Older Cortex XDR Content Release Notes (2019)

December 29, 2019 Release
  • Increased the severity to high for a BIOC rule:
    • ntdsutil.exe accessing ntds.dit file (73a6f03c-d459-4314-8213-3b69c9aa69c8) - increased severity and changed metadata
  • Increased the severity to medium for a BIOC rule:
    • New local user created via PowerShell command line (8369f619-0fc7-4b32-aa9f-fce1efcfd3c7) - increased severity and changed metadata
  • Added 5 new informational BIOC rules:
    • Procdump executed from an atypical directory (e8338494-20af-11ea-bbde-8c8590c9ccd1) - added a new informational alert
    • Unsigned integer Sudo privilege escalation (1974dd9e-20c1-11ea-ab34-8c8590c9ccd1) - added a new informational alert
    • debug.bin file dropped to Temp folder (5b161cc7-20d1-11ea-bf45-8c8590c9ccd1) - added a new informational alert
    • LOLBAS executable injection into another process (c8ad0223-2018-11ea-a080-8c8590c9ccd1) - added a new informational alert
    • Suspicious runonce.exe parent process (029129fa-20ad-11ea-b86e-8c8590c9ccd1) - added a new informational alert
  • Changed metadata for a BIOC rule:
    • Microsoft Office Equation Editor spawns a commonly abused process (68d5ddf7-50b4-49e0-be96-863cf763a2b1) - changed metadata


December 15, 2019 Release
  • Improved the logic of 2 informational BIOC rules:
    • Service enumeration via sc (f5ad264a-fc27-4cef-9a94-245150ace5b1) - improved logic and changed metadata
    • Kerberos service ticket request in PowerShell command (90e50124-8bf2-4631-861e-4b3e1766af5f) - improved logic and changed metadata
  • Changed the metadata for a BIOC rule:
    • Excel Web Query file created on disk (5f29933c-46ae-45f4-b5ce-fc59f12240bf) - changed metadata
  • Added 9 new informational BIOC rules:
    • Hash cracking using Hashcat tool (f09765e8-105f-11ea-af82-8c8590c9ccd1) - added a new informational alert
    • Host firewall profile discovery using netsh (42d72b02-1751-11ea-8401-88e9fe502c1f) - added a new informational alert
    • Enumeration of services via wmic (3654c173-14e9-11ea-8723-88e9fe502c1f) - added a new informational alert
    • Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - added a new informational alert
    • Discovery of host’s users via wmic (6593c57d-14fe-11ea-9297-88e9fe502c1f) - added a new informational alert
    • DNS resolution to the Palo Alto Networks sinkhole (03347621-15db-11ea-8454-88e9fe502c1f) - added a new informational alert
    • Enumeration of services via PowerShell (6977966b-14e9-11ea-b5d7-88e9fe502c1f) - added a new informational alert
    • Interface enumeration using netsh (3c63c894-1449-11ea-803f-88e9fe502c1f) - added a new informational alert
    • Kerberos ticket forging using Impacket ticketer (08222430-105d-11ea-8d11-8c8590c9ccd1) - added a new informational alert


November 3, 2019 Release
  • Increased the severity to high for a BIOC rule:
    • Bitsadmin.exe used to upload data (6ba957eb-d63e-4cee-99aa-89e21ef3acc8) - improved logic, changed metadata and increased the severity to high
  • Increased the severity to medium for 5 BIOC rules:
    • Windows set to permit unsigned drivers (Test Mode) (bc4e5b48-cd06-4eb4-a35c-3ea42bf98ff4) - changed metadata, and increased the severity to medium
    • Delete Volume USN Journal with fsutil (9d79f0ce-15c2-4ab8-b63e-2f22d74423e3) - increased the severity to medium
    • 64-bit PowerShell spawning a 32-bit PowerShell (824a3186-b262-4e01-a45c-35cca8efa233) - improved logic, and increased the severity to medium
    • Rundll32.exe running with no command-line arguments (0c0a801a-06ff-4a10-b555-67e56ecbd410) - improved logic, and increased the severity to medium
    • Injection into rundll32.exe (0c0a80af-06ff-4a10-b555-67e56ecbd410) - improved logic, and increased the severity to medium
  • Added 3 new informational BIOC rules:
    • Bitsadmin.exe used to download data (6aa957eb-d63e-4cee-99aa-89e21ef3acc8) - added a new informational alert
    • Non-browser access to a pastebin-like site (6b394699-0a16-4d03-b8b4-e9a062965ad7) - added a new informational alert
    • Non-browser failed access to a pastebin-like site (c1e7607b-e56c-43ca-b072-5b266bb4133b) - added a new informational alert
  • Improved the logic of an informational BIOC rule:
    • Executable or script created in the startup folder (5ee4f82d-6d98-4f94-a832-a62957234d69) - improved logic
  • Deleted an informational BIOC rule:
    • Default Cobalt Strike command line for beaconing with PowerShell (f8ea70da-4bbd-44a7-9a32-0abc809dd2ae) - removed the alert


September 27, 2019 Release
  • Decreased the severity to informational for a BIOC rule:
    • Netcat shell via named pipe (cb05480f-17d8-4138-9902-f0f9fb50b674) - decreased severity to informational


September 26, 2019 Release
  • Increased the severity to high for 6 BIOC rules:
    • Command-line creation of TCP stream (cb05480f-17d8-4138-9902-f0f9fb50b673) - improved detection logic, and increased severity to high
    • Netcat shell via named pipe (cb05480f-17d8-4138-9902-f0f9fb50b674) - improved detection logic, and increased severity to high
    • Python script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b675) - improved detection logic, and increased severity to high
    • Perl script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b676) - improved detection logic, and increased severity to high
    • PHP script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b677) - improved detection logic, and increased severity to high
    • Wbadmin.exe deletes recovery files in quiet mode (24be0d84-2203-4d60-a1f0-39e4f80eee3a) - improved detection logic, changed the metadata, and increased severity to high
  • Increased the severity to medium for 4 BIOC rules:
    • User added to local administrator group using a PowerShell command (7135da01-046f-452b-99d3-974795aca8c6) - changed the metadata, and increased severity to medium
    • Scheduled task created with HTTP or FTP reference (3c888671-03a0-4e8f-8192-c7a6e031712c) - improved detection logic, changed the metadata, and increased severity to medium
    • Powershell downloads files via BITS (ed10c4cc-867c-4318-aa9d-59d57d6934bb) - improved detection logic, changed the metadata, and increased severity to medium
    • Clear Windows event logs using PowerShell.exe (d9321f3f-d32e-4aa9-8f88-22b03c36139d) - increased severity to medium
  • Improved the detection logic and increased the severity to low for 2 BIOC rules:
    • Reading bash command history file (cb05480f-17d8-4138-9902-f0f9fb50b672) - improved detection logic, and increased severity to low
    • Reading .ssh files (cb05480f-17d8-4138-9905-f0f9fb50b671) - improved detection logic, and increased severity to low
  • Improved the detection logic of a low-severity BIOC rule:
    • Image File Execution Options registry key injection by unsigned process (98430360-5b37-465e-acd6-bafa9325110c) - improved detection logic
  • Improved the detection logic of 4 informational BIOC rules:
    • Default Cobalt Strike command line for beaconing with PowerShell (f8ea70da-4bbd-44a7-9a32-0abc809dd2ae) - improved detection logic
    • Curl connects to an external network (5e1b87b5-e0db-4ff9-9901-ed73a5190323) - improved detection logic
    • Wget connects to an external network (5e1b87b5-e0db-4ff9-9901-ed73a5190322) - improved detection logic
    • Accessing Linux bash history file (cb05480f-17d8-4138-9902-f0f9fb50b671) - improved detection logic
  • Added a new informational BIOC rule:
    • Accessing Linux bash history file using bash commands (cb05480f-17d8-4138-9992-f0f9fb50b671) - added a new informational alert


September 25, 2019 Release
  • Added 7 new informational BIOC rules:
    • Default Cobalt Strike command line for beaconing with PowerShell (f8ea70da-4bbd-44a7-9a32-0abc809dd2ae) - added a new informational alert
    • Rundll32.exe running with no command-line arguments (0c0a801a-06ff-4a10-b555-67e56ecbd410) - added a new informational alert
    • Injection into rundll32.exe (0c0a80af-06ff-4a10-b555-67e56ecbd410) - added a new informational alert
    • Unsigned process injecting into a windows system binary with no command line (0c0a801f-06ff-4a10-b555-67e5aecbd410) - added a new informational alert
    • RDP connections enabled via registry by unsigned process (6d432610-7ee0-4857-a8f5-009dfd4bde14) - added a new informational alert
    • RDP connections enabled via registry from a script host or rundll32.exe (0f705be9-8cd2-4263-9735-6d394f08b974) - added a new informational alert
    • 64-bit PowerShell spawning a 32-bit PowerShell (824a3186-b262-4e01-a45c-35cca8efa233) - added a new informational alert
  • Reduced the severity of 1 BIOC rule to informational:
    • Outlook creates an executable file on disk (deafab32-3050-467d-a742-92f6453a152e) - decreased severity to informational


September 5, 2019 Release
  • Added a new BIOC rule:
    • Image File Execution Options registry key injection by scripting engine (f8ea70da-4bbd-44a7-9b32-0abc809dd2be) - added a new low severity alert
  • Improved the detection logic and increased the severity of 2 BIOC rules:
    • Image File Execution Options registry key injection by unsigned process (98430360-5b37-465e-acd6-bafa9325110c) - improved detection logic, changed the metadata, and increased severity to low
    • WebDAV drive mounted from net.exe over HTTPS (0c0a801f-06ff-4a10-b555-67e56ecbd410) - improved detection logic, and increased severity to low
  • Improved the detection logic of 3 informational BIOC rules:
    • Executable moved to system32 folder (045190df-f5ab-491a-b214-199dc17f9e3b) - improved detection logic
    • RDP enabled via registry (6d432610-7ee0-4857-a8f5-009dfd4bde14) - improved detection logic
    • Multiple RDP sessions enabled via registry (b1ac2867-7f82-4d99-b565-2fb5425c1bb5) - improved detection logic


August 8, 2019 Release
  • Improved the detection logic of 7 BIOC rules:
    • Cscript.exe connects to an external network (9410a485-491b-42e4-af6c-de4a76e12f0c) - improved detection logic
    • Windows Firewall disabled via registry (31796d2e-08a9-4047-8f37-3a0c2aad8f67) - improved detection logic and changed the metadata
    • Process attempts to kill a known security/AV tool (e33072a2-ae58-43a0-bd05-08e986732f03) - improved detection logic
    • Wscript.exe connects to an external network (deef10e3-42b1-45fa-a957-9713755fa514) - improved detection logic
    • PowerShell process connects to the internet (5e1b87b5-e0db-4ff9-806b-ed73a5190222) - improved detection logic
    • Communication over email ports to external email server by unsigned process (7b424216-fe61-4589-bcee-67e9e7b267be) - improved detection logic
    • New local user created via Powershell command line (8369f619-0fc7-4b32-aa9f-fce1efcfd3c7) - improved detection logic and changed the metadata
  • Decreased severity of 2 BIOC rules:
    • Microsoft Office process spawns an unsigned process (da9356d9-f8fa-4d32-a6eb-a79a2590816e) - decreased severity to informational
    • Web server process drops an executable to disk (20a37717-dd61-4fe5-a73b-80d9fb2a8862) - decreased severity to informational
  • Added 18 new informational BIOC rules:
    • Windows Firewall notifications disabled via registry (31796d2e-08a9-4047-8f37-3a0c2aa11702) - added a new informational alert
    • Windows Firewall policy edited via registry (31796d2e-08a9-4047-8f37-3a0c2aa11703) - added a new informational alert
    • Curl connects to an external network (5e1b87b5-e0db-4ff9-9901-ed73a5190323) - added a new informational alert
    • Wget connects to an external network (5e1b87b5-e0db-4ff9-9901-ed73a5190322) - added a new informational alert
    • Accessing Linux bash history file (cb05480f-17d8-4138-9902-f0f9fb50b671) - added a new informational alert
    • Reading bash command history file (cb05480f-17d8-4138-9902-f0f9fb50b672) - added a new informational alert
    • Reading .ssh files (cb05480f-17d8-4138-9905-f0f9fb50b671) - added a new informational alert
    • Command-line creation of TCP stream (cb05480f-17d8-4138-9902-f0f9fb50b673) - added a new informational alert
    • Netcat shell via named pipe (cb05480f-17d8-4138-9902-f0f9fb50b674) - added a new informational alert
    • Python script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b675) - added a new informational alert
    • Perl script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b676) - added a new informational alert
    • PHP script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b677) - added a new informational alert
    • Image File Execution Options registry key injection (98430360-5b37-465e-acd6-bafa9325110c) - added a new informational alert
    • Executable moved to system32 folder (045190df-f5ab-491a-b214-199dc17f9e3b) - added a new informational alert
    • RDP enabled via registry (6d432610-7ee0-4857-a8f5-009dfd4bde14) - added a new informational alert
    • Multiple RDP sessions enabled via registry (b1ac2867-7f82-4d99-b565-2fb5425c1bb5) - added a new informational alert
    • Outlook data files accessed by an unsigned process (ea7088cd-90e4-4750-b65c-61743e3c4bb3) - added a new informational alert
    • WebDAV drive mounted from net.exe over HTTPS (0c0a801f-06ff-4a10-b555-67e56ecbd410) - added a new informational alert


July 18, 2019 Release
  • Modified 6 BIOC rules:
    • Privilege escalation using local named pipe impersonation (dd0ac223-8aaa-4630-988d-de39eba83d29) - increased severity to medium
    • Privilege escalation using local named pipe impersonation through DLL (d915cff3-5ce9-493f-9973-808a93ed50ad) - increased severity to medium
    • New entry added to startup related registry keys by unsigned process (a09c90f7-0b45-4f2a-ac71-96170f047921) - decreased severity to informational
    • Windows Firewall being disabled via registry (31796d2e-08a9-4047-8f37-3a0c2aad8f67) - decreased severity to informational
    • Outlook creates an executable file on disk (deafab32-3050-467d-a742-92f6453a152e) - improved detection logic
    • Web server process drops an executable to disk (20a37717-dd61-4fe5-a73b-80d9fb2a8862) - improved detection logic
  • Deleted 2 BIOC rules:
    • Execution of network debugging/tunnelling tool (56a93227-73d7-42e5-936c-0a3de691b7c6) - removed the alert
    • Explorer spawned from commonly abused host process (7b2e9352-20cf-4c52-94e9-b01fac10753a) - removed the alert


July 11, 2019 Release
  • Added 5 new medium-severity BIOC rules for detecting credential dumping:
    • Credential dumping via gsecdump.exe (ca11656e-2c37-4089-94e3-f659ba50d792) - added a new medium-severity alert
    • Credential dumping via pwdumpx.exe (8e3f6394-1633-47c9-8ca8-63b5c0187983) - added a new medium-severity alert
    • Credential dumping via wce.exe (0c468243-6943-4871-be10-13fb68c0a8ef) - added a new medium-severity alert
    • Dumping lsass.exe memory for credential extraction (cb05480f-17d8-4138-aa38-f0f9fb50b671) - added a new medium-severity alert
    • Credential dumping via fgdump.exe (eebd92ac-c37f-4e7a-b37d-5c0189ddedcb) - added a new medium-severity alert
  • Improved the detection logic of 7 BIOC rules:
    • Cscript.exe connects to an external network (9410a485-491b-42e4-af6c-de4a76e12f0c) - improved detection logic
    • Windows Event Log cleared using wevtutil.exe (938176d0-d14a-49a0-9159-6081627eba03) - improved detection logic, increased severity to high and changed the metadata
    • Wscript.exe connects to an external network (deef10e3-42b1-45fa-a957-9713755fa514) - improved detection logic
    • Wbadmin.exe deletes recovery files in quiet mode (24be0d84-2203-4d60-a1f0-39e4f80eee3a) - improved detection logic, increased severity to medium and changed the metadata
    • PowerShell process connects to the internet (5e1b87b5-e0db-4ff9-806b-ed73a5190222) - improved detection logic
    • Communication over email ports to external email server by unsigned process (7b424216-fe61-4589-bcee-67e9e7b267be) - improved detection logic
    • Adobe Acrobat Reader drops an executable file to disk (61f01972-e07f-46d7-ba75-f1ec1309625a) - improved detection logic


July 9, 2019 Release
  • Changed the logic of 1 BIOC rule and added 16 informational BIOC rules:
    • Windows Event Log cleared using wevtutil.exe (938176d0-d14a-49a0-9159-6081627eba03) - improved detection logic
    • Active Directory enumeration via command-line tool (136788a7-717a-49e2-9e0a-76f00eb60ed6) - added a new informational alert
    • Logged on users enumeration via query.exe (375cb7bf-400e-4fbf-9755-693d80a5a54a) - added a new informational alert
    • Delete Volume USN Journal with fsutil (9d79f0ce-15c2-4ab8-b63e-2f22d74423e3) - added a new informational alert
    • Attempted to dump ntds.dit (73a6f03c-d459-4314-8213-3b69c9aa69c8) - added a new informational alert
    • Kerberos service ticket request in PowerShell command (90e50124-8bf2-4631-861e-4b3e1766af5f) - added a new informational alert
    • Creation of volume shadow copy using vssadmin.exe (8dd80937-96d8-4ecf-9f44-29a46e0cb5d9) - added a new informational alert
    • Modification of NTLM restrictions in the registry (207bde33-2c02-4aa7-ae4f-e22146b79ba6) - added a new informational alert
    • Logged on users enumeration via quser.exe (6b228541-9610-4e6f-ad5d-dc6b8d027405) - added a new informational alert
    • Active directory enumeration using builtin nltest.exe (216e4145-0656-47c9-b4b3-40f362e133bc) - added a new informational alert
    • Clear Windows event logs using wmic.exe (7316c8d9-07d8-40aa-b074-b452bc3d355c) - added a new informational alert
    • Clear Windows event logs using PowerShell.exe (d9321f3f-d32e-4aa9-8f88-22b03c36139d) - added a new informational alert
    • Indirect command execution using the Program Compatibility Assistant (18447eac-7ad6-44a8-aaf5-7e75b0151166) - added a new informational alert
    • Privilege escalation using local named pipe impersonation (dd0ac223-8aaa-4630-988d-de39eba83d29) - added a new informational alert
    • Privilege escalation using local named pipe impersonation through DLL (d915cff3-5ce9-493f-9973-808a93ed50ad) - added a new informational alert
    • Addition or replacement of password filter DLL(s) through registry modification (ea98601c-e552-4b9b-8164-f085a38d383d) - added a new informational alert
    • Dumping registry hives with passwords via reg.exe (824a3186-b262-4e01-b45c-35cca8efa233) - added a new informational alert


July 7, 2019 Release

  • 11 BIOC rule changes - note that for this content release, and for future ones, global rule IDs are listed in parentheses next to the BIOC names:
    • Microsoft HTML Application Host spawns from CMD or Powershell (bfca0d1c-91f9-4ed3-b812-f207ba100a3b) - decreased severity to informational
    • Microsoft Office process spawns a commonly abused process (c043b141-83d4-4158-a573-c1e348bb2ad9) - decreased severity to informational
    • Web server spawns an unsigned process (bd23f54a-2bd4-417e-80ea-9dd7dcea54f4) - decreased severity to informational
    • PowerShell calling Invoke-Expression argument (d9e32419-d8f0-4b2b-b395-6c27be156d56) - decreased severity to informational
    • Cleartext password harvesting using find tools (7ac5c888-838d-489c-a6a9-2bab9cec7e9d) - decreased severity to informational
    • Compiler process started by an Office process (9b8c5e4f-1b36-49ad-b2c4-155f244ea0ac) - decreased severity to informational
    • New local user created via command line (8369f619-0fc7-4b32-aa9f-fce1efcfd3c7) - decreased severity to informational
    • Unsigned process injects code into a process (5c3624c9-b234-49b3-b6c1-beae8d9891f8) - decreased severity to informational
    • Scripting engine injects code to a process (1f985402-f4a4-4132-b74b-18a04a3620cd) - decreased severity to informational
    • Unsigned process makes connections over DNS ports (99470a0e-c311-42a1-872f-74fde3326794) - decreased severity to informational
    • Scripting engine makes connections over DNS ports (b3779123-e79d-43b5-b1f5-2fb41093afef) - decreased severity to informational


June 19, 2019 Release

  • 27 BIOC rule changes:
    • Manipulation of Windows settings using bcdedit.exe - decreased severity to informational
    • Bypassing Windows UAC using disk cleanup - decreased severity to low
    • Commonly abused process executes by a remote host using psexec - decreased severity to informational
    • Compiled HTML (help file) writes a binary file to disk - decreased severity to medium
    • Cscript connects to an external network - decreased severity to informational
    • Windows process masquerading by an unsigned process - decreased severity to informational
    • Windows Powershell Logging being disabled via registry - decreased severity to informational
    • Binary file being created to disk with a double extension - decreased severity to medium
    • Outlook creates an executable file on disk - decreased severity to low
    • Executable created to disk by lsass.exe - decreased severity to medium
    • Microsoft Office process spawns a commonly abused process - decreased severity to low
    • Powershell runs with known Mimikatz arguments - decreased severity to medium
    • Process attempts to kill a known security/AV tool - decreased severity to medium, improved detection logic
    • Process runs from the recycle bin - decreased severity to medium
    • Process runs with a double extension - decreased severity to medium
    • Enumeration of installed AV or FW products using WMIC - decreased severity to informational
    • Powershell process makes network connections to the internet - decreased severity to informational
    • Powershell runs base64 encoded commands - decreased severity to informational
    • Communication over email ports to external email server by unsigned process - decreased severity to informational
    • PowerShell calling Invoke-Expression argument - improved detection logic
    • Compiler process started by a commonly abused shell process - decreased severity to informational
    • Unsigned process executing whoami command - decreased severity to informational
    • Scripting engine called to run in the command line - decreased severity to informational
    • Unsigned process injects code into a process - decreased severity to low
    • Sensitive Google Chrome files access by a non-Google process - decreased severity to informational
    • Script file entry written to startup related registry keys - decreased severity to informational
    • Adobe Acrobat Reader drops an executable file to disk - decreased severity to low, improved detection logic


April 15-16, 2019 Release

  • Adobe Acrobat Reader drops an executable file to disk - ignore acrord32.exe as causality process to reduce false positives


Initial Release

  • 198 BIOC rules:
    • 12 high severity
    • 11 medium severity
    • 53 low severity
    • 122 informational
Last update: 05-22-2020 08:24 AM
Updated by: Retired Member