August 8, 2019 Release
- Improved the detection logic of 7 BIOC rules:
  - Cscript.exe connects to an external network (9410a485-491b-42e4-af6c-de4a76e12f0c) - improved detection logic
  - Windows Firewall disabled via registry (31796d2e-08a9-4047-8f37-3a0c2aad8f67) - improved detection logic and changed the metadata
  - Process attempts to kill a known security/AV tool (e33072a2-ae58-43a0-bd05-08e986732f03) - improved detection logic
  - Wscript.exe connects to an external network (deef10e3-42b1-45fa-a957-9713755fa514) - improved detection logic
  - PowerShell process connects to the internet (5e1b87b5-e0db-4ff9-806b-ed73a5190222) - improved detection logic
  - Communication over email ports to external email server by unsigned process (7b424216-fe61-4589-bcee-67e9e7b267be) - improved detection logic
  - New local user created via Powershell command line (8369f619-0fc7-4b32-aa9f-fce1efcfd3c7) - improved detection logic and changed the metadata
- Decreased severity of 2 BIOC rules:
  - Microsoft Office process spawns an unsigned process (da9356d9-f8fa-4d32-a6eb-a79a2590816e) - decreased severity to informational
  - Web server process drops an executable to disk (20a37717-dd61-4fe5-a73b-80d9fb2a8862) - decreased severity to informational
- Added 18 new informational BIOC rules:
  - Windows Firewall notifications disabled via registry (31796d2e-08a9-4047-8f37-3a0c2aa11702) - added a new informational alert
  - Windows Firewall policy edited via registry (31796d2e-08a9-4047-8f37-3a0c2aa11703) - added a new informational alert
  - Curl connects to an external network (5e1b87b5-e0db-4ff9-9901-ed73a5190323) - added a new informational alert
  - Wget connects to an external network (5e1b87b5-e0db-4ff9-9901-ed73a5190322) - added a new informational alert
  - Accessing Linux bash history file (cb05480f-17d8-4138-9902-f0f9fb50b671) - added a new informational alert
  - Reading bash command history file (cb05480f-17d8-4138-9902-f0f9fb50b672) - added a new informational alert
  - Reading .ssh files (cb05480f-17d8-4138-9905-f0f9fb50b671) - added a new informational alert
  - Command-line creation of TCP stream (cb05480f-17d8-4138-9902-f0f9fb50b673) - added a new informational alert
  - Netcat shell via named pipe (cb05480f-17d8-4138-9902-f0f9fb50b674) - added a new informational alert
  - Python script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b675) - added a new informational alert
  - Perl script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b676) - added a new informational alert
  - PHP script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b677) - added a new informational alert
  - Image File Execution Options registry key injection (98430360-5b37-465e-acd6-bafa9325110c) - added a new informational alert
  - Executable moved to system32 folder (045190df-f5ab-491a-b214-199dc17f9e3b) - added a new informational alert
  - RDP enabled via registry (6d432610-7ee0-4857-a8f5-009dfd4bde14) - added a new informational alert
  - Multiple RDP sessions enabled via registry (b1ac2867-7f82-4d99-b565-2fb5425c1bb5) - added a new informational alert
  - Outlook data files accessed by an unsigned process (ea7088cd-90e4-4750-b65c-61743e3c4bb3) - added a new informational alert
  - WebDAV drive mounted from net.exe over HTTPS (0c0a801f-06ff-4a10-b555-67e56ecbd410) - added a new informational alert
July 18, 2019 Release
- Modified 6 BIOC rules:
  - Privilege escalation using local named pipe impersonation (dd0ac223-8aaa-4630-988d-de39eba83d29) - increased severity to medium
  - Privilege escalation using local named pipe impersonation through DLL (d915cff3-5ce9-493f-9973-808a93ed50ad) - increased severity to medium
  - New entry added to startup related registry keys by unsigned process (a09c90f7-0b45-4f2a-ac71-96170f047921) - decreased severity to informational
  - Windows Firewall being disabled via registry (31796d2e-08a9-4047-8f37-3a0c2aad8f67) - decreased severity to informational
  - Outlook creates an executable file on disk (deafab32-3050-467d-a742-92f6453a152e) - improved detection logic
  - Web server process drops an executable to disk (20a37717-dd61-4fe5-a73b-80d9fb2a8862) - improved detection logic
- Deleted 2 BIOC rules:
  - Execution of network debugging/tunnelling tool (56a93227-73d7-42e5-936c-0a3de691b7c6) - removed the alert
  - Explorer spawned from commonly abused host process (7b2e9352-20cf-4c52-94e9-b01fac10753a) - removed the alert
July 11, 2019 Release
July 9, 2019 Release
July 7, 2019 Release
- 11 BIOC rule changes - note that for this content release, and for future ones, global rule IDs are listed in parentheses next to the BIOC names:
  - Microsoft HTML Application Host spawns from CMD or Powershell (bfca0d1c-91f9-4ed3-b812-f207ba100a3b) - decreased severity to informational
  - Microsoft Office process spawns a commonly abused process (c043b141-83d4-4158-a573-c1e348bb2ad9) - decreased severity to informational
  - Web server spawns an unsigned process (bd23f54a-2bd4-417e-80ea-9dd7dcea54f4) - decreased severity to informational
  - PowerShell calling Invoke-Expression argument (d9e32419-d8f0-4b2b-b395-6c27be156d56) - decreased severity to informational
  - Cleartext password harvesting using find tools (7ac5c888-838d-489c-a6a9-2bab9cec7e9d) - decreased severity to informational
  - Compiler process started by an Office process (9b8c5e4f-1b36-49ad-b2c4-155f244ea0ac) - decreased severity to informational
  - New local user created via command line (8369f619-0fc7-4b32-aa9f-fce1efcfd3c7) - decreased severity to informational
  - Unsigned process injects code into a process (5c3624c9-b234-49b3-b6c1-beae8d9891f8) - decreased severity to informational
  - Scripting engine injects code to a process (1f985402-f4a4-4132-b74b-18a04a3620cd) - decreased severity to informational
  - Unsigned process makes connections over DNS ports (99470a0e-c311-42a1-872f-74fde3326794) - decreased severity to informational
  - Scripting engine makes connections over DNS ports (b3779123-e79d-43b5-b1f5-2fb41093afef) - decreased severity to informational
June 19, 2019 Release
- 27 BIOC rule changes:
  - Manipulation of Windows settings using bcdedit.exe - decreased severity to informational
  - Bypassing Windows UAC using disk cleanup - decreased severity to low
  - Commonly abused process executes by a remote host using psexec - decreased severity to informational
  - Compiled HTML (help file) writes a binary file to disk - decreased severity to medium
  - Cscript connects to an external network - decreased severity to informational
  - Windows process masquerading by an unsigned process - decreased severity to informational
  - Windows Powershell Logging being disabled via registry - decreased severity to informational
  - Binary file being created to disk with a double extension - decreased severity to medium
  - Outlook creates an executable file on disk - decreased severity to low
  - Executable created to disk by lsass.exe - decreased severity to medium
  - Microsoft Office process spawns a commonly abused process - decreased severity to low
  - Powershell runs with known Mimikatz arguments - decreased severity to medium
  - Process attempts to kill a known security/AV tool - decreased severity to medium, improved detection logic
  - Process runs from the recycle bin - decreased severity to medium
  - Process runs with a double extension - decreased severity to medium
  - Enumeration of installed AV or FW products using WMIC - decreased severity to informational
  - Powershell process makes network connections to the internet - decreased severity to informational
  - Powershell runs base64 encoded commands - decreased severity to informational
  - Communication over email ports to external email server by unsigned process - decreased severity to informational
  - PowerShell calling Invoke-Expression argument - improved detection logic
  - Compiler process started by a commonly abused shell process - decreased severity to informational
  - Unsigned process executing whoami command - decreased severity to informational
  - Scripting engine called to run in the command line - decreased severity to informational
  - Unsigned process injects code into a process - decreased severity to low
  - Sensitive Google Chrome files access by a non-Google process - decreased severity to informational
  - Script file entry written to startup related registry keys - decreased severity to informational
  - Adobe Acrobat Reader drops an executable file to disk - decreased severity to low, improved detection logic
April 15-16, 2019 Release
- Adobe Acrobat Reader drops an executable file to disk - ignore acrord32.exe as causality process to reduce false positives
Initial Release
- 198 BIOC rules:
  - 12 high severity
  - 11 medium severity
  - 53 low severity
  - 122 informational