Spawning a Suspicious One-Liner (aca7aaa1-4361-11ea-8fed-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
    • LDAP search query from an unpopular and unsigned process (64472a41-9670-4626-8926-98b713328ddf) - changed metadata of a Medium Analytics BIOC
    • Non-browser failed access to a pastebin-like site (be47eb8c-3407-46d6-ad35-2961f3f669b0) - changed metadata of a Medium Analytics BIOC
  • Changed metadata of 11 Medium Analytics Alerts:
    • Sudoedit Brute force attempt (e1d6cdd8-845f-440b-b89e-a430eafea941) - changed metadata of a Medium Analytics Alert
    • Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - changed metadata of a Medium Analytics Alert
    • DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - changed metadata of a Medium Analytics Alert
    • An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - changed metadata of a Medium Analytics Alert
    • Kerberos User Enumeration (a371b533-c9f4-11eb-879e-acde48001122) - changed metadata of a Medium Analytics Alert
    • Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - changed metadata of a Medium Analytics Alert
    • Remote account enumeration (7ee73b65-466e-4d4d-b2a6-0058f11b442d) - changed metadata of a Medium Analytics Alert
    • NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) - changed metadata of a Medium Analytics Alert
    • Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - changed metadata of a Medium Analytics Alert
    • Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) - changed metadata of a Medium Analytics Alert
    • New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - changed metadata of a Medium Analytics Alert
  • Removed an old Low BIOC:
    • New addition to Windows Defender exclusion list (419ff8cf-dc92-4f24-8665-3415fcdd0074) - removed an old Low alert
  • Added 5 new Low Analytics BIOCs:
    • Unsigned and unpopular process performed an injection (6bcd74bb-6301-4f52-9a9f-1b38e6a54342) - added a new Low alert
    • SPNs cleared from a machine account (973d9ec2-5dce-11ec-8dbf-acde48001122) - added a new Low alert
    • Unsigned and unpopular process performed a DLL injection (5396ebed-c7ef-4462-a02b-9cf7232b27b8) - added a new Low alert
    • New addition to Windows Defender exclusion list (97bd1ad3-df0f-459c-be72-88193ce7b667) - added a new Low alert
    • Possible network sniffing attempt via tcpdump or tshark (10d3d8d1-1edd-4992-beb3-53d4f5afcde8) - added a new Low alert
  • Improved logic of a Low Analytics BIOC:
    • A cloud identity executed an API call from an unusual country (19c743b0-99ca-400c-b386-bcc99d846582) - improved logic of a Low Analytics BIOC
  • Changed metadata of 84 Low Analytics BIOCs:
    • Unusual process accessed the PowerShell history file (c5e0c7e3-5e55-11eb-9453-acde48001122) - changed metadata of a Low Analytics BIOC
    • Uncommon ARP cache listing via arp.exe (85a9b5a1-e953-11e9-939b-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
    • Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - changed metadata of a Low Analytics BIOC
    • Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - changed metadata of a Low Analytics BIOC
    • Suspicious process execution by scheduled task (56bc5f4c-e481-41de-81e4-ec618fb1f004) - changed metadata of a Low Analytics BIOC
    • Possible network service discovery via command-line tool (e2e77dfb-d869-405e-ab1f-2a2477c931cc) - changed metadata of a Low Analytics BIOC
    • A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - changed metadata of a Low Analytics BIOC
    • Suspicious LDAP search query executed (95ffd373-d208-4fae-8d1e-adfeca7b9fb5) - changed metadata of a Low Analytics BIOC
    • Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - changed metadata of a Low Analytics BIOC
    • AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - changed metadata of a Low Analytics BIOC
    • A WMI subscriber was created (5a1964f8-87a0-49d6-bbf2-2c1a5a5eb3e1) - changed metadata of a Low Analytics BIOC
    • Uncommon GetClipboardData API function invocation of a possible information stealer (086617b1-eaea-4b50-9712-318faeb71c10) - changed metadata of a Low Analytics BIOC
    • System information discovery via psinfo.exe (5347ae54-08ba-4cee-81a7-a26016928e27) - changed metadata of a Low Analytics BIOC
    • Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - changed metadata of a Low Analytics BIOC
    • A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - changed metadata of a Low Analytics BIOC
    • AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - changed metadata of a Low Analytics BIOC
    • Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - changed metadata of a Low Analytics BIOC
    • GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - changed metadata of a Low Analytics BIOC
    • SecureBoot was disabled (e8a6caaf-89c1-4e19-8e27-1ced582293e0) - changed metadata of a Low Analytics BIOC
    • Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - changed metadata of a Low Analytics BIOC
    • MSBuild Makes a Rare Network Connection (633a8e38-c616-11ea-abb3-acde48001122) - changed metadata of a Low Analytics BIOC
    • Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - changed metadata of a Low Analytics BIOC
    • Image File Execution Options Registry key injection by unsigned process (4588be44-8912-41c5-9a7d-6921691140db) - changed metadata of a Low Analytics BIOC
    • Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - changed metadata of a Low Analytics BIOC
    • PowerShell Initiates a Network Connection to GitHub (8b34f70a-b84d-4d98-aa19-7ee88037e467) - changed metadata of a Low Analytics BIOC
    • Suspicious AMSI decode attempt (f3885db4-6be6-40b9-82c1-9858f97a4229) - changed metadata of a Low Analytics BIOC
    • An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - changed metadata of a Low Analytics BIOC
    • Interactive login by a service account (603bfd03-d88b-4a3e-844b-5286b6971960) - changed metadata of a Low Analytics BIOC
    • Discovery of host users via WMIC (6593c57d-14fe-11ea-9297-88e9fe502c1f) - changed metadata of a Low Analytics BIOC
    • Suspicious access to shadow file (e4b279f9-3e47-4906-a9d3-4b2a7550da04) - changed metadata of a Low Analytics BIOC
    • Delayed Deletion of Files (9801a8bd-4695-11ea-bb20-88e9fe502c1f) - changed metadata of a Low Analytics BIOC
    • Uncommon routing table listing via route.exe (758e8ed7-e953-11e9-b4ee-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
    • A suspicious process enrolled for a certificate (4cbef8f8-ec99-40d1-9b8b-bfbd3cda5f4b) - changed metadata of a Low Analytics BIOC
    • Rare Unsigned Process Spawned by Office Process Under Suspicious Directory (dff03970-bf7a-11ea-86c7-acde48001122) - changed metadata of a Low Analytics BIOC
    • Unverified domain added to Azure AD (e4672ba4-6ba8-426c-82c1-9858f97a4221) - changed metadata of a Low Analytics BIOC
    • Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - changed metadata of a Low Analytics BIOC
    • AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - changed metadata of a Low Analytics BIOC
    • Wscript/Cscript loads .NET DLLs (5844326f-d597-410f-aea0-7d369029b218) - changed metadata of a Low Analytics BIOC
    • Interactive login by a machine account (1114b340-fc05-4ad0-925d-6c2867d2b5d9) - changed metadata of a Low Analytics BIOC
    • Uncommon Security Support Provider (SSP) registered via a registry key (3d1283d0-409c-4d95-8995-dcc7b1ab23e1) - changed metadata of a Low Analytics BIOC
    • Microsoft Office process spawns a commonly abused process (e15a97e1-466c-11ea-90c6-88e9fe502c1f) - changed metadata of a Low Analytics BIOC
    • AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - changed metadata of a Low Analytics BIOC
    • MpCmdRun.exe was used to download files into the system (bae10b1e-5850-452a-9623-d86e959d34d4) - changed metadata of a Low Analytics BIOC
    • Uncommon user management via net.exe (f78dfe5e-e952-11e9-b300-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
    • First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - changed metadata of a Low Analytics BIOC
    • WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
    • Remote service start from an uncommon source (972072a7-9f23-4354-824d-7295de90e804) - changed metadata of a Low Analytics BIOC
    • Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - changed metadata of a Low Analytics BIOC
    • Rare communication over email ports to external email server by unsigned process (7b424216-fe61-4589-bcee-67e9e7b267be) - changed metadata of a Low Analytics BIOC
    • Screensaver process executed from Users or temporary folder (463d34d4-d448-40f2-8093-6ce58cf2bdbb) - changed metadata of a Low Analytics BIOC
    • A rare disabled user attempted to log in (598e04de-0c13-46de-ad73-27ec4605da3f) - changed metadata of a Low Analytics BIOC
    • Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - changed metadata of a Low Analytics BIOC
    • Certutil pfx parsing (3719af79-bdde-4c84-9277-cbf41c86cd39) - changed metadata of a Low Analytics BIOC
    • Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - changed metadata of a Low Analytics BIOC
    • Unsigned process creates a scheduled task via file access (f07fd364-9b51-48ec-8225-32ae98a8ffe5) - changed metadata of a Low Analytics BIOC
    • Uncommon local scheduled task creation via schtasks.exe (8581c273-e953-11e9-b670-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
    • Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - changed metadata of a Low Analytics BIOC
    • Suspicious PowerShell Enumeration of Running Processes (9ed9d8ee-6dbb-11ea-a5d9-88e9fe502c1f) - changed metadata of a Low Analytics BIOC
    • Remote DCOM command execution (e5e3c27a-a0c5-49b7-8143-5012d1180d2c) - changed metadata of a Low Analytics BIOC
    • SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - changed metadata of a Low Analytics BIOC
    • Uncommon remote service start via sc.exe (85cdb57d-e953-11e9-859b-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
    • Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
    • User successfully connected from a suspicious country (2f0796a2-c33c-4437-b592-ac13f0929e7d) - changed metadata of a Low Analytics BIOC
    • LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - changed metadata of a Low Analytics BIOC
    • SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - changed metadata of a Low Analytics BIOC
    • Wsmprovhost.exe Rare Child Process (f5b580fd-e952-11e9-91de-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
    • Suspicious PowerShell Command Line (d2aa3dde-4d73-11ea-923a-88e9fe502c1f) - changed metadata of a Low Analytics BIOC
    • Rare SSH Session (85f62ab8-e953-11e9-beca-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
    • UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - changed metadata of a Low Analytics BIOC
    • Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - changed metadata of a Low Analytics BIOC
    • Elevation to SYSTEM via services (a1962f05-c1da-4765-8e4a-59729c70dde0) - changed metadata of a Low Analytics BIOC
    • Suspicious RunOnce Parent Process (565f0500-ad74-11ea-abe7-acde48001122) - changed metadata of a Low Analytics BIOC
    • Suspicious process executed with a high integrity level (81e70ab2-b1f1-4a1c-bf94-3929f6d7e1b2) - changed metadata of a Low Analytics BIOC
    • Uncommon IP Configuration Listing via ipconfig.exe (02501f5c-e953-11e9-954d-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
    • SUID/GUID permission discovery (3f90bf2c-05bb-4916-8e70-3fe7a81ea23d) - changed metadata of a Low Analytics BIOC
    • Domain federation settings have been modified (050d189d-714a-46a0-b25d-2b295afd55b6) - changed metadata of a Low Analytics BIOC
    • Suspicious runonce.exe parent process (b72692c3-9579-4547-b657-43dc4e6be816) - changed metadata of a Low Analytics BIOC
    • Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - changed metadata of a Low Analytics BIOC
    • Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet (c640fd86-9c58-4fe2-82ed-c3975866393a) - changed metadata of a Low Analytics BIOC
    • SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - changed metadata of a Low Analytics BIOC
    • Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - changed metadata of a Low Analytics BIOC
    • Rare security product signed executable executed in the network (f9e9ff14-df6e-4ed4-a15d-326bd444199b) - changed metadata of a Low Analytics BIOC
    • First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - changed metadata of a Low Analytics BIOC
    • Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - changed metadata of a Low Analytics BIOC
  • Removed 3 old Low Analytics BIOCs:
    • Network sniffing via command-line tool (4b25dcce-0ac3-4cb2-8c97-939a1077af84) - removed an old Low alert
    • Unsigned and unpopular process performed an injection (30f78c0f-4f8b-4969-bb00-809cf72a3eed) - removed an old Low alert
    • Unsigned and unpopular process performed a DLL injection (6cbd636f-6f55-480c-872d-7611840a7f0a) - removed an old Low alert
  • Improved logic of a Low Analytics Alert:
    • Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of a Low Analytics Alert
  • Changed metadata of 23 Low Analytics Alerts:
    • NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - changed metadata of a Low Analytics Alert
    • Suspicious reconnaissance using LDAP (72a78521-6907-40c0-90da-5c1a733a8ed6) - changed metadata of a Low Analytics Alert
    • Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - changed metadata of a Low Analytics Alert
    • Possible external RDP Brute-Force (f774f787-6763-4f3c-bc24-46d3183d26fe) - changed metadata of a Low Analytics Alert
    • Outlook files accessed by an unsigned process (ef33bda6-d0c5-48ef-95a6-e80c0f19df79) - changed metadata of a Low Analytics Alert
    • Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - changed metadata of a Low Analytics Alert
    • Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - changed metadata of a Low Analytics Alert
    • TGT reuse from different hosts (pass the ticket) (a3ae81d9-6d4a-45a8-a720-df7380d2afc8) - changed metadata of a Low Analytics Alert
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alert
    • NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - changed metadata of a Low Analytics Alert
    • Cloud identity performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - changed metadata of a Low Analytics Alert
    • Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - changed metadata of a Low Analytics Alert
    • Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - changed metadata of a Low Analytics Alert
    • Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - changed metadata of a Low Analytics Alert
    • IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - changed metadata of a Low Analytics Alert
    • Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - changed metadata of a Low Analytics Alert
    • Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - changed metadata of a Low Analytics Alert
    • A user connected a new USB storage device to multiple hosts (09214199-d414-486e-bcf5-dc5034b2c424) - changed metadata of a Low Analytics Alert
    • NTLM Brute Force on an Administrator Account (aed1e32e-8df0-48d7-8e78-4ebcb6e09a94) - changed metadata of a Low Analytics Alert
    • Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - changed metadata of a Low Analytics Alert
    • Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - changed metadata of a Low Analytics Alert
    • Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - changed metadata of a Low Analytics Alert
    • Impossible traveler (4f3fff54-e970-4f54-ba86-fd18f94ef559) - changed metadata of a Low Analytics Alert
  • Added 6 new Informational BIOCs:
    • System owner/user discovery (12d9aab2-f990-4696-b05c-1657791a4f3c) - added a new Informational alert
    • Remote file copy (97b353d8-4995-41ee-b27b-dc0d91b3a493) - added a new Informational alert
    • System information discovery (63e963e1-81be-4b5f-991f-e93b76898def) - added a new Informational alert
    • Remote system discovery (f6c6e30a-f616-4e07-bb34-351abdb48eb5) - added a new Informational alert
    • System network configuration discovery (7d9524ea-a458-46e5-a954-2442a294e583) - added a new Informational alert
    • Linux network share discovery (5ce678af-ca4b-4c5a-bc5b-8725b50f6047) - added a new Informational alert
  • Improved logic of an Informational BIOC:
    • Password complexity enumeration (e86d9dc7-e59d-44d0-a611-5480d390eff0) - improved logic of an Informational BIOC
  • Added a new Informational Analytics BIOC:
    • Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - added a new Informational alert
  • Improved logic of an Informational Analytics BIOC:
    • First cloud API call from a country in organization (575fd23b-30b1-48eb-b94c-c6ef4261e7c1) - improved logic of an Informational Analytics BIOC
  • Changed metadata of 112 Informational Analytics BIOCs:
    • Rare NTLM Access By User To Host (05413bad-3d79-4e9a-9611-3471e3b25da5) - changed metadata of an Informational Analytics BIOC
    • AWS Role Trusted Entity modification (cada381e-8af6-45fa-8c3f-a4e93c4e1885) - changed metadata of an Informational Analytics BIOC
    • Suspicious process accessed certificate files (21df20db-09cb-4bc4-b7ea-c6b1cb2e9667) - changed metadata of an Informational Analytics BIOC
    • LDAP Traffic from Non-Standard Process (5e72a7b4-39ed-4669-98ca-b2495088f653) - changed metadata of an Informational Analytics BIOC
    • GCP Storage Bucket Configuration Modification (d1ad46ca-4412-445a-a0be-17d9b29880d3) - changed metadata of an Informational Analytics BIOC
    • Registration of Uncommon .NET Services and/or Assemblies (df0fcd8c-637b-11ea-b635-88e9fe502c1f) - changed metadata of an Informational Analytics BIOC
    • SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - changed metadata of an Informational Analytics BIOC
    • First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - changed metadata of an Informational Analytics BIOC
    • GCP Storage Bucket deletion (d681c6c5-41e7-4042-bd07-7f666889d59c) - changed metadata of an Informational Analytics BIOC
    • GCP Virtual Private Cloud (VPC) Network Deletion (d9158b41-8de9-4f6d-98b0-3155d4deb092) - changed metadata of an Informational Analytics BIOC
    • AWS network ACL rule creation (a04d827e-9c62-4e2e-be28-1308c695446e) - changed metadata of an Informational Analytics BIOC
    • A user connected a USB storage device to a host for the first time (e3bc7997-3aec-4a0c-abc9-bdf744a34f39) - changed metadata of an Informational Analytics BIOC
    • Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - changed metadata of an Informational Analytics BIOC
    • Rare process execution in organization (8d02294c-21bd-11eb-afd9-acde48001122) - changed metadata of an Informational Analytics BIOC
    • Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - changed metadata of an Informational Analytics BIOC
    • GCP Firewall Rule creation (a84dbd23-67d0-4851-a73a-7dc7430600cf) - changed metadata of an Informational Analytics BIOC
    • Rare SMTP/S Session (4a634ad4-e954-11e9-b86b-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOC
    • Rare signature signed executable executed in the network (c3ce1512-5a5b-4dca-8bd7-0d06845311ee) - changed metadata of an Informational Analytics BIOC
    • Possible Email collection using Outlook RPC (d79e5210-e386-4bb6-aff9-c33afb3ba9d6) - changed metadata of an Informational Analytics BIOC
    • Azure Automation Runbook Creation/Modification (abeed5ee-9620-4c31-b751-f090b3a82c37) - changed metadata of an Informational Analytics BIOC
    • Unusual weak authentication by user (438a1ba6-98e1-4b02-9c94-76c437fd682d) - changed metadata of an Informational Analytics BIOC
    • GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - changed metadata of an Informational Analytics BIOC
    • GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - changed metadata of an Informational Analytics BIOC
    • Rare process execution by user (4cf96b80-2278-11eb-9f9a-acde48001122) - changed metadata of an Informational Analytics BIOC
    • EC2 snapshot attribute has been modification (1c516548-f413-4117-b759-d98d5bec3ed5) - changed metadata of an Informational Analytics BIOC
    • Aurora DB cluster stopped (37242e95-a845-4043-87d6-ad07edfd7c99) - changed metadata of an Informational Analytics BIOC
    • AWS user creation (242c9abb-1def-4778-ba5e-88817b4dc89f) - changed metadata of an Informational Analytics BIOC
    • GCP Pub/Sub Topic Deletion (2acac71c-6a19-4b2f-a4d3-b95fa4cab768) - changed metadata of an Informational Analytics BIOC
    • Azure Event Hub Authorization rule creation/modification (ba1fb18f-9031-4b7c-9ec3-d029f5e5ee0e) - changed metadata of an Informational Analytics BIOC
    • GCP Pub/Sub Subscription Deletion (12e3bc4a-69f6-4923-932e-0272621aa21a) - changed metadata of an Informational Analytics BIOC
    • Login by a dormant user (0d700470-a3fa-4a78-b1fa-5c1e47db9a60) - changed metadata of an Informational Analytics BIOC
    • Ping to localhost from an uncommon, unsigned parent process (91d8831e-18ed-48b3-a316-f5091d647738) - changed metadata of an Informational Analytics BIOC
    • Root user logged in to AWS console (447ef512-2b73-4c8e-b0f4-c85415e7659f) - changed metadata of an Informational Analytics BIOC
    • Azure Automation Webhook creation (c5393a54-b199-4474-a603-75b276903766) - changed metadata of an Informational Analytics BIOC
    • Rare NTLM Usage by User (41374948-45f3-448a-bec2-2efe049aa69f) - changed metadata of an Informational Analytics BIOC
    • Rare AppID usage for port to rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - changed metadata of an Informational Analytics BIOC
    • Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - changed metadata of an Informational Analytics BIOC
    • GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - changed metadata of an Informational Analytics BIOC
    • Azure Key Vault modification (c253e0bb-f704-45c8-9abe-ad0ec9345b54) - changed metadata of an Informational Analytics BIOC
    • AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - changed metadata of an Informational Analytics BIOC
    • GCP Firewall Rule Modification (780f6209-1829-45e2-9ab9-a22999d6ef6e) - changed metadata of an Informational Analytics BIOC
    • Process connecting to default Meterpreter port (9de6cf91-007d-11ea-a77c-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOC
    • A suspicious process queried AD CS objects via LDAP (69bfcbc2-04a1-400b-9516-14c987fedb05) - changed metadata of an Informational Analytics BIOC
    • Uncommon net localgroup execution (4adaa6ba-e954-11e9-b566-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOC
    • External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - changed metadata of an Informational Analytics BIOC
    • First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - changed metadata of an Informational Analytics BIOC
    • MFA device was removed/deactivated from an IAM user (52d74622-2fa5-4eae-b7d0-8eb52e0caaf3) - changed metadata of an Informational Analytics BIOC
    • Azure Storage Account key generated (72443a25-c783-494e-adaa-98cd96a54997) - changed metadata of an Informational Analytics BIOC
    • Possible use of a networking driver for network sniffing (335fb03a-3c85-4029-8033-ec575b3479ae) - changed metadata of an Informational Analytics BIOC
    • IAM User added to an IAM group (440b6ea7-2f9e-4ad1-8443-2586eb796298) - changed metadata of an Informational Analytics BIOC
    • Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - changed metadata of an Informational Analytics BIOC
    • Commonly abused AutoIT script drops an executable file to disk (267a6168-f45b-4274-9c78-7519395f47d4) - changed metadata of an Informational Analytics BIOC
    • Commonly abused process launched as a system service (3cbd172e-6e2f-11ea-8d8e-88e9fe502c1f) - changed metadata of an Informational Analytics BIOC
    • An Identity accessed a secret from Secret Manager (050cd586-bc43-4586-850d-162c0123ad6e) - changed metadata of an Informational Analytics BIOC
    • Azure Automation Runbook Deletion (ba481ed7-9957-489f-a29d-b78f92cc0644) - changed metadata of an Informational Analytics BIOC
    • Uncommon RDP connection (239ae240-e954-11e9-9f0a-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOC
    • S3 configuration deletion (68ebffe9-ce22-4453-bf44-5cd1affd67a0) - changed metadata of an Informational Analytics BIOC
    • An AWS RDS Global Cluster Deletion (1b957d24-d4c3-11eb-9122-acde48001122) - changed metadata of an Informational Analytics BIOC
    • AWS RDS cluster deletion (818dcc3f-c6e9-4ad5-a7ac-633cb75ebe71) - changed metadata of an Informational Analytics BIOC
    • Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - changed metadata of an Informational Analytics BIOC
    • IAM enumeration activity executed by an IAM user Identity (037eab86-c495-11eb-8c75-acde48001122) - changed metadata of an Informational Analytics BIOC
    • Azure virtual machine commands execution (6a069681-c378-4b9c-a2e2-0414a64cc36e) - changed metadata of an Informational Analytics BIOC
    • GCP IAM Service Account Key Deletion (7a30c221-6450-4c5a-bafc-f6633a5b7f7f) - changed metadata of an Informational Analytics BIOC
    • A user created a pfx file for the first time (5ddac38b-51e2-48c4-9fb7-43144bc3a148) - changed metadata of an Informational Analytics BIOC
    • Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - changed metadata of an Informational Analytics BIOC
    • AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - changed metadata of an Informational Analytics BIOC
    • Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - changed metadata of an Informational Analytics BIOC
    • System profiling WMI query execution (cf32631b-369a-451d-91ca-d2bc5b903363) - changed metadata of an Informational Analytics BIOC
    • VM Detection attempt (579c1479-a14e-4366-ab09-6bfefe0dc7f7) - changed metadata of an Informational Analytics BIOC
    • An IAM group was created (af19f0d0-1e67-4327-9528-a1dc496a548f) - changed metadata of an Informational Analytics BIOC
    • Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - changed metadata of an Informational Analytics BIOC
    • GCP Storage Bucket Permissions Modification (5ed09b6c-a603-4c5d-8c63-74245e42faed) - changed metadata of an Informational Analytics BIOC
    • Administrator groups enumerated via LDAP (ab78c189-98f0-4646-b67b-0ce05576ddbf) - changed metadata of an Informational Analytics BIOC
    • Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOC
    • GCP Virtual Private Network Route Creation (00e3b67d-2ef2-4341-b017-a6183b7dd8c8) - changed metadata of an Informational Analytics BIOC
    • Azure Blob Container Access Level Modification (28efc491-b0a3-4edc-96ab-15156dec80e4) - changed metadata of an Informational Analytics BIOC
    • Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - changed metadata of an Informational Analytics BIOC
    • Rare process spawned by srvany.exe (95b2dea2-4531-4eb4-892e-bb6422293ac9) - changed metadata of an Informational Analytics BIOC
    • Uncommon Managed Object Format (MOF) compiler usage (d8069d23-e953-11e9-bb13-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOC
    • GCP Service Account creation (f29b6fd5-3da3-4e40-867d-ef8c82d95116) - changed metadata of an Informational Analytics BIOC
    • Azure Automation Account Creation (878335a8-daf9-4380-a856-9df94a8f9e8d) - changed metadata of an Informational Analytics BIOC
    • A user connected a new USB storage device to a host (43c2c43d-3c3c-4a16-b06c-3ad5de1fb3be) - changed metadata of an Informational Analytics BIOC
    • GCP Service Account Disable (ee82516d-e047-4172-a427-17e30e037706) - changed metadata of an Informational Analytics BIOC
    • Service execution via sc.exe (d25d07fa-015c-47a6-a6a0-15ff46020cc5) - changed metadata of an Informational Analytics BIOC
    • AWS config resource deletion (7c992418-9687-44ea-8b12-1c680bf1c901) - changed metadata of an Informational Analytics BIOC
    • AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - changed metadata of an Informational Analytics BIOC
    • GCP Service Account deletion (bf134ec2-a907-4f4f-a316-0b68625ff236) - changed metadata of an Informational Analytics BIOC
    • WebDAV drive mounted from net.exe over HTTPS (233491ca-e954-11e9-90bd-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOC
    • GCP IAM Role Deletion (e0fe91e0-6179-4a3d-9d71-95144f4ebb25) - changed metadata of an Informational Analytics BIOC
    • AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - changed metadata of an Informational Analytics BIOC
    • AWS EC2 instance exported into S3 (c6ad16c5-f2be-46de-9d3b-c44613f46d27) - changed metadata of an Informational Analytics BIOC
    • Security tools detection attempt (502d0305-4670-49e3-b62b-2fab82bdda6e) - changed metadata of an Informational Analytics BIOC
    • A LOLBIN was copied to a different location (55c8b498-1f5e-4abf-9dfc-ca8bf0bcb3b9) - changed metadata of an Informational Analytics BIOC
    • GCP Virtual Private Network Route Deletion (db6e96a7-a47a-4ba3-b92c-623713ba3d67) - changed metadata of an Informational Analytics BIOC
    • AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - changed metadata of an Informational Analytics BIOC
    • Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - changed metadata of an Informational Analytics BIOC
    • Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - changed metadata of an Informational Analytics BIOC
    • User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - changed metadata of an Informational Analytics BIOC
    • AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - changed metadata of an Informational Analytics BIOC
    • Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - changed metadata of an Informational Analytics BIOC
    • A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - changed metadata of an Informational Analytics BIOC
    • Hiding a user as a computer account (eeb7b678-3c9b-11ec-879d-acde48001122) - changed metadata of an Informational Analytics BIOC
    • Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - changed metadata of an Informational Analytics BIOC
    • Suspicious active setup registered (8c293cef-3d98-492d-be14-7bff66877bc7) - changed metadata of an Informational Analytics BIOC
    • User connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - changed metadata of an Informational Analytics BIOC
    • Command execution via wmiexec (797eba35-3ac8-4e84-8dc4-dbe804b9dee3) - changed metadata of an Informational Analytics BIOC
    • PowerShell pfx certificate extraction (1195bbe0-884c-4f4c-b1cf-4c8288cbeffc) - changed metadata of an Informational Analytics BIOC
    • Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - changed metadata of an Informational Analytics BIOC
    • GCP IAM Custom Role Creation (830eb74a-a6a5-4e5c-9890-0f5857408000) - changed metadata of an Informational Analytics BIOC
    • GCP VPC Firewall Rule Deletion (4c47ea31-a67a-4b2f-b88a-154d8aac420b) - changed metadata of an Informational Analytics BIOC
    • Hidden Attribute was added to a file using attrib.exe (5414fab8-c803-40c5-914a-a601b23acb5a) - changed metadata of an Informational Analytics BIOC
    • New process created via a WMI call (6d726469-71ac-4741-9b41-abd75259ff74) - changed metadata of an Informational Analytics BIOC
  • Changed metadata of 11 Informational Analytics Alerts:
    • Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - changed metadata of an Informational Analytics Alerts
    • User collected remote shared files in an archive (de85c5aa-21e8-43d7-af13-3862f787549f) - changed metadata of an Informational Analytics Alerts
    • Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - changed metadata of an Informational Analytics Alerts
    • Uncommon multiple service stop commands (09db6c8f-189e-4e07-b94a-3fe5a188e4b0) - changed metadata of an Informational Analytics Alerts
    • Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - changed metadata of an Informational Analytics Alerts
    • Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - changed metadata of an Informational Analytics Alerts
    • Multiple Rare Process Executions in Organization (3d78f74c-a8f0-11eb-923e-acde48001122) - changed metadata of an Informational Analytics Alerts
    • Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - changed metadata of an Informational Analytics Alerts
    • NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - changed metadata of an Informational Analytics Alerts
    • Interactive local account enumeration (d4608074-aafc-49cc-aa04-292c0a87332e) - changed metadata of an Informational Analytics Alerts
    • Possible LDAP enumeration by unsigned process (12540bdc-b34f-4190-880b-40cb1cda0618) - changed metadata of an Informational Analytics Alerts

December 13, 2021 Release:

  • Improved logic of 2 High Analytics BIOCs:
    • Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin (e7deceda-807e-4e2e-993b-e577804c5d8f) - improved logic of a High Analytics BIOC
    • Log4J exploitation attempt against cloud hosted resources (bdef5aae-a272-4c70-b1cd-165cac5039c3) - improved logic of a High Analytics BIOC
  • Improved logic of a High Analytics Alert:
    • Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - improved logic of a High Analytics Alert
  • Changed metadata of 6 Medium BIOCs:
    • Virtual Directory configuration access via PowerShell (4920f289-67f2-482a-9320-a4532ca12845) - changed metadata of a Medium BIOC
    • Possible Firefox browser history and bookmarks collection via command-line tool (59bcaa15-6a26-49a9-b8db-4978b1148f13) - changed metadata of a Medium BIOC
    • DNS reconnaissance or enumeration via DNSRecon (58ee2732-5c4e-468c-a878-4a524d8d5f81) - changed metadata of a Medium BIOC
    • Execution of Fsociety tool pack (9a5b28a6-0a67-4386-9707-e7e4f1791c8a) - changed metadata of a Medium BIOC
    • PowerShell dumps users and roles from Exchange server (01ac823a-d1fc-4621-8bce-cb78d1dc83a0) - changed metadata of a Medium BIOC
    • Possible ping sweep (362649fe-9028-4166-baf8-b58c8dab8bee) - changed metadata of a Medium BIOC
  • Removed 2 old Medium BIOCs:
    • MSI accessed a web page running a server-side script (d24d3083-703e-4216-b248-eb6fa7cefc85) - removed an old Medium alert
    • Executable created to disk by lsass.exe (8d61c71e-3224-453f-aa1a-28de92d85b13) - removed an old Medium alert
  • Added 2 new Medium Analytics BIOCs:
    • MSI accessed a web page running a server-side script (afb57884-36f1-4127-b1ac-43009c32899b) - added a new Medium alert
    • Executable created to disk by lsass.exe (b2f18102-e247-4986-8681-029741ebbfd5) - added a new Medium alert
  • Improved logic of 4 Medium Analytics BIOCs:
    • Windows Installer exploitation for local privilege escalation (d6aeb50b-c3f9-4eb3-9504-636eb17f3a42) - improved logic of a Medium Analytics BIOC
    • Suspicious authentication package registered (8beb68b4-a866-494d-a768-c4c391086c66) - improved logic of a Medium Analytics BIOC
    • Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOC
    • Scrcons.exe Rare Child Process (f62553d1-e952-11e9-81c4-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
  • Improved logic of 2 Medium Analytics Alerts:
    • New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Medium Analytics Alert
    • Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) - improved logic of a Medium Analytics Alert
  • Changed metadata of 4 Low BIOCs:
    • Possible Oracle enumeration via tnscmd10g (2cb88b29-27c2-484b-be99-60158b575cf1) - changed metadata of a Low BIOC
    • UDP protocol scanner execution (d985da58-a4c5-4063-984b-357c80021aa1) - changed metadata of a Low BIOC
    • Possible Oracle enumeration via Oscanner (81714e7d-a315-11ea-baaf-acde48001122) - changed metadata of a Low BIOC
    • Network share discovery via command-line tool (c8a48667-d44e-4ffb-b6f7-2b42a3bf6328) - changed metadata of a Low BIOC
  • Improved logic of 5 Low Analytics BIOCs:
    • UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - improved logic of a Low Analytics BIOC
    • Rare security product signed executable executed in the network (f9e9ff14-df6e-4ed4-a15d-326bd444199b) - improved logic of a Low Analytics BIOC
    • Suspicious process execution by scheduled task (56bc5f4c-e481-41de-81e4-ec618fb1f004) - improved logic of a Low Analytics BIOC
    • SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of a Low Analytics BIOC
    • Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - improved logic of a Low Analytics BIOC
  • Improved logic of 3 Low Analytics Alerts:
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alert
    • Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alert
    • Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alert
  • Changed metadata of 29 Informational BIOCs
  • Improved logic of 4 Informational Analytics BIOCs:
    • Rare process execution in organization (8d02294c-21bd-11eb-afd9-acde48001122) - improved logic of an Informational Analytics BIOC
    • Rare signature signed executable executed in the network (c3ce1512-5a5b-4dca-8bd7-0d06845311ee) - improved logic of an Informational Analytics BIOC
    • Rare AppID usage for port to rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOC
    • SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - improved logic of an Informational Analytics BIOC
  • Improved logic of an Informational Analytics Alert:
    • Multiple Rare Process Executions in Organization (3d78f74c-a8f0-11eb-923e-acde48001122) - improved logic of an Informational Analytics Alert

December 06, 2021 Release:

  • Increased the severity to High for a BIOC:
    • EventLog service disabled by a Registry operation (b7c919b6-b653-49c6-bd20-2441160ec75e) - increased the severity to High
  • Improved logic of a High BIOC:
    • Credential dumping via LaZagne (928b756c-8328-4dd8-9b41-5461d590589f) - improved logic of a High BIOC
  • Improved logic of 2 High Analytics BIOCs:
    • Windows Event Log cleared using wevtutil.exe (be2210fb-9884-49e7-8078-6e59c35d925e) - improved logic of a High Analytics BIOC
    • Unprivileged process opened a registry hive (9937ddbf-beb9-49b0-ac34-e005d53a127b) - improved logic of a High Analytics BIOC
  • Changed metadata of a High Analytics BIOC:
    • A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - changed metadata of a High Analytics BIOC
  • Added a new Medium Analytics BIOC:
    • Uncommon PowerShell commands used to create or alter scheduled task parameters (a31e1c5b-f931-412b-b7ae-1932df342614) - added a new Medium alert
  • Improved logic of 16 Medium Analytics BIOCs:
    • PowerShell runs suspicious base64-encoded commands (867fc0b0-4f9f-4d3b-b538-0b32266e2ab2) - improved logic of a Medium Analytics BIOC
    • Remote WMI process execution (65c55916-23c3-4d1e-9e3d-e839c9c4b70f) - improved logic of a Medium Analytics BIOC
    • RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
    • Phantom DLL Loading (69ba5103-2954-4175-87b7-3a622ec07255) - improved logic of a Medium Analytics BIOC
    • Suspicious PowerSploit's recon module (PowerView) net function was executed (bd95656f-6ba3-4c9d-ac06-8b0a957cf67f) - improved logic of a Medium Analytics BIOC
    • Suspicious PowerSploit's recon module (PowerView) used to search for exposed hosts (dd806bdc-9025-47ff-816a-72ee47c322a3) - improved logic of a Medium Analytics BIOC
    • Uncommon net group execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
    • Suspicious disablement of the Windows Firewall (7c28b163-4d2f-463c-97ba-5b3e7f13249b) - improved logic of a Medium Analytics BIOC
    • Possible Microsoft module side-loading into Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - improved logic of a Medium Analytics BIOC
    • Uncommon SetWindowsHookEx API invocation of a possible keylogger (09cf18c8-e607-44f4-bb06-1dfde6163839) - improved logic of a Medium Analytics BIOC
    • LOLBIN spawned by an Office executable connected to a rare external host (0aad6094-99a3-11ea-8544-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
    • Execution of renamed lolbin (d2600df6-4489-4ad6-b92b-0b560f958d57) - improved logic of a Medium Analytics BIOC
    • Microsoft Office Process Spawning a Suspicious One-Liner (aca7aaa1-4361-11ea-8fed-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
    • Possible RDP session hijacking using tscon.exe (015570a8-ffce-492b-99a9-e7b83dc8e216) - improved logic of a Medium Analytics BIOC
    • Possible Microsoft process masquerading (e0a99ea0-977d-4646-b9d9-26e9e7a4341c) - improved logic of a Medium Analytics BIOC
    • PowerShell suspicious flags (4ce1b559-45b8-11ea-81bb-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
  • Improved logic of a Medium Analytics Alert:
    • An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - improved logic of a Medium Analytics Alert
  • Removed an old Low BIOC:
    • Screensaver process executed from users or temporary folder (e07f68e2-27bb-46fa-97b1-a7b6b59feb16) - removed an old Low alert
  • Increased the severity to Low for an Analytics BIOC:
    • Uncommon GetClipboardData API function invocation of a possible information stealer (086617b1-eaea-4b50-9712-318faeb71c10) - increased the severity to Low, and improved detection logic
  • Added a new Low Analytics BIOC:
    • Screensaver process executed from Users or temporary folder (463d34d4-d448-40f2-8093-6ce58cf2bdbb) - added a new Low alert
  • Improved logic of 17 Low Analytics BIOCs:
    • Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - improved logic of a Low Analytics BIOC
    • Elevation to SYSTEM via services (a1962f05-c1da-4765-8e4a-59729c70dde0) - improved logic of a Low Analytics BIOC
    • UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - improved logic of a Low Analytics BIOC
    • Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - improved logic of a Low Analytics BIOC
    • Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - improved logic of a Low Analytics BIOC
    • Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOC
    • Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - improved logic of a Low Analytics BIOC
    • Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet (c640fd86-9c58-4fe2-82ed-c3975866393a) - improved logic of a Low Analytics BIOC
    • Wsmprovhost.exe Rare Child Process (f5b580fd-e952-11e9-91de-8c8590c9ccd1) - improved logic of a Low Analytics BIOC
    • Remote DCOM command execution (e5e3c27a-a0c5-49b7-8143-5012d1180d2c) - improved logic of a Low Analytics BIOC
    • LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - improved logic of a Low Analytics BIOC
    • Suspicious AMSI decode attempt (f3885db4-6be6-40b9-82c1-9858f97a4229) - improved logic of a Low Analytics BIOC
    • SUID/GUID permission discovery (3f90bf2c-05bb-4916-8e70-3fe7a81ea23d) - improved logic of a Low Analytics BIOC
    • WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - improved logic of a Low Analytics BIOC
    • Microsoft Office process spawns a commonly abused process (e15a97e1-466c-11ea-90c6-88e9fe502c1f) - improved logic of a Low Analytics BIOC
    • Suspicious process executed with a high integrity level (81e70ab2-b1f1-4a1c-bf94-3929f6d7e1b2) - improved logic of a Low Analytics BIOC
    • Remote service start from an uncommon source (972072a7-9f23-4354-824d-7295de90e804) - improved logic of a Low Analytics BIOC
  • Improved logic of 4 Low Analytics Alerts:
    • Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - improved logic of a Low Analytics Alert
    • Outlook files accessed by an unsigned process (ef33bda6-d0c5-48ef-95a6-e80c0f19df79) - improved logic of a Low Analytics Alert
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alert
    • Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alert
  • Added a new Informational BIOC:
    • Possible web shell command execution (3be30b63-d245-4ef7-b806-16f42247af50) - added a new Informational alert
  • Removed 2 old Informational BIOCs:
    • Remote wmiexec execution (070094f8-87c3-47c4-92c8-82bcad12116f) - removed an old Informational alert
    • Credential dumping via LaZagne (8e9e0996-eb08-48b2-a234-730c8227bbdd) - removed an old Informational alert
  • Added a new Informational Analytics BIOC:
    • Command execution via wmiexec (797eba35-3ac8-4e84-8dc4-dbe804b9dee3) - added a new Informational alert
  • Improved logic of 10 Informational Analytics BIOCs:
    • Service execution via sc.exe (d25d07fa-015c-47a6-a6a0-15ff46020cc5) - improved logic of an Informational Analytics BIOC
    • LDAP Traffic from Non-Standard Process (5e72a7b4-39ed-4669-98ca-b2495088f653) - improved logic of an Informational Analytics BIOC
    • Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - improved logic of an Informational Analytics BIOC
    • Suspicious active setup registered (8c293cef-3d98-492d-be14-7bff66877bc7) - improved logic of an Informational Analytics BIOC
    • Possible Email collection using Outlook RPC (d79e5210-e386-4bb6-aff9-c33afb3ba9d6) - improved logic of an Informational Analytics BIOC
    • A LOLBIN was copied to a different location (55c8b498-1f5e-4abf-9dfc-ca8bf0bcb3b9) - improved logic of an Informational Analytics BIOC
    • Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOC
    • Commonly abused process launched as a system service (3cbd172e-6e2f-11ea-8d8e-88e9fe502c1f) - improved logic of an Informational Analytics BIOC
    • Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - improved logic of an Informational Analytics BIOC
    • Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - improved logic of an Informational Analytics BIOC
  • Improved logic of 3 Informational Analytics Alerts:
    • Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - improved logic of an Informational Analytics Alert
    • Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - improved logic of an Informational Analytics Alert
    • Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - improved logic of an Informational Analytics Alert

November 28, 2021 Release:

  • Changed metadata of 2 High Analytics BIOCs:
    • A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - changed metadata of a High Analytics BIOC
    • Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) - changed metadata of a High Analytics BIOC
  • Changed metadata of a High Analytics Alert:
    • Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - changed metadata of a High Analytics Alert
  • Increased the severity to Medium for an Analytics BIOC:
    • Execution of renamed lolbin (d2600df6-4489-4ad6-b92b-0b560f958d57) - increased the severity to Medium, and improved detection logic
  • Improved logic of 4 Medium Analytics BIOCs:
    • Script file added to startup-related Registry keys (9dee6c7b-1df0-4eb2-9db2-035f70e7c9d7) - improved logic of a Medium Analytics BIOC
    • Possible AWS Instance Metadata Service (IMDS) Abuse (39ea8f0c-d0d7-4470-b373-aa144394e579) - improved logic of a Medium Analytics BIOC
    • Remote WMI process execution (65c55916-23c3-4d1e-9e3d-e839c9c4b70f) - improved logic of a Medium Analytics BIOC
    • Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOC
  • Changed metadata of 2 Medium Analytics BIOCs:
    • Reverse SSH tunnel to external domain/ip (0098b910-5056-4ce9-988a-983dd0071c5a) - changed metadata of a Medium Analytics BIOC
    • Execution of the Hydra Linux password brute-force tool (90010a1e-59b9-42a2-b768-2778a666f7a3) - changed metadata of a Medium Analytics BIOC
  • Removed an old Medium Analytics BIOC:
    • Execution of renamed lolbin (fdb82a70-8f9a-11ea-9918-88e9fe502c1f) - removed an old Medium alert
  • Improved logic of a Medium Analytics Alert:
    • Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) - improved logic of a Medium Analytics Alert
  • Changed metadata of a Medium Analytics Alert:
    • Remote account enumeration (7ee73b65-466e-4d4d-b2a6-0058f11b442d) - changed metadata of a Medium Analytics Alert
  • Increased the severity to Low for an Analytics BIOC:
    • A cloud identity executed an API call from an unusual country (19c743b0-99ca-400c-b386-bcc99d846582) - increased the severity to Low, and improved detection logic
  • Decreased the severity to Low for an Analytics BIOC:
    • WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - decreased the severity to Low, and improved detection logic
  • Added 3 new Low Analytics BIOCs:
    • WmiPrvSe.exe Rare Child Command Line - Test (940d6895-b1e1-4bcc-9325-ccd1169574a9) - added a new Low alert
    • Unsigned and unpopular process performed a DLL injection - Multi Severity (5396ebed-c7ef-4462-a02b-9cf7232b27b8) - added a new Low alert
    • Unsigned and unpopular process performed an injection - Multi Severity (6bcd74bb-6301-4f52-9a9f-1b38e6a54342) - added a new Low alert
  • Improved logic of 5 Low Analytics BIOCs:
    • Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - improved logic of a Low Analytics BIOC
    • Rare security product signed executable executed in the network (f9e9ff14-df6e-4ed4-a15d-326bd444199b) - improved logic of a Low Analytics BIOC
    • Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - improved logic of a Low Analytics BIOC
    • Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - improved logic of a Low Analytics BIOC
    • UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - improved logic of a Low Analytics BIOC
  • Changed metadata of 2 Low Analytics BIOCs:
    • SUID/GUID permission discovery (3f90bf2c-05bb-4916-8e70-3fe7a81ea23d) - changed metadata of a Low Analytics BIOC
    • Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
  • Improved logic of 5 Low Analytics Alerts:
    • Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alert
    • Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alert
    • Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - improved logic of a Low Analytics Alert
    • Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alert
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alert
  • Changed metadata of 2 Low Analytics Alerts:
    • Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - changed metadata of a Low Analytics Alert
    • Possible external RDP Brute-Force (f774f787-6763-4f3c-bc24-46d3183d26fe) - changed metadata of a Low Analytics Alert
  • Decreased the severity to Informational for a BIOC:
    • Permission groups discovery via ldapsearch (c72123f7-2612-4797-a919-3ab9511fd5e6) - decreased the severity to Informational
  • Added 4 new Informational Analytics BIOCs:
    • VPN login by a service account (5430df85-d0ff-4b41-8683-6ad6bed1b657) - added a new Informational alert
    • Signed process performed an unpopular DLL injection - Multi Severity (9e699960-30e7-4b6e-bb71-30cdbf635307) - added a new Informational alert
    • Signed process performed an unpopular injection - Multi Severity (365bfca2-a3e1-4a44-9487-1353903a6c61) - added a new Informational alert
    • VPN login with a machine account (9818431a-c039-49eb-a93c-8731c7f48fec) - added a new Informational alert
  • Improved logic of 5 Informational Analytics BIOCs:
    • Rare AppID usage for port to rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOC
    • Uncommon GetClipboardData API function invocation of a possible information stealer (086617b1-eaea-4b50-9712-318faeb71c10) - improved logic of an Informational Analytics BIOC
    • Recurring access to rare domain categorized as malicious (8c2e83de-5071-4b38-8153-f130e6eee885) - improved logic of an Informational Analytics BIOC
    • Possible use of a networking driver for network sniffing (335fb03a-3c85-4029-8033-ec575b3479ae) - improved logic of an Informational Analytics BIOC
    • A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - improved logic of an Informational Analytics BIOC
  • Changed metadata of 8 Informational Analytics BIOCs:
    • C2 from contextual causality signal (f53f53ae-4ccc-11ea-9102-88e9fe502c1f) - changed metadata of an Informational Analytics BIOC
    • WebDAV drive mounted from net.exe over HTTPS (233491ca-e954-11e9-90bd-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOC
    • Suspicious External RDP Login (1d94db42-4371-4b62-8218-c5b338fe6e02) - changed metadata of an Informational Analytics BIOC
    • First session from external IP to vCenter (4ad03760-f701-4f40-b01f-d1ddefda4002) - changed metadata of an Informational Analytics BIOC
    • Commonly abused AutoIT script drops an executable file to disk (267a6168-f45b-4274-9c78-7519395f47d4) - changed metadata of an Informational Analytics BIOC
    • Rare SMTP/S Session (4a634ad4-e954-11e9-b86b-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOC
    • A remote service was created via RPC over SMB (f33c6ecc-cb20-4f2a-8bf8-869d21f18b0e) - changed metadata of an Informational Analytics BIOC
    • Suspicious remote execution from a vCenter server (6213c66f-e269-4d16-9db7-86015b5a2f4d) - changed metadata of an Informational Analytics BIOC
  • Added a new Informational Analytics Alert:
    • Port Scan with partial connections (ab93cb66-1d50-4f1f-a840-15d9d7d232b8) - added a new Informational alert
  • Changed metadata of 6 Informational Analytics Alerts:
    • Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - changed metadata of an Informational Analytics Alert
    • Interactive local account enumeration (d4608074-aafc-49cc-aa04-292c0a87332e) - changed metadata of an Informational Analytics Alert
    • Random-Looking Domain Names v2 (3db83477-0c4d-44ac-bc64-dbfe50c845c4) - changed metadata of an Informational Analytics Alert
    • Weakly-Encrypted Kerberos Ticket Requested v2 (4afa8fa6-281e-4c81-a10e-b61d7de11cc6) - changed metadata of an Informational Analytics Alert
    • Brute-force attempt on a local account (417dab31-55ab-4311-8ed7-29373fed752d) - changed metadata of an Informational Analytics Alert
    • A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - changed metadata of an Informational Analytics Alert

November 21, 2021 Release:

  • Improved logic of 2 High Analytics BIOCs:
    • Cloud compute remote command execution (8874d560-5469-413b-bb9c-07a870f478db) - improved logic of a High Analytics BIOC
    • Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOC
  • Improved logic of 6 Medium Analytics BIOCs:
    • Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOC
    • Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - improved logic of a Medium Analytics BIOC
    • External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - improved logic of a Medium Analytics BIOC
    • Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
    • LDAP search query from an unpopular and unsigned process (64472a41-9670-4626-8926-98b713328ddf) - improved logic of a Medium Analytics BIOC
    • Non-browser failed access to a pastebin-like site (be47eb8c-3407-46d6-ad35-2961f3f669b0) - improved logic of a Medium Analytics BIOC
  • Improved logic of 2 Medium Analytics Alerts:
    • An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - improved logic of a Medium Analytics Alert
    • Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of a Medium Analytics Alert
  • Increased the severity to Low for an Analytics BIOC:
    • Suspicious LDAP search query executed (95ffd373-d208-4fae-8d1e-adfeca7b9fb5) - increased the severity to Low, and improved detection logic
  • Improved logic of 13 Low Analytics BIOCs:
    • Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - improved logic of a Low Analytics BIOC
    • GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - improved logic of a Low Analytics BIOC
    • AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - improved logic of a Low Analytics BIOC
    • Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - improved logic of a Low Analytics BIOC
    • Remote DCOM command execution (e5e3c27a-a0c5-49b7-8143-5012d1180d2c) - improved logic of a Low Analytics BIOC
    • An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - improved logic of a Low Analytics BIOC
    • Suspicious access to shadow file (e4b279f9-3e47-4906-a9d3-4b2a7550da04) - improved logic of a Low Analytics BIOC
    • Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - improved logic of a Low Analytics BIOC
    • Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - improved logic of a Low Analytics BIOC
    • AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - improved logic of a Low Analytics BIOC
    • AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - improved logic of a Low Analytics BIOC
    • AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - improved logic of a Low Analytics BIOC
    • Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - improved logic of a Low Analytics BIOC
  • Increased the severity to Low for an Analytics Alert:
    • Suspicious reconnaissance using LDAP (72a78521-6907-40c0-90da-5c1a733a8ed6) - increased the severity to Low, and improved detection logic
  • Improved logic of 2 Low Analytics Alerts:
    • IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alert
    • Cloud identity performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of a Low Analytics Alert
  • Added 3 new Informational Analytics BIOCs:
    • First VPN access from ASN in organization (4f94ffc0-6f8c-411b-a0ca-e0fb65ee8a5b) - added a new Informational alert
    • VPN access with a new operating system for a user (0973136b-a66a-4ad1-ad9c-068971bfcbb8) - added a new Informational alert
    • First VPN access from a country in organization (e143bc60-67d0-45e8-b0cb-682ecf82a04d) - added a new Informational alert
  • Improved logic of 70 Informational Analytics BIOCs
  • Changed metadata of 2 Informational Analytics BIOCs:
    • DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - changed metadata of an Informational Analytics BIOC
    • Screensaver process executed from Users or temporary folder (463d34d4-d448-40f2-8093-6ce58cf2bdbb) - changed metadata of an Informational Analytics BIOC
  • Added a new Informational Analytics Alert:
    • Possible LDAP enumeration by unsigned process-multi severity (85c187ec-80d1-464e-ab1e-a9aa5af7f191) - added a new Informational alert
  • Improved logic of 2 Informational Analytics Alerts:
    • Multiple suspicious user accounts were created (b60687dc-f312-11eb-9f0a-faffc26aac4a) - improved logic of an Informational Analytics Alert
    • Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of an Informational Analytics Alert

November 15, 2021 Release:

  • Improved logic of 2 High Analytics BIOCs:
    • Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOCs
    • Cloud compute remote command execution (8874d560-5469-413b-bb9c-07a870f478db) - improved logic of a High Analytics BIOCs
  • Improved logic of a Medium BIOC:
    • Office process spawned with suspicious command-line arguments (29f7499b-2464-479d-9e49-10911bc02945) - improved logic of a Medium BIOC
  • Improved logic of 3 Medium Analytics BIOCs:
    • External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - improved logic of a Medium Analytics BIOCs
    • Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOCs
    • Suspicious Encrypting File System Remote call (EFSRPC) to domain controller (82a37634-c112-4dd9-8c16-332855d96c30) - improved logic of a Medium Analytics BIOCs
  • Improved logic of 4 Medium Analytics Alerts:
    • Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alerts
    • An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - improved logic of a Medium Analytics Alerts
    • Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) - improved logic of a Medium Analytics Alerts
    • Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of a Medium Analytics Alerts
  • Increased the severity to Low for an Analytics BIOC:
    • Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - increased the severity to Low, and improved detection logic
  • Improved logic of 12 Low Analytics BIOCs:
    • UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - improved logic of a Low Analytics BIOCs
    • Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - improved logic of a Low Analytics BIOCs
    • AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - improved logic of a Low Analytics BIOCs
    • Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - improved logic of a Low Analytics BIOCs
    • AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - improved logic of a Low Analytics BIOCs
    • Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - improved logic of a Low Analytics BIOCs
    • AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - improved logic of a Low Analytics BIOCs
    • Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - improved logic of a Low Analytics BIOCs
    • AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - improved logic of a Low Analytics BIOCs
    • Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - improved logic of a Low Analytics BIOCs
    • An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - improved logic of a Low Analytics BIOCs
    • GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - improved logic of a Low Analytics BIOCs
  • Improved logic of 5 Low Analytics Alerts:
    • IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alerts
    • Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts
    • Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alerts
    • Cloud identity performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of a Low Analytics Alerts
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts
  • Decreased the severity to Informational for an Analytics BIOC:
    • Possible use of a networking driver for network sniffing (335fb03a-3c85-4029-8033-ec575b3479ae) - decreased the severity to Informational, and improved detection logic
  • Added 6 new Informational Analytics BIOCs:
    • A disabled user attempted to log in to a VPN (2a092ebe-ed9a-4eaa-bdcc-4b378c4ce4d7) - added a new Informational alert
    • MSI accessed a web page running a server-side script (afb57884-36f1-4127-b1ac-43009c32899b) - added a new Informational alert
    • DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - added a new Informational alert
    • First VPN access from ASN for user (a8a4d03b-d016-4e67-a497-c0388e08adc7) - added a new Informational alert
    • A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) - added a new Informational alert
    • Executable created to disk by lsass.exe (b2f18102-e247-4986-8681-029741ebbfd5) - added a new Informational alert
  • Improved logic of 68 Informational Analytics BIOCs
  • Added a new Informational Analytics Alert:
    • Brute-force attempt on a local account (417dab31-55ab-4311-8ed7-29373fed752d) - added a new Informational alert
  • Improved logic of 2 Informational Analytics Alerts:
    • Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of an Informational Analytics Alerts
    • Random-Looking Domain Names v2 (3db83477-0c4d-44ac-bc64-dbfe50c845c4) - improved logic of an Informational Analytics Alerts

November 07, 2021 Release:

  • Increased the severity to Medium for an Analytics BIOC:
    • Uncommon SetWindowsHookEx API invocation of a possible keylogger (09cf18c8-e607-44f4-bb06-1dfde6163839) - increased the severity to Medium, and improved detection logic
  • Improved logic of a Medium Analytics BIOC:
    • Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOC
  • Improved logic of 2 Medium Analytics Alerts:
    • New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Medium Analytics Alerts
    • Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) - improved logic of a Medium Analytics Alerts
  • Added a new Low Analytics BIOC:
    • Suspicious access to shadow file (e4b279f9-3e47-4906-a9d3-4b2a7550da04) - added a new Low alert
  • Improved logic of 2 Low Analytics BIOCs:
    • Uncommon Security Support Provider (SSP) registered via a registry key (3d1283d0-409c-4d95-8995-dcc7b1ab23e1) - improved logic of a Low Analytics BIOCs
    • Rare SSH Session (85f62ab8-e953-11e9-beca-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs
  • Improved logic of a Low Analytics Alert:
    • Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alert
  • Added 2 new Informational Analytics BIOCs:
    • Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - added a new Informational alert
    • Hiding a user as a computer account (eeb7b678-3c9b-11ec-879d-acde48001122) - added a new Informational alert
  • Improved logic of 3 Informational Analytics BIOCs:
    • Rare AppID usage for port to rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs
    • Rare SMTP/S Session (4a634ad4-e954-11e9-b86b-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs
    • Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs

October 31, 2021 Release:

  • Improved logic of 2 High Analytics BIOCs:
    • A Successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - improved logic of a High Analytics BIOCs
    • A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - improved logic of a High Analytics BIOCs
  • Added a new Medium Analytics BIOC:
    • Possible Microsoft process masquerading (e0a99ea0-977d-4646-b9d9-26e9e7a4341c) - added a new Medium alert
  • Changed metadata of 2 Medium Analytics BIOCs:
    • Possible new DHCP server (e5afa116-5041-4ed9-9d0c-18eaac133173) - changed metadata of a Medium Analytics BIOCs
    • Execution of the Hydra Linux password brute-force tool (90010a1e-59b9-42a2-b768-2778a666f7a3) - changed metadata of a Medium Analytics BIOCs
  • Improved logic of 9 Low Analytics BIOCs:
    • SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - improved logic of a Low Analytics BIOCs
    • SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of a Low Analytics BIOCs
    • First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of a Low Analytics BIOCs
    • Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - improved logic of a Low Analytics BIOCs
    • Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - improved logic of a Low Analytics BIOCs
    • SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - improved logic of a Low Analytics BIOCs
    • Elevation to SYSTEM via services (a1962f05-c1da-4765-8e4a-59729c70dde0) - improved logic of a Low Analytics BIOCs
    • A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - improved logic of a Low Analytics BIOCs
    • Rare Unsigned Process Spawned by Office Process Under Suspicious Directory (dff03970-bf7a-11ea-86c7-acde48001122) - improved logic of a Low Analytics BIOCs
  • Improved logic of 2 Low Analytics Alerts:
    • Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alerts
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts
  • Changed metadata of a Low Analytics Alert:
    • NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - changed metadata of a Low Analytics Alert
  • Decreased the severity to Informational for a BIOC:
    • Kernel modules loaded via command-line tool (49dbb669-e1f4-4ca7-a7e4-36478b780e74) - decreased the severity to Informational
  • Added a new Informational BIOC:
    • An executable compiled with a py2exe-like program was executed (5a1516d6-9082-4c19-8c03-8c70ddc5ce7f) - added a new Informational alert
  • Improved logic of an Informational BIOC:
    • WinPmem Forensics Tool (b66e6a72-09fd-42ad-98fe-a866907c593f) - improved logic of an Informational BIOC
  • Removed an old Informational BIOC:
    • Execution of a password brute-force tool (5271e598-1eca-4abb-8f96-803e7674ff61) - removed an old Informational alert
  • Decreased the severity to Informational for an Analytics BIOC:
    • Administrator groups enumerated via LDAP (ab78c189-98f0-4646-b67b-0ce05576ddbf) - decreased the severity to Informational
  • Added 5 new Informational Analytics BIOCs:
    • New process created via a WMI call (6d726469-71ac-4741-9b41-abd75259ff74) - added a new Informational alert
    • Suspicious process accessed certificate files (21df20db-09cb-4bc4-b7ea-c6b1cb2e9667) - added a new Informational alert
    • Rare signature signed executable executed in the network (c3ce1512-5a5b-4dca-8bd7-0d06845311ee) - added a new Informational alert
    • PowerShell pfx certificate extraction (1195bbe0-884c-4f4c-b1cf-4c8288cbeffc) - added a new Informational alert
    • Rare AppID usage for port to rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - added a new Informational alert
  • Improved logic of 3 Informational Analytics BIOCs:
    • First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOCs
    • Ping to localhost from an uncommon, unsigned parent process (91d8831e-18ed-48b3-a316-f5091d647738) - improved logic of an Informational Analytics BIOCs
    • SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - improved logic of an Informational Analytics BIOCs
  • Decreased the severity to Informational for an Analytics Alert:
    • Possible LDAP enumeration by unsigned process (12540bdc-b34f-4190-880b-40cb1cda0618) - decreased the severity to Informational
  • Added a new Informational Analytics Alert:
    • Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - added a new Informational alert

October 24, 2021 Release:

  • Improved logic of 2 High Analytics BIOCs:
    • Cloud compute remote command execution (8874d560-5469-413b-bb9c-07a870f478db) - improved logic of a High Analytics BIOCs
    • Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOCs
  • Improved logic of 2 Medium Analytics BIOCs:
    • Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOCs
    • External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - improved logic of a Medium Analytics BIOCs
  • Increased the severity to Medium for an Analytics Alert:
    • Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - increased the severity to Medium, and improved detection logic
  • Improved logic of a Medium Analytics Alert:
    • An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - improved logic of a Medium Analytics Alert
  • Added 4 new Low Analytics BIOCs:
    • Certutil pfx parsing (3719af79-bdde-4c84-9277-cbf41c86cd39) - added a new Low alert
    • Possible use of a networking driver for network sniffing (335fb03a-3c85-4029-8033-ec575b3479ae) - added a new Low alert
    • Elevation to SYSTEM via services (a1962f05-c1da-4765-8e4a-59729c70dde0) - added a new Low alert
    • A suspicious process enrolled for a certificate (4cbef8f8-ec99-40d1-9b8b-bfbd3cda5f4b) - added a new Low alert
  • Improved logic of 12 Low Analytics BIOCs:
    • AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - improved logic of a Low Analytics BIOCs
    • AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - improved logic of a Low Analytics BIOCs
    • GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - improved logic of a Low Analytics BIOCs
    • AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - improved logic of a Low Analytics BIOCs
    • Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - improved logic of a Low Analytics BIOCs
    • Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - improved logic of a Low Analytics BIOCs
    • Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - improved logic of a Low Analytics BIOCs
    • AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - improved logic of a Low Analytics BIOCs
    • Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - improved logic of a Low Analytics BIOCs
    • Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - improved logic of a Low Analytics BIOCs
    • An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - improved logic of a Low Analytics BIOCs
    • Interactive login by a machine account (1114b340-fc05-4ad0-925d-6c2867d2b5d9) - improved logic of a Low Analytics BIOCs
  • Added 2 new Low Analytics Alerts:
    • A user connected a new USB storage device to multiple hosts (09214199-d414-486e-bcf5-dc5034b2c424) - added a new Low alert
    • NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - added a new Low alert
  • Improved logic of 6 Low Analytics Alerts:
    • Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts
    • Cloud identity performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of a Low Analytics Alerts
    • Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of a Low Analytics Alerts
    • Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alerts
    • Possible LDAP enumeration by unsigned process (12540bdc-b34f-4190-880b-40cb1cda0618) - improved logic of a Low Analytics Alerts
    • IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alerts
  • Changed metadata of a Low Analytics Alert:
    • Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - changed metadata of a Low Analytics Alert
  • Added a new Informational BIOC:
    • Credential dumping via LaZagne (8e9e0996-eb08-48b2-a234-730c8227bbdd) - added a new Informational alert
  • Added 4 new Informational Analytics BIOCs:
    • Uncommon GetClipboardData API function invocation of a possible information stealer (086617b1-eaea-4b50-9712-318faeb71c10) - added a new Informational alert
    • A user created a pfx file for the first time (5ddac38b-51e2-48c4-9fb7-43144bc3a148) - added a new Informational alert
    • Possible Email collection using Outlook RPC (d79e5210-e386-4bb6-aff9-c33afb3ba9d6) - added a new Informational alert
    • Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - added a new Informational alert
  • Improved logic of 69 Informational Analytics BIOCs:
    • Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs
    • A user connected a new USB storage device to a host (43c2c43d-3c3c-4a16-b06c-3ad5de1fb3be) - improved logic of an Informational Analytics BIOCs
    • Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOCs
    • A cloud identity connected from a new country (19c743b0-99ca-400c-b386-bcc99d846582) - improved logic of an Informational Analytics BIOCs
    • External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - improved logic of an Informational Analytics BIOCs
    • GCP Firewall Rule creation (a84dbd23-67d0-4851-a73a-7dc7430600cf) - improved logic of an Informational Analytics BIOCs
    • GCP Pub/Sub Topic Deletion (2acac71c-6a19-4b2f-a4d3-b95fa4cab768) - improved logic of an Informational Analytics BIOCs
    • An IAM group was created (af19f0d0-1e67-4327-9528-a1dc496a548f) - improved logic of an Informational Analytics BIOCs
    • Azure Event Hub Authorization rule creation/modification (ba1fb18f-9031-4b7c-9ec3-d029f5e5ee0e) - improved logic of an Informational Analytics BIOCs
    • An AWS RDS Global Cluster Deletion (1b957d24-d4c3-11eb-9122-acde48001122) - improved logic of an Informational Analytics BIOCs
    • Azure Automation Webhook creation (c5393a54-b199-4474-a603-75b276903766) - improved logic of an Informational Analytics BIOCs
    • An Identity accessed a secret from Secret Manager (050cd586-bc43-4586-850d-162c0123ad6e) - improved logic of an Informational Analytics BIOCs
    • AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - improved logic of an Informational Analytics BIOCs
    • IAM enumeration activity executed by an IAM user Identity (037eab86-c495-11eb-8c75-acde48001122) - improved logic of an Informational Analytics BIOCs
    • GCP Storage Bucket Permissions Modification (5ed09b6c-a603-4c5d-8c63-74245e42faed) - improved logic of an Informational Analytics BIOCs
    • AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - improved logic of an Informational Analytics BIOCs
    • GCP IAM Role Deletion (e0fe91e0-6179-4a3d-9d71-95144f4ebb25) - improved logic of an Informational Analytics BIOCs
    • Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - improved logic of an Informational Analytics BIOCs
    • GCP VPC Firewall Rule Deletion (4c47ea31-a67a-4b2f-b88a-154d8aac420b) - improved logic of an Informational Analytics BIOCs
    • GCP IAM Service Account Key Deletion (7a30c221-6450-4c5a-bafc-f6633a5b7f7f) - improved logic of an Informational Analytics BIOCs
    • AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - improved logic of an Informational Analytics BIOCs
    • Azure Automation Runbook Deletion (ba481ed7-9957-489f-a29d-b78f92cc0644) - improved logic of an Informational Analytics BIOCs
    • Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - improved logic of an Informational Analytics BIOCs
    • GCP Service Account deletion (bf134ec2-a907-4f4f-a316-0b68625ff236) - improved logic of an Informational Analytics BIOCs
    • Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs
    • GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - improved logic of an Informational Analytics BIOCs
    • Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - improved logic of an Informational Analytics BIOCs
    • GCP Storage Bucket deletion (d681c6c5-41e7-4042-bd07-7f666889d59c) - improved logic of an Informational Analytics BIOCs
    • GCP Service Account Disable (ee82516d-e047-4172-a427-17e30e037706) - improved logic of an Informational Analytics BIOCs
    • Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - improved logic of an Informational Analytics BIOCs
    • GCP Storage Bucket Configuration Modification (d1ad46ca-4412-445a-a0be-17d9b29880d3) - improved logic of an Informational Analytics BIOCs
    • AWS network ACL rule creation (a04d827e-9c62-4e2e-be28-1308c695446e) - improved logic of an Informational Analytics BIOCs
    • AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - improved logic of an Informational Analytics BIOCs
    • GCP IAM Custom Role Creation (830eb74a-a6a5-4e5c-9890-0f5857408000) - improved logic of an Informational Analytics BIOCs
    • A user connected a USB storage device to a host for the first time (e3bc7997-3aec-4a0c-abc9-bdf744a34f39) - improved logic of an Informational Analytics BIOCs
    • AWS Role Trusted Entity modification (cada381e-8af6-45fa-8c3f-a4e93c4e1885) - improved logic of an Informational Analytics BIOCs
    • GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - improved logic of an Informational Analytics BIOCs
    • GCP Virtual Private Network Route Deletion (db6e96a7-a47a-4ba3-b92c-623713ba3d67) - improved logic of an Informational Analytics BIOCs
    • AWS config resource deletion (7c992418-9687-44ea-8b12-1c680bf1c901) - improved logic of an Informational Analytics BIOCs
    • GCP Service Account creation (f29b6fd5-3da3-4e40-867d-ef8c82d95116) - improved logic of an Informational Analytics BIOCs
    • First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - improved logic of an Informational Analytics BIOCs
    • Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - improved logic of an Informational Analytics BIOCs
    • AWS RDS cluster deletion (818dcc3f-c6e9-4ad5-a7ac-633cb75ebe71) - improved logic of an Informational Analytics BIOCs
    • Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - improved logic of an Informational Analytics BIOCs
    • AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - improved logic of an Informational Analytics BIOCs
    • Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - improved logic of an Informational Analytics BIOCs
    • Azure Storage Account key generated (72443a25-c783-494e-adaa-98cd96a54997) - improved logic of an Informational Analytics BIOCs
    • First cloud API call from a country in organization (575fd23b-30b1-48eb-b94c-c6ef4261e7c1) - improved logic of an Informational Analytics BIOCs
    • GCP Pub/Sub Subscription Deletion (12e3bc4a-69f6-4923-932e-0272621aa21a) - improved logic of an Informational Analytics BIOCs
    • Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - improved logic of an Informational Analytics BIOCs
    • Azure Automation Account Creation (878335a8-daf9-4380-a856-9df94a8f9e8d) - improved logic of an Informational Analytics BIOCs
    • Azure Key Vault modification (c253e0bb-f704-45c8-9abe-ad0ec9345b54) - improved logic of an Informational Analytics BIOCs
    • Azure Automation Runbook Creation/Modification (abeed5ee-9620-4c31-b751-f090b3a82c37) - improved logic of an Informational Analytics BIOCs
    • Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - improved logic of an Informational Analytics BIOCs
    • AWS user creation (242c9abb-1def-4778-ba5e-88817b4dc89f) - improved logic of an Informational Analytics BIOCs
    • MFA device was removed/deactivated from an IAM user (52d74622-2fa5-4eae-b7d0-8eb52e0caaf3) - improved logic of an Informational Analytics BIOCs
    • Azure Blob Container Access Level Modification (28efc491-b0a3-4edc-96ab-15156dec80e4) - improved logic of an Informational Analytics BIOCs
    • IAM User added to an IAM group (440b6ea7-2f9e-4ad1-8443-2586eb796298) - improved logic of an Informational Analytics BIOCs
    • Root user logged in to AWS console (447ef512-2b73-4c8e-b0f4-c85415e7659f) - improved logic of an Informational Analytics BIOCs
    • Aurora DB cluster stopped (37242e95-a845-4043-87d6-ad07edfd7c99) - improved logic of an Informational Analytics BIOCs
    • Azure virtual machine commands execution (6a069681-c378-4b9c-a2e2-0414a64cc36e) - improved logic of an Informational Analytics BIOCs
    • EC2 snapshot attribute has been modification (1c516548-f413-4117-b759-d98d5bec3ed5) - improved logic of an Informational Analytics BIOCs
    • S3 configuration deletion (68ebffe9-ce22-4453-bf44-5cd1affd67a0) - improved logic of an Informational Analytics BIOCs
    • GCP Virtual Private Cloud (VPC) Network Deletion (d9158b41-8de9-4f6d-98b0-3155d4deb092) - improved logic of an Informational Analytics BIOCs
    • AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - improved logic of an Informational Analytics BIOCs
    • GCP Firewall Rule Modification (780f6209-1829-45e2-9ab9-a22999d6ef6e) - improved logic of an Informational Analytics BIOCs
    • GCP Virtual Private Network Route Creation (00e3b67d-2ef2-4341-b017-a6183b7dd8c8) - improved logic of an Informational Analytics BIOCs
    • AWS EC2 instance exported into S3 (c6ad16c5-f2be-46de-9d3b-c44613f46d27) - improved logic of an Informational Analytics BIOCs
    • GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - improved logic of an Informational Analytics BIOCs
  • Improved logic of 3 Informational Analytics Alerts:
    • Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of an Informational Analytics Alerts
    • User collected remote shared files in an archive (de85c5aa-21e8-43d7-af13-3862f787549f) - improved logic of an Informational Analytics Alerts
    • Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - improved logic of an Informational Analytics Alerts

October 17, 2021 Release:

  • Removed an old High BIOC:
    • Netcat makes or gets connections (44bf3d02-3081-4222-814f-6d47958c502a) - removed an old High alert
  • Added a new High Analytics BIOC:
    • Netcat makes or gets connections (15d32561-c499-4772-8934-883fcd1cd75f) - added a new High alert
  • Improved logic of 2 Medium Analytics BIOCs:
    • Possible Microsoft module side-loading into Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - improved logic of a Medium Analytics BIOCs
    • LDAP search query from an unpopular and unsigned process (64472a41-9670-4626-8926-98b713328ddf) - improved logic of a Medium Analytics BIOCs
  • Added a new Low Analytics BIOC:
    • Uncommon SetWindowsHookEx API invocation of a possible keylogger (09cf18c8-e607-44f4-bb06-1dfde6163839) - added a new Low alert
  • Improved logic of a Low Analytics BIOC:
    • Administrator groups enumerated via LDAP (ab78c189-98f0-4646-b67b-0ce05576ddbf) - improved logic of a Low Analytics BIOC
  • Removed an old Low Analytics BIOC:
    • Suspicious LDAP search query executed (95ffd373-d208-4fae-8d1e-adfeca7b9fb5) - removed an old Low alert
  • Improved logic of a Low Analytics Alert:
    • Possible LDAP enumeration by unsigned process (12540bdc-b34f-4190-880b-40cb1cda0618) - improved logic of a Low Analytics Alert
  • Removed 59 old Informational BIOCs
  • Added a new Informational Analytics BIOC:
    • A LOLBIN was copied to a different location (55c8b498-1f5e-4abf-9dfc-ca8bf0bcb3b9) - added a new Informational alert

October 11, 2021 Release:

  • Added 2 new Medium Analytics BIOCs:
    • The CA policy EditFlags was queried (3c01fdf3-0cf3-49b6-b08f-b40df3c2e498) - added a new Medium alert
    • Discovery of misconfigured certificate templates using LDAP (7dbb9366-8b94-4a9f-bc18-f02fbe7b1433) - added a new Medium alert
  • Improved logic of a Medium Analytics BIOC:
    • LDAP search query from an unpopular and unsigned process (64472a41-9670-4626-8926-98b713328ddf) - improved logic of a Medium Analytics BIOC
  • Decreased the severity to Low for an Analytics BIOC:
    • Uncommon Security Support Provider (SSP) registered via a registry key (3d1283d0-409c-4d95-8995-dcc7b1ab23e1) - decreased the severity to Low, and improved detection logic
  • Improved logic of a Low Analytics BIOC:
    • Suspicious LDAP search query executed (95ffd373-d208-4fae-8d1e-adfeca7b9fb5) - improved logic of a Low Analytics BIOC
  • Improved logic of a Low Analytics Alert:
    • Possible LDAP enumeration by unsigned process (12540bdc-b34f-4190-880b-40cb1cda0618) - improved logic of a Low Analytics Alert
  • Removed an old Low Analytics Alert:
    • Suspicious reconnaissance using LDAP (72a78521-6907-40c0-90da-5c1a733a8ed6) - removed an old Low alert
  • Added a new Informational Analytics BIOC:
    • A suspicious process queried AD CS objects via LDAP (69bfcbc2-04a1-400b-9516-14c987fedb05) - added a new Informational alert
  • Improved logic of an Informational Analytics BIOC:
    • System profiling WMI query execution (cf32631b-369a-451d-91ca-d2bc5b903363) - improved logic of an Informational Analytics BIOC

October 03, 2021 Release:

  • Added 3 new High Analytics BIOCs:
    • A Successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - added a new High alert
    • A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - added a new High alert
    • A Successful login from TOR (ec9124e2-f2c3-4141-bdfa-4c707dfae296) - added a new High alert
  • Added a new High Analytics Alert:
    • Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - added a new High alert
  • Added 4 new Medium Analytics BIOCs:
    • LDAP search query from an unpopular and unsigned process (64472a41-9670-4626-8926-98b713328ddf) - added a new Medium alert
    • Possible Microsoft module side-loading into Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - added a new Medium alert
    • Uncommon Security Support Provider (SSP) registered via a registry key (3d1283d0-409c-4d95-8995-dcc7b1ab23e1) - added a new Medium alert
    • Phantom DLL Loading (69ba5103-2954-4175-87b7-3a622ec07255) - added a new Medium alert
  • Improved logic of 5 Medium Analytics BIOCs:
    • Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - improved logic of a Medium Analytics BIOCs
    • Possible new DHCP server (e5afa116-5041-4ed9-9d0c-18eaac133173) - improved logic of a Medium Analytics BIOCs
    • Non-browser failed access to a pastebin-like site (be47eb8c-3407-46d6-ad35-2961f3f669b0) - improved logic of a Medium Analytics BIOCs
    • Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - improved logic of a Medium Analytics BIOCs
    • Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOCs
  • Removed an old Medium Analytics BIOC:
    • Recurring access to rare domain categorized as malicious (8c2e83de-5071-4b38-8153-f130e6eee885) - removed an old Medium alert
  • Added a new Medium Analytics Alert:
    • New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - added a new Medium alert
  • Changed metadata of a Medium Analytics Alert:
    • An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - changed metadata of a Medium Analytics Alert
  • Added 3 new Low Analytics BIOCs:
    • Suspicious LDAP search query executed (95ffd373-d208-4fae-8d1e-adfeca7b9fb5) - added a new Low alert
    • Unsigned and unpopular process performed a DLL injection (6cbd636f-6f55-480c-872d-7611840a7f0a) - added a new Low alert
    • Unsigned and unpopular process performed an injection (30f78c0f-4f8b-4969-bb00-809cf72a3eed) - added a new Low alert
  • Improved logic of 3 Low Analytics BIOCs:
    • Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - improved logic of a Low Analytics BIOCs
    • First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of a Low Analytics BIOCs
    • Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOCs
  • Added 2 new Low Analytics Alerts:
    • Possible LDAP enumeration by unsigned process (12540bdc-b34f-4190-880b-40cb1cda0618) - added a new Low alert
    • Suspicious reconnaissance using LDAP (72a78521-6907-40c0-90da-5c1a733a8ed6) - added a new Low alert
  • Improved logic of a Low Analytics Alert:
    • Outlook files accessed by an unsigned process (ef33bda6-d0c5-48ef-95a6-e80c0f19df79) - improved logic of a Low Analytics Alert
  • Changed metadata of a Low Analytics Alert:
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alert
  • Decreased the severity to Informational for an Analytics BIOC:
    • A user connected a new USB storage device to a host (43c2c43d-3c3c-4a16-b06c-3ad5de1fb3be) - decreased the severity to Informational, and improved detection logic
  • Added a new Informational Analytics BIOC:
    • Suspicious active setup registered (8c293cef-3d98-492d-be14-7bff66877bc7) - added a new Informational alert

September 19, 2021 Release:

  • Improved logic of 2 High Analytics BIOCs:
    • Cloud compute remote command execution (8874d560-5469-413b-bb9c-07a870f478db) - improved logic of a High Analytics BIOC
    • Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOC
  • Removed an old Medium BIOC:
    • Script file added to startup-related Registry keys (1db69ccd-b068-40b1-aeec-ce987021cdfc) - removed an old Medium alert
  • Added a new Medium Analytics BIOC:
    • Script file added to startup-related Registry keys (9dee6c7b-1df0-4eb2-9db2-035f70e7c9d7) - added a new Medium alert
  • Improved logic of 2 Medium Analytics BIOCs:
    • External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - improved logic of a Medium Analytics BIOC
    • Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOC
  • Improved logic of a Medium Analytics Alert:
    • An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - improved logic of a Medium Analytics Alert
  • Improved logic of 11 Low Analytics BIOCs:
    • GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - improved logic of a Low Analytics BIOC
    • AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - improved logic of a Low Analytics BIOC
    • An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - improved logic of a Low Analytics BIOC
    • Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - improved logic of a Low Analytics BIOC
    • AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - improved logic of a Low Analytics BIOC
    • Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - improved logic of a Low Analytics BIOC
    • Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - improved logic of a Low Analytics BIOC
    • Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - improved logic of a Low Analytics BIOC
    • AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - improved logic of a Low Analytics BIOC
    • Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - improved logic of a Low Analytics BIOC
    • AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - improved logic of a Low Analytics BIOC
  • Improved logic of 3 Low Analytics Alerts:
    • IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alert
    • Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of a Low Analytics Alert
    • Cloud identity performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of a Low Analytics Alert
  • Added 2 new Informational BIOCs:
    • Unsigned process accessed a credential locker file (4f7818dc-5c6b-49db-a716-a2dd0094a424) - added a new Informational alert
    • Unsigned process accessed a Thunderbird Mail profiles folder (c9f80771-a56a-4a13-99c9-cbd4a52187ac) - added a new Informational alert
  • Improved logic of 2 Informational BIOCs:
    • Enumeration using net.exe or net1.exe (53edfa8f-b0d3-4960-9a16-98d53be6ae44) - improved logic of an Informational BIOC
    • Unsigned process reads Chromium credentials file (da3cedf6-9fd3-4e00-b2ca-9cedbd8b098a) - improved logic of an Informational BIOC
  • Decreased the severity to Informational for an Analytics BIOC:
    • Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - decreased the severity to Informational, and improved detection logic
  • Improved logic of 66 Informational Analytics BIOCs
  • Improved logic of an Informational Analytics Alert:
    • Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of an Informational Analytics Alert

August 29, 2021 Release:

  • Removed an old High BIOC:
    • Windows Event Log cleared using wevtutil.exe (938176d0-d14a-49a0-9159-6081627eba03) - removed an old High alert
  • Added 2 new High Analytics BIOCs:
    • Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - added a new High alert
    • Windows Event Log cleared using wevtutil.exe (be2210fb-9884-49e7-8078-6e59c35d925e) - added a new High alert
  • Improved logic of a High Analytics BIOC:
    • Cloud compute remote command execution (8874d560-5469-413b-bb9c-07a870f478db) - improved logic of a High Analytics BIOC
  • Added 4 new Medium Analytics BIOCs:
    • External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - added a new Medium alert
    • Possible DHCP poisoning (e5afa116-5041-4ed9-9d0c-18eaac133173) - added a new Medium alert
    • Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - added a new Medium alert
    • Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - added a new Medium alert
  • Added 2 new Medium Analytics Alerts:
    • Kerberos User Enumeration (a371b533-c9f4-11eb-879e-acde48001122) - added a new Medium alert
    • An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - added a new Medium alert
  • Removed an old Medium Analytics Alert:
    • Kerberos User Enumeration (97b4a03a-24f4-11eb-97dd-acde48001122) - removed an old Medium alert
  • Added 16 new Low Analytics BIOCs:
    • AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - added a new Low alert
    • A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - added a new Low alert
    • Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - added a new Low alert
    • Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - added a new Low alert
    • Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - added a new Low alert
    • Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - added a new Low alert
    • AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - added a new Low alert
    • Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - added a new Low alert
    • Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - added a new Low alert
    • AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - added a new Low alert
    • Administrator groups enumerated via LDAP (ab78c189-98f0-4646-b67b-0ce05576ddbf) - added a new Low alert
    • GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - added a new Low alert
    • An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - added a new Low alert
    • Wscript/Cscript loads .NET DLLs (5844326f-d597-410f-aea0-7d369029b218) - added a new Low alert
    • Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - added a new Low alert
    • AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - added a new Low alert
  • Improved logic of a Low Analytics BIOC:
    • UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - improved logic of a Low Analytics BIOC
  • Added 3 new Low Analytics Alerts:
    • Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - added a new Low alert
    • Cloud identity performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - added a new Low alert
    • IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - added a new Low alert
  • Improved logic of 4 Low Analytics Alerts:
    • Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alert
    • Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alert
    • Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - improved logic of a Low Analytics Alert
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alert
  • Added 2 new Informational BIOCs:
    • Forensics Driver Loaded (a9da7ef7-9708-4a39-b4f1-b17ebbd8b399) - added a new Informational alert
    • WinPmem Forensics Tool (b66e6a72-09fd-42ad-98fe-a866907c593f) - added a new Informational alert
  • Added 66 new Informational Analytics BIOCs:
    • AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - added a new Informational alert
    • GCP Service Account creation (f29b6fd5-3da3-4e40-867d-ef8c82d95116) - added a new Informational alert
    • GCP Virtual Private Cloud (VPC) Network Deletion (d9158b41-8de9-4f6d-98b0-3155d4deb092) - added a new Informational alert
    • AWS user creation (242c9abb-1def-4778-ba5e-88817b4dc89f) - added a new Informational alert
    • S3 configuration was deletion (68ebffe9-ce22-4453-bf44-5cd1affd67a0) - added a new Informational alert
    • An IAM group was created (af19f0d0-1e67-4327-9528-a1dc496a548f) - added a new Informational alert
    • First cloud API call from a country in organization (575fd23b-30b1-48eb-b94c-c6ef4261e7c1) - added a new Informational alert
    • GCP Storage Bucket Configuration Modification (d1ad46ca-4412-445a-a0be-17d9b29880d3) - added a new Informational alert
    • Aurora DB cluster stopped (37242e95-a845-4043-87d6-ad07edfd7c99) - added a new Informational alert
    • IAM enumeration activity executed by an IAM user Identity (037eab86-c495-11eb-8c75-acde48001122) - added a new Informational alert
    • Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - added a new Informational alert
    • An AWS RDS Global Cluster Deletion (1b957d24-d4c3-11eb-9122-acde48001122) - added a new Informational alert
    • Azure Automation Account Creation (878335a8-daf9-4380-a856-9df94a8f9e8d) - added a new Informational alert
    • GCP IAM Custom Role Creation (830eb74a-a6a5-4e5c-9890-0f5857408000) - added a new Informational alert
    • GCP Pub/Sub Topic Deletion (2acac71c-6a19-4b2f-a4d3-b95fa4cab768) - added a new Informational alert
    • AWS CloudWatch log group was deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - added a new Informational alert
    • Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - added a new Informational alert
    • Azure Automation Runbook Deletion (ba481ed7-9957-489f-a29d-b78f92cc0644) - added a new Informational alert
    • AWS CloudWatch log stream was deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - added a new Informational alert
    • Azure Event Hub Authorization rule creation/modification (ba1fb18f-9031-4b7c-9ec3-d029f5e5ee0e) - added a new Informational alert
    • GCP Service Account deletion (bf134ec2-a907-4f4f-a316-0b68625ff236) - added a new Informational alert
    • AWS RDS cluster deletion (818dcc3f-c6e9-4ad5-a7ac-633cb75ebe71) - added a new Informational alert
    • Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - added a new Informational alert
    • First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - added a new Informational alert
    • Azure Automation Webhook creation (c5393a54-b199-4474-a603-75b276903766) - added a new Informational alert
    • GCP VPC Firewall Rule Deletion (4c47ea31-a67a-4b2f-b88a-154d8aac420b) - added a new Informational alert
    • GCP Virtual Private Network Route Deletion (db6e96a7-a47a-4ba3-b92c-623713ba3d67) - added a new Informational alert
    • Root user logged in to AWS console (447ef512-2b73-4c8e-b0f4-c85415e7659f) - added a new Informational alert
    • AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - added a new Informational alert
    • GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - added a new Informational alert
    • GCP Firewall Rule creation (a84dbd23-67d0-4851-a73a-7dc7430600cf) - added a new Informational alert
    • GCP Service Account Disable (ee82516d-e047-4172-a427-17e30e037706) - added a new Informational alert
    • EC2 snapshot attribute has been modification (1c516548-f413-4117-b759-d98d5bec3ed5) - added a new Informational alert
    • Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - added a new Informational alert
    • Azure Automation Runbook Creation/Modification (abeed5ee-9620-4c31-b751-f090b3a82c37) - added a new Informational alert
    • Azure virtual machine commands execution (6a069681-c378-4b9c-a2e2-0414a64cc36e) - added a new Informational alert
    • GCP Storage Bucket Permissions Modification (5ed09b6c-a603-4c5d-8c63-74245e42faed) - added a new Informational alert
    • GCP Firewall Rule Modification (780f6209-1829-45e2-9ab9-a22999d6ef6e) - added a new Informational alert
    • Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - added a new Informational alert
    • Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - added a new Informational alert
    • Azure Blob Container Access Level Modification (28efc491-b0a3-4edc-96ab-15156dec80e4) - added a new Informational alert
    • Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - added a new Informational alert
    • AWS EC2 instance exported into S3 (c6ad16c5-f2be-46de-9d3b-c44613f46d27) - added a new Informational alert
    • GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - added a new Informational alert
    • AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - added a new Informational alert
    • AWS network ACL rule creation (a04d827e-9c62-4e2e-be28-1308c695446e) - added a new Informational alert
    • GCP Virtual Private Network Route Creation (00e3b67d-2ef2-4341-b017-a6183b7dd8c8) - added a new Informational alert
    • AWS config resource deletion (7c992418-9687-44ea-8b12-1c680bf1c901) - added a new Informational alert
    • MFA device was removed/deactivated from an IAM user (52d74622-2fa5-4eae-b7d0-8eb52e0caaf3) - added a new Informational alert
    • External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - added a new Informational alert
    • Azure Storage Account key generated (72443a25-c783-494e-adaa-98cd96a54997) - added a new Informational alert
    • An Identity accessed a secret from Secret Manager (050cd586-bc43-4586-850d-162c0123ad6e) - added a new Informational alert
    • Rare NTLM Usage by User (41374948-45f3-448a-bec2-2efe049aa69f) - added a new Informational alert
    • Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - added a new Informational alert
    • Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - added a new Informational alert
    • GCP Pub/Sub Subscription Deletion (12e3bc4a-69f6-4923-932e-0272621aa21a) - added a new Informational alert
    • AWS Role Trusted Entity modification (cada381e-8af6-45fa-8c3f-a4e93c4e1885) - added a new Informational alert
    • IAM User added to an IAM group (440b6ea7-2f9e-4ad1-8443-2586eb796298) - added a new Informational alert
    • Azure Key Vault modification (c253e0bb-f704-45c8-9abe-ad0ec9345b54) - added a new Informational alert
    • System profiling WMI query execution (cf32631b-369a-451d-91ca-d2bc5b903363) - added a new Informational alert
    • AWS IAM resource group was deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - added a new Informational alert
    • GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - added a new Informational alert
    • GCP IAM Service Account Key Deletion (7a30c221-6450-4c5a-bafc-f6633a5b7f7f) - added a new Informational alert
    • GCP IAM Role Deletion (e0fe91e0-6179-4a3d-9d71-95144f4ebb25) - added a new Informational alert
    • A cloud identity connected from a new country (19c743b0-99ca-400c-b386-bcc99d846582) - added a new Informational alert
    • GCP Storage Bucket deletion (d681c6c5-41e7-4042-bd07-7f666889d59c) - added a new Informational alert
  • Added a new Informational Analytics Alert:
    • Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - added a new Informational alert

August 23, 2021 Release:

  • Added a new High Analytics BIOC:
    • Cloud compute remote command execution (8874d560-5469-413b-bb9c-07a870f478db) - added a new High alert
  • Improved logic of 6 High Analytics BIOCs
  • Increased the severity to Medium for a BIOC:
    • Modification of logon scripts via Registry (c77e2bc0-d77a-4c54-91bc-63f0415c2821) - increased the severity to Medium
  • Removed 2 old Medium BIOCs:
    • Privilege escalation using local named pipe impersonation through DLL (d915cff3-5ce9-493f-9973-808a93ed50ad) - removed an old Medium alert
    • Privilege escalation using local named pipe impersonation (dd0ac223-8aaa-4630-988d-de39eba83d29) - removed an old Medium alert
  • Added 2 new Medium Analytics BIOCs:
    • Suspicious authentication package registered (8beb68b4-a866-494d-a768-c4c391086c66) - added a new Medium alert
    • Suspicious Encrypting File System Remote call (EFSRPC) to domain controller (82a37634-c112-4dd9-8c16-332855d96c30) - added a new Medium alert
  • Improved logic of 44 Medium Analytics BIOCs
  • Improved logic of 9 Medium Analytics Alerts
  • Decreased the severity to Low for a BIOC:
    • Microsoft Office adds a value to autostart Registry key (db0da9c7-b7b6-43ab-a53b-5854b6da9ce5) - decreased the severity to Low
  • Improved logic of 58 Low Analytics BIOCs
  • Removed an old Low Analytics BIOC:
    • External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - removed an old Low alert
  • Improved logic of 16 Low Analytics Alerts
  • Added 2 new Informational Analytics BIOCs:
    • Security tools detection attempt (502d0305-4670-49e3-b62b-2fab82bdda6e) - added a new Informational alert
    • VM Detection attempt (579c1479-a14e-4366-ab09-6bfefe0dc7f7) - added a new Informational alert
  • Improved logic of 24 Informational Analytics BIOCs
  • Improved logic of 3 Informational Analytics Alerts

August 15, 2021 Release:

  • Increased the severity to Medium for an Analytics BIOC:
    • Possible RDP session hijacking using tscon.exe (015570a8-ffce-492b-99a9-e7b83dc8e216) - increased the severity to Medium
  • Added 2 new Medium Analytics BIOCs:
    • Suspicious time provider registered (2055b591-73b7-4a69-8c88-a6d8649d1e7b) - added a new Medium alert
    • Suspicious print processor registered (cf14910d-0c56-48c7-97f2-903f3387ad6b) - added a new Medium alert
  • Improved logic of 3 Medium Analytics BIOCs:
    • Manipulation of netsh helper DLLs Registry keys (02bf3838-23d9-4a6b-a4c9-7b6691663249) - improved logic of a Medium Analytics BIOC
    • Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - improved logic of a Medium Analytics BIOC
    • Suspicious unsigned process loads a known PowerShell module (23ac9a23-8a43-4900-95e1-6cdb422dd854) - improved logic of a Medium Analytics BIOC
  • Increased the severity to Medium for an Analytics Alert:
    • New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - increased the severity to Medium
  • Removed an old Low BIOC:
    • Image File Execution Options Registry key injection by unsigned process (98430360-5b37-465e-acd6-bafa9325110c) - removed an old Low alert
  • Added 2 new Low Analytics BIOCs:
    • PowerShell Initiates a Network Connection to GitHub (8b34f70a-b84d-4d98-aa19-7ee88037e467) - added a new Low alert
    • Image File Execution Options Registry key injection by unsigned process (4588be44-8912-41c5-9a7d-6921691140db) - added a new Low alert
  • Improved logic of 5 Low Analytics BIOCs:
    • External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - improved logic of a Low Analytics BIOC
    • Unusual process accessed the PowerShell history file (c5e0c7e3-5e55-11eb-9453-acde48001122) - improved logic of a Low Analytics BIOC
    • Unsigned process creates a scheduled task via file access (f07fd364-9b51-48ec-8225-32ae98a8ffe5) - improved logic of a Low Analytics BIOC
    • Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - improved logic of a Low Analytics BIOC
    • UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - improved logic of a Low Analytics BIOC
  • Decreased the severity to Informational for a BIOC:
    • Possible data destruction via dd (c7492f51-dbb6-4973-bdd4-4b482f4c3497) - decreased the severity to Informational

August 08, 2021 Release:

  • Changed metadata of a High BIOC:
    • Kerberos service ticket request in PowerShell command (90e50124-8bf2-4631-861e-4b3e1766af5f) - changed metadata of a High BIOC
  • Improved logic of a High Analytics BIOC:
    • Unprivileged process opened a registry hive (9937ddbf-beb9-49b0-ac34-e005d53a127b) - improved logic of a High Analytics BIOC
  • Removed an old Medium BIOC:
    • Windows certificate management tool makes a network connection (0179177f-e5ec-4101-a238-c0372b239afb) - removed an old Medium alert
  • Increased the severity to Medium for 3 Analytics BIOCs:
    • WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - increased the severity to Medium, and improved detection logic
    • Scrcons.exe Rare Child Process (f62553d1-e952-11e9-81c4-8c8590c9ccd1) - increased the severity to Medium, and improved detection logic
    • PowerShell suspicious flags (4ce1b559-45b8-11ea-81bb-88e9fe502c1f) - increased the severity to Medium, and improved detection logic
  • Improved logic of 5 Medium Analytics BIOCs:
    • Microsoft Office Process Spawning a Suspicious OneLiner (aca7aaa1-4361-11ea-8fed-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
    • Execution of renamed lolbin (fdb82a70-8f9a-11ea-9918-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
    • LOLBIN connecting to a rare host (4bcc13de-20b7-11ea-a54a-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
    • LOLBIN spawned by an Office executable connected to a rare external host (0aad6094-99a3-11ea-8544-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
    • RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
  • Changed metadata of a Medium Analytics BIOC:
    • Mshta.exe launched with suspicious arguments (0b174006-3946-43b6-af3c-ab400e6c7a87) - changed metadata of a Medium Analytics BIOC
  • Improved logic of a Medium Analytics Alert:
    • NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) - improved logic of a Medium Analytics Alert
  • Changed metadata of 2 Low BIOCs:
    • Screensaver process executed from users or temporary folder (e07f68e2-27bb-46fa-97b1-a7b6b59feb16) - changed metadata of a Low BIOC
    • DLL sideloading attack using Xwizard (2b8385b9-ca83-4681-9cab-739091ee2da1) - changed metadata of a Low BIOC
  • Removed 2 old Low BIOCs:
    • MSBuild.exe makes a network connection (bb459bb4-e864-4008-a12a-10ed4df3d753) - removed an old Low alert
    • Visual Basic compiler makes unusual net connection (5ace2487-6b00-4582-a631-6e1ca419c458) - removed an old Low alert
  • Added 2 new Low Analytics BIOCs:
    • Rare communication over email ports to external email server by unsigned process (7b424216-fe61-4589-bcee-67e9e7b267be) - added a new Low alert
    • Suspicious process executed with a high integrity level (81e70ab2-b1f1-4a1c-bf94-3929f6d7e1b2) - added a new Low alert
  • Improved logic of 5 Low Analytics BIOCs:
    • LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - improved logic of a Low Analytics BIOC
    • Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - improved logic of a Low Analytics BIOC
    • Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - improved logic of a Low Analytics BIOC
    • Suspicious process execution by scheduled task (56bc5f4c-e481-41de-81e4-ec618fb1f004) - improved logic of a Low Analytics BIOC
    • Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOC
  • Improved logic of 3 Low Analytics Alerts:
    • Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alert
    • NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - improved logic of a Low Analytics Alert
    • Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of a Low Analytics Alert
  • Improved logic of an Informational BIOC:
    • Windows Registry Editor being disabled via Registry (7da63563-a9bd-46b3-9deb-4177d2645851) - improved logic of an Informational BIOC
  • Changed metadata of 5 Informational BIOCs:
    • Dllhost.exe makes network connections (d4b8bd1d-f1fb-4fde-9547-33494049c44a) - changed metadata of an Informational BIOC
    • Crash dump file created (e6cb68b9-7bb3-4be2-9b7c-d66d560e5a3b) - changed metadata of an Informational BIOC
    • Compiled HTML (help file) makes network connections (858a4ed7-36c4-4c43-9bff-d142f300035d) - changed metadata of an Informational BIOC
    • Security Support Provider (SSP) registered via a registry key (2b72b7fd-5b13-4ff1-ba5b-6b149c76f032) - changed metadata of an Informational BIOC
    • Web server process drops an executable to disk (20a37717-dd61-4fe5-a73b-80d9fb2a8862) - changed metadata of an Informational BIOC
  • Removed 2 old Informational BIOCs:
    • Service execution via sc.exe (a1c6c171-005c-403b-a60b-fb85e6ecb81a) - removed an old Informational alert
    • Manipulation of LSA 'Authentication Packages' Registry key (4f133949-205d-4abf-bbf6-4fc6e48bc6c4) - removed an old Informational alert
  • Added 4 new Informational Analytics BIOCs:
    • Commonly abused process launched as a system service (3cbd172e-6e2f-11ea-8d8e-88e9fe502c1f) - added a new Informational alert
    • Rare SMTP/S Session (4a634ad4-e954-11e9-b86b-8c8590c9ccd1) - added a new Informational alert
    • WebDAV drive mounted from net.exe over HTTPS (233491ca-e954-11e9-90bd-8c8590c9ccd1) - added a new Informational alert
    • Service execution via sc.exe (d25d07fa-015c-47a6-a6a0-15ff46020cc5) - added a new Informational alert
  • Improved logic of an Informational Analytics BIOC:
    • LDAP Traffic from NonStandard Process (5e72a7b4-39ed-4669-98ca-b2495088f653) - improved logic of an Informational Analytics BIOC

August 01, 2021 Release:

  • Increased the severity to High for 2 BIOCs:
    • Credential dumping via LaZagne (928b756c-8328-4dd8-9b41-5461d590589f) - increased the severity to High
    • Possible C2 via dnscat2 (f9127d2b-3bf1-4d30-9258-d4d4aa0ebbb0) - increased the severity to High
  • Increased the severity to Medium for 15 BIOCs:
    • Possible Firefox browser history and bookmarks collection via command-line tool (59bcaa15-6a26-49a9-b8db-4978b1148f13) - increased the severity to Medium
    • NTLM Credential dumping via RpcPing.exe (6bebf7c5-47a2-4c35-8786-6b64a27a35f5) - increased the severity to Medium
    • WptsExtensions.dll created to disk (4cde444e-aa7f-4f1a-8c75-855c3c9e50e9) - increased the severity to Medium
    • Execution of Fsociety tool pack (9a5b28a6-0a67-4386-9707-e7e4f1791c8a) - increased the severity to Medium
    • WerFault ReflectDebugger key set in Registry (e22a0cab-0e71-408c-bbbc-39bf225df5fc) - increased the severity to Medium
    • Socat/Netcat connects to TOR domain (450e1ab2-22f5-4efd-beb9-ddd81823a5b9) - increased the severity to Medium
    • Clear logs - using dd and /dev/null (d5a156a9-d203-46ca-a53a-6090b173dfe0) - increased the severity to Medium
    • Tampering with the Windows User Account Controls (UAC) configuration (8efda7b1-30fe-49c7-b2b9-9c17f43bc951) - increased the severity to Medium
    • Bypass UAC using the IsolatedCommand Registry value (888395ea-2630-404e-a30c-c1ae4e352631) - increased the severity to Medium
    • Manipulation of Winlogon 'UserInit' autostart Registry key (d6af8739-01f2-4f29-80a0-c1b05d70b874) - increased the severity to Medium
    • PowerShell dumps users and roles from Exchange server (01ac823a-d1fc-4621-8bce-cb78d1dc83a0) - increased the severity to Medium
    • Impersonation using Rubeus tool (0e6a7a3a-1059-11ea-b96d-8c8590c9ccd1) - increased the severity to Medium
    • Manipulation of the sticky keys file (7a201c2e-5b4e-478d-a504-773762bd3c90) - increased the severity to Medium
    • Suspicious printer port creation via Registry (20acf754-7deb-4732-b6f6-56bc88b618db) - increased the severity to Medium
    • DNS reconnaissance or enumeration via DNSRecon (58ee2732-5c4e-468c-a878-4a524d8d5f81) - increased the severity to Medium
  • Removed 2 old Medium BIOCs:
    • Manipulation of netsh helper DLLs Registry keys (79d203ef-e417-4c8d-87c8-776c6ec4967f) - removed an old Medium alert
    • Suspicious SearchProtocolHost.exe parent process (6e717721-732f-44e3-b826-602ae8bb6b67) - removed an old Medium alert
  • Added 2 new Medium Analytics BIOCs:
    • Suspicious SearchProtocolHost.exe parent process (86d04512-5c96-4f87-be1e-dc600e9d60f8) - added a new Medium alert
    • Manipulation of netsh helper DLLs Registry keys (02bf3838-23d9-4a6b-a4c9-7b6691663249) - added a new Medium alert
  • Improved logic of 4 Medium Analytics BIOCs:
    • Windows Installer exploitation for local privilege escalation (d6aeb50b-c3f9-4eb3-9504-636eb17f3a42) - improved logic of a Medium Analytics BIOC
    • Microsoft Office Process Spawning a Suspicious One-Liner (aca7aaa1-4361-11ea-8fed-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
    • Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - improved logic of a Medium Analytics BIOC
    • Commonly abused AutoIT script connects to an external domain (5ce79fc6-a5d3-43d1-a9ff-d8c779958cc9) - improved logic of a Medium Analytics BIOC
  • Changed metadata of 2 Medium Analytics BIOCs:
    • Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
    • SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
  • Changed metadata of a Medium Analytics Alert:
    • DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - changed metadata of a Medium Analytics Alert
  • Increased the severity to Low for 6 BIOCs:
    • Possible Oracle enumeration via tnscmd10g (2cb88b29-27c2-484b-be99-60158b575cf1) - increased the severity to Low
    • Possible Oracle enumeration via Oscanner (81714e7d-a315-11ea-baaf-acde48001122) - increased the severity to Low
    • UDP protocol scanner execution (d985da58-a4c5-4063-984b-357c80021aa1) - increased the severity to Low
    • Collecting audio via PowerShell command (b519acb0-9cda-4a5c-8b36-f8b3533f6607) - increased the severity to Low
    • Nagios enumeration (2f6f3ade-073e-11eb-9c0f-faffc26aac4a) - increased the severity to Low
    • Internet Explorer home page modification (e4cf6b6e-70cc-4b02-a82d-148e10c36f76) - increased the severity to Low
  • Removed an old Low BIOC:
    • System information discovery via psinfo.exe (9eafe6a7-b0fa-4f85-867f-8ef01412e124) - removed an old Low alert
  • Added 7 new Low Analytics BIOCs:
    • LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - added a new Low alert
    • Unsigned process creates a scheduled task via file access (f07fd364-9b51-48ec-8225-32ae98a8ffe5) - added a new Low alert
    • A WMI subscriber was created (5a1964f8-87a0-49d6-bbf2-2c1a5a5eb3e1) - added a new Low alert
    • Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - added a new Low alert
    • Suspicious runonce.exe parent process (b72692c3-9579-4547-b657-43dc4e6be816) - added a new Low alert
    • System information discovery via psinfo.exe (5347ae54-08ba-4cee-81a7-a26016928e27) - added a new Low alert
    • Possible network service discovery via command-line tool (e2e77dfb-d869-405e-ab1f-2a2477c931cc) - added a new Low alert
  • Improved logic of 4 Low Analytics BIOCs:
    • Microsoft Office process spawns a commonly abused process (e15a97e1-466c-11ea-90c6-88e9fe502c1f) - improved logic of a Low Analytics BIOC
    • Unusual process accessed the PowerShell history file (c5e0c7e3-5e55-11eb-9453-acde48001122) - improved logic of a Low Analytics BIOC
    • External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - improved logic of a Low Analytics BIOC
    • UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - improved logic of a Low Analytics BIOC
  • Removed an old Low Analytics BIOC:
    • PowerShell Initiates a Network Connection to GitHub (8b34f70a-b84d-4d98-aa19-7ee88037e467) - removed an old Low alert
  • Improved logic of a Low Analytics Alert:
    • Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alert
  • Changed metadata of a Low Analytics Alert:
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alert

July 25, 2021 Release:

  • Added a new High Analytics BIOC:
    • Unprivileged process opened a registry hive (9937ddbf-beb9-49b0-ac34-e005d53a127b) - added a new High alert
  • Removed 2 old Medium BIOCs:
    • Non-browser access to a pastebin-like site (6b394799-0a16-4d03-b8b4-e9a062965ad7) - removed an old Medium alert
    • Non-browser failed access to a pastebin-like site (c1f7607b-e56c-43ca-b072-5b266bb4133b) - removed an old Medium alert
  • Added 3 new Medium Analytics BIOCs:
    • Non-browser failed access to a pastebin-like site (be47eb8c-3407-46d6-ad35-2961f3f669b0) - added a new Medium alert
    • Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - added a new Medium alert
    • Uncommon msiexec execution of an arbitrary file from the web (8b919310-62f6-4035-b60b-ef61372947d9) - added a new Medium alert
  • Improved logic of a Medium Analytics BIOC:
    • Script Connecting to Rare External Host (86889630-e953-11e9-b74e-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
  • Added a new Low Analytics BIOC:
    • Rare security product signed executable executed in the network (f9e9ff14-df6e-4ed4-a15d-326bd444199b) - added a new Low alert
  • Improved logic of 4 Low Analytics BIOCs:
    • External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - improved logic of a Low Analytics BIOC
    • Unverified domain added to Azure AD (e4672ba4-6ba8-426c-82c1-9858f97a4221) - improved logic of a Low Analytics BIOC
    • Domain federation settings have been modified (050d189d-714a-46a0-b25d-2b295afd55b6) - improved logic of a Low Analytics BIOC
    • Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of a Low Analytics BIOC
  • Improved logic of 5 Low Analytics Alerts:
    • Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alert
    • Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - improved logic of a Low Analytics Alert
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alert
    • Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alert
    • Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alert
  • Removed an old Low Analytics Alert:
    • High Connection Rate (bce7d695-69c6-4a03-a728-0254fd22c116) - removed an old Low alert

July 19, 2021 Release:

  • Added 4 new Medium Analytics BIOCs:
    • Suspicious unsigned process loads a known PowerShell module (23ac9a23-8a43-4900-95e1-6cdb422dd854) - added a new Medium alert
    • Remote WMI process execution (65c55916-23c3-4d1e-9e3d-e839c9c4b70f) - added a new Medium alert
    • Suspicious PowerSploit's recon module (PowerView) used to search for exposed hosts (dd806bdc-9025-47ff-816a-72ee47c322a3) - added a new Medium alert
    • Suspicious PowerSploit's recon module (PowerView) net function was executed (bd95656f-6ba3-4c9d-ac06-8b0a957cf67f) - added a new Medium alert
  • Improved logic of 5 Medium Analytics BIOCs:
    • Suspicious disablement of the Windows Firewall using PowerShell commands (cb8b6ba0-12cc-4c64-81f5-75da949bea0b) - improved logic of a Medium Analytics BIOC
    • Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - improved logic of a Medium Analytics BIOC
    • Recurring access to rare domain categorized as malicious (8c2e83de-5071-4b38-8153-f130e6eee885) - improved logic of a Medium Analytics BIOC
    • Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOC
    • SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
  • Removed an old Low BIOC:
    • Bash creating network traffic (8bbc8c26-45dd-436c-9d89-98f76164daee) - removed an old Low alert
  • Increased the severity to Low for an Analytics BIOC:
    • UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - increased the severity to Low
  • Decreased the severity to Low for 2 Analytics BIOCs:
    • Network sniffing via command-line tool (4b25dcce-0ac3-4cb2-8c97-939a1077af84) - decreased the severity to Low
    • WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - decreased the severity to Low
  • Added 3 new Low Analytics BIOCs:
    • Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - added a new Low alert
    • Suspicious AMSI decode attempt (f3885db4-6be6-40b9-82c1-9858f97a4229) - added a new Low alert
    • Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet (c640fd86-9c58-4fe2-82ed-c3975866393a) - added a new Low alert
  • Improved logic of 3 Low Analytics BIOCs:
    • External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - improved logic of a Low Analytics BIOC
    • Domain federation settings have been modified (050d189d-714a-46a0-b25d-2b295afd55b6) - improved logic of a Low Analytics BIOC
    • Unverified domain added to Azure AD (e4672ba4-6ba8-426c-82c1-9858f97a4221) - improved logic of a Low Analytics BIOC
  • Added a new Low Analytics Alert:
    • Possible external RDP Brute-Force (f774f787-6763-4f3c-bc24-46d3183d26fe) - added a new Low alert
  • Improved logic of 3 Low Analytics Alerts:
    • Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of a Low Analytics Alert
    • NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - improved logic of a Low Analytics Alert
    • Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - improved logic of a Low Analytics Alert
  • Decreased the severity to Informational for a BIOC:
    • Executable copied to remote host via admin share (63181adb-96a2-441b-8367-6a1e91ef1e02) - decreased the severity to Informational
  • Added 6 new Informational BIOCs:
    • Execution privileges added to a temporary file (8d888902-486c-49a5-b675-8ba9280533b6) - added a new Informational alert
    • SELinux was set to permissive mode (e1912c54-c1a4-4091-8b1d-019c3ceac2d6) - added a new Informational alert
    • Hidden file and directory creation (84de44f2-8d06-452e-8322-e36e90cf3292) - added a new Informational alert
    • Execution from inside the /tmp directory (a4e680e8-f9e8-4c58-bd29-7616a6445505) - added a new Informational alert
    • Possible log destruction using dd command (7620b496-3804-4b00-83eb-85378033b6bd) - added a new Informational alert
    • Possible XDG autostart persistency (41eac860-a716-420e-b48a-492b3142ecb6) - added a new Informational alert
  • Improved logic of 3 Informational BIOCs:
    • Persistence using bashrc files (b6a766b5-29e7-44b2-8e68-7a4f78a5fd46) - improved logic of an Informational BIOC
    • Shell history access (735fd839-4959-4e5d-9207-fdf517b977a1) - improved logic of an Informational BIOC
    • Persistence through service registration (c69ed984-a260-4ba9-990f-bc762a4a3223) - improved logic of an Informational BIOC
  • Removed an old Informational BIOC:
    • Unsigned process loads a known PowerShell DLL (447fc1fe-4ff7-4668-a6c0-4ff929469234) - removed an old Informational alert
  • Added 9 new Informational Analytics BIOCs:
    • Hidden Attribute was added to a file using attrib.exe (5414fab8-c803-40c5-914a-a601b23acb5a) - added a new Informational alert
    • Registration of Uncommon .NET Services and/or Assemblies (df0fcd8c-637b-11ea-b635-88e9fe502c1f) - added a new Informational alert
    • Possible RDP session hijacking using tscon.exe (015570a8-ffce-492b-99a9-e7b83dc8e216) - added a new Informational alert
    • Ping to localhost from an uncommon, unsigned parent process (91d8831e-18ed-48b3-a316-f5091d647738) - added a new Informational alert
    • Uncommon RDP connection (239ae240-e954-11e9-9f0a-8c8590c9ccd1) - added a new Informational alert
    • Uncommon net localgroup execution (4adaa6ba-e954-11e9-b566-8c8590c9ccd1) - added a new Informational alert
    • Rare process spawned by srvany.exe (95b2dea2-4531-4eb4-892e-bb6422293ac9) - added a new Informational alert
    • Uncommon Managed Object Format (MOF) compiler usage (d8069d23-e953-11e9-bb13-8c8590c9ccd1) - added a new Informational alert
    • Process connecting to default Meterpreter port (9de6cf91-007d-11ea-a77c-8c8590c9ccd1) - added a new Informational alert
  • Added a new Informational Analytics Alert:
    • Uncommon multiple service stop commands (09db6c8f-189e-4e07-b94a-3fe5a188e4b0) - added a new Informational alert
  • Improved logic of an Informational Analytics Alert:
    • Multiple Rare Process Executions in Organization (3d78f74c-a8f0-11eb-923e-acde48001122) - improved logic of an Informational Analytics Alert

July 11, 2021 Release:

  • Added a new Medium Analytics BIOC:
    • Suspicious disablement of the Windows Firewall using PowerShell commands (cb8b6ba0-12cc-4c64-81f5-75da949bea0b) - added a new Medium alert
  • Increased the severity to Low for an Analytics BIOC:
    • PowerShell suspicious flags signal (4ce1b559-45b8-11ea-81bb-88e9fe502c1f) - increased the severity to Low
  • Improved logic of 3 Low Analytics BIOCs:
    • Unusual process accessed the PowerShell history file (c5e0c7e3-5e55-11eb-9453-acde48001122) - improved logic of a Low Analytics BIOC
    • First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - improved logic of a Low Analytics BIOC
    • User successfully connected from a suspicious country (2f0796a2-c33c-4437-b592-ac13f0929e7d) - improved logic of a Low Analytics BIOC
  • Improved logic of a Low Analytics Alert:
    • Impossible traveler (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alert
  • Removed an old Informational BIOC:
    • Outlook data files accessed by an unsigned process (ea7088cd-90e4-4750-b65c-61743e3c4bb3) - removed an old Informational alert
  • Improved logic of 2 Informational Analytics BIOCs:
    • User connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - improved logic of an Informational Analytics BIOC
    • User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - improved logic of an Informational Analytics BIOC

July 4, 2021 Release:

  • Improved logic of a Medium Analytics BIOC:
    • Execution of renamed lolbin (fdb82a70-8f9a-11ea-9918-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
  • Improved logic of a Medium Analytics Alert:
    • Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alert
  • Decreased the severity to Low for a BIOC:
    • Reading bash command history file (cb05480f-17d8-4138-9902-f0f9fb50b672) - decreased the severity to Low
  • Improved logic of 2 Low Analytics Alerts:
    • Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alert
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alert

June 28, 2021 Release:

  • Changed metadata of 4 High BIOCs
  • Changed metadata of 3 High Analytics BIOCs
  • Changed metadata of 5 Medium BIOCs
  • Improved logic of a Medium Analytics BIOC:
    • Recurring access to rare domain categorized as malicious (8c2e83de-5071-4b38-8153-f130e6eee885) - improved logic of a Medium Analytics BIOC
  • Changed metadata of 10 Medium Analytics BIOCs
  • Decreased the severity to Medium for an Analytics Alert:
    • Kerberos User Enumeration (97b4a03a-24f4-11eb-97dd-acde48001122) - decreased the severity to Medium, and improved detection logic
  • Changed metadata of 5 Medium Analytics Alerts
  • Changed metadata of 3 Low BIOCs
  • Added a new Low Analytics BIOC:
    • External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - added a new Low alert
  • Changed metadata of 12 Low Analytics BIOCs
  • Changed metadata of 8 Low Analytics Alerts
  • Added 7 new Informational BIOCs:
    • Log deletion using the truncate command (1afe4c22-2163-45ad-a90a-f130eaed6ff2) - added a new Informational alert
    • Log deletion in known log file directories (4c91da94-296f-49c3-9e3d-4f040269391e) - added a new Informational alert
    • Clear logs - using dd and /dev/null (d5a156a9-d203-46ca-a53a-6090b173dfe0) - added a new Informational alert
    • Clearing logs by executing cat /dev/null (787aa313-7ef6-40a9-a68c-bdcc9610c35f) - added a new Informational alert
    • Clearing logs by copying /dev/null to a log file (62affbe1-1c47-4dc1-88d2-bd701e9be6d7) - added a new Informational alert
    • Installation of networking security tools (45818abb-9462-4074-ae83-fd56f715ef11) - added a new Informational alert
    • Network Packet Capture - tshark\tcpdump (9e72d135-0782-48dd-8b4f-da2dd4d1599f) - added a new Informational alert
  • Changed metadata of 20 Informational BIOCs
  • Changed metadata of 4 Informational Analytics BIOCs
  • Changed metadata of an Informational Analytics Alert

June 20, 2021 Release:

  • Changed metadata of a High Analytics BIOC:
    • Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) - changed metadata of a High Analytics BIOC
  • Changed metadata of a Medium BIOC:
    • Executable created to disk by lsass.exe (8d61c71e-3224-453f-aa1a-28de92d85b13) - changed metadata of a Medium BIOC
  • Added a new Medium Analytics BIOC:
    • Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - added a new Medium alert
  • Improved logic of 2 Medium Analytics BIOCs:
    • SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
    • Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
  • Changed metadata of a Medium Analytics BIOC:
    • Windows Installer exploitation for local privilege escalation (d6aeb50b-c3f9-4eb3-9504-636eb17f3a42) - changed metadata of a Medium Analytics BIOC
  • Changed metadata of a Medium Analytics Alert:
    • Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - changed metadata of a Medium Analytics Alert
  • Improved logic of a Low BIOC:
    • Executable copied to remote host via admin share (63181adb-96a2-441b-8367-6a1e91ef1e02) - improved logic of a Low BIOC
  • Changed metadata of a Low BIOC:
    • Tampering with the Windows System Restore configuration (710b1aaa-cfdf-42b5-9615-447cedc5e5f0) - changed metadata of a Low BIOC
  • Improved logic of a Low Analytics BIOC:
    • Unusual process accessed the PowerShell history file (c5e0c7e3-5e55-11eb-9453-acde48001122) - improved logic of a Low Analytics BIOC
  • Changed metadata of a Low Analytics BIOC:
    • Remote service start from an uncommon source (972072a7-9f23-4354-824d-7295de90e804) - changed metadata of a Low Analytics BIOC
  • Changed metadata of 3 Informational BIOCs:
    • Manipulation of default file association configuration (9ac339af-aa0c-4fac-8117-33d4b4123ee3) - changed metadata of an Informational BIOC
    • Commonly-abused host process tried to kill a running process (393c5b71-2b2f-4290-be33-752015973161) - changed metadata of an Informational BIOC
    • Windows process masquerading by an unsigned process (a39a60db-05a6-4b77-ab09-6bd8852e1b1d) - changed metadata of an Informational BIOC
  • Added a new Informational Analytics BIOC:
    • UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - added a new Informational alert
  • Removed an old Informational Analytics BIOC:
    • Uncommon msiexec execution of an arbitrary file from the web (8b919310-62f6-4035-b60b-ef61372947d9) - removed an old Informational alert

June 13, 2021 Release:

  • Improved logic of a Medium BIOC:
    • Non-browser access to a pastebin-like site (6b394799-0a16-4d03-b8b4-e9a062965ad7) - improved logic of a Medium BIOC
  • Changed metadata of a Medium BIOC:
    • User added to local administrator group using a PowerShell command (7135da01-046f-452b-99d3-974795aca8c6) - changed metadata of a Medium BIOC
  • Improved logic of 2 Medium Analytics BIOCs:
    • Recurring access to rare domain categorized as malicious (8c2e83de-5071-4b38-8153-f130e6eee885) - improved logic of a Medium Analytics BIOC
    • Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOC
  • Changed metadata of a Medium Analytics Alert:
    • DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - changed metadata of a Medium Analytics Alert
  • Changed metadata of a Low BIOC:
    • Remote command executed from a Linux host (e311896f-8299-4041-abd9-05db740f0ecd) - changed metadata of a Low BIOC
  • Improved logic of 2 Low Analytics BIOCs:
    • Suspicious process execution by scheduled task (56bc5f4c-e481-41de-81e4-ec618fb1f004) - improved logic of a Low Analytics BIOC
    • Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOC
  • Improved logic of a Low Analytics Alert:
    • High Connection Rate (bce7d695-69c6-4a03-a728-0254fd22c116) - improved logic of a Low Analytics Alert
  • Changed metadata of 3 Informational BIOCs:
    • Unsigned process executed as a scheduled task (12766be6-50be-4cac-b6a4-6f3b5b8bd8ab) - changed metadata of an Informational BIOC
    • WMIC enumerates running processes (8b916e98-5122-4a50-a8cc-b0207d5f5c28) - changed metadata of an Informational BIOC
    • User added to local administrator group using net.exe command (8cb7771f-5f9e-4450-9a8a-fb5d6083fd05) - changed metadata of an Informational BIOC

June 06, 2021 Release:

  • Changed metadata of a High BIOC:
    • Wbadmin.exe deletes recovery files in quiet mode (24be0d84-2203-4d60-a1f0-39e4f80eee3a) - changed metadata of a High BIOC
  • Removed an old High BIOC:
    • Suspicious access to NTDS.dit (eeeee3a5-a22f-4850-8022-17684a8c5227) - removed an old High alert
  • Added a new High Analytics BIOC:
    • Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin (e7deceda-807e-4e2e-993b-e577804c5d8f) - added a new High alert
  • Changed metadata of a High Analytics Alert:
    • Kerberos User Enumeration (97b4a03a-24f4-11eb-97dd-acde48001122) - changed metadata of a High Analytics Alert
  • Changed metadata of 2 Medium BIOCs:
    • Rundll32.exe was used to run JavaScript (c9207f63-0b78-4488-9668-e24bc1b2f9d6) - changed metadata of a Medium BIOC
    • Office process spawned with suspicious command-line arguments (29f7499b-2464-479d-9e49-10911bc02945) - changed metadata of a Medium BIOC
  • Added 2 new Medium Analytics BIOCs:
    • Reverse SSH tunnel to external domain/ip (0098b910-5056-4ce9-988a-983dd0071c5a) - added a new Medium alert
    • Vulnerable driver loaded (1cc145f5-f667-4ca3-a722-79a29ed23caf) - added a new Medium alert
  • Improved logic of 2 Medium Analytics BIOCs:
    • Windows Installer exploitation for local privilege escalation (d6aeb50b-c3f9-4eb3-9504-636eb17f3a42) - improved logic of a Medium Analytics BIOC
    • SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
  • Removed an old Medium Analytics BIOC:
    • Reverse SSH tunnel to external domain/ip (1511885b-1fb5-4118-b8a9-fedd43a285c1) - removed an old Medium alert
  • Changed metadata of a Medium Analytics Alert:
    • DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - changed metadata of a Medium Analytics Alert
  • Added a new Low Analytics BIOC:
    • User successfully connected from a suspicious country (2f0796a2-c33c-4437-b592-ac13f0929e7d) - added a new Low alert
  • Improved logic of a Low Analytics BIOC:
    • Rare SSH Session (85f62ab8-e953-11e9-beca-8c8590c9ccd1) - improved logic of a Low Analytics BIOC
  • Changed metadata of a Low Analytics BIOC:
    • Wsmprovhost.exe Rare Child Process (f5b580fd-e952-11e9-91de-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
  • Improved logic of a Low Analytics Alert:
    • Impossible traveler (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alert
  • Changed metadata of a Low Analytics Alert:
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alert
  • Decreased the severity to Informational for a BIOC:
    • Base64 encoding used (e8ffb33b-f1a8-4687-9ad7-cd2654d73b4f) - decreased the severity to Informational, and improved detection logic
  • Added 5 new Informational BIOCs:
    • Reading the contents of /etc/mtab or /etc/fstab (5745ac31-522d-4d8a-b86f-b78260f6d609) - added a new Informational alert
    • Wzzip.exe execution with password protection parameters (427a5f1d-eec4-4de4-927f-58daf0a0817d) - added a new Informational alert
    • Base64 decoding using the base64 utility (1682c4a4-39ef-49ce-9cbc-cd7d08888553) - added a new Informational alert
    • 7z.exe execution with password protection parameters (edaa5d9d-9c9d-443f-bd60-f4e887d48ac9) - added a new Informational alert
    • Rar.exe execution with password protection parameters (03664565-3629-4267-91e7-a3fe7e91d4cc) - added a new Informational alert
  • Changed metadata of 5 Informational BIOCs:
    • Windows PowerShell Logging being disabled via Registry (a649172a-7c6a-4a14-8022-b8d53f9d9ad6) - changed metadata of an Informational BIOC
    • Encrypted zip archive creation (88836a02-95e6-47d1-a619-90a2de0165ff) - changed metadata of an Informational BIOC
    • Service enumeration via sc (f5ad264a-fc27-4cef-9a94-245150ace5b1) - changed metadata of an Informational BIOC
    • Enumeration of services via PowerShell (6977966b-14e9-11ea-b5d7-88e9fe502c1f) - changed metadata of an Informational BIOC
    • PowerShell calling Invoke-Expression argument (d9e32419-d8f0-4b2b-b395-6c27be156d56) - changed metadata of an Informational BIOC
  • Removed 2 old Informational BIOCs:
    • Possible network service discovery via command-line tool (d2f959f3-d463-4d73-92bf-4c3664a5d956) - removed an old Informational alert
    • Unsigned process creates a scheduled task via file access (116a3cfb-2fd3-4d99-800b-e93fe158b211) - removed an old Informational alert
  • Decreased the severity to Informational for an Analytics BIOC:
    • User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - decreased the severity to Informational
  • Improved logic of an Informational Analytics BIOC:
    • Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - improved logic of an Informational Analytics BIOC
  • Changed metadata of an Informational Analytics BIOC:
    • User connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - changed metadata of an Informational Analytics BIOC

May 30, 2021 Release:

  • Changed metadata of 11 High BIOCs
  • Improved logic of 2 High Analytics BIOCs:
    • Bronze-Bit exploit (115c6f43-ebb2-48d8-9044-9b52c0102e2f) - improved logic of a High Analytics BIOC
    • Possible DCShadow attempt (a320aa30-20c3-11ea-b525-8c8590c9ccd1) - improved logic of a High Analytics BIOC
  • Changed metadata of a High Analytics BIOC:
    • Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) - changed metadata of a High Analytics BIOC
  • Improved logic of a High Analytics Alert:
    • Kerberos User Enumeration (97b4a03a-24f4-11eb-97dd-acde48001122) - improved logic of a High Analytics Alert
  • Changed metadata of 45 Medium BIOCs
  • Increased the severity to Medium for an Analytics BIOC:
    • Uncommon net group execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) - increased the severity to Medium, and improved detection logic
  • Added 2 new Medium Analytics BIOCs:
    • Suspicious disablement of the Windows Firewall (7c28b163-4d2f-463c-97ba-5b3e7f13249b) - added a new Medium alert
    • Recurring access to rare domain categorized as malicious (8c2e83de-5071-4b38-8153-f130e6eee885) - added a new Medium alert
  • Improved logic of 12 Medium Analytics BIOCs:
    • Possible DCSync Attempt (a420aa30-20c3-11ea-b525-8c8591c0ccb0) - improved logic of a Medium Analytics BIOC
    • Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
    • SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
    • Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - improved logic of a Medium Analytics BIOC
    • RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
    • Commonly-abused AutoIT script connects to an external domain (5ce79fc6-a5d3-43d1-a9ff-d8c779958cc9) - improved logic of a Medium Analytics BIOC
    • LOLBIN connecting to a rare host (4bcc13de-20b7-11ea-a54a-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
    • Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOC
    • Script Connecting to Rare External Host (86889630-e953-11e9-b74e-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
    • LOLBIN spawned by an Office executable connected to a rare external host (0aad6094-99a3-11ea-8544-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
    • Failed Login For a Long Username With Special Characters (de8eb00f-2016-11ea-8f2b-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
    • Reverse SSH tunnel to external domain/ip (1511885b-1fb5-4118-b8a9-fedd43a285c1) - improved logic of a Medium Analytics BIOC
  • Changed metadata of 7 Medium Analytics BIOCs
  • Improved logic of 5 Medium Analytics Alerts:
    • Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - improved logic of a Medium Analytics Alert
    • Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) - improved logic of a Medium Analytics Alert
    • Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alert
    • NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) - improved logic of a Medium Analytics Alert
    • DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - improved logic of a Medium Analytics Alert
  • Changed metadata of 30 Low BIOCs
  • Removed an old Low BIOC:
    • Windows Firewall being disabled using netsh (23407a88-c820-4b42-8400-46fe6025cfe6) - removed an old Low alert
  • Increased the severity to Low for an Analytics BIOC:
    • Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - increased the severity to Low, and improved detection logic
  • Improved logic of 6 Low Analytics BIOCs:
    • Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) - improved logic of a Low Analytics BIOC
    • Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - improved logic of a Low Analytics BIOC
    • Rare SSH Session (85f62ab8-e953-11e9-beca-8c8590c9ccd1) - improved logic of a Low Analytics BIOC
    • MSBuild Makes a Rare Network Connection (633a8e38-c616-11ea-abb3-acde48001122) - improved logic of a Low Analytics BIOC
    • Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - improved logic of a Low Analytics BIOC
    • Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - improved logic of a Low Analytics BIOC
  • Changed metadata of 25 Low Analytics BIOCs
  • Improved logic of 11 Low Analytics Alerts:
    • Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - improved logic of a Low Analytics Alert
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alert
    • Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alert
    • Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - improved logic of a Low Analytics Alert
    • Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - improved logic of a Low Analytics Alert
    • High Connection Rate (bce7d695-69c6-4a03-a728-0254fd22c116) - improved logic of a Low Analytics Alert
    • New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Low Analytics Alert
    • Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - improved logic of a Low Analytics Alert
    • Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - improved logic of a Low Analytics Alert
    • Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alert
    • Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alert
  • Changed metadata of 3 Low Analytics Alerts
  • Changed metadata of 148 Informational BIOCs
  • Improved logic of an Informational Analytics BIOC:
    • Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - improved logic of an Informational Analytics BIOC
  • Changed metadata of 6 Informational Analytics BIOCs

May 12, 2021 Release:

  • Added a new Medium Analytics BIOC:
    • Windows Installer exploitation for local privilege escalation (d6aeb50b-c3f9-4eb3-9504-636eb17f3a42) - added a new Medium alert
  • Improved logic of a Medium Analytics BIOC:
    • Script Connecting to Rare External Host (86889630-e953-11e9-b74e-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
  • Improved logic of a Medium Analytics Alert:
    • Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) - improved logic of a Medium Analytics Alert
  • Changed metadata of a Medium Analytics Alert:
    • Sudoedit Brute force attempt (e1d6cdd8-845f-440b-b89e-a430eafea941) - changed metadata of a Medium Analytics Alert
  • Changed metadata of 4 Low Analytics BIOCs:
    • Suspicious RunOnce Parent Process (565f0500-ad74-11ea-abe7-acde48001122) - changed metadata of a Low Analytics BIOC
    • Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - changed metadata of a Low Analytics BIOC
    • Suspicious process execution by scheduled task (56bc5f4c-e481-41de-81e4-ec618fb1f004) - changed metadata of a Low Analytics BIOC
    • Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - changed metadata of a Low Analytics BIOC

May 10, 2021 Release:

  • Improved logic of a High BIOC:
    • Exchange process writing aspx files (c926dbe2-c56a-4d1b-bf7e-d5b759082912) - improved logic of a High BIOC
  • Changed metadata of 3 High BIOCs:
    • Memory dumping with comsvcs.dll (9873cd8b-2220-4384-a99f-712ad0ccfb45) - changed metadata of a High BIOC
    • Encoded VBScript executed (b38b98bc-e2d4-4719-b863-d9142bf8d647) - changed metadata of a High BIOC
    • Editing ld.so.preload for persistence and injection (9cb193d8-4f01-4c57-b21d-c3211e32fe5e) - changed metadata of a High BIOC
  • Removed an old High BIOC:
    • SunBurst domain access (9cd4bdd1-939a-4dce-a466-752843bf5f41) - removed an old High alert
  • Changed metadata of 2 Medium BIOCs:
    • Binary file being created to disk with a double extension (3a461861-7d8b-4a7c-8265-cb05f4fa0dd8) - changed metadata of a Medium BIOC
    • Dumping lsass.exe memory for credential extraction (cb05480f-17d8-4138-aa38-f0f9fb50b671) - changed metadata of a Medium BIOC
  • Improved logic of 5 Medium Analytics BIOCs:
    • LOLBIN connecting to a rare host (4bcc13de-20b7-11ea-a54a-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
    • Script Connecting to Rare External Host (86889630-e953-11e9-b74e-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
    • Reverse SSH tunnel to external domain/ip (1511885b-1fb5-4118-b8a9-fedd43a285c1) - improved logic of a Medium Analytics BIOC
    • LOLBIN spawned by an Office executable connected to a rare external host (0aad6094-99a3-11ea-8544-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
    • Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOC
  • Improved logic of a Low Analytics BIOC:
    • MSBuild Makes a Rare Network Connection (633a8e38-c616-11ea-abb3-acde48001122) - improved logic of a Low Analytics BIOC
  • Changed metadata of 3 Low Analytics BIOCs:
    • Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - changed metadata of a Low Analytics BIOC
    • Rare Unsigned Process Spawned by Office Process Under Suspicious Directory (dff03970-bf7a-11ea-86c7-acde48001122) - changed metadata of a Low Analytics BIOC
    • Uncommon user management via net.exe (f78dfe5e-e952-11e9-b300-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
  • Improved logic of 5 Low Analytics Alerts:
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alert
    • Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alert
    • Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - improved logic of a Low Analytics Alert
    • Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alert
    • Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - improved logic of a Low Analytics Alert
  • Changed metadata of 7 Informational BIOCs:
    • Windows PowerShell Logging being disabled via Registry (a649172a-7c6a-4a14-8022-b8d53f9d9ad6) - changed metadata of an Informational BIOC
    • Sudoers discovery (2ed43b35-f9ca-4df4-a796-c5e88da0ed3a) - changed metadata of an Informational BIOC
    • Compressed archive created using tar (e9e007db-a8a7-4ae5-b758-5cacbe0ab46e) - changed metadata of an Informational BIOC
    • Manipulation of Winlogon 'Notify' autostart Registry key (27dbcdd3-08d3-4859-ae8e-e6caef1f17ab) - changed metadata of an Informational BIOC
    • Wscript.exe connects to an external network (deef10e3-42b1-45fa-a957-9713755fa514) - changed metadata of an Informational BIOC
    • Persistence using bashrc files (b6a766b5-29e7-44b2-8e68-7a4f78a5fd46) - changed metadata of an Informational BIOC
    • Write to .bash_profile (1119d1ec-cdfb-404b-ae82-475b8fcf8ddc) - changed metadata of an Informational BIOC
  • Improved logic of an Informational Analytics BIOC:
    • Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of an Informational Analytics BIOC
  • Changed metadata of an Informational Analytics BIOC:
    • Commonly-abused AutoIT script drops an executable file to disk (267a6168-f45b-4274-9c78-7519395f47d4) - changed metadata of an Informational Analytics BIOC

April 28, 2021 Release:

  • Improved logic of a Medium BIOC:
    • Executable created to disk by lsass.exe (8d61c71e-3224-453f-aa1a-28de92d85b13) - improved logic of a Medium BIOC
  • Improved logic of a Low Analytics BIOC:
    • Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOC
  • Improved logic of 2 Low Analytics Alerts:
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alert
    • Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alert
  • Improved logic of an Informational BIOC:
    • Security Support Provider (SSP) registered via a registry key (2b72b7fd-5b13-4ff1-ba5b-6b149c76f032) - improved logic of an Informational BIOC
  • Changed metadata of an Informational BIOC:
    • Manipulation of Windows folder options (7cb8c831-ba6e-4cde-83db-3762d94cd1fa) - changed metadata of an Informational BIOC

April 18, 2021 Release:

  • Improved logic of a Medium BIOC:
    • Manipulation of netsh helper DLLs Registry keys (79d203ef-e417-4c8d-87c8-776c6ec4967f) - improved logic of a Medium BIOC
  • Added a new Medium Analytics BIOC:
    • Execution of a password brute-force tool (90010a1e-59b9-42a2-b768-2778a666f7a3) - added a new Medium alert
  • Improved logic of a Medium Analytics BIOC:
    • Failed Login For a Long Username With Special Characters (de8eb00f-2016-11ea-8f2b-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC

April 11, 2021 Release:

  • Improved logic of a High Analytics BIOC:
    • Bronze-Bit exploit (115c6f43-ebb2-48d8-9044-9b52c0102e2f) - improved logic of a High Analytics BIOC
  • Improved logic of 3 Medium Analytics BIOCs:
    • Failed Login For a Long Username With Special Characters (de8eb00f-2016-11ea-8f2b-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
    • Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
    • Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - improved logic of a Medium Analytics BIOC
  • Added a new Medium Analytics Alert:
    • Sudoedit Brute force attempt (e1d6cdd8-845f-440b-b89e-a430eafea941) - added a new Medium alert
  • Improved logic of a Medium Analytics Alert:
    • Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - improved logic of a Medium Analytics Alert
  • Improved logic of 5 Low Analytics BIOCs:
    • Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) - improved logic of a Low Analytics BIOC
    • Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - improved logic of a Low Analytics BIOC
    • Rare SSH Session (85f62ab8-e953-11e9-beca-8c8590c9ccd1) - improved logic of a Low Analytics BIOC
    • Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - improved logic of a Low Analytics BIOC
    • Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - improved logic of a Low Analytics BIOC
  • Changed metadata of a Low Analytics BIOC:
    • Suspicious RunOnce Parent Process (565f0500-ad74-11ea-abe7-acde48001122) - changed metadata of a Low Analytics BIOC
  • Improved logic of 4 Low Analytics Alerts:
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alert
    • Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - improved logic of a Low Analytics Alert
    • Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - improved logic of a Low Analytics Alert
    • Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alert
  • Added a new Informational BIOC:
    • SharpHound LDAP query (5f50bb22-588c-4d48-8600-446df59d8a51) - added a new Informational alert
  • Changed metadata of 3 Informational BIOCs:
    • Crash dump file created (e6cb68b9-7bb3-4be2-9b7c-d66d560e5a3b) - changed metadata of an Informational BIOC
    • Enumeration command executes (6958a24d-f33a-45f2-819c-b47c1e03964d) - changed metadata of an Informational BIOC
    • Enumeration command called by commonly abused CGO (e7d21bc3-3190-4b25-a2f4-20c6242b1029) - changed metadata of an Informational BIOC
  • Improved logic of an Informational Analytics BIOC:
    • Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of an Informational Analytics BIOC

April 4, 2021 Release:

  • Improved logic of a Medium Analytics Alert:
    • Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alert
  • Added a new Low Analytics BIOC:
    • Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - added a new Low alert
  • Improved logic of 2 Low Analytics BIOCs:
    • Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOC
    • Wsmprovhost.exe Rare Child Process (f5b580fd-e952-11e9-91de-8c8590c9ccd1) - improved logic of a Low Analytics BIOC
  • Improved logic of a Low Analytics Alert:
    • Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - improved logic of a Low Analytics Alert
  • Changed metadata of a Low Analytics Alert:
    • Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - changed metadata of a Low Analytics Alert
  • Improved logic of an Informational Analytics BIOC:
    • Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of an Informational Analytics BIOC

March 29, 2021 Release:

  • Decreased the severity to Medium for an Analytics BIOC:
    • Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - decreased the severity to Medium
  • Improved logic of a Medium Analytics BIOC:
    • SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
  • Improved logic of a Low Analytics BIOC:
    • Uncommon net group execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) - improved logic of a Low Analytics BIOC
  • Improved logic of 2 Low Analytics Alerts:
    • Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alert
    • Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alert
  • Improved logic of an Informational Analytics BIOC:
    • Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - improved logic of an Informational Analytics BIOC

March 22, 2021 Release:

  • Improved logic of a Medium Analytics BIOC:
    • Execution of renamed lolbin (fdb82a70-8f9a-11ea-9918-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
  • Improved logic of a Medium Analytics Alert:
    • Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) - improved logic of a Medium Analytics Alert
  • Improved logic of 5 Low Analytics Alerts:
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alert
    • Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alert
    • Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - improved logic of a Low Analytics Alert
    • Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alert
    • High Connection Rate (bce7d695-69c6-4a03-a728-0254fd22c116) - improved logic of a Low Analytics Alert
  • Removed an old Informational BIOC:
    • Network configuration discovery (d69c1be0-a351-469d-a47c-34e1f0562690) - removed an old Informational alert

March 16, 2021 Release:

  • Changed metadata of a High Analytics BIOC:
    • Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - changed metadata of a High Analytics BIOC
  • Improved logic of a Medium Analytics BIOC:
    • Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - improved logic of a Medium Analytics BIOC

March 14, 2021 Release:

  • Added a new High Analytics BIOC:
    • Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) - added a new High alert
  • Improved logic of a High Analytics BIOC:
    • Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a High Analytics BIOC
  • Removed an old Medium BIOC:
    • Network sniffing via command-line tool (4b25dcce-0ac3-4cb2-8c97-939a1077af84) - removed an old Medium alert
  • Added a new Medium Analytics BIOC:
    • Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - added a new Medium alert
  • Improved logic of 2 Medium Analytics BIOCs:
    • SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
    • Network sniffing via command-line tool (4b25dcce-0ac3-4cb2-8c97-939a1077af84) - improved logic of a Medium Analytics BIOC
  • Improved logic of a Low Analytics BIOC:
    • Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOC
  • Improved logic of an Informational Analytics BIOC:
    • Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - improved logic of an Informational Analytics BIOC

March 3, 2021 Release:

  • Added a new High BIOC:
    • Exchange process writing aspx files (c926dbe2-c56a-4d1b-bf7e-d5b759082912) - added a new High alert

February 28, 2021 Release:

  • Changed metadata of a High Analytics BIOC:
    • Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - changed metadata of a High Analytics BIOC
  • Improved logic of a Medium BIOC:
    • LOLBAS executable injects into another process (c8ad0223-2018-11ea-a080-8c8590c9ccd1) - improved logic of a Medium BIOC
  • Improved logic of a Medium Analytics BIOC:
    • LOLBIN spawned by an Office executable connected to a rare external host (0aad6094-99a3-11ea-8544-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
  • Changed metadata of 2 Medium Analytics BIOCs:
    • WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOC
    • Suspicious Process Spawned by wininit.exe (9e4ba29f-8771-4f7b-acc4-562c91740934) - changed metadata of a Medium Analytics BIOC
  • Improved logic of a Medium Analytics Alert:
    • Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alert
  • Increased the severity to Low for a BIOC:
    • Commonly-abused AutoIT script connects to a remote host (429e8b36-070c-44ae-ae6d-50f89d31261e) - increased the severity to Low
  • Improved logic of 2 Low Analytics BIOCs:
    • Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - improved logic of a Low Analytics BIOC
    • Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOC
  • Changed metadata of a Low Analytics BIOC:
    • Suspicious process execution by scheduled task (56bc5f4c-e481-41de-81e4-ec618fb1f004) - changed metadata of a Low Analytics BIOC
  • Added a new Low Analytics Alert:
    • Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - added a new Low alert

February 21, 2021 Release:

  • Added a new High Analytics BIOC:
    • Bronze-Bit exploit (115c6f43-ebb2-48d8-9044-9b52c0102e2f) - added a new High alert
  • Improved logic of a High Analytics BIOC:
    • Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a High Analytics BIOC
  • Improved logic of a Medium Analytics Alert:
    • Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alert
  • Improved logic of a Low Analytics BIOC:
    • Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOC
  • Improved logic of a Low Analytics Alert:
    • Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - improved logic of a Low Analytics Alert
  • Improved logic of an Informational BIOC:
    • Non-browser process downloads content from GitHub (75c22cca-c58a-4319-881b-1f7b917cdad2) - improved logic of an Informational BIOC
  • Improved logic of an Informational Analytics BIOC:
    • Recurring Rare IP Access (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of an Informational Analytics BIOC

 

February 14, 2021 Release:

  • Added a new Medium Analytics BIOC:
    • Reverse SSH tunnel to external domain/ip (1511885b-1fb5-4118-b8a9-fedd43a285c1) - added a new Medium alert
  • Improved logic of 2 Medium Analytics BIOCs:
    • Script Connecting to Rare External Host (86889630-e953-11e9-b74e-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
    • WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
  • Changed metadata of 2 Medium Analytics BIOCs:
    • SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
    • Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
  • Decreased the severity to Low for a BIOC:
    • Process runs from the recycle bin (98134120-eed2-4252-b6d6-d130743018c6) - decreased the severity to Low, and improved detection logic
  • Added a new Low Analytics BIOC:
    • Suspicious process execution by scheduled task (56bc5f4c-e481-41de-81e4-ec618fb1f004) - added a new Low alert
  • Improved logic of a Low Analytics BIOC:
    • Rare SSH Session (85f62ab8-e953-11e9-beca-8c8590c9ccd1) - improved logic of a Low Analytics BIOC
  • Decreased the severity to Informational for an Analytics BIOC:
    • Recurring Rare IP Access (85efd97a-e265-4498-9037-f15f6d041991) - decreased the severity to Informational
  • Improved logic of an Informational Analytics BIOC:
    • Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - improved logic of an Informational Analytics BIOC

February 07, 2021 Release:

  • Increased the severity to Medium for a BIOC:
    • Modification of NTLM restrictions in the Registry (207bde33-2c02-4aa7-ae4f-e22146b79ba6) - increased the severity to Medium
  • Removed an old Informational BIOC:
    • Commonly-abused AutoIT script drops an executable file to disk (267a6168-f45b-4274-9c78-7519395f47d4) - removed an old Informational alert
  • Added a new Informational Analytics BIOC:
    • Commonly-abused AutoIT script drops an executable file to disk (267a6168-f45b-4274-9c78-7519395f47d4) - added a new Informational alert

January 24, 2021 Release:

  • Increased the severity to High for 4 BIOCs:
    • LOLBIN created a PowerShell script file (5cbee940-dfad-11ea-b820-faffc26aac4a) - increased the severity to High, and improved detection logic
    • Editing ld.so.preload for persistence and injection (9cb193d8-4f01-4c57-b21d-c3211e32fe5e) - increased the severity to High, and improved detection logic
    • Suspicious debug file created in a temporary folder (887e00c4-ec12-4490-b9bc-0db49a010fba) - increased the severity to High, and improved detection logic
    • Suspicious executable created in .NET directory (5bc9ba00-d590-11ea-ba6f-faffc26aac4a) - increased the severity to High
  • Removed an old High BIOC:
    • Debug.bin file dropped to Temp folder (5b161cc7-20d1-11ea-bf45-8c8590c9ccd1) - removed an old High alert
  • Increased the severity to Medium for 9 BIOCs:
    • Office process creates an unusual .LNK file (fc55f1f8-f1e7-11ea-84f5-faffc26aac4a) - increased the severity to Medium
    • Autorun.inf created in root C:\ drive (43fea42c-fbca-4e68-8f4b-7956f4397671) - increased the severity to Medium
    • Rundll32.exe spawns conhost.exe (9606ea78-dbef-11ea-b978-faffc26aac4a) - increased the severity to Medium, and improved detection logic
    • Virtual Directory configuration access via PowerShell (4920f289-67f2-482a-9320-a4532ca12845) - increased the severity to Medium
    • Suspicious .NET process loads an MSBuild DLL (5ed99c87-daf2-11ea-93df-faffc26aac4a) - increased the severity to Medium, and improved detection logic
    • Possible Persistence via group policy Registry keys (21ff020b-270f-4579-90ca-9d14638d4c46) - increased the severity to Medium, and improved detection logic
    • Suspicious DLL load using Control.exe (68db2d19-082e-4703-8008-b5938298a910) - increased the severity to Medium, and improved detection logic
    • Credential Vault command-line access (e57fdcf6-5bbf-46b7-a697-83042df49c5a) - increased the severity to Medium
    • Rundll32.exe with 'main' as EntryPoint (7f5b7042-dca4-11ea-81aa-faffc26aac4a) - increased the severity to Medium
  • Added 2 new Medium Analytics BIOCs:
    • LOLBIN spawned by an Office executable connected to a rare external host (0aad6094-99a3-11ea-8544-88e9fe502c1f) - added a new Medium alert
    • Remote command execution via wmic.exe (f42fdaa8-4685-11ea-94be-88e9fe502c1f) - added a new Medium alert
  • Improved logic of 2 Medium Analytics BIOCs:
    • Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
    • SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
  • Increased the severity to Low for 7 BIOCs:
    • Suspicious .NET process spawns csc.exe (993f8e66-d59d-11ea-a6c7-faffc26aac4a) - increased the severity to Low, and improved detection logic
    • Injection into rundll32.exe (0c0a80af-06ff-4a10-b555-67e56ecbd410) - increased the severity to Low, and improved detection logic
    • System information discovery via psinfo.exe (9eafe6a7-b0fa-4f85-867f-8ef01412e124) - increased the severity to Low, and improved detection logic
    • Suspicious lock screen image file written to disk (7b6d6987-2aa8-4b85-a9d4-d7708a7d15da) - increased the severity to Low, and improved detection logic
    • Suspicious printer driver installation (f21127cf-cf34-11ea-b1bd-acde48001122) - increased the severity to Low, and improved detection logic
    • Plink/SSH reverse tunnel (d793d95c-0236-11eb-9597-faffc26aac4a) - increased the severity to Low, and improved detection logic
    • Suspicious AMSI DLL load location (f332b6ef-ac49-484c-9258-d6396650912a) - increased the severity to Low
  • Added 4 new Low Analytics BIOCs:
    • Suspicious RunOnce Parent Process (565f0500-ad74-11ea-abe7-acde48001122) - added a new Low alert
    • Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - added a new Low alert
    • Rare Unsigned Process Spawned by Office Process Under Suspicious Directory (dff03970-bf7a-11ea-86c7-acde48001122) - added a new Low alert
    • Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - added a new Low alert
  • Added 3 new Informational BIOCs:
    • Remote wmiexec execution (070094f8-87c3-47c4-92c8-82bcad12116f) - added a new Informational alert
    • Service execution via sc.exe (a1c6c171-005c-403b-a60b-fb85e6ecb81a) - added a new Informational alert
    • Security Support Provider (SSP) registered via a registry key (2b72b7fd-5b13-4ff1-ba5b-6b149c76f032) - added a new Informational alert
  • Improved logic of 4 Informational BIOCs:
    • Modification of NTLM restrictions in the Registry (207bde33-2c02-4aa7-ae4f-e22146b79ba6) - improved logic of an Informational BIOC
    • Suspicious SDB file written to disk (cb9bd832-3391-4501-8ed3-95c56a7c3d08) - improved logic of an Informational BIOC
    • Wget connection to an external network (5e1b87b5-e0db-4ff9-9901-ed73a5190322) - improved logic of an Informational BIOC
    • Print spooler set to load new DLL on boot (87bff3b7-1bdb-4e2d-8bea-36bfb0a5da11) - improved logic of an Informational BIOC
  • Added a new Informational Analytics BIOC:
    • Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - added a new Informational alert

January 18, 2021 Release:

  • Improved logic of a Medium BIOC:
    • Unsigned process injecting into a Windows system binary with no command line (0c0a801f-06ff-4a10-b555-67e5aecbd410) - improved logic of a Medium BIOC
  • Added 2 new Informational BIOCs:
    • Possible reverse SSH tunnel (7314accf-0f4a-4c08-a33c-f894fdd01e44) - added a new Informational alert
    • Gost Tunnel tool in the Command String (e88e4718-9211-4365-8700-103f86a39573) - added a new Informational alert

January 10, 2021 Release:

  • Improved logic of a Medium BIOC:
    • Unsigned process injecting into a Windows system binary with no command line (0c0a801f-06ff-4a10-b555-67e5aecbd410) - improved logic of a Medium BIOC
  • Improved logic of a Medium Analytics BIOC:
    • WmiPrvSe.exe Rare Child Process (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
  • Changed metadata of 2 Low BIOCs:
    • Accessing bash history file (cb05480f-17d8-4138-9902-f0f9fb50b671) - changed metadata of a Low BIOC
    • Accessing bash history file using bash commands (cb05480f-17d8-4138-9992-f0f9fb50b671) - changed metadata of a Low BIOC
  • Changed metadata of 4 Informational BIOCs:
    • System package enumeration (50dd2a0c-114b-11eb-a1fc-faffc26aac4a) - changed metadata of an Informational BIOC
    • Screen capture via command-line tool (593bc5d9-8bdf-482a-8d84-34b6045cf4d8) - changed metadata of an Informational BIOC
    • OS information listing via distro version file (3a85fbc4-a63f-4e0d-8c06-af22383db482) - changed metadata of an Informational BIOC
    • Collect network configuration (7b65214c-ed03-11ea-bd53-faffc26aac4a) - changed metadata of an Informational BIOC

December 29, 2020 Release:

  • Increased the severity to Medium for an Analytics Alert:
    • Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - increased the severity to Medium
  • Improved logic of a Medium Analytics Alert:
    • Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - improved logic of a Medium Analytics Alert
  • Added 2 new Low Analytics BIOCs:
    • Domain federation settings have been modified (050d189d-714a-46a0-b25d-2b295afd55b6) - added a new Low alert
    • Unverified domain added to Azure AD (e4672ba4-6ba8-426c-82c1-9858f97a4221) - added a new Low alert
  • Improved logic of a Low Analytics Alert:
    • Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - improved logic of a Low Analytics Alert
  • Changed metadata of 3 Low Analytics Alerts:
    • High Connection Rate (bce7d695-69c6-4a03-a728-0254fd22c116) - changed metadata of a Low Analytics Alert
    • New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - changed metadata of a Low Analytics Alert
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alert
  • Added 4 new Informational BIOCs:
    • Virtual Directory configuration access via PowerShell (4920f289-67f2-482a-9320-a4532ca12845) - added a new Informational alert
    • ADFind queries Active Directory for Exchange groups (f623125f-b4e5-4e47-a5be-8fa788e7bb05) - added a new Informational alert
    • PowerShell dumps users and roles from Exchange server (01ac823a-d1fc-4621-8bce-cb78d1dc83a0) - added a new Informational alert
    • Malicious NetSetupSvc.dll loaded into svchost.exe (495195f9-3947-4fc7-913b-6e84fc937730) - added a new Informational alert

December 17, 2020 Release:

  • Added 2 new High BIOCs:
    • SunBurst domain access (9cd4bdd1-939a-4dce-a466-752843bf5f41) - added a new High alert
    • SunBurst Module loaded (89308c56-40e9-43d4-8f0a-1c7f018a15d4) - added a new High alert
  • Improved logic of 2 Informational BIOCs:
    • Disabling Windows Defender via Registry (d18483d3-1e7c-48cc-b1d9-6e1ab8592667) - improved logic of an Informational BIOC
    • Ping to a known external IP address (61079392-db2f-4b7a-b7f8-b87562137f73) - improved logic of an Informational BIOC

December 13, 2020 Release:

  • Improved logic of a Medium BIOC:
    • Microsoft Office injects code into a process (17b8c759-512d-4c13-9fe4-71dcdeb97c29) - improved logic of a Medium BIOC
  • Improved logic of 2 Medium Analytics Alerts:
    • Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) - improved logic of a Medium Analytics Alert
    • DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - improved logic of a Medium Analytics Alert
  • Improved logic of 2 Low Analytics BIOCs:
    • Uncommon local scheduled task creation via schtasks.exe (8581c273-e953-11e9-b670-8c8590c9ccd1) - improved logic of a Low Analytics BIOC
    • Recurring Rare IP Access (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of a Low Analytics BIOC
  • Improved logic of 4 Low Analytics Alerts:
    • Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alert
    • Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - improved logic of a Low Analytics Alert
    • Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alert
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alert
  • Added a new Informational BIOC:
    • EventLog service disabled by a Registry operation (b7c919b6-b653-49c6-bd20-2441160ec75e) - added a new Informational alert
  • Improved logic of an Informational Analytics Alert:
    • Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of an Informational Analytics Alert
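A detection engineer reading these notes usually needs one thing from them: which detectors a team's alert routing, exclusions or playbooks reference, and whether their severity moved between releases (for instance "Recurring rare domain access to dynamic DNS domain" was a High Analytics BIOC in the March 14, 2021 release and was lowered to Medium on March 29, 2021, and "Recurring Rare IP Access" went from Low to Informational on February 14, 2021). The script below is an added example, not Palo Alto Networks code. It parses entries in the layout used on this page (release date header, then "Name (UUID) - action" lines) into a per-BIOC timeline and reports detectors whose severity changed. The sample input is a constructed excerpt copied from entries on this page; the regular expressions and the classification of actions into added / removed / severity / logic / metadata are assumptions about this layout, not a documented format.

```python
"""Build a per-detector change timeline from Cortex XDR content release notes.

Added example, not Palo Alto Networks code. SAMPLE_NOTES is a constructed
excerpt copied from entries on this page; the regexes below are assumptions
about the page's "Name (uuid) - action" layout, not a documented format.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_NOTES = """\
March 29, 2021 Release:
  • Decreased the severity to Medium for an Analytics BIOC:
    • Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - decreased the severity to Medium
  • Improved logic of a Medium Analytics BIOC:
    • SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
March 14, 2021 Release:
  • Improved logic of a High Analytics BIOC:
    • Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a High Analytics BIOC
  • Removed an old Medium BIOC:
    • Network sniffing via command-line tool (4b25dcce-0ac3-4cb2-8c97-939a1077af84) - removed an old Medium alert
February 14, 2021 Release:
  • Decreased the severity to Informational for an Analytics BIOC:
    • Recurring Rare IP Access (85efd97a-e265-4498-9037-f15f6d041991) - decreased the severity to Informational
December 13, 2020 Release:
  • Improved logic of 2 Low Analytics BIOCs:
    • Uncommon local scheduled task creation via schtasks.exe (8581c273-e953-11e9-b670-8c8590c9ccd1) - improved logic of a Low Analytics BIOC
    • Recurring Rare IP Access (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of a Low Analytics BIOC
"""

RELEASE_RE = re.compile(r"^(\w+ \d{1,2}, \d{4}) Release:")
# Entry line: bullet, name, "(uuid)", " - ", action text (assumed layout).
ENTRY_RE = re.compile(
    r"^\s*[•-]\s*(?P<name>.+?) \((?P<uuid>[0-9a-f-]{36})\) - (?P<action>.+)$")
SEV_CHANGE_RE = re.compile(r"severity to (High|Medium|Low|Informational)")
SEV_IN_ACTION_RE = re.compile(r"\b(High|Medium|Low|Informational)\b")


def parse_release_notes(text):
    """Return (date, name, uuid, kind, severity) tuples, oldest release first."""
    events, date = [], None
    for line in text.splitlines():
        m = RELEASE_RE.match(line)
        if m:
            date = datetime.strptime(m.group(1), "%B %d, %Y").date()
            continue
        m = ENTRY_RE.match(line)
        if not m or date is None:
            continue
        action = m.group("action")
        if action.startswith("added"):
            kind = "added"
        elif action.startswith("removed"):
            kind = "removed"
        elif "severity" in action:        # "decreased/increased the severity to X"
            kind = "severity"
        elif action.startswith("improved"):
            kind = "logic"
        else:
            kind = "metadata"
        # Explicit new severity wins; otherwise take the severity named in the action.
        sev = SEV_CHANGE_RE.search(action) or SEV_IN_ACTION_RE.search(action)
        events.append((date, m.group("name"), m.group("uuid"), kind,
                       sev.group(1) if sev else None))
    events.sort(key=lambda e: e[0])       # stable: keeps in-release order
    return events


def severity_timeline(events):
    """uuid -> [(date, severity), ...] in order, recording only transitions."""
    timeline = defaultdict(list)
    for date, _name, uuid, _kind, severity in events:
        if severity is None:
            continue
        prev = timeline[uuid][-1][1] if timeline[uuid] else None
        if severity != prev:
            timeline[uuid].append((date, severity))
    return dict(timeline)


def severity_changes(events):
    """uuid -> (latest name, first severity, latest severity) where it moved."""
    names = {uuid: name for _, name, uuid, _, _ in events}
    return {uuid: (names[uuid], steps[0][1], steps[-1][1])
            for uuid, steps in severity_timeline(events).items() if len(steps) > 1}


def current_state(events):
    """uuid -> (name, severity); severity is None once the detector was removed."""
    state = {}
    for _date, name, uuid, kind, severity in events:
        if kind == "removed":
            state[uuid] = (name, None)
        else:
            prev = state.get(uuid)
            state[uuid] = (name, severity or (prev[1] if prev else None))
    return state


if __name__ == "__main__":
    evs = parse_release_notes(SAMPLE_NOTES)
    for uuid, (name, old, new) in severity_changes(evs).items():
        print(f"{uuid}  {name}: {old} -> {new}")
```

Run against the full page text instead of SAMPLE_NOTES, `severity_changes` gives the list of detectors whose severity moved, and `current_state` flags detectors that were removed (such as "SunBurst domain access", added December 17, 2020 and removed May 10, 2021), both of which should be reconciled against any routing rule or exception keyed on detector name and severity.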

 

December 1, 2020 Release:

  • Improved logic of a Medium BIOC:
    • Rundll32.exe running with no command-line arguments (0c0a801a-06ff-4a10-b555-67e56ecbd410) - improved logic of a Medium BIOC
  • Improved logic of 2 Medium Analytics BIOCs:
    • SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
    • Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
  • Improved logic of a Low Analytics BIOC:
    • Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - improved logic of a Low Analytics BIOC

November 22, 2020 Release:

  • Improved logic of 3 Low Analytics MultiEvents:
    • High Connection Rate (bce7d695-69c6-4a03-a728-0254fd22c116) - improved logic of a Low Analytics MultiEvent
    • Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics MultiEvent
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics MultiEvent

November 8, 2020 Release:

  • Added a new Informational BIOC:
    • Lsmod execution (9e13baeb-f82d-11ea-a61b-faffc26aac4a) - added a new Informational alert
  • Improved logic of a Medium BIOC:
    • Script file added to startup-related Registry keys (1db69ccd-b068-40b1-aeec-ce987021cdfc) - improved logic of a Medium BIOC
  • Changed metadata of 4 High BIOCs:
    • Memory dumping with comsvcs.dll (9873cd8b-2220-4384-a99f-712ad0ccfb45) - changed metadata of a High BIOC
    • Possible LSASS memory dump (b744a41d-1ee9-4d09-908e-cf3fdc27fa4c) - changed metadata of a High BIOC
    • Pubprn.vbs signed script proxy execution (8d113cec-90be-4b24-856a-6f6c091e7510) - changed metadata of a High BIOC
    • Bitsadmin.exe used to upload data (6ba957eb-d63e-4cee-99aa-89e21ef3acc8) - changed metadata of a High BIOC
  • Changed metadata of 10 Medium BIOCs:
    • Bypass UAC using the control.exe Registry key (263c2cfb-e511-446e-8263-14d0a985b445) - changed metadata of a Medium BIOC
    • WSReset.exe UAC bypass (c07d1939-f759-4b5e-905a-fdd777ac3fda) - changed metadata of a Medium BIOC
    • Manipulation of the MonitorProcess Registry key (36a92409-c69e-45fa-a206-5c6058d3d48a) - changed metadata of a Medium BIOC
    • Possible UAC bypass via Event Viewer (55644e90-38b9-4233-aa11-eefe85561184) - changed metadata of a Medium BIOC
    • Binary file being created to disk with a double extension (3a461861-7d8b-4a7c-8265-cb05f4fa0dd8) - changed metadata of a Medium BIOC
    • Credential dumping via pwdumpx.exe (8e3f6394-1633-47c9-8ca8-63b5c0187983) - changed metadata of a Medium BIOC
    • UAC bypass using the changepk.exe Registry key (8abd3382-cf28-4906-b379-a3976dc0cd21) - changed metadata of a Medium BIOC
    • Procdump executed from an atypical directory (e8338494-20af-11ea-bbde-8c8590c9ccd1) - changed metadata of a Medium BIOC
    • Fodhelper.exe UAC bypass (448f8a2e-eaf9-4ff7-ab84-5a582e837dfc) - changed metadata of a Medium BIOC
    • Suspicious process spawns MSBuild.exe (681dab98-d443-4327-9fd3-5f5bd33a3adb) - changed metadata of a Medium BIOC
  • Changed metadata of 6 Low BIOCs:
    • Manipulation of MMC Registry configuration (6b29c2d9-4675-426c-b5f2-67f93c5c0ac4) - changed metadata of a Low BIOC
    • Windows Firewall disabled via Registry (31796d2e-08a9-4047-8f37-3a0c2aad8f67) - changed metadata of a Low BIOC
    • Windows Firewall notifications disabled via Registry (31796d2e-08a9-4047-8f37-3a0c2aa11702) - changed metadata of a Low BIOC
    • Persistence using cron jobs (3a73f6c2-ce9a-4eca-a4b5-a62a8e548319) - changed metadata of a Low BIOC
    • Bash creating network traffic (8bbc8c26-45dd-436c-9d89-98f76164daee) - changed metadata of a Low BIOC
    • Remote process execution using WMI (5bab2bb9-882a-4101-ace1-700f84171a52) - changed metadata of a Low BIOC
  • Changed metadata of 26 Informational BIOCs:
    • Editing ld.so.preload for persistence and injection (9cb193d8-4f01-4c57-b21d-c3211e32fe5e) - changed metadata of an Informational BIOC
    • Bypass UAC using the IsolatedCommand Registry value (888395ea-2630-404e-a30c-c1ae4e352631) - changed metadata of an Informational BIOC
    • Autorun.inf created in root C:\ drive (43fea42c-fbca-4e68-8f4b-7956f4397671) - changed metadata of an Informational BIOC
    • Enumeration of services via WMIC (3654c173-14e9-11ea-8723-88e9fe502c1f) - changed metadata of an Informational BIOC
    • Modification of SSH authorized keys (7f5acbc4-8574-4cd6-aeb5-411c21e38a41) - changed metadata of an Informational BIOC
    • Manipulation of service imagepath configuration (73001df6-ff14-44d5-a2ed-08804880b46c) - changed metadata of an Informational BIOC
    • Accessibility tool 'Debugger' Registry key created (47b4051d-2e74-46a5-ad41-35302a8fdef7) - changed metadata of an Informational BIOC
    • Unusual process spawned by changepk.exe (b81c79bc-3781-4657-af0d-4bc49856332b) - changed metadata of an Informational BIOC
    • Sudoers discovery (2ed43b35-f9ca-4df4-a796-c5e88da0ed3a) - changed metadata of an Informational BIOC
    • Bypassing Windows UAC using sysprep (dbefa4ae-3797-11ea-a926-f218983c2a51) - changed metadata of an Informational BIOC
    • User added to local administrator group using net.exe command (8cb7771f-5f9e-4450-9a8a-fb5d6083fd05) - changed metadata of an Informational BIOC
    • Tampering with the Windows User Account Controls (UAC) configuration (8efda7b1-30fe-49c7-b2b9-9c17f43bc951) - changed metadata of an Informational BIOC
    • PsExec attempts to execute a command on a remote host (5863cb1a-598f-49b1-b4a9-a444f70e596e) - changed metadata of an Informational BIOC
    • Manipulation of Winlogon 'Notify' autostart Registry key (27dbcdd3-08d3-4859-ae8e-e6caef1f17ab) - changed metadata of an Informational BIOC
    • WMIC enumerates running processes (8b916e98-5122-4a50-a8cc-b0207d5f5c28) - changed metadata of an Informational BIOC
    • Suspicious .NET process loads an MSBuild DLL (5ed99c87-daf2-11ea-93df-faffc26aac4a) - changed metadata of an Informational BIOC
    • Scripting engine called to run in the command line (7e274c6d-e617-4b92-b13f-f27b882932eb) - changed metadata of an Informational BIOC
    • Manipulation of permissions for the Application Event Log (6a8acb51-2331-4384-a247-a27cc9f12c84) - changed metadata of an Informational BIOC
    • MSBuild execution (7f046414-e0c3-11ea-9d8b-faffc26aac4a) - changed metadata of an Informational BIOC
    • Interactive at.exe privilege escalation method (0b41de4f-7d6e-4969-8636-56a98e2b6533) - changed metadata of an Informational BIOC
    • MacOS firewall manipulation (d445a34f-07c3-11eb-82a7-faffc26aac4a) - changed metadata of an Informational BIOC
    • Suspicious DLL load using Control.exe (68db2d19-082e-4703-8008-b5938298a910) - changed metadata of an Informational BIOC
    • PowerShell runs base64-encoded commands (50e811bd-49bc-47cb-bffc-4daf4c844d26) - changed metadata of an Informational BIOC
    • Windows Firewall policy edited via Registry (31796d2e-08a9-4047-8f37-3a0c2aa11703) - changed metadata of an Informational BIOC
    • Tampering with Windows Control Panel configuration (2ba4c53b-03de-4a34-92ec-225cfe1fe0b4) - changed metadata of an Informational BIOC
    • Collect Linux network configuration via bash (7b65214c-ed03-11ea-bd53-faffc26aac4a) - changed metadata of an Informational BIOC
  • Removed an old Low BIOC:
    • Discovery of host users via WMIC (6593c57d-14fe-11ea-9297-88e9fe502c1f) - removed an old Low alert


September 14, 2020 Release:

  • Increased the severity to medium for a BIOC rule:
    • Rundll32.exe launches an executable using ordinal numbers argument (421619b8-a26b-476a-b2e4-3c24ee33a4b0) - increased the severity to medium, and improved detection logic
  • Added 5 new informational BIOC rules:
    • Permissive file privileges were granted (1fc409f0-ec4e-11ea-829b-faffc26aac4a) - added a new informational alert
    • Modifying ELF file capabilities via setcap (55ed9751-ec6d-11ea-a1c2-faffc26aac4a) - added a new informational alert
    • Space after filename creation (5a1902e6-ec6b-11ea-843f-faffc26aac4a) - added a new informational alert
    • Collect Linux network configuration via bash (7b65214c-ed03-11ea-bd53-faffc26aac4a) - added a new informational alert
    • Write to /etc/hosts file (7cf74026-ec6a-11ea-9593-faffc26aac4a) - added a new informational alert

August 30, 2020 Release:

  • Improved detection logic for 2 medium-severity BIOC rules:
    • Windows certificate management tool makes a network connection (0179177f-e5ec-4101-a238-c0372b239afb) - improved detection logic
    • Possible network connection to a TOR relay server (996c74f1-f154-466a-8f93-154a43c6fb90) - improved detection logic
  • Improved detection logic for a low-severity BIOC rule:
    • MSBuild.exe makes a network connection (bb459bb4-e864-4008-a12a-10ed4df3d753) - improved detection logic

August 23, 2020 Release:

  • Improved detection logic for a medium-severity BIOC rule:
    • Script file added to startup-related Registry keys (1db69ccd-b068-40b1-aeec-ce987021cdfc) - changed metadata, and improved detection logic
  • Improved detection logic for a low-severity BIOC rule:
    • Image File Execution Options Registry key injection by unsigned process (98430360-5b37-465e-acd6-bafa9325110c) - changed metadata, and improved detection logic
  • Added 12 new informational BIOC rules:
    • Rundll32.exe spawns conhost.exe (9606ea78-dbef-11ea-b978-faffc26aac4a) - added a new informational alert
    • Certutil execution (ffe4d5cc-e0c2-11ea-84ba-faffc26aac4a) - added a new informational alert
    • Non-PowerShell process accessed the PowerShell history file (5ea6cb9c-dfc3-11ea-94f1-faffc26aac4a) - added a new informational alert
    • Suspicious executable created in .NET directory (5bc9ba00-d590-11ea-ba6f-faffc26aac4a) - added a new informational alert
    • Shim database registration via Registry (746eabe1-e0c3-11ea-88e5-faffc26aac4a) - added a new informational alert
    • MSBuild execution (7f046414-e0c3-11ea-9d8b-faffc26aac4a) - added a new informational alert
    • Wscript.exe execution (5b9151cc-e0c3-11ea-8c4b-faffc26aac4a) - added a new informational alert
    • LOLBIN created a PowerShell script file (5cbee940-dfad-11ea-b820-faffc26aac4a) - added a new informational alert
    • Suspicious .NET process loads an MSBuild DLL (5ed99c87-daf2-11ea-93df-faffc26aac4a) - added a new informational alert
    • Shim database file access (69db2597-e0c3-11ea-b0e2-faffc26aac4a) - added a new informational alert
    • Rundll32.exe with 'main' as EntryPoint (7f5b7042-dca4-11ea-81aa-faffc26aac4a) - added a new informational alert
    • Suspicious lock screen image file written to disk (7b6d6987-2aa8-4b85-a9d4-d7708a7d15da) - added a new informational alert
  • Decreased the severity to informational for 2 BIOC rules:
    • Possible network service discovery via command-line tool (d2f959f3-d463-4d73-92bf-4c3664a5d956) - decreased the severity to informational
    • PsExec execution EulaAccepted flag added to the Registry (076f18f5-7b94-45ec-b880-bf3827ae53de) - changed metadata, decreased the severity to informational, and improved detection logic

August 16, 2020 Release:

  • Improved detection logic for a medium-severity BIOC rule:
    • Tampering with Internet Explorer Protected Mode configuration (2875c302-c815-468d-ac43-a56bba89bfe2) - improved detection logic, and changed metadata
  • Added a new informational BIOC rule:
    • Suspicious .NET process spawns csc.exe (993f8e66-d59d-11ea-a6c7-faffc26aac4a) - added a new informational alert

August 09, 2020 Release:

  • Improved detection logic for a medium-severity BIOC rule:
    • Executable created to disk by lsass.exe (8d61c71e-3224-453f-aa1a-28de92d85b13) - improved detection logic

August 02, 2020 Release:

  • Increased the severity to high for a BIOC rule:
    • Encoded VBScript executed (b38b98bc-e2d4-4719-b863-d9142bf8d647) - changed metadata, and increased the severity to high
  • Increased the severity to medium for 2 BIOC rules:
    • Office process creates a scheduled task via file access (b97e91dc-7ca9-4e77-a595-e214eb462f27) - increased the severity to medium, and improved detection logic
    • Manipulation of the MonitorProcess Registry key (36a92409-c69e-45fa-a206-5c6058d3d48a) - changed metadata, increased the severity to medium, and improved detection logic
  • Increased the severity to low for 3 BIOC rules:
    • MSBuild.exe makes a network connection (bb459bb4-e864-4008-a12a-10ed4df3d753) - changed metadata, increased the severity to low, and improved detection logic
    • Built-in SoundRecorder tool capturing audio (d9d22a46-efbf-4d97-9e2b-625e1d6fcc91) - increased the severity to low, and improved detection logic
    • Permission groups discovery via ldapsearch (c72123f7-2612-4797-a919-3ab9511fd5e6) - changed metadata, increased the severity to low, and improved detection logic
  • Added 2 new informational BIOC rules:
    • Suspicious printer port creation via Registry (20acf754-7deb-4732-b6f6-56bc88b618db) - added a new informational alert
    • Suspicious printer driver installation (f21127cf-cf34-11ea-b1bd-acde48001122) - added a new informational alert

July 26, 2020 Release:

  • Increased the severity to high for 3 BIOC rules:
    • Memory dumping with comsvcs.dll (9873cd8b-2220-4384-a99f-712ad0ccfb45) - increased the severity to high, and changed metadata
    • Possible LSASS memory dump (b744a41d-1ee9-4d09-908e-cf3fdc27fa4c) - increased the severity to high, and improved detection logic
    • Regsvr32 may have run code from an untrusted source (41fe171e-5b79-4b15-a3c1-18f015dddd38) - increased the severity to high, changed metadata, and improved detection logic
  • Increased the severity to medium for 6 BIOC rules:
    • Windows event logs cleared using wmic.exe (7316c8d9-07d8-40aa-b074-b452bc3d355c) - increased the severity to medium, and changed metadata
    • Suspicious execution of ODBCConf (f35fb52f-f2a8-4568-b2f4-660910109efb) - increased the severity to medium
    • Suspicious certutil command line (bcf4cd6b-1e7f-4b2c-b538-24dacd1a0421) - increased the severity to medium
    • Suspicious SearchProtocolHost.exe parent process (6e717721-732f-44e3-b826-602ae8bb6b67) - increased the severity to medium, changed metadata, and improved detection logic
    • UAC bypass using the changepk.exe Registry key (8abd3382-cf28-4906-b379-a3976dc0cd21) - increased the severity to medium, and changed metadata
    • MSI accessed a web page running a server-side script (d24d3083-703e-4216-b248-eb6fa7cefc85) - increased the severity to medium, and improved detection logic
  • Increased the severity to low for 2 BIOC rules:
    • Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - increased the severity to low, and improved detection logic
    • Discovery of host users via WMIC (6593c57d-14fe-11ea-9297-88e9fe502c1f) - increased the severity to low, changed metadata, and improved detection logic
  • Decreased the severity to informational for a BIOC rule:
    • Reading .ssh files (cb05480f-17d8-4138-9905-f0f9fb50b671) - decreased the severity to informational
  • Added 2 new informational BIOC rules:
    • Suspicious process loads AMSI DLL (d0ce0ecf-50f0-4dff-83f0-8bdc6b5d8dbd) - added a new informational alert
    • Suspicious AMSI DLL load location (f332b6ef-ac49-484c-9258-d6396650912a) - added a new informational alert
  • Improved detection logic for 2 informational BIOC rules:
    • Windows PowerShell Logging being disabled via Registry (a649172a-7c6a-4a14-8022-b8d53f9d9ad6) - changed metadata, and improved detection logic
    • Modification of the Winlogon\Shell Registry key (0d390f7f-d8bb-4803-8b1d-ca41d54ad600) - changed metadata, and improved detection logic
  • Removed a BIOC rule:
    • Manipulation of Winlogon 'Shell' autostart Registry key (f111b9b1-f9f6-464f-91a0-52abd2c5f797) - removed

July 19, 2020 Release:

  • Increased the severity to high for a BIOC rule:
    • Microsoft Office process spawns conhost.exe (1dd1585b-632f-48f0-8eea-637a9e5e4fc7) - increased the severity to high
  • Increased the severity to medium for 5 BIOC rules:
    • Suspicious .NET log file created (dd318916-3d0a-4801-aa0b-78f9b94d0323) - changed metadata, increased the severity to medium, and improved detection logic
    • Office process spawned with suspicious command-line arguments (29f7499b-2464-479d-9e49-10911bc02945) - increased the severity to medium, and improved detection logic
    • Microsoft Office injects code into a process (17b8c759-512d-4c13-9fe4-71dcdeb97c29) - changed metadata, increased the severity to medium, and improved detection logic
    • Microsoft Office adds a value to autostart Registry key (db0da9c7-b7b6-43ab-a53b-5854b6da9ce5) - changed metadata, increased the severity to medium, and improved detection logic
    • Conhost.exe spawned a suspicious child process (d9d0dfed-fdc3-4488-9e1b-5ca3eea82bee) - changed metadata, increased the severity to medium, and improved detection logic
  • Increased the severity to low for a BIOC rule:
    • Microsoft Office executes an unsigned process in a suspicious directory (e1befc42-a6f8-403f-94db-2bb4d0e70439) - changed metadata, increased the severity to low, and improved detection logic
  • Added 4 new informational BIOC rules:
    • Connection to a TOR anonymization proxy (a009535f-54b4-4d38-9ee7-5ea0f7431c4e) - added a new informational alert
    • Enumeration of Windows services from public IP addresses (e98b5d62-69cf-4c62-b3de-7636f669fd3d) - added a new informational alert
    • Unsigned process loads a known PowerShell DLL (447fc1fe-4ff7-4668-a6c0-4ff929469234) - added a new informational alert
    • Office process loads a known PowerShell DLL (a088c900-5a69-4230-81c2-eb583abaa54a) - added a new informational alert

July 12, 2020 Release:

  • Increased the severity to medium for a BIOC rule:
    • Suspicious process spawns MSBuild.exe (681dab98-d443-4327-9fd3-5f5bd33a3adb) - changed metadata, and increased the severity to medium
  • Added 5 new informational BIOC rules:
    • LOLBAS access to database service (c115727b-a1c7-4909-88d0-e6ae866a0e7a) - added a new informational alert
    • Suspicious setspn.exe execution (09939895-1ee6-468c-9588-61a3e2d57124) - added a new informational alert
    • WebDAV connection to internet (e29a5545-68c2-4019-b72c-0b54345f0914) - added a new informational alert
    • BitTorrent P2P file sharing (e0879f94-a9c9-42b0-9eb7-0aa038f89dac) - added a new informational alert
    • Autorun.inf created in root C:\ drive (43fea42c-fbca-4e68-8f4b-7956f4397671) - added a new informational alert
  • Improved detection logic for 2 informational BIOC rules:
    • Suspicious runonce.exe parent process (029129fa-20ad-11ea-b86e-8c8590c9ccd1) - improved detection logic
    • Manipulation of 'BootExecute' Registry run key (68136813-901d-411a-b2e8-48bcf22af1ec) - changed metadata, and improved detection logic
  • Changed metadata for 8 BIOC rules:
    • Command-line creation of TCP stream (cb05480f-17d8-4138-9902-f0f9fb50b673) - changed metadata
    • Netcat shell via named pipe (cb05480f-17d8-4138-9902-f0f9fb50b674) - changed metadata
    • Cscript.exe connects to an external network (9410a485-491b-42e4-af6c-de4a76e12f0c) - changed metadata
    • Wscript.exe connects to an external network (deef10e3-42b1-45fa-a957-9713755fa514) - changed metadata
    • Unsigned process executed as a scheduled task (12766be6-50be-4cac-b6a4-6f3b5b8bd8ab) - changed metadata
    • New service created via command line (cd9af829-d0ed-4c7f-b8da-6d6d23824562) - changed metadata
    • Commonly-abused host process tried to kill a running process (393c5b71-2b2f-4290-be33-752015973161) - changed metadata
    • Tampering with the Windows System Restore configuration (710b1aaa-cfdf-42b5-9615-447cedc5e5f0) - changed metadata

June 21, 2020 Release:

  • Increased the severity to medium for a BIOC rule:
    • Possible UAC bypass via Event Viewer (55644e90-38b9-4233-aa11-eefe85561184) - increased the severity to medium, improved detection logic, and changed metadata
  • Improved detection logic for a low-severity BIOC rule:
    • Reading .ssh files (cb05480f-17d8-4138-9905-f0f9fb50b671) - improved detection logic, and changed metadata
  • Added 6 new informational BIOC rules:
    • Manipulation of the 'SilentProcessExit' Registry key (36a92409-c69e-45fa-a206-5c6058d3d48a) - added a new informational alert
    • Creation of a new Microsoft Office default template (3272b10a-d3f1-4bef-82c6-4502eab0eaef) - added a new informational alert
    • Office process creates a scheduled task via file access (b97e91dc-7ca9-4e77-a595-e214eb462f27) - added a new informational alert
    • WptsExtensions.dll created to disk (4cde444e-aa7f-4f1a-8c75-855c3c9e50e9) - added a new informational alert
    • Office process spawned with suspicious command-line arguments (29f7499b-2464-479d-9e49-10911bc02945) - added a new informational alert
    • Windows Security audit Log was cleared (afc6329f-ccec-4c56-963d-5da63bb8a27d) - added a new informational alert
  • Improved detection logic for 2 informational BIOC rules:
    • Encrypted zip archive creation (88836a02-95e6-47d1-a619-90a2de0165ff) - improved detection logic, and changed metadata
    • Unsigned process creates a scheduled task via file access (116a3cfb-2fd3-4d99-800b-e93fe158b211) - improved detection logic, and changed metadata

June 7, 2020 Release:

  • Added 17 new informational BIOC rules:
    • Microsoft Office process spawns conhost.exe (1dd1585b-632f-48f0-8eea-637a9e5e4fc7) - added a new informational alert
    • Possible C2 via dnscat2 (f9127d2b-3bf1-4d30-9258-d4d4aa0ebbb0) - added a new informational alert
    • Possible user enumeration via finger (84b6d1e8-812a-4ac7-a977-b88f26d32342) - added a new informational alert
    • Conhost.exe spawned a suspicious child process (d9d0dfed-fdc3-4488-9e1b-5ca3eea82bee) - added a new informational alert
    • Possible Oracle enumeration via tnscmd10g (2cb88b29-27c2-484b-be99-60158b575cf1) - added a new informational alert
    • Execution of Fsociety tool pack (9a5b28a6-0a67-4386-9707-e7e4f1791c8a) - added a new informational alert
    • Suspicious execution of ODBCConf (f35fb52f-f2a8-4568-b2f4-660910109efb) - added a new informational alert
    • UDP protocol scanner execution (d985da58-a4c5-4063-984b-357c80021aa1) - added a new informational alert
    • SMB enumeration via command-line tool (a8480241-6aa6-43d1-aae2-a53b22220b1d) - added a new informational alert
    • Execution of a password brute-force tool (5271e598-1eca-4abb-8f96-803e7674ff61) - added a new informational alert
    • DNS reconnaissance or enumeration via DNSRecon (58ee2732-5c4e-468c-a878-4a524d8d5f81) - added a new informational alert
    • Credential dumping via LaZagne (928b756c-8328-4dd8-9b41-5461d590589f) - added a new informational alert
    • Rundll32 loads a known abused DLL (340fd5f7-7a5c-4c6e-8b54-9bfce08bd2a3) - added a new informational alert
    • Unusual process spawned by changepk.exe (b81c79bc-3781-4657-af0d-4bc49856332b) - added a new informational alert
    • Permission groups discovery via ldapsearch (c72123f7-2612-4797-a919-3ab9511fd5e6) - added a new informational alert
    • Possible Oracle enumeration via Oscanner (81714e7d-a315-11ea-baaf-acde48001122) - added a new informational alert
    • Possible ARP reconnaissance via netdiscover (304eb4e4-1052-416e-8a13-1222a61bc672) - added a new informational alert
  • Improved detection logic for 2 high-severity BIOC rules:
    • Netcat makes or gets connections (44bf3d02-3081-4222-814f-6d47958c502a) - improved detection logic
    • Wbadmin.exe deletes recovery files in quiet mode (24be0d84-2203-4d60-a1f0-39e4f80eee3a) - improved detection logic, and changed metadata
  • Improved detection logic for 4 medium-severity BIOC rules:
    • Executable created to disk by lsass.exe (8d61c71e-3224-453f-aa1a-28de92d85b13) - improved detection logic, and changed metadata
    • Regsvr32 possibly downloading code from a remote host (a5ee0040-949c-4a4f-a5b8-dd5c079f9ba0) - improved detection logic
    • Windows certificate management tool makes a network connection (0179177f-e5ec-4101-a238-c0372b239afb) - improved detection logic
    • Compiled HTML (help file) writes a script file to disk (122e2d05-593a-4739-b498-6c5252c0dc00) - improved detection logic, and changed metadata
  • Improved detection logic for a low-severity BIOC rule:
    • Notepad process makes a network connection (558de43f-e8ff-4222-bb82-4419868088cd) - improved detection logic, and changed metadata
  • Improved detection logic for 9 informational BIOC rules:
    • Commonly abused process launches as a system service (3a426a71-9c12-4146-a916-c2db387280ed) - improved detection logic, and changed metadata
    • Unsigned process makes connections over DNS ports (99470a0e-c311-42a1-872f-74fde3326794) - improved detection logic, and changed metadata
    • Compiled HTML (help file) makes network connections (858a4ed7-36c4-4c43-9bff-d142f300035d) - improved detection logic, and changed metadata
    • Scripting engine makes connections over DNS ports (b3779123-e79d-43b5-b1f5-2fb41093afef) - improved detection logic, and changed metadata
    • Dllhost.exe makes network connections (d4b8bd1d-f1fb-4fde-9547-33494049c44a) - improved detection logic, and changed metadata
    • Suspicious runonce.exe parent process (029129fa-20ad-11ea-b86e-8c8590c9ccd1) - improved detection logic, and changed metadata
    • Unsigned process executed as a scheduled task (12766be6-50be-4cac-b6a4-6f3b5b8bd8ab) - improved detection logic, and changed metadata
    • Outlook data files accessed by an unsigned process (ea7088cd-90e4-4750-b65c-61743e3c4bb3) - improved detection logic
    • Suspicious DLL load using Control.exe (68db2d19-082e-4703-8008-b5938298a910) - improved detection logic, and changed metadata

May 31, 2020 Release:

  • Improved detection logic for a high-severity BIOC rule:
    • Suspicious access to NTDS.dit (eeeee3a5-a22f-4850-8022-17684a8c5227) - improved detection logic

May 24, 2020 Release:

  • Improved detection logic for 3 medium-severity BIOC rules:
    • Process runs with a double extension (f8890ac0-dc0b-4bd2-915f-932145147d73) - improved detection logic, and changed metadata
    • Rundll32.exe running with no command-line arguments (0c0a801a-06ff-4a10-b555-67e56ecbd410) - improved detection logic, and changed metadata
    • LOLBAS executable injects into another process (c8ad0223-2018-11ea-a080-8c8590c9ccd1) - improved detection logic
  • Added 5 new informational BIOC rules:
    • Fontdrvhost.exe makes network connections (7d43a35a-d5f1-4d00-b755-3e62db2e70db) - added a new informational alert
    • Unusual process spawned by fontdrvhost.exe (3e6054cf-8ba3-4550-ba4f-9308a537342f) - added a new informational alert
    • Rundll32.exe launches an executable using ordinal numbers argument (421619b8-a26b-476a-b2e4-3c24ee33a4b0) - added a new informational alert
    • Suspicious debug file created in a temporary folder (887e00c4-ec12-4490-b9bc-0db49a010fba) - added a new informational alert
    • Bypass UAC using the changepk.exe Registry key (8abd3382-cf28-4906-b379-a3976dc0cd21) - added a new informational alert
  • Changed metadata for a BIOC rule:
    • Psexesvc.exe executes a command from a remote host (ced869bc-88ee-4c67-a6d9-92002800403a) - changed metadata

May 17, 2020 Release:

  • Increased the severity to medium for 2 BIOC rules:
    • WSReset.exe UAC bypass (c07d1939-f759-4b5e-905a-fdd777ac3fda) - increased the severity to medium
    • Rundll32.exe used to run JavaScript (b6315a3-e1cd-4bfb-baa7-5609cd7f8756) - increased the severity to medium
  • Improved detection logic for 5 medium-severity BIOC rules:
    • Image File Execution Options Registry key injection by scripting engine (f8ea70da-4bbd-44a7-9b32-0abc809dd2be) - improved detection logic
    • Scripting engine injects code to a process (1f985402-f4a4-4132-b74b-18a04a3620cd) - improved detection logic
    • Manipulation of Google Chrome extensions via Registry (5adc7a1b-c840-43fc-ac65-c1b6cdb5ca12) - improved detection logic
    • Executable moved to Windows system folder (045190df-f5ab-491a-b214-199dc17f9e3b) - improved detection logic
    • Manipulation of Firefox plugins and extensions via Registry (98a1a1e1-5b03-4aa4-95ce-77ef7a52e600) - improved detection logic
  • Improved detection logic for a low-severity BIOC rule:
    • Image File Execution Options Registry key injection by unsigned process (98430360-5b37-465e-acd6-bafa9325110c) - improved detection logic
  • Added 11 new informational BIOC rules:
    • Microsoft Office injects code into a process (17b8c759-512d-4c13-9fe4-71dcdeb97c29) - added a new informational alert
    • LOLBAS reading a Windows credential manager file (3155db03-35a0-4341-9415-1c3bff40d3e0) - added a new informational alert
    • SmartScreen disabled via Registry (51680cd3-af12-4140-ab98-af8694e36409) - added a new informational alert
    • Suspicious process spawns MSBuild.exe (681dab98-d443-4327-9fd3-5f5bd33a3adb) - added a new informational alert
    • Suspicious SearchProtocolHost.exe parent process (6e717721-732f-44e3-b826-602ae8bb6b67) - added a new informational alert
    • Encoded script running (b38b98bc-e2d4-4719-b863-d9142bf8d647) - added a new informational alert
    • MSBuild.exe makes a network connection (bb459bb4-e864-4008-a12a-10ed4df3d753) - added a new informational alert
    • Suspicious certutil command line (bcf4cd6b-1e7f-4b2c-b538-24dacd1a0421) - added a new informational alert
    • Microsoft Office adds a value to autostart Registry key (db0da9c7-b7b6-43ab-a53b-5854b6da9ce5) - added a new informational alert
    • Suspicious .NET log file created (dd318916-3d0a-4801-aa0b-78f9b94d0323) - added a new informational alert
    • Microsoft Office executes an unsigned process under a suspicious directory (e1befc42-a6f8-403f-94db-2bb4d0e70439) - added a new informational alert
  • Improved detection logic for 3 informational BIOC rules:
    • Unsigned process reads Chromium credentials file (da3cedf6-9fd3-4e00-b2ca-9cedbd8b098a) - improved detection logic, and changed metadata
    • Outlook creates an executable file on disk (deafab32-3050-467d-a742-92f6453a152e) - improved detection logic
    • Tampering with Windows Security Support Provider DLLs (1396a3ad-1b0a-4ad7-861b-a6a50104952e) - improved detection logic, and changed metadata

May 10, 2020 Release:

  • Increased the severity to medium for 2 BIOC rules:
    • WSReset.exe UAC bypass (c07d1939-f759-4b5e-905a-fdd777ac3fda) - increased the severity to medium
    • Rundll32.exe used to run JavaScript (b6315a3-e1cd-4bfb-baa7-5609cd7f8756) - increased the severity to medium
  • Added 3 new informational BIOC rules:
    • Microsoft Office injects code into a process (17b8c759-512d-4c13-9fe4-71dcdeb97c29) - added a new informational alert
    • Encoded script running (b38b98bc-e2d4-4719-b863-d9142bf8d647) - added a new informational alert
    • LOLBAS reading a Windows credential manager file (3155db03-35a0-4341-9415-1c3bff40d3e0) - added a new informational alert

May 3, 2020 Release:

  • Increased the severity to high for 2 BIOC rules:
    • Rubeus tool execution (be12107d-1056-11ea-874c-8c8590c9ccd1) - changed metadata, and increased the severity to high
    • Pubprn.vbs signed script proxy execution (8d113cec-90be-4b24-856a-6f6c091e7510) - increased the severity to high
  • Increased the severity to medium for 2 BIOC rules:
    • Possible network connection to a TOR relay server (996c74f1-f154-466a-8f93-154a43c6fb90) - improved detection logic, and increased the severity to medium
    • AMSI Bypass (7cdcafb1-cc36-4608-87da-eaed966d3c7e) - increased the severity to medium

April 26, 2020 Release:

  • Increased the severity to medium for 2 BIOC rules:
    • Manipulation of Windows Safe Boot configuration (bf8923ca-bfe8-4cdd-89ac-3b2b7938976c) - increased the severity to medium, changed metadata, and improved detection logic
    • Bypass UAC using the control.exe Registry key (263c2cfb-e511-446e-8263-14d0a985b445) - increased the severity to medium, and changed metadata
  • Improved detection logic for a medium-severity BIOC rule:
    • Script file added to startup-related Registry keys (1db69ccd-b068-40b1-aeec-ce987021cdfc) - improved detection logic
  • Added 3 new informational BIOC rules:
    • Access to Opera browser credentials file (01de8317-d3e7-4d4b-871f-e86a775a1c1e) - added a new informational alert
    • Memory dumping with comsvcs (9873cd8b-2220-4384-a99f-712ad0ccfb45) - added a new informational alert
    • SyncAppvPublishingServer used to run PowerShell code (a3d1fa93-c193-44d8-a469-a25dd1db7695) - added a new informational alert

April 19, 2020 Release:

  • Added 3 new informational BIOC rules:
    • Modification of default Windows startup path via Registry (fbacd7dc-f835-436b-9e83-9c20d74732e2) - added a new informational alert
    • Possible Persistence via group policy Registry keys (21ff020b-270f-4579-90ca-9d14638d4c46) - added a new informational alert
    • Password-related Mozilla files were read by a non-Mozilla process (4d52183d-193b-4cca-8e17-d4dcfb5a388c) - added a new informational alert
  • Improved detection logic for a medium-severity BIOC rule:
    • Windows certificate management tool makes a network connection (0179177f-e5ec-4101-a238-c0372b239afb) - improved detection logic
  • Changed metadata for 8 BIOC rules:
    • Executable file written to a temporary folder (73adac7b-e1c0-47d0-9767-f491e92008eb) - changed metadata
    • Hidden directory creation (d4049817-ff73-460a-b752-21c86c6efdc8) - changed metadata
    • Unsigned process running from a temporary directory (e9d12cc6-69a2-4cce-b58e-4db58b9176cf) - changed metadata
    • DNS resolution to the Palo Alto Networks sinkhole (03347621-15db-11ea-8454-88e9fe502c1f) - changed metadata
    • Cscript.exe connects to an external network (9410a485-491b-42e4-af6c-de4a76e12f0c) - changed metadata
    • PowerShell possibly attempting to execute as administrator (765c164d-7170-4e1c-a463-a5ecf41617dd) - changed metadata
    • Process calls ActiveX Object with a shell command (82485794-7e5b-48da-aacf-926d031b8f62) - changed metadata
    • Process runs from the recycle bin (98134120-eed2-4252-b6d6-d130743018c6) - changed metadata
April 12, 2020 Release
  • Increased the severity to medium for a BIOC rule:
    • Script file added to startup-related Registry keys (1db69ccd-b068-40b1-aeec-ce987021cdfc) - improved detection logic, increased the severity to medium, and changed metadata
  • Changed metadata for 5 BIOC rules:
    • Manipulation of Windows Safe Boot configuration (bf8923ca-bfe8-4cdd-89ac-3b2b7938976c) - changed metadata
    • Shutdown command issued (6c60836a-382a-460e-9208-4b59f4fc68a9) - changed metadata
    • Manipulation of permissions for the Application Event Log (6a8acb51-2331-4384-a247-a27cc9f12c84) - changed metadata
    • Manipulation of Volume Shadow Copy configuration (ceaedeba-68c1-4c99-87b2-98872b4aeca3) - changed metadata
    • Tampering with the Windows System Restore configuration (710b1aaa-cfdf-42b5-9615-447cedc5e5f0) - changed metadata
April 6, 2020 Release
  • Increased the severity to high for a BIOC rule:
    • Suspicious access to NTDS.dit (eeeee3a5-a22f-4850-8022-17684a8c5227) - improved detection logic, increased the severity to high, and changed metadata
  • Increased the severity to low for a BIOC rule:
    • Manipulation of Windows DNS configuration using WMIC (ff9612ae-22ca-4ac2-bd3b-6bf1244dad8a) - improved detection logic, increased the severity to low, and changed metadata
  • Added 3 new informational BIOC rules:
    • Disabling Windows Defender via Registry (d18483d3-1e7c-48cc-b1d9-6e1ab8592667) - added a new informational alert
    • WMI access to shadow copy interface (b6cd123b-e5a0-4aa3-ac43-3398d6a93ca7) - added a new informational alert
    • Pubprn.vbs signed script proxy execution (8d113cec-90be-4b24-856a-6f6c091e7510) - added a new informational alert
  • Decreased the severity to informational for a BIOC rule:
    • Modification of password filter DLL(s) Registry key (ea98601c-e552-4b9b-8164-f085a38d383d) - decreased the severity to informational
  • Removed 2 BIOC rules:
    • PowerShell enumerates running processes (932681e4-919a-4151-921f-adcb1088bb86) - removed
    • Possible RDP session hijacking using tscon.exe (32c6e7f9-ccd0-48a4-8bc9-3e460653cb75) - removed
  • Changed metadata for 118 BIOC rules
March 30, 2020 Release
  • Increased the severity to high for 2 BIOC rules:
    • Mimikatz command-line arguments (94fed992-c1da-4b69-9caa-292221b8c070) - improved detection logic, changed metadata, and increased the severity to high
    • Netcat makes or gets connections (44bf3d02-3081-4222-814f-6d47958c502a) - improved detection logic, changed metadata, and increased the severity to high
  • Increased the severity to medium for 5 BIOC rules:
    • Windows certificate management tool makes a network connection (0179177f-e5ec-4101-a238-c0372b239afb) - improved detection logic, changed metadata, and increased the severity to medium
    • Non-browser access to a pastebin-like site (6b394799-0a16-4d03-b8b4-e9a062965ad7) - improved detection logic, changed metadata, and increased the severity to medium
    • Fodhelper.exe UAC bypass (448f8a2e-eaf9-4ff7-ab84-5a582e837dfc) - improved detection logic, and increased the severity to medium
    • LSASS dump file written to disk (90226942-3721-4df4-9b26-577ed1e9c34d) - improved detection logic, and increased the severity to medium
    • Network sniffing via command-line tool (4b25dcce-0ac3-4cb2-8c97-939a1077af84) - improved detection logic, and increased the severity to medium
  • Increased the severity to low for 6 BIOC rules:
    • Windows Firewall notifications disabled via Registry (31796d2e-08a9-4047-8f37-3a0c2aa11702) - improved detection logic, changed metadata, and increased the severity to low
    • Base64 encoding used (e8ffb33b-f1a8-4687-9ad7-cd2654d73b4f) - improved detection logic, changed metadata, and increased the severity to low
    • Kernel modules loaded via command-line tool (49dbb669-e1f4-4ca7-a7e4-36478b780e74) - improved detection logic, and increased the severity to low
    • Possible network service discovery via command-line tool (d2f959f3-d463-4d73-92bf-4c3664a5d956) - improved detection logic, and increased the severity to low
    • Executable copied to remote host via admin share (63181adb-96a2-441b-8367-6a1e91ef1e02) - improved detection logic, changed metadata, and increased the severity to low
    • Bash creating network traffic (8bbc8c26-45dd-436c-9d89-98f76164daee) - improved detection logic, and increased the severity to low
  • Added 4 new informational BIOC rules:
    • Direct scheduled task creation via file access (116a3cfb-2fd3-4d99-800b-e93fe158b211) - added a new informational alert
    • Disable outlook security via Registry (a6311886-ab62-4df9-862f-b999a0c3a995) - added a new informational alert
    • Ping to a known external IP address (61079392-db2f-4b7a-b7f8-b87562137f73) - added a new informational alert
    • File renamed to have a script extension (51bd180f-ae84-450d-b0a6-b1a67300ef4d) - added a new informational alert
  • Removed a BIOC rule:
    • Common Google process name missing Google digital signature (417426e1-363c-4dbc-928d-ff7cd5f114d0) - removed
  • Changed the metadata for 115 BIOC rules
March 24, 2020 Release
  • Decreased the severity to informational for a BIOC rule:
    • Injection into rundll32.exe (0c0a80af-06ff-4a10-b555-67e56ecbd410) - improved detection logic, and decreased the severity to informational
Comments
L0 Member

Hi, can I ask you where I can find the content update version with the release date?

For example: the Cortex XDR agent content version 172-54504, when was it released?

Thanks

L2 Linker

Hi @mfranzon, you can view the release notes for the Cortex XDR agent content versions on the customer support portal in the Updates > Dynamic Updates > Traps section.

L0 Member

Thanks @WSeldenIII, found it.

L0 Member

Hi,

For this added Medium Analytics BIOC:

  • Possible Microsoft module side-loading into Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - added a new Medium alert

Is it possible to alert on this kind of attack?

No Longer Just Theory: Black Lotus Labs Uncovers Linux Executables Deployed as Stealth Windows Loade...
Thank You.

L0 Member

Hi,

The info that something changed for the better is nice, but it would be even better if there were a possibility to review the changes made.
To this day, I think there isn't a possibility to view Analytics BIOC rules.
The fact that Cortex XDR isn't a "black box" like other XDR/EDR products, and that it's possible to view and alter standard BIOC rules, was the deciding factor for us to take the product into our MSSP program.
Best regards