cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Older Cortex XDR Content Release Notes (2019)

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Printer Friendly Page
yshivek
‎05-10-2020 07:50 AM

Older Cortex XDR Content Release Notes (2019)

 

 

December 29, 2019 Release
  • Increased the severity to high for a BIOC rule:
    • ntdsutil.exe accessing ntds.dit file (73a6f03c-d459-4314-8213-3b69c9aa69c8) - increased severity and changed metadata
  • Increased the severity to medium for a BIOC rule:
    • New local user created via PowerShell command line (8369f619-0fc7-4b32-aa9f-fce1efcfd3c7) - increased severity and changed metadata
  • Added 5 new informational BIOC rules:
    • Procdump executed from an atypical directory (e8338494-20af-11ea-bbde-8c8590c9ccd1) - added a new informational alert
    • Unsigned integer Sudo privilege escalation (1974dd9e-20c1-11ea-ab34-8c8590c9ccd1) added a new informational alert
    • debug.bin file dropped to Temp folder (5b161cc7-20d1-11ea-bf45-8c8590c9ccd1) added a new informational alert
    • LOLBAS executable injection into another process (c8ad0223-2018-11ea-a080-8c8590c9ccd1) added a new informational alert
    • Suspicious runonce.exe parent process (029129fa-20ad-11ea-b86e-8c8590c9ccd1) added a new informational alert
  • Changed metadata for a BIOC rule:
    • Microsoft Office Equation Editor spawns a commonly abused process (68d5ddf7-50b4-49e0-be96-863cf763a2b1) - changed metadata

 

December 15, 2019 Release
  • Improved the logic of 2 informational BIOC rules:
    • Service enumeration via sc (f5ad264a-fc27-4cef-9a94-245150ace5b1) - improved logic and changed metadata changed
    • Kerberos service ticket request in PowerShell command (90e50124-8bf2-4631-861e-4b3e1766af5f) - improved logic and changed metadata
  • Changed the metadata for a BIOC rule:
    • Excel Web Query file created on disk (5f29933c-46ae-45f4-b5ce-fc59f12240bf) - changed metadata
  • Added 9 new informational BIOC rules:
    • Hash cracking using Hashcat tool (f09765e8-105f-11ea-af82-8c8590c9ccd1) - added a new informational alert
    • Host firewall profile discovery using netsh (42d72b02-1751-11ea-8401-88e9fe502c1f) - added a new informational alert
    • Enumeration of services via wmic (3654c173-14e9-11ea-8723-88e9fe502c1f) - added a new informational alert
    • Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - added a new informational alert
    • Discovery of host’s users via wmic (6593c57d-14fe-11ea-9297-88e9fe502c1f) - added a new informational alert
    • DNS resolution to the Palo Alto Networks sinkhole (03347621-15db-11ea-8454-88e9fe502c1f) - added a new informational alert
    • Enumeration of services via PowerShell (6977966b-14e9-11ea-b5d7-88e9fe502c1f) - added a new informational alert
    • Interface enumeration using netsh (3c63c894-1449-11ea-803f-88e9fe502c1f) - added a new informational alert
    • Kerberos ticket forging using Impacket ticketer (08222430-105d-11ea-8d11-8c8590c9ccd1) - added a new informational alert

 

November 3, 2019 Release
  • Increased the severity to high for a BIOC rule:
    • Bitsadmin.exe used to upload data (6ba957eb-d63e-4cee-99aa-89e21ef3acc8) - improved logic, changed metadata and increased the severity to high
  • Increased the severity to medium for 5 BIOC rules:
    • Windows set to permit unsigned drivers (Test Mode) (bc4e5b48-cd06-4eb4-a35c-3ea42bf98ff4) - changed metadata, and increased the severity to medium
    • Delete Volume USN Journal with fsutil (9d79f0ce-15c2-4ab8-b63e-2f22d74423e3) - increased the severity to medium
    • 64-bit PowerShell spawning a 32-bit PowerShell (824a3186-b262-4e01-a45c-35cca8efa233) - improved logic, and increased the severity to medium
    • Rundll32.exe running with no command-line arguments (0c0a801a-06ff-4a10-b555-67e56ecbd410) - improved logic, and increased the severity to medium
    • Injection into rundll32.exe (0c0a80af-06ff-4a10-b555-67e56ecbd410) - improved logic, and increased the severity to medium
  • Added 3 new informational BIOC rules:
    • Bitsadmin.exe used to download data (6aa957eb-d63e-4cee-99aa-89e21ef3acc8) - added a new informational alert
    • Non-browser access to a pastebin-like site (6b394699-0a16-4d03-b8b4-e9a062965ad7) - added a new informational alert
    • Non-browser failed access to a pastebin-like site (c1e7607b-e56c-43ca-b072-5b266bb4133b) - added a new informational alert
  • Improved the logic of an informational BIOC rule:
    • Executable or script created in the startup folder (5ee4f82d-6d98-4f94-a832-a62957234d69) - improved logic
  • Deleted an informational BIOC rule: 
    • Default Cobalt Strike command line for beaconing with PowerShell (f8ea70da-4bbd-44a7-9a32-0abc809dd2ae) - removed the alert

 

September 27, 2019 Release
  • Decreased the severity to informational for a BIOC rule:
    • Netcat shell via named pipe (cb05480f-17d8-4138-9902-f0f9fb50b674) - decreased severity to informational

 

September 26, 2019 Release
  • Increased the severity to high for 6 BIOC rules:
    • Command-line creation of TCP stream (cb05480f-17d8-4138-9902-f0f9fb50b673) - improved detection logic, and increased severity to high
    • Netcat shell via named pipe (cb05480f-17d8-4138-9902-f0f9fb50b674) - improved detection logic, and increased severity to high
    • Python script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b675) - improved detection logic, and increased severity to high
    • Perl script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b676) - improved detection logic, and increased severity to high
    • PHP script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b677) - improved detection logic, and increased severity to high
    • Wbadmin.exe deletes recovery files in quiet mode (24be0d84-2203-4d60-a1f0-39e4f80eee3a) - improved detection logic, changed the metadata, and increased severity to high
  • Increased the severity to moderate for 4 BIOC rules:
    • User added to local administrator group using a PowerShell command (7135da01-046f-452b-99d3-974795aca8c6) - changed the metadata, and increased severity to medium
    • Scheduled task created with HTTP or FTP reference (3c888671-03a0-4e8f-8192-c7a6e031712c) - improved detection logic, changed the metadata, and increased severity  to medium
    • Powershell downloads files via BITS (ed10c4cc-867c-4318-aa9d-59d57d6934bb) - improved detection logic, changed the metadata, and increased severity  to medium
    • Clear Windows event logs using PowerShell.exe (d9321f3f-d32e-4aa9-8f88-22b03c36139d) - increased severity to medium
  • Improved the detection logic and increased the severity to low for 2 BIOC rules:
    • Reading bash command history file (cb05480f-17d8-4138-9902-f0f9fb50b672) - improved detection logic, and increased severity to low
    • Reading .ssh files (cb05480f-17d8-4138-9905-f0f9fb50b671) - improved detection logic, and increased severity to low
  • Improved the detection logic of a low-severity BIOC rules:
    • Image File Execution Options registry key injection by unsigned process (98430360-5b37-465e-acd6-bafa9325110c) - improved detection logic
  • Improved the detection logic of 4 informational BIOC rules:
    • Default Cobalt Strike command line for beaconing with PowerShell (f8ea70da-4bbd-44a7-9a32-0abc809dd2ae) - improved detection logic
    • Curl connects to an external network (5e1b87b5-e0db-4ff9-9901-ed73a5190323) - improved detection logic
    • Wget connects to an external network (5e1b87b5-e0db-4ff9-9901-ed73a5190322) - improved detection logic
    • Accessing Linux bash history file (cb05480f-17d8-4138-9902-f0f9fb50b671) - improved detection logic
  • Added a new informational BIOC rule:
    • Accessing Linux bash history file using bash commands (cb05480f-17d8-4138-9992-f0f9fb50b671) - added a new informational alert

 

September 25, 2019 Release
  • Added 7 new informational BIOC rules:
    • Default Cobalt Strike command line for beaconing with PowerShell (f8ea70da-4bbd-44a7-9a32-0abc809dd2ae) - added a new informational alert
    • Rundll32.exe running with no command-line arguments (0c0a801a-06ff-4a10-b555-67e56ecbd410) - added a new informational alert
    • Injection into rundll32.exe (0c0a80af-06ff-4a10-b555-67e56ecbd410) - added a new informational alert
    • Unsigned process injecting into a windows system binary with no command line (0c0a801f-06ff-4a10-b555-67e5aecbd410) added a new informational alert
    • RDP connections enabled via registry by unsigned process (6d432610-7ee0-4857-a8f5-009dfd4bde14) - added a new informational alert
    • RDP connections enabled via registry from a script host or rundll32.exe (0f705be9-8cd2-4263-9735-6d394f08b974) - added a new informational alert
    • 64-bit PowerShell spawning a 32-bit PowerShell (824a3186-b262-4e01-a45c-35cca8efa233) - added a new informational alert
  • Reduced the severity of 1 BIOC rule to informational:
    • Outlook creates an executable file on disk (deafab32-3050-467d-a742-92f6453a152e) - decreased severity to informational

 

September 5, 2019 Release
  • Added a new BIOC rule:
    • Image File Execution Options registry key injection by scripting engine (f8ea70da-4bbd-44a7-9b32-0abc809dd2be) - added a new low severity alert
  • Improved the detection logic and increased the severity of 2 BIOC rules:
    • Image File Execution Options registry key injection by unsigned process (98430360-5b37-465e-acd6-bafa9325110c) - improved detection logic, changed the metadata, and increased severity to low
    • WebDAV drive mounted from net.exe over HTTPS (0c0a801f-06ff-4a10-b555-67e56ecbd410) - improved detection logic, and increased severity to low
  • Improved the detection logic of 3 informational BIOC rules:
    • Executable moved to system32 folder (045190df-f5ab-491a-b214-199dc17f9e3b) - improved detection logic
    • RDP enabled via registry (6d432610-7ee0-4857-a8f5-009dfd4bde14) - improved detection logic
    • Multiple RDP sessions enabled via registry (b1ac2867-7f82-4d99-b565-2fb5425c1bb5) - improved detection logic

 

August 8, 2019 Release
  • Improved the detection logic of 7 BIOC rules:
    • Cscript.exe connects to an external network (9410a485-491b-42e4-af6c-de4a76e12f0c) - improved detection logic
    • Windows Firewall disabled via registry (31796d2e-08a9-4047-8f37-3a0c2aad8f67) - improved detection logic and changed the metadata
    • Process attempts to kill a known security/AV tool (e33072a2-ae58-43a0-bd05-08e986732f03) - improved detection logic
    • Wscript.exe connects to an external network (deef10e3-42b1-45fa-a957-9713755fa514) - improved detection logic
    • PowerShell process connects to the internet (5e1b87b5-e0db-4ff9-806b-ed73a5190222) - improved detection logic
    • Communication over email ports to external email server by unsigned process (7b424216-fe61-4589-bcee-67e9e7b267be) - improved detection logic
    • New local user created via Powershell command line (8369f619-0fc7-4b32-aa9f-fce1efcfd3c7) - improved detection logic and changed the metadata
  • Decreased severity of 2 BIOC rules:
    • Microsoft Office process spawns an unsigned process (da9356d9-f8fa-4d32-a6eb-a79a2590816e) - decreased severity to informational
    • Web server process drops an executable to disk (20a37717-dd61-4fe5-a73b-80d9fb2a8862) - decreased severity to informational
  • Added 18 new informational BIOC rules:
    • Windows Firewall notifications disabled via registry (31796d2e-08a9-4047-8f37-3a0c2aa11702) - added a new informational alert
    • Windows Firewall policy edited via registry (31796d2e-08a9-4047-8f37-3a0c2aa11703) - added a new informational alert
    • Curl connects to an external network (5e1b87b5-e0db-4ff9-9901-ed73a5190323) - added a new informational alert
    • Wget connects to an external network (5e1b87b5-e0db-4ff9-9901-ed73a5190322) - added a new informational alert
    • Accessing Linux bash history file (cb05480f-17d8-4138-9902-f0f9fb50b671) - added a new informational alert
    • Reading bash command history file (cb05480f-17d8-4138-9902-f0f9fb50b672) - added a new informational alert
    • Reading .ssh files (cb05480f-17d8-4138-9905-f0f9fb50b671) - added a new informational alert
    • Command-line creation of TCP stream (cb05480f-17d8-4138-9902-f0f9fb50b673) - added a new informational alert
    • Netcat shell via named pipe (cb05480f-17d8-4138-9902-f0f9fb50b674) - added a new informational alert
    • Python script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b675) - added a new informational alert
    • Perl script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b676) - added a new informational alert
    • PHP script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b677) - added a new informational alert
    • Image File Execution Options registry key injection (98430360-5b37-465e-acd6-bafa9325110c) - added a new informational alert
    • Executable moved to system32 folder (045190df-f5ab-491a-b214-199dc17f9e3b) - added a new informational alert
    • RDP enabled via registry (6d432610-7ee0-4857-a8f5-009dfd4bde14) - added a new informational alert
    • Multiple RDP sessions enabled via registry (b1ac2867-7f82-4d99-b565-2fb5425c1bb5) - added a new informational alert
    • Outlook data files accessed by an unsigned process (ea7088cd-90e4-4750-b65c-61743e3c4bb3) - added a new informational alert
    • WebDAV drive mounted from net.exe over HTTPS (0c0a801f-06ff-4a10-b555-67e56ecbd410) - added a new informational alert

 

July 18, 2019 Release
  • Modified 6 BIOC rules:
    • Privilege escalation using local named pipe impersonation (dd0ac223-8aaa-4630-988d-de39eba83d29) - increased severity to medium
    • Privilege escalation using local named pipe impersonation through DLL (d915cff3-5ce9-493f-9973-808a93ed50ad) - increased severity to medium
    • New entry added to startup related registry keys by unsigned process (a09c90f7-0b45-4f2a-ac71-96170f047921) - decreased severity to informational
    • Windows Firewall being disabled via registry (31796d2e-08a9-4047-8f37-3a0c2aad8f67) - decreased severity to informational
    • Outlook creates an executable file on disk (deafab32-3050-467d-a742-92f6453a152e) - improved detection logic
    • Web server process drops an executable to disk (20a37717-dd61-4fe5-a73b-80d9fb2a8862) - improved detection logic
  • Deleted 2 BIOC rules:
    • Execution of network debugging/tunnelling tool (56a93227-73d7-42e5-936c-0a3de691b7c6) - removed the alert
    • Explorer spawned from commonly abused host process (7b2e9352-20cf-4c52-94e9-b01fac10753a) - removed the alert

 

July 11, 2019 Release
  • Added 5 new medium-severity BIOC rules for detecting credential dumping:
    • Credential dumping via gsecdump.exe (ca11656e-2c37-4089-94e3-f659ba50d792) - added a new medium-severity alert
    • Credential dumping via pwdumpx.exe (8e3f6394-1633-47c9-8ca8-63b5c0187983) - added a new medium-severity alert
    • Credential dumping via wce.exe (0c468243-6943-4871-be10-13fb68c0a8ef) - added a new medium-severity alert
    • Dumping lsass.exe memory for credential extraction (cb05480f-17d8-4138-aa38-f0f9fb50b671) - added a new medium-severity alert
    • Credential dumping via fgdump.exe (eebd92ac-c37f-4e7a-b37d-5c0189ddedcb) - added a new medium-severity alert
  • Improved the detection logic of 7 BIOC rules:
    • Cscript.exe connects to an external network (9410a485-491b-42e4-af6c-de4a76e12f0c) - improved detection logic
    • Windows Event Log cleared using wevtutil.exe (938176d0-d14a-49a0-9159-6081627eba03) - improved detection logic, increased severity to high and changed the metadata
    • Wscript.exe connects to an external network (deef10e3-42b1-45fa-a957-9713755fa514) - improved detection logic
    • Wbadmin.exe deletes recovery files in quiet mode (24be0d84-2203-4d60-a1f0-39e4f80eee3a) - improved detection logic, increased severity to medium and changed the metadata
    • PowerShell process connects to the internet (5e1b87b5-e0db-4ff9-806b-ed73a5190222) - improved detection logic
    • Communication over email ports to external email server by unsigned process (7b424216-fe61-4589-bcee-67e9e7b267be) - improved detection logic
    • Adobe Acrobat Reader drops an executable file to disk (61f01972-e07f-46d7-ba75-f1ec1309625a) - improved detection logic

 

July 9, 2019 Release
  • Changed the logic of 1 BIOC rule and added 16 informational BIOC rules:
    • Windows Event Log cleared using wevtutil.exe (938176d0-d14a-49a0-9159-6081627eba03) - improved detection logic
    • Active Directory enumeration via command-line tool (136788a7-717a-49e2-9e0a-76f00eb60ed6) - added a new informational alert
    • Logged on users enumeration via query.exe (375cb7bf-400e-4fbf-9755-693d80a5a54a) - added a new informational alert
    • Delete Volume USN Journal with fsutil (9d79f0ce-15c2-4ab8-b63e-2f22d74423e3) - added a new informational alert
    • Attempted to dump ntds.dit (73a6f03c-d459-4314-8213-3b69c9aa69c8) - added a new informational alert
    • Kerberos service ticket request in PowerShell command (90e50124-8bf2-4631-861e-4b3e1766af5f) - added a new informational alert
    • Creation of volume shadow copy using vssadmin.exe (8dd80937-96d8-4ecf-9f44-29a46e0cb5d9) - added a new informational alert
    • Modification of NTLM restrictions in the registry (207bde33-2c02-4aa7-ae4f-e22146b79ba6) - added a new informational alert
    • Logged on users enumeration via quser.exe (6b228541-9610-4e6f-ad5d-dc6b8d027405) - added a new informational alert
    • Active directory enumeration using builtin nltest.exe (216e4145-0656-47c9-b4b3-40f362e133bc) - added a new informational alert
    • Clear Windows event logs using wmic.exe (7316c8d9-07d8-40aa-b074-b452bc3d355c) - added a new informational alert
    • Clear Windows event logs using PowerShell.exe (d9321f3f-d32e-4aa9-8f88-22b03c36139d) - added a new informational alert
    • Indirect command execution using the Program Compatibility Assistant (18447eac-7ad6-44a8-aaf5-7e75b0151166) - added a new informational alert
    • Privilege escalation using local named pipe impersonation (dd0ac223-8aaa-4630-988d-de39eba83d29) - added a new informational alert
    • Privilege escalation using local named pipe impersonation through DLL (d915cff3-5ce9-493f-9973-808a93ed50ad) - added a new informational alert
    • Addition or replacement of password filter DLL(s) through registry modification (ea98601c-e552-4b9b-8164-f085a38d383d) - added a new informational alert
    • Dumping registry hives with passwords via reg.exe (824a3186-b262-4e01-b45c-35cca8efa233) - added a new informational alert

 

July 7, 2019 Release

  • 11 BIOC rule changes - note that for this content release, and for future ones, global rule IDs are listed in parentheses next to the BIOC names:
    • Microsoft HTML Application Host spawns from CMD or Powershell (bfca0d1c-91f9-4ed3-b812-f207ba100a3b) - decreased severity to informational
    • Microsoft Office process spawns a commonly abused process (c043b141-83d4-4158-a573-c1e348bb2ad9) - decreased severity to informational
    • Web server spawns an unsigned process (bd23f54a-2bd4-417e-80ea-9dd7dcea54f4) - decreased severity to informational
    • PowerShell calling Invoke-Expression argument (d9e32419-d8f0-4b2b-b395-6c27be156d56) - decreased severity to informational
    • Cleartext password harvesting using find tools (7ac5c888-838d-489c-a6a9-2bab9cec7e9d) - decreased severity to informational
    • Compiler process started by an Office process (9b8c5e4f-1b36-49ad-b2c4-155f244ea0ac) - decreased severity to informational
    • New local user created via command line (8369f619-0fc7-4b32-aa9f-fce1efcfd3c7) - decreased severity to informational
    • Unsigned process injects code into a process (5c3624c9-b234-49b3-b6c1-beae8d9891f8) - decreased severity to informational
    • Scripting engine injects code to a process (1f985402-f4a4-4132-b74b-18a04a3620cd) - decreased severity to informational
    • Unsigned process makes connections over DNS ports (99470a0e-c311-42a1-872f-74fde3326794) - decreased severity to informational
    • Scripting engine makes connections over DNS ports (b3779123-e79d-43b5-b1f5-2fb41093afef) - decreased severity to informational

 

June 19, 2019 Release

  • 27 BIOC rule changes:
    • Manipulation of Windows settings using bcdedit.exe - decreased severity to informational
    • Bypassing Windows UAC using disk cleanup - decreased severity to low
    • Commonly abused process executes by a remote host using psexec - decreased severity to informational
    • Compiled HTML (help file) writes a binary file to disk - decreased severity to medium
    • Cscript connects to an external network - decreased severity to informational
    • Windows process masquerading by an unsigned process - decreased severity to informational
    • Windows Powershell Logging being disabled via registry - decreased severity to informational
    • Binary file being created to disk with a double extension - decreased severity to medium
    • Outlook creates an executable file on disk - decreased severity to low
    • Executable created to disk by lsass.exe - decreased severity to medium
    • Microsoft Office process spawns a commonly abused process - decreased severity to low
    • Powershell runs with known Mimikatz arguments - decreased severity to medium
    • Process attempts to kill a known security/AV tool- decreased severity to medium, improved detection logic
    • Process runs from the recycle bin - decreased severity to medium
    • Process runs with a double extension - decreased severity to medium
    • Enumeration of installed AV or FW products using WMIC - decreased severity to informational
    • Powershell process makes network connections to the internet - decreased severity to informational
    • Powershell runs base64 encoded commands - decreased severity to informational
    • Communication over email ports to external email server by unsigned process - decreased severity to informational
    • PowerShell calling Invoke-Expression argument - improved detection logic
    • Compiler process started by a commonly abused shell process - decreased severity to informational
    • Unsigned process executing whoami command - decreased severity to informational
    • Scripting engine called to run in the command line - decreased severity to informational
    • Unsigned process injects code into a process - decreased severity to low
    • Sensitive Google Chrome files access by a non-Google process - decreased severity to informational
    • Script file entry written to startup related registry keys - decreased severity to informational
    • Adobe Acrobat Reader drops an executable file to disk - decreased severity to low, improved detection logic

 

April 15-16, 2019 Release

  • Adobe Acrobat Reader drops an executable file to disk - ignore acrord32.exe as causality process to reduce false positives

 

Initial Release

  • 198 BIOC rules:
    • 12 high severity
    • 11 medium severity
    • 53 low severity
    • 122 informational
 
 
0 Likes
Rate this article:
240 Views
Ask Questions Get Answers Join the Live Community
Version history
Revision #:
5 of 5
Last update:
‎05-22-2020 08:24 AM
Updated by:
 
View article history
Labels
Contributors
Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2020 - Palo Alto Networks