Cortex XDR Articles

Cortex XDR Content Release Notes

April 18, 2021 Release:
- Improved logic of a Medium BIOC:
  - Manipulation of netsh helper DLLs Registry keys (79d203ef-e417-4c8d-87c8-776c6ec4967f) - improved logic of a Medium BIOC
- Added a new Medium Analytics BIOC:
  - Execution of a password brute-force tool (90010a1e-59b9-42a2-b768-2778a666f7a3) - added a new Medium alert
- Improved logic of a Medium Analytics BIOC:
  - Failed Login For a Long Username With Special Characters (de8eb00f-2016-11ea-8f2b-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC

April 11, 2021 Release:
- Improved logic of a High Analytics BIOC:
  - Bronze-Bit exploit (115c6f43-ebb2-48d8-9044-9b52c0102e2f) - improved logic of a High Analytics BIOC
- Improved logic of 3 Medium Analytics BIOCs:
  - Failed Login For a Long Username With Special Characters (de8eb00f-2016-11ea-8f2b-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
  - Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
  - Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - improved logic of a Medium Analytics BIOC
- Added a new Medium Analytics Alert:
  - Sudoedit Brute force attempt (e1d6cdd8-845f-440b-b89e-a430eafea941) - added a new Medium alert
- Improved logic of a Medium Analytics Alert:
  - Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - improved logic of a Medium Analytics Alert
- Improved logic of 5 Low Analytics BIOCs:
  - Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) - improved logic of a Low Analytics BIOC
  - Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - improved logic of a Low Analytics BIOC
  - Rare SSH Session (85f62ab8-e953-11e9-beca-8c8590c9ccd1) - improved logic of a Low Analytics BIOC
  - Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - improved logic of a Low Analytics BIOC
  - Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - improved logic of a Low Analytics BIOC
- Changed metadata of a Low Analytics BIOC:
  - Suspicious RunOnce Parent Process (565f0500-ad74-11ea-abe7-acde48001122) - changed metadata of a Low Analytics BIOC
- Improved logic of 4 Low Analytics Alerts:
  - Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alert
  - Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - improved logic of a Low Analytics Alert
  - Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - improved logic of a Low Analytics Alert
  - Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alert
- Added a new Informational BIOC:
  - SharpHound LDAP query (5f50bb22-588c-4d48-8600-446df59d8a51) - added a new Informational alert
- Changed metadata of 3 Informational BIOCs:
  - Crash dump file created (e6cb68b9-7bb3-4be2-9b7c-d66d560e5a3b) - changed metadata of an Informational BIOC
  - Enumeration command executes (6958a24d-f33a-45f2-819c-b47c1e03964d) - changed metadata of an Informational BIOC
  - Enumeration command called by commonly abused CGO (e7d21bc3-3190-4b25-a2f4-20c6242b1029) - changed metadata of an Informational BIOC
- Improved logic of an Informational Analytics BIOC:
  - Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of an Informational Analytics BIOC

April 4, 2021 Release:
- Improved logic of a Medium Analytics Alert:
  - Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alert
- Added a new Low Analytics BIOC:
  - Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - added a new Low alert
- Improved logic of 2 Low Analytics BIOCs:
  - Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOC
  - Wsmprovhost.exe Rare Child Process (f5b580fd-e952-11e9-91de-8c8590c9ccd1) - improved logic of a Low Analytics BIOC
- Improved logic of a Low Analytics Alert:
  - Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - improved logic of a Low Analytics Alert
- Changed metadata of a Low Analytics Alert:
  - Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - changed metadata of a Low Analytics Alert
- Improved logic of an Informational Analytics BIOC:
  - Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of an Informational Analytics BIOC

March 29, 2021 Release:
- Decreased the severity to Medium for an Analytics BIOC:
  - Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - decreased the severity to Medium
- Improved logic of a Medium Analytics BIOC:
  - SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
- Improved logic of a Low Analytics BIOC:
  - Uncommon net group execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) - improved logic of a Low Analytics BIOC
- Improved logic of 2 Low Analytics Alerts:
  - Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alert
  - Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alert
- Improved logic of an Informational Analytics BIOC:
  - Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - improved logic of an Informational Analytics BIOC

March 22, 2021 Release:
- Improved logic of a Medium Analytics BIOC:
  - Execution of renamed lolbin (fdb82a70-8f9a-11ea-9918-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
- Improved logic of a Medium Analytics Alert:
  - Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) - improved logic of a Medium Analytics Alert
- Improved logic of 5 Low Analytics Alerts:
  - Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alert
  - Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alert
  - Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - improved logic of a Low Analytics Alert
  - Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alert
  - High Connection Rate (bce7d695-69c6-4a03-a728-0254fd22c116) - improved logic of a Low Analytics Alert
- Removed an old Informational BIOC:
  - Network configuration discovery (d69c1be0-a351-469d-a47c-34e1f0562690) - removed an old Informational alert

March 16, 2021 Release:
- Changed metadata of a High Analytics BIOC:
  - Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - changed metadata of a High Analytics BIOC
- Improved logic of a Medium Analytics BIOC:
  - Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - improved logic of a Medium Analytics BIOC

March 14, 2021 Release:
- Added a new High Analytics BIOC:
  - Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) - added a new High alert
- Improved logic of a High Analytics BIOC:
  - Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a High Analytics BIOC
- Removed an old Medium BIOC:
  - Network sniffing via command-line tool (4b25dcce-0ac3-4cb2-8c97-939a1077af84) - removed an old Medium alert
- Added a new Medium Analytics BIOC:
  - Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - added a new Medium alert
- Improved logic of 2 Medium Analytics BIOCs:
  - SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
  - Network sniffing via command-line tool (4b25dcce-0ac3-4cb2-8c97-939a1077af84) - improved logic of a Medium Analytics BIOC
- Improved logic of a Low Analytics BIOC:
  - Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOC
- Improved logic of an Informational Analytics BIOC:
  - Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - improved logic of an Informational Analytics BIOC

March 3, 2021 Release:
- Added a new High BIOC:
  - Exchange process writing aspx files (c926dbe2-c56a-4d1b-bf7e-d5b759082912) - added a new High alert

February 28, 2021 Release:
- Changed metadata of a High Analytics BIOC:
  - Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - changed metadata of a High Analytics BIOC
- Improved logic of a Medium BIOC:
  - LOLBAS executable injects into another process (c8ad0223-2018-11ea-a080-8c8590c9ccd1) - improved logic of a Medium BIOC
- Improved logic of a Medium Analytics BIOC:
  - LOLBIN spawned by an Office executable connected to a rare external host (0aad6094-99a3-11ea-8544-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
- Changed metadata of 2 Medium Analytics BIOCs:
  - WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOC
  - Suspicious Process Spawned by wininit.exe (9e4ba29f-8771-4f7b-acc4-562c91740934) - changed metadata of a Medium Analytics BIOC
- Improved logic of a Medium Analytics Alert:
  - Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alert
- Increased the severity to Low for a BIOC:
  - Commonly-abused AutoIT script connects to a remote host (429e8b36-070c-44ae-ae6d-50f89d31261e) - increased the severity to Low
- Improved logic of 2 Low Analytics BIOCs:
  - Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - improved logic of a Low Analytics BIOC
  - Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOC
- Changed metadata of a Low Analytics BIOC:
  - Suspicious process execution by scheduled task (56bc5f4c-e481-41de-81e4-ec618fb1f004) - changed metadata of a Low Analytics BIOC
- Added a new Low Analytics Alert:
  - Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - added a new Low alert

February 21, 2021 Release:
- Added a new High Analytics BIOC:
  - Bronze-Bit exploit (115c6f43-ebb2-48d8-9044-9b52c0102e2f) - added a new High alert
- Improved logic of a High Analytics BIOC:
  - Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a High Analytics BIOC
- Improved logic of a Medium Analytics Alert:
  - Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alert
- Improved logic of a Low Analytics BIOC:
  - Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOC
- Improved logic of a Low Analytics Alert:
  - Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - improved logic of a Low Analytics Alert
- Improved logic of an Informational BIOC:
  - Non-browser process downloads content from GitHub (75c22cca-c58a-4319-881b-1f7b917cdad2) - improved logic of an Informational BIOC
- Improved logic of an Informational Analytics BIOC:
  - Recurring Rare IP Access (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of an Informational Analytics BIOC

February 14, 2021 Release:
- Added a new Medium Analytics BIOC:
  - Reverse SSH tunnel to external domain/ip (1511885b-1fb5-4118-b8a9-fedd43a285c1) - added a new Medium alert
- Improved logic of 2 Medium Analytics BIOCs:
  - Script Connecting to Rare External Host (86889630-e953-11e9-b74e-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
  - WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
- Changed metadata of 2 Medium Analytics BIOCs:
  - SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
  - Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
- Decreased the severity to Low for a BIOC:
  - Process runs from the recycle bin (98134120-eed2-4252-b6d6-d130743018c6) - decreased the severity to Low, and improved detection logic
- Added a new Low Analytics BIOC:
  - Suspicious process execution by scheduled task (56bc5f4c-e481-41de-81e4-ec618fb1f004) - added a new Low alert
- Improved logic of a Low Analytics BIOC:
  - Rare SSH Session (85f62ab8-e953-11e9-beca-8c8590c9ccd1) - improved logic of a Low Analytics BIOC
- Decreased the severity to Informational for an Analytics BIOC:
  - Recurring Rare IP Access (85efd97a-e265-4498-9037-f15f6d041991) - decreased the severity to Informational
- Improved logic of an Informational Analytics BIOC:
  - Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - improved logic of an Informational Analytics BIOC

February 07, 2021 Release:
- Increased the severity to Medium for a BIOC:
  - Modification of NTLM restrictions in the Registry (207bde33-2c02-4aa7-ae4f-e22146b79ba6) - increased the severity to Medium
- Removed an old Informational BIOC:
  - Commonly-abused AutoIT script drops an executable file to disk (267a6168-f45b-4274-9c78-7519395f47d4) - removed an old Informational alert
- Added a new Informational Analytics BIOC:
  - Commonly-abused AutoIT script drops an executable file to disk (267a6168-f45b-4274-9c78-7519395f47d4) - added a new Informational alert

January 24, 2021 Release:
- Increased the severity to High for 4 BIOCs:
  - LOLBIN created a PowerShell script file (5cbee940-dfad-11ea-b820-faffc26aac4a) - increased the severity to High, and improved detection logic
  - Editing ld.so.preload for persistence and injection (9cb193d8-4f01-4c57-b21d-c3211e32fe5e) - increased the severity to High, and improved detection logic
  - Suspicious debug file created in a temporary folder (887e00c4-ec12-4490-b9bc-0db49a010fba) - increased the severity to High, and improved detection logic
  - Suspicious executable created in .NET directory (5bc9ba00-d590-11ea-ba6f-faffc26aac4a) - increased the severity to High
- Removed an old High BIOC:
  - Debug.bin file dropped to Temp folder (5b161cc7-20d1-11ea-bf45-8c8590c9ccd1) - removed an old High alert
- Increased the severity to Medium for 9 BIOCs:
  - Office process creates an unusual .LNK file (fc55f1f8-f1e7-11ea-84f5-faffc26aac4a) - increased the severity to Medium
  - Autorun.inf created in root C:\ drive (43fea42c-fbca-4e68-8f4b-7956f4397671) - increased the severity to Medium
  - Rundll32.exe spawns conhost.exe (9606ea78-dbef-11ea-b978-faffc26aac4a) - increased the severity to Medium, and improved detection logic
  - Virtual Directory configuration access via PowerShell (4920f289-67f2-482a-9320-a4532ca12845) - increased the severity to Medium
  - Suspicious .NET process loads an MSBuild DLL (5ed99c87-daf2-11ea-93df-faffc26aac4a) - increased the severity to Medium, and improved detection logic
  - Possible Persistence via group policy Registry keys (21ff020b-270f-4579-90ca-9d14638d4c46) - increased the severity to Medium, and improved detection logic
  - Suspicious DLL load using Control.exe (68db2d19-082e-4703-8008-b5938298a910) - increased the severity to Medium, and improved detection logic
  - Credential Vault command-line access (e57fdcf6-5bbf-46b7-a697-83042df49c5a) - increased the severity to Medium
  - Rundll32.exe with 'main' as EntryPoint (7f5b7042-dca4-11ea-81aa-faffc26aac4a) - increased the severity to Medium
- Added 2 new Medium Analytics BIOCs:
  - LOLBIN spawned by an Office executable connected to a rare external host (0aad6094-99a3-11ea-8544-88e9fe502c1f) - added a new Medium alert
  - Remote command execution via wmic.exe (f42fdaa8-4685-11ea-94be-88e9fe502c1f) - added a new Medium alert
- Improved logic of 2 Medium Analytics BIOCs:
  - Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
  - SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
- Increased the severity to Low for 7 BIOCs:
  - Suspicious .NET process spawns csc.exe (993f8e66-d59d-11ea-a6c7-faffc26aac4a) - increased the severity to Low, and improved detection logic
  - Injection into rundll32.exe (0c0a80af-06ff-4a10-b555-67e56ecbd410) - increased the severity to Low, and improved detection logic
  - System information discovery via psinfo.exe (9eafe6a7-b0fa-4f85-867f-8ef01412e124) - increased the severity to Low, and improved detection logic
  - Suspicious lock screen image file written to disk (7b6d6987-2aa8-4b85-a9d4-d7708a7d15da) - increased the severity to Low, and improved detection logic
  - Suspicious printer driver installation (f21127cf-cf34-11ea-b1bd-acde48001122) - increased the severity to Low, and improved detection logic
  - Plink/SSH reverse tunnel (d793d95c-0236-11eb-9597-faffc26aac4a) - increased the severity to Low, and improved detection logic
  - Suspicious AMSI DLL load location (f332b6ef-ac49-484c-9258-d6396650912a) - increased the severity to Low
- Added 4 new Low Analytics BIOCs:
  - Suspicious RunOnce Parent Process (565f0500-ad74-11ea-abe7-acde48001122) - added a new Low alert
  - Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - added a new Low alert
  - Rare Unsigned Process Spawned by Office Process Under Suspicious Directory (dff03970-bf7a-11ea-86c7-acde48001122) - added a new Low alert
  - Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - added a new Low alert
- Added 3 new Informational BIOCs:
  - Remote wmiexec execution (070094f8-87c3-47c4-92c8-82bcad12116f) - added a new Informational alert
  - Service execution via sc.exe (a1c6c171-005c-403b-a60b-fb85e6ecb81a) - added a new Informational alert
  - Security Support Provider (SSP) registered via a registry key (2b72b7fd-5b13-4ff1-ba5b-6b149c76f032) - added a new Informational alert
- Improved logic of 4 Informational BIOCs:
  - Modification of NTLM restrictions in the Registry (207bde33-2c02-4aa7-ae4f-e22146b79ba6) - improved logic of an Informational BIOC
  - Suspicious SDB file written to disk (cb9bd832-3391-4501-8ed3-95c56a7c3d08) - improved logic of an Informational BIOC
  - Wget connection to an external network (5e1b87b5-e0db-4ff9-9901-ed73a5190322) - improved logic of an Informational BIOC
  - Print spooler set to load new DLL on boot (87bff3b7-1bdb-4e2d-8bea-36bfb0a5da11) - improved logic of an Informational BIOC
- Added a new Informational Analytics BIOC:
  - Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - added a new Informational alert

January 18, 2021 Release:
- Improved logic of a Medium BIOC:
  - Unsigned process injecting into a Windows system binary with no command line (0c0a801f-06ff-4a10-b555-67e5aecbd410) - improved logic of a Medium BIOC
- Added 2 new Informational BIOCs:
  - Possible reverse SSH tunnel (7314accf-0f4a-4c08-a33c-f894fdd01e44) - added a new Informational alert
  - Gost Tunnel tool in the Command String (e88e4718-9211-4365-8700-103f86a39573) - added a new Informational alert

January 10, 2021 Release:
- Improved logic of a Medium BIOC:
  - Unsigned process injecting into a Windows system binary with no command line (0c0a801f-06ff-4a10-b555-67e5aecbd410) - improved logic of a Medium BIOC
- Improved logic of a Medium Analytics BIOC:
  - WmiPrvSe.exe Rare Child Process (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
- Changed metadata of 2 Low BIOCs:
  - Accessing bash history file (cb05480f-17d8-4138-9902-f0f9fb50b671) - changed metadata of a Low BIOC
  - Accessing bash history file using bash commands (cb05480f-17d8-4138-9992-f0f9fb50b671) - changed metadata of a Low BIOC
- Changed metadata of 4 Informational BIOCs:
  - System package enumeration (50dd2a0c-114b-11eb-a1fc-faffc26aac4a) - changed metadata of an Informational BIOC
  - Screen capture via command-line tool (593bc5d9-8bdf-482a-8d84-34b6045cf4d8) - changed metadata of an Informational BIOC
  - OS information listing via distro version file (3a85fbc4-a63f-4e0d-8c06-af22383db482) - changed metadata of an Informational BIOC
  - Collect network configuration (7b65214c-ed03-11ea-bd53-faffc26aac4a) - changed metadata of an Informational BIOC

December 29, 2020 Release:
- Increased the severity to Medium for an Analytics Alert:
  - Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - increased the severity to Medium
- Improved logic of a Medium Analytics Alert:
  - Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - improved logic of a Medium Analytics Alert
- Added 2 new Low Analytics BIOCs:
  - Domain federation settings have been modified (050d189d-714a-46a0-b25d-2b295afd55b6) - added a new Low alert
  - Unverified domain added to Azure AD (e4672ba4-6ba8-426c-82c1-9858f97a4221) - added a new Low alert
- Improved logic of a Low Analytics Alert:
  - Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - improved logic of a Low Analytics Alert
- Changed metadata of 3 Low Analytics Alerts:
  - High Connection Rate (bce7d695-69c6-4a03-a728-0254fd22c116) - changed metadata of a Low Analytics Alert
  - New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - changed metadata of a Low Analytics Alert
  - Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alert
- Added 4 new Informational BIOCs:
  - Virtual Directory configuration access via PowerShell (4920f289-67f2-482a-9320-a4532ca12845) - added a new Informational alert
  - ADFind queries Active Directory for Exchange groups (f623125f-b4e5-4e47-a5be-8fa788e7bb05) - added a new Informational alert
  - PowerShell dumps users and roles from Exchange server (01ac823a-d1fc-4621-8bce-cb78d1dc83a0) - added a new Informational alert
  - Malicious NetSetupSvc.dll loaded into svchost.exe (495195f9-3947-4fc7-913b-6e84fc937730) - added a new Informational alert

December 17, 2020 Release:
- Added 2 new High BIOCs:
  - SunBurst domain access (9cd4bdd1-939a-4dce-a466-752843bf5f41) - added a new High alert
  - SunBurst Module loaded (89308c56-40e9-43d4-8f0a-1c7f018a15d4) - added a new High alert
- Improved logic of 2 Informational BIOCs:
  - Disabling Windows Defender via Registry (d18483d3-1e7c-48cc-b1d9-6e1ab8592667) - improved logic of an Informational BIOC
  - Ping to a known external IP address (61079392-db2f-4b7a-b7f8-b87562137f73) - improved logic of an Informational BIOC

December 13, 2020 Release:
- Improved logic of a Medium BIOC:
  - Microsoft Office injects code into a process (17b8c759-512d-4c13-9fe4-71dcdeb97c29) - improved logic of a Medium BIOC
- Improved logic of 2 Medium Analytics Alerts:
  - Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) - improved logic of a Medium Analytics Alert
  - DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - improved logic of a Medium Analytics Alert
- Improved logic of 2 Low Analytics BIOCs:
  - Uncommon local scheduled task creation via schtasks.exe (8581c273-e953-11e9-b670-8c8590c9ccd1) - improved logic of a Low Analytics BIOC
  - Recurring Rare IP Access (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of a Low Analytics BIOC
- Improved logic of 4 Low Analytics Alerts:
  - Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alert
  - Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - improved logic of a Low Analytics Alert
  - Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alert
  - Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alert
- Added a new Informational BIOC:
  - EventLog service disabled by a Registry operation (b7c919b6-b653-49c6-bd20-2441160ec75e) - added a new Informational alert
- Improved logic of an Informational Analytics Alert:
  - Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of an Informational Analytics Alert

December 1, 2020 Release:
- Improved logic of a Medium BIOC:
  - Rundll32.exe running with no command-line arguments (0c0a801a-06ff-4a10-b555-67e56ecbd410) - improved logic of a Medium BIOC
- Improved logic of 2 Medium Analytics BIOCs:
  - SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
  - Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
- Improved logic of a Low Analytics BIOC:
  - Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - improved logic of a Low Analytics BIOC

November 22, 2020 Release:
- Improved logic of 3 Low Analytics MultiEvents:
  - High Connection Rate (bce7d695-69c6-4a03-a728-0254fd22c116) - improved logic of a Low Analytics MultiEvent
  - Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics MultiEvent
  - Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics MultiEvent

November 8, 2020 Release:
- Added a new Informational BIOC:
  - Lsmod execution (9e13baeb-f82d-11ea-a61b-faffc26aac4a) - added a new Informational alert
- Improved logic of a Medium BIOC:
  - Script file added to startup-related Registry keys (1db69ccd-b068-40b1-aeec-ce987021cdfc) - improved logic of a Medium BIOC
- Changed metadata of 4 High BIOCs:
  - Memory dumping with comsvcs.dll (9873cd8b-2220-4384-a99f-712ad0ccfb45) - changed metadata of a High BIOC
  - Possible LSASS memory dump (b744a41d-1ee9-4d09-908e-cf3fdc27fa4c) - changed metadata of a High BIOC
  - Pubprn.vbs signed script proxy execution (8d113cec-90be-4b24-856a-6f6c091e7510) - changed metadata of a High BIOC
  - Bitsadmin.exe used to upload data (6ba957eb-d63e-4cee-99aa-89e21ef3acc8) - changed metadata of a High BIOC
- Changed metadata of 10 Medium BIOCs:
  - Bypass UAC using the control.exe Registry key (263c2cfb-e511-446e-8263-14d0a985b445) - changed metadata of a Medium BIOC
  - WSReset.exe UAC bypass (c07d1939-f759-4b5e-905a-fdd777ac3fda) - changed metadata of a Medium BIOC
  - Manipulation of the MonitorProcess Registry key (36a92409-c69e-45fa-a206-5c6058d3d48a) - changed metadata of a Medium BIOC
  - Possible UAC bypass via Event Viewer (55644e90-38b9-4233-aa11-eefe85561184) - changed metadata of a Medium BIOC
  - Binary file being created to disk with a double extension (3a461861-7d8b-4a7c-8265-cb05f4fa0dd8) - changed metadata of a Medium BIOC
  - Credential dumping via pwdumpx.exe (8e3f6394-1633-47c9-8ca8-63b5c0187983) - changed metadata of a Medium BIOC
  - UAC bypass using the changepk.exe Registry key (8abd3382-cf28-4906-b379-a3976dc0cd21) - changed metadata of a Medium BIOC
  - Procdump executed from an atypical directory (e8338494-20af-11ea-bbde-8c8590c9ccd1) - changed metadata of a Medium BIOC
  - Fodhelper.exe UAC bypass (448f8a2e-eaf9-4ff7-ab84-5a582e837dfc) - changed metadata of a Medium BIOC
  - Suspicious process spawns MSBuild.exe (681dab98-d443-4327-9fd3-5f5bd33a3adb) - changed metadata of a Medium BIOC
- Changed metadata of 6 Low BIOCs:
  - Manipulation of MMC Registry configuration (6b29c2d9-4675-426c-b5f2-67f93c5c0ac4) - changed metadata of a Low BIOC
  - Windows Firewall disabled via Registry (31796d2e-08a9-4047-8f37-3a0c2aad8f67) - changed metadata of a Low BIOC
  - Windows Firewall notifications disabled via Registry (31796d2e-08a9-4047-8f37-3a0c2aa11702) - changed metadata of a Low BIOC
  - Persistence using cron jobs (3a73f6c2-ce9a-4eca-a4b5-a62a8e548319) - changed metadata of a Low BIOC
  - Bash creating network traffic (8bbc8c26-45dd-436c-9d89-98f76164daee) - changed metadata of a Low BIOC
  - Remote process execution using WMI (5bab2bb9-882a-4101-ace1-700f84171a52) - changed metadata of a Low BIOC
- Changed metadata of 26 Informational BIOCs:
  - Editing ld.so.preload for persistence and injection (9cb193d8-4f01-4c57-b21d-c3211e32fe5e) - changed metadata of an Informational BIOC
  - Bypass UAC using the IsolatedCommand Registry value (888395ea-2630-404e-a30c-c1ae4e352631) - changed metadata of an Informational BIOC
  - Autorun.inf created in root C:\ drive (43fea42c-fbca-4e68-8f4b-7956f4397671) - changed metadata of an Informational BIOC
  - Enumeration of services via WMIC (3654c173-14e9-11ea-8723-88e9fe502c1f) - changed metadata of an Informational BIOC
  - Modification of SSH authorized keys (7f5acbc4-8574-4cd6-aeb5-411c21e38a41) - changed metadata of an Informational BIOC
  - Manipulation of service imagepath configuration (73001df6-ff14-44d5-a2ed-08804880b46c) - changed metadata of an Informational BIOC
  - Accessibility tool 'Debugger' Registry key created (47b4051d-2e74-46a5-ad41-35302a8fdef7) - changed metadata of an Informational BIOC
  - Unusual process spawned by changepk.exe (b81c79bc-3781-4657-af0d-4bc49856332b) - changed metadata of an Informational BIOC
  - Sudoers discovery (2ed43b35-f9ca-4df4-a796-c5e88da0ed3a) - changed metadata of an Informational BIOC
  - Bypassing Windows UAC using sysprep (dbefa4ae-3797-11ea-a926-f218983c2a51) - changed metadata of an Informational BIOC
  - User added to local administrator group using net.exe command (8cb7771f-5f9e-4450-9a8a-fb5d6083fd05) - changed metadata of an Informational BIOC
  - Tampering with the Windows User Account Controls (UAC) configuration (8efda7b1-30fe-49c7-b2b9-9c17f43bc951) - changed metadata of an Informational BIOC
  - PsExec attempts to execute a command on a remote host (5863cb1a-598f-49b1-b4a9-a444f70e596e) - changed metadata of an Informational BIOC
  - Manipulation of Winlogon 'Notify' autostart Registry key (27dbcdd3-08d3-4859-ae8e-e6caef1f17ab) - changed metadata of an Informational BIOC
  - WMIC enumerates running processes (8b916e98-5122-4a50-a8cc-b0207d5f5c28) - changed metadata of an Informational BIOC
  - Suspicious .NET process loads an MSBuild DLL (5ed99c87-daf2-11ea-93df-faffc26aac4a) - changed metadata of an Informational BIOC
  - Scripting engine called to run in the command line (7e274c6d-e617-4b92-b13f-f27b882932eb) - changed metadata of an Informational BIOC
  - Manipulation of permissions for the Application Event Log (6a8acb51-2331-4384-a247-a27cc9f12c84) - changed metadata of an Informational BIOC
  - MSBuild execution (7f046414-e0c3-11ea-9d8b-faffc26aac4a) - changed metadata of an Informational BIOC
  - Interactive at.exe privilege escalation method (0b41de4f-7d6e-4969-8636-56a98e2b6533) - changed metadata of an Informational BIOC
  - MacOS firewall manipulation (d445a34f-07c3-11eb-82a7-faffc26aac4a) - changed metadata of an Informational BIOC
  - Suspicious DLL load using Control.exe (68db2d19-082e-4703-8008-b5938298a910) - changed metadata of an Informational BIOC
  - PowerShell runs base64-encoded commands (50e811bd-49bc-47cb-bffc-4daf4c844d26) - changed metadata of an Informational BIOC
  - Windows Firewall policy edited via Registry (31796d2e-08a9-4047-8f37-3a0c2aa11703) - changed metadata of an Informational BIOC
  - Tampering with Windows Control Panel configuration (2ba4c53b-03de-4a34-92ec-225cfe1fe0b4) - changed metadata of an Informational BIOC
  - Collect Linux network configuration via bash (7b65214c-ed03-11ea-bd53-faffc26aac4a) - changed metadata of an Informational BIOC
- Removed an old Low BIOC:
  - Discovery of host users via WMIC (6593c57d-14fe-11ea-9297-88e9fe502c1f) - removed an old Low alert

September 14, 2020 Release:
- Increased the severity to medium for a BIOC rule:
  - Rundll32.exe launches an executable using ordinal numbers argument (421619b8-a26b-476a-b2e4-3c24ee33a4b0) - increased the severity to medium, and improved detection logic
- Added 5 new informational BIOC rules:
  - Permissive file privileges were granted (1fc409f0-ec4e-11ea-829b-faffc26aac4a) - added a new informational alert
  - Modifying ELF file capabilities via setcap (55ed9751-ec6d-11ea-a1c2-faffc26aac4a) - added a new informational alert
  - Space after filename creation (5a1902e6-ec6b-11ea-843f-faffc26aac4a) - added a new informational alert
  - Collect Linux network configuration via bash (7b65214c-ed03-11ea-bd53-faffc26aac4a) - added a new informational alert
  - Write to /etc/hosts file (7cf74026-ec6a-11ea-9593-faffc26aac4a) - added a new informational alert

August 30, 2020 Release:
- Improved detection logic for a medium-severity BIOC rule:
  - Windows certificate management tool makes a network connection (0179177f-e5ec-4101-a238-c0372b239afb) - improved detection logic
  - Possible network connection to a TOR relay server (996c74f1-f154-466a-8f93-154a43c6fb90) - improved detection logic
- Improved detection logic for a low-severity BIOC rule:
  - MSBuild.exe makes a network connection (bb459bb4-e864-4008-a12a-10ed4df3d753) - improved detection logic

August 23, 2020 Release:
- Improved detection logic for a medium-severity BIOC rule:
  - Script file added to startup-related Registry keys (1db69ccd-b068-40b1-aeec-ce987021cdfc) - changed metadata, and improved detection logic
- Improved detection logic for a low-severity BIOC rule:
  - Image File Execution Options Registry key injection by unsigned process (98430360-5b37-465e-acd6-bafa9325110c) - changed metadata, and improved detection logic
- Added 12 new informational BIOC rules:
  - Rundll32.exe spawns conhost.exe (9606ea78-dbef-11ea-b978-faffc26aac4a) - added a new informational alert
  - Certutil execution (ffe4d5cc-e0c2-11ea-84ba-faffc26aac4a) - added a new informational alert
  - Non-PowerShell process accessed the PowerShell history file (5ea6cb9c-dfc3-11ea-94f1-faffc26aac4a) - added a new informational alert
  - Suspicious executable created in .NET directory (5bc9ba00-d590-11ea-ba6f-faffc26aac4a) - added a new informational alert
  - Shim database registration via Registry (746eabe1-e0c3-11ea-88e5-faffc26aac4a) - added a new informational alert
  - MSBuild execution (7f046414-e0c3-11ea-9d8b-faffc26aac4a) - added a new informational alert
  - Wscript.exe execution (5b9151cc-e0c3-11ea-8c4b-faffc26aac4a) - added a new informational alert
  - LOLBIN created a PowerShell script file (5cbee940-dfad-11ea-b820-faffc26aac4a) - added a new informational alert
  - Suspicious .NET process loads an MSBuild DLL (5ed99c87-daf2-11ea-93df-faffc26aac4a) - added a new informational alert
  - Shim database file access (69db2597-e0c3-11ea-b0e2-faffc26aac4a) - added a new informational alert
  - Rundll32.exe with 'main' as EntryPoint (7f5b7042-dca4-11ea-81aa-faffc26aac4a) - added a new informational alert
  - Suspicious lock screen image file written to disk (7b6d6987-2aa8-4b85-a9d4-d7708a7d15da) - added a new informational alert
- Decreased the severity to informational for 2 BIOC rules:
  - Possible network service discovery via command-line tool (d2f959f3-d463-4d73-92bf-4c3664a5d956) - decreased the severity to informational
  - PsExec execution EulaAccepted flag added to the Registry (076f18f5-7b94-45ec-b880-bf3827ae53de) - changed metadata, decreased the severity to informational, and improved detection logic

August 16, 2020 Release:
- Improved detection logic for a medium-severity BIOC rule:
  - Tampering with Internet Explorer Protected Mode configuration (2875c302-c815-468d-ac43-a56bba89bfe2) - improved detection logic, and changed metadata
- Added a new informational BIOC rule:
  - Suspicious .NET process spawns csc.exe (993f8e66-d59d-11ea-a6c7-faffc26aac4a) - added a new informational alert

August 09, 2020 Release:
- Improved detection logic for a medium-severity BIOC rule:
  - Executable created to disk by lsass.exe (8d61c71e-3224-453f-aa1a-28de92d85b13) - improved detection logic

August 02, 2020 Release:
- Increased the severity to high for a BIOC rule:
  - Encoded VBScript executed (b38b98bc-e2d4-4719-b863-d9142bf8d647) - changed metadata, and increased the severity to high
- Increased the severity to medium for 2 BIOC rules:
  - Office process creates a scheduled task via file access (b97e91dc-7ca9-4e77-a595-e214eb462f27) - increased the severity to medium, and improved detection logic
  - Manipulation of the MonitorProcess Registry key (36a92409-c69e-45fa-a206-5c6058d3d48a) - changed metadata, increased the severity to medium, and improved detection logic
- Increased the severity to low for 3 BIOC rules:
  - MSBuild.exe makes a network connection (bb459bb4-e864-4008-a12a-10ed4df3d753) - changed metadata, increased the severity to low, and improved detection logic
  - Built-in SoundRecorder tool capturing audio (d9d22a46-efbf-4d97-9e2b-625e1d6fcc91) - increased the severity to low, and improved detection logic
  - Permission groups discovery via ldapsearch (c72123f7-2612-4797-a919-3ab9511fd5e6) - changed metadata, increased the severity to low, and
improved detection logic Added 2 new informational BIOC rules: Suspicious printer port creation via Registry (20acf754-7deb-4732-b6f6-56bc88b618db) - added a new informational alert Suspicious printer driver installation (f21127cf-cf34-11ea-b1bd-acde48001122) - added a new informational alert   July 26, 2020 Release: Increased the severity to high for 3 BIOC rules: Memory dumping with comsvcs.dll (9873cd8b-2220-4384-a99f-712ad0ccfb45) - increased the severity to high, and changed metadata  Possible LSASS memory dump (b744a41d-1ee9-4d09-908e-cf3fdc27fa4c) - increased the severity to high, and improved detection logic Regsvr32 may have run code from an untrusted source (41fe171e-5b79-4b15-a3c1-18f015dddd38) - increased the severity to high, changed metadata, and improved detection logic Increased the severity to medium for 6 BIOC rules: Windows event logs cleared using wmic.exe (7316c8d9-07d8-40aa-b074-b452bc3d355c) - increased the severity to medium, and changed metadata Suspicious execution of ODBCConf (f35fb52f-f2a8-4568-b2f4-660910109efb) - increased the severity to medium Suspicious certutil command line (bcf4cd6b-1e7f-4b2c-b538-24dacd1a0421) - increased the severity to medium Suspicious SearchProtocolHost.exe parent process (6e717721-732f-44e3-b826-602ae8bb6b67) - increased the severity to medium, changed metadata, and improved detection logic  UAC bypass using the changepk.exe Registry key (8abd3382-cf28-4906-b379-a3976dc0cd21) - increased the severity to medium, and changed metadata MSI accessed a web page running a server-side script (d24d3083-703e-4216-b248-eb6fa7cefc85) - increased the severity to medium, and improved detection logic Increased the severity to low for 2 BIOC rules: Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - increased the severity to low, and improved detection logic Discovery of host users via WMIC (6593c57d-14fe-11ea-9297-88e9fe502c1f) - increased the severity to low, changed metadata, and improved 
detection logic Decreased the severity to informational for a BIOC rule: Reading .ssh files (cb05480f-17d8-4138-9905-f0f9fb50b671) - decreased the severity to informational Added 2 new informational BIOC rules: Suspicious process loads AMSI DLL (d0ce0ecf-50f0-4dff-83f0-8bdc6b5d8dbd) - added a new informational alert Suspicious AMSI DLL load location (f332b6ef-ac49-484c-9258-d6396650912a) - added a new informational alert Improved detection logic for an informational BIOC rule: Windows PowerShell Logging being disabled via Registry (a649172a-7c6a-4a14-8022-b8d53f9d9ad6) - changed metadata, and improved detection logic Modification of the Winlogon\Shell Registry key (0d390f7f-d8bb-4803-8b1d-ca41d54ad600) - changed metadata, and improved detection logic Removed a BIOC rule: Manipulation of Winlogon 'Shell' autostart Registry key (f111b9b1-f9f6-464f-91a0-52abd2c5f797) - removed July 19, 2020 Release: Increased the severity to high for a BIOC rule: Microsoft Office process spawns conhost.exe (1dd1585b-632f-48f0-8eea-637a9e5e4fc7) - increased the severity to high Increased the severity to medium for 5 BIOC rules: Suspicious .NET log file created (dd318916-3d0a-4801-aa0b-78f9b94d0323) - changed metadata, increased the severity to medium, and improved detection logic Office process spawned with suspicious command-line arguments (29f7499b-2464-479d-9e49-10911bc02945) - increased the severity to medium, and improved detection logic Microsoft Office injects code into a process (17b8c759-512d-4c13-9fe4-71dcdeb97c29) - changed metadata, increased the severity to medium, and improved detection logic Microsoft Office adds a value to autostart Registry key (db0da9c7-b7b6-43ab-a53b-5854b6da9ce5) - changed metadata, increased the severity to medium, and improved detection logic Conhost.exe spawned a suspicious child process (d9d0dfed-fdc3-4488-9e1b-5ca3eea82bee) - changed metadata, increased the severity to medium, and improved detection logic Increased the severity to low for a 
BIOC rule: Microsoft Office executes an unsigned process in a suspicious directory (e1befc42-a6f8-403f-94db-2bb4d0e70439) - changed metadata, increased the severity to low, and improved detection logic Added 4 new informational BIOC rules: Connection to a TOR anonymization proxy (a009535f-54b4-4d38-9ee7-5ea0f7431c4e) - added a new informational alert Enumeration of Windows services from public IP addresses (e98b5d62-69cf-4c62-b3de-7636f669fd3d) - added a new informational alert Unsigned process loads a known PowerShell DLL (447fc1fe-4ff7-4668-a6c0-4ff929469234) - added a new informational alert Office process loads a known PowerShell DLL (a088c900-5a69-4230-81c2-eb583abaa54a) - added a new informational alert   July 12, 2020 Release: Increased the severity to medium for a BIOC rule: Suspicious process spawns MSBuild.exe (681dab98-d443-4327-9fd3-5f5bd33a3adb) - changed metadata, and increased the severity to medium Added 5 new informational BIOC rules: LOLBAS access to database service (c115727b-a1c7-4909-88d0-e6ae866a0e7a) - added a new informational alert Suspicious setspn.exe execution (09939895-1ee6-468c-9588-61a3e2d57124) - added a new informational alert WebDAV connection to internet (e29a5545-68c2-4019-b72c-0b54345f0914) - added a new informational alert BitTorrent P2P file sharing (e0879f94-a9c9-42b0-9eb7-0aa038f89dac) - added a new informational alert Autorun.inf created in root C:\ drive (43fea42c-fbca-4e68-8f4b-7956f4397671) - added a new informational alert Improved detection logic for 2 informational BIOC rules: Suspicious runonce.exe parent process (029129fa-20ad-11ea-b86e-8c8590c9ccd1) - improved detection logic Manipulation of 'BootExecute' Registry run key (68136813-901d-411a-b2e8-48bcf22af1ec) - changed metadata, and improved detection logic Changed metadata for 8 BIOC rules: Command-line creation of TCP stream (cb05480f-17d8-4138-9902-f0f9fb50b673) - changed metadata Netcat shell via named pipe (cb05480f-17d8-4138-9902-f0f9fb50b674) - changed 
metadata Cscript.exe connects to an external network (9410a485-491b-42e4-af6c-de4a76e12f0c) - changed metadata Wscript.exe connects to an external network (deef10e3-42b1-45fa-a957-9713755fa514) - changed metadata Unsigned process executed as a scheduled task (12766be6-50be-4cac-b6a4-6f3b5b8bd8ab) - changed metadata New service created via command line (cd9af829-d0ed-4c7f-b8da-6d6d23824562) - changed metadata Commonly-abused host process tried to kill a running process (393c5b71-2b2f-4290-be33-752015973161) - changed metadata Tampering with the Windows System Restore configuration (710b1aaa-cfdf-42b5-9615-447cedc5e5f0) - changed metadata June 21, 2020 Release: Increased the severity to medium for a BIOC rule: Possible UAC bypass via Event Viewer (55644e90-38b9-4233-aa11-eefe85561184) - increased the severity to medium, improved detection logic, and changed metadata Improved detection logic for a low-severity BIOC rule: Reading .ssh files (cb05480f-17d8-4138-9905-f0f9fb50b671) - improved detection logic, and changed metadata Added 6 new informational BIOC rules: Manipulation of the 'SilentProcessExit' Registry key (36a92409-c69e-45fa-a206-5c6058d3d48a) - added a new informational alert Creation of a new Microsoft Office default template (3272b10a-d3f1-4bef-82c6-4502eab0eaef) - added a new informational alert Office process creates a scheduled task via file access (b97e91dc-7ca9-4e77-a595-e214eb462f27) - added a new informational alert WptsExtensions.dll created to disk (4cde444e-aa7f-4f1a-8c75-855c3c9e50e9) - added a new informational alert Office process spawned with suspicious command-line arguments (29f7499b-2464-479d-9e49-10911bc02945) - added a new informational alert Windows Security audit Log was cleared (afc6329f-ccec-4c56-963d-5da63bb8a27d) - added a new informational alert Improved detection logic for an informational BIOC rule: Encrypted zip archive creation (88836a02-95e6-47d1-a619-90a2de0165ff) - improved detection logic, and changed metadata Unsigned 
process creates a scheduled task via file access (116a3cfb-2fd3-4d99-800b-e93fe158b211) - improved detection logic, and changed metadata   June 7, 2020 Release: Added 17 new informational BIOC rules: Microsoft Office process spawns conhost.exe (1dd1585b-632f-48f0-8eea-637a9e5e4fc7) - added a new informational alert Possible C2 via dnscat2 (f9127d2b-3bf1-4d30-9258-d4d4aa0ebbb0) - added a new informational alert Possible user enumeration via finger (84b6d1e8-812a-4ac7-a977-b88f26d32342) - added a new informational alert Conhost.exe spawned a suspicious child process (d9d0dfed-fdc3-4488-9e1b-5ca3eea82bee) - added a new informational alert Possible Oracle enumeration via tnscmd10g (2cb88b29-27c2-484b-be99-60158b575cf1) - added a new informational alert Execution of Fsociety tool pack (9a5b28a6-0a67-4386-9707-e7e4f1791c8a) - added a new informational alert Suspicious execution of ODBCConf (f35fb52f-f2a8-4568-b2f4-660910109efb) - added a new informational alert UDP protocol scanner execution (d985da58-a4c5-4063-984b-357c80021aa1) - added a new informational alert SMB enumeration via command-line tool (a8480241-6aa6-43d1-aae2-a53b22220b1d) - added a new informational alert Execution of a password brute-force tool (5271e598-1eca-4abb-8f96-803e7674ff61) - added a new informational alert DNS reconnaissance or enumeration via DNSRecon (58ee2732-5c4e-468c-a878-4a524d8d5f81) - added a new informational alert Credential dumping via LaZagne (928b756c-8328-4dd8-9b41-5461d590589f) - added a new informational alert Rundll32 loads a known abused DLL (340fd5f7-7a5c-4c6e-8b54-9bfce08bd2a3) - added a new informational alert Unusual process spawned by changepk.exe (b81c79bc-3781-4657-af0d-4bc49856332b) - added a new informational alert Permission groups discovery via ldapsearch (c72123f7-2612-4797-a919-3ab9511fd5e6) - added a new informational alert Possible Oracle enumeration via Oscanner (81714e7d-a315-11ea-baaf-acde48001122) - added a new informational alert Possible ARP 
reconnaissance via netdiscover (304eb4e4-1052-416e-8a13-1222a61bc672) - added a new informational alert Improved detection logic for 2 high-severity BIOC rules: Netcat makes or gets connections (44bf3d02-3081-4222-814f-6d47958c502a) - improved detection logic Wbadmin.exe deletes recovery files in quiet mode (24be0d84-2203-4d60-a1f0-39e4f80eee3a) - improved detection logic, and changed metadata Improved detection logic for 4 medium-severity BIOC rules: Executable created to disk by lsass.exe (8d61c71e-3224-453f-aa1a-28de92d85b13) - improved detection logic, and changed metadata Regsvr32 possibly downloading code from a remote host (a5ee0040-949c-4a4f-a5b8-dd5c079f9ba0) - improved detection logic Windows certificate management tool makes a network connection (0179177f-e5ec-4101-a238-c0372b239afb) - improved detection logic Compiled HTML (help file) writes a script file to disk (122e2d05-593a-4739-b498-6c5252c0dc00) - improved detection logic, and changed metadata Improved detection logic for a low-severity BIOC rule: Notepad process makes a network connection (558de43f-e8ff-4222-bb82-4419868088cd) - improved detection logic, and changed metadata Improved detection logic for 9 informational BIOC rules: Commonly abused process launches as a system service (3a426a71-9c12-4146-a916-c2db387280ed) - improved detection logic, and changed metadata Unsigned process makes connections over DNS ports (99470a0e-c311-42a1-872f-74fde3326794) - improved detection logic, and changed metadata Compiled HTML (help file) makes network connections (858a4ed7-36c4-4c43-9bff-d142f300035d) - improved detection logic, and changed metadata Scripting engine makes connections over DNS ports (b3779123-e79d-43b5-b1f5-2fb41093afef) - improved detection logic, and changed metadata Dllhost.exe makes network connections (d4b8bd1d-f1fb-4fde-9547-33494049c44a) - improved detection logic, and changed metadata Suspicious runonce.exe parent process (029129fa-20ad-11ea-b86e-8c8590c9ccd1) - improved detection 
logic, and changed metadata Unsigned process executed as a scheduled task (12766be6-50be-4cac-b6a4-6f3b5b8bd8ab) - improved detection logic, and changed metadata Outlook data files accessed by an unsigned process (ea7088cd-90e4-4750-b65c-61743e3c4bb3) - improved detection logic Suspicious DLL load using Control.exe (68db2d19-082e-4703-8008-b5938298a910) - improved detection logic, and changed metadata   May 31, 2020 Release Improved detection logic for a high-severity BIOC rule: Suspicious access to NTDS.dit (eeeee3a5-a22f-4850-8022-17684a8c5227) - improved detection logic May 24, 2020 Release Improved detection logic for 3 medium-severity BIOC rules: Process runs with a double extension (f8890ac0-dc0b-4bd2-915f-932145147d73) - improved detection logic, and changed metadata Rundll32.exe running with no command-line arguments (0c0a801a-06ff-4a10-b555-67e56ecbd410) - improved detection logic, and changed metadata LOLBAS executable injects into another process (c8ad0223-2018-11ea-a080-8c8590c9ccd1) - improved detection logic Added 5 new informational BIOC rules: Fontdrvhost.exe makes network connections (7d43a35a-d5f1-4d00-b755-3e62db2e70db) - added a new informational alert Unusual process spawned by fontdrvhost.exe (3e6054cf-8ba3-4550-ba4f-9308a537342f) - added a new informational alert Rundll32.exe launches an executable using ordinal numbers argument (421619b8-a26b-476a-b2e4-3c24ee33a4b0) - added a new informational alert Suspicious debug file created in a temporary folder (887e00c4-ec12-4490-b9bc-0db49a010fba) - added a new informational alert Bypass UAC using the changepk.exe Registry key (8abd3382-cf28-4906-b379-a3976dc0cd21) - added a new informational alert Changed metadata for a BIOC rule: Psexesvc.exe executes a command from a remote host (ced869bc-88ee-4c67-a6d9-92002800403a) - changed metadata    May 17, 2020 Release Increased the severity to medium for 2 BIOC rules: WSReset.exe UAC bypass (c07d1939-f759-4b5e-905a-fdd777ac3fda) - increased the severity to 
medium Rundll32.exe used to run JavaScript (b6315a3-e1cd-4bfb-baa7-5609cd7f8756) - increased the severity to medium Improved detection logic for a medium-severity BIOC rule: Image File Execution Options Registry key injection by scripting engine (f8ea70da-4bbd-44a7-9b32-0abc809dd2be) - improved detection logic Scripting engine injects code to a process (1f985402-f4a4-4132-b74b-18a04a3620cd) - improved detection logic Manipulation of Google Chrome extensions via Registry (5adc7a1b-c840-43fc-ac65-c1b6cdb5ca12) - improved detection logic Executable moved to Windows system folder (045190df-f5ab-491a-b214-199dc17f9e3b) - improved detection logic Manipulation of Firefox plugins and extensions via Registry (98a1a1e1-5b03-4aa4-95ce-77ef7a52e600) - improved detection logic Improved detection logic for a low-severity BIOC rule: Image File Execution Options Registry key injection by unsigned process (98430360-5b37-465e-acd6-bafa9325110c) - improved detection logic Added 11 new informational BIOC rules: Microsoft Office injects code into a process (17b8c759-512d-4c13-9fe4-71dcdeb97c29) - added a new informational alert LOLBAS reading a Windows credential manager file (3155db03-35a0-4341-9415-1c3bff40d3e0) - added a new informational alert SmartScreen disabled via Registry (51680cd3-af12-4140-ab98-af8694e36409) - added a new informational alert Suspicious process spawns MSBuild.exe (681dab98-d443-4327-9fd3-5f5bd33a3adb) - added a new informational alert Suspicious SearchProtocolHost.exe parent process (6e717721-732f-44e3-b826-602ae8bb6b67) - added a new informational alert Encoded script running (b38b98bc-e2d4-4719-b863-d9142bf8d647) - added a new informational alert MSBuild.exe makes a network connection (bb459bb4-e864-4008-a12a-10ed4df3d753) - added a new informational alert Suspicious certutil command line (bcf4cd6b-1e7f-4b2c-b538-24dacd1a0421) - added a new informational alert Microsoft Office adds a value to autostart Registry key (db0da9c7-b7b6-43ab-a53b-5854b6da9ce5) - 
added a new informational alert Suspicious .NET log file created (dd318916-3d0a-4801-aa0b-78f9b94d0323) - added a new informational alert Microsoft Office executes an unsigned process under a suspicious directory (e1befc42-a6f8-403f-94db-2bb4d0e70439) - added a new informational alert Improved detection logic for an informational BIOC rule: Unsigned process reads Chromium credentials file (da3cedf6-9fd3-4e00-b2ca-9cedbd8b098a) - improved detection logic, and changed metadata Outlook creates an executable file on disk (deafab32-3050-467d-a742-92f6453a152e) - improved detection logic Tampering with Windows Security Support Provider DLLs (1396a3ad-1b0a-4ad7-861b-a6a50104952e) - improved detection logic, and changed metadata   May 10, 2020 Release  Increased the severity to medium for 2 BIOC rules:  WSReset.exe UAC bypass (c07d1939-f759-4b5e-905a-fdd777ac3fda) - increased the severity to medium Rundll32.exe used to run JavaScript (b6315a3-e1cd-4bfb-baa7-5609cd7f8756) - increased the severity to medium Added 3 new informational BIOC rules: Microsoft Office injects code into a process (17b8c759-512d-4c13-9fe4-71dcdeb97c29) - added a new informational alert Encoded script running (b38b98bc-e2d4-4719-b863-d9142bf8d647) - added a new informational alert LOLBAS reading a Windows credential manager file (3155db03-35a0-4341-9415-1c3bff40d3e0) - added a new informational alert   May 3, 2020 Release Increased the severity to high for 2 BIOC rules: Rubeus tool execution (be12107d-1056-11ea-874c-8c8590c9ccd1) - changed metadata, and increased the severity to high Pubprn.vbs signed script proxy execution (8d113cec-90be-4b24-856a-6f6c091e7510) - increased the severity to high Increased the severity to medium for 2 BIOC rules: Possible network connection to a TOR relay server (996c74f1-f154-466a-8f93-154a43c6fb90) - improved detection logic, and increased the severity to medium AMSI Bypass (7cdcafb1-cc36-4608-87da-eaed966d3c7e) - increased the severity to medium   April 26, 2020 
Release Increased the severity to medium for 2 BIOC rules: Manipulation of Windows Safe Boot configuration (bf8923ca-bfe8-4cdd-89ac-3b2b7938976c) - increased the severity to medium, changed metadata, and improved detection logic Bypass UAC using the control.exe Registry key (263c2cfb-e511-446e-8263-14d0a985b445) - increased the severity to medium, and changed metadata Improved detection logic for a medium-severity BIOC rule: Script file added to startup-related Registry keys (1db69ccd-b068-40b1-aeec-ce987021cdfc) - improved detection logic Added 3 new informational BIOC rules: Access to Opera browser credentials file (01de8317-d3e7-4d4b-871f-e86a775a1c1e) - added a new informational alert Memory dumping with comsvcs (9873cd8b-2220-4384-a99f-712ad0ccfb45) - added a new informational alert SyncAppvPublishingServer used to run PowerShell code (a3d1fa93-c193-44d8-a469-a25dd1db7695) - added a new informational alert   April 19, 2020 Release Added 3 new informational BIOC rules: Modification of default Windows startup path via Registry (fbacd7dc-f835-436b-9e83-9c20d74732e2) - added a new informational alert Possible Persistence via group policy Registry keys (21ff020b-270f-4579-90ca-9d14638d4c46) - added a new informational alert Password-related Mozilla files were read by a non-Mozilla process (4d52183d-193b-4cca-8e17-d4dcfb5a388c) - added a new informational alert Improved detection logic for a medium-severity BIOC rule: Windows certificate management tool makes a network connection (0179177f-e5ec-4101-a238-c0372b239afb) - improved detection logic Changed metadata for 8 BIOC rules: Executable file written to a temporary folder (73adac7b-e1c0-47d0-9767-f491e92008eb) - changed metadata Hidden directory creation (d4049817-ff73-460a-b752-21c86c6efdc8) - changed metadata Unsigned process running from a temporary directory (e9d12cc6-69a2-4cce-b58e-4db58b9176cf) - changed metadata DNS resolution to the Palo Alto Networks sinkhole (03347621-15db-11ea-8454-88e9fe502c1f) - 
changed metadata Cscript.exe connects to an external network (9410a485-491b-42e4-af6c-de4a76e12f0c) - changed metadata PowerShell possibly attempting to execute as administrator (765c164d-7170-4e1c-a463-a5ecf41617dd) - changed metadata Process calls ActiveX Object with a shell command (82485794-7e5b-48da-aacf-926d031b8f62) - changed metadata Process runs from the recycle bin (98134120-eed2-4252-b6d6-d130743018c6) - changed metadata   April 12, 2020 Release Increased the severity to medium for a BIOC rule: Script file added to startup-related Registry keys (1db69ccd-b068-40b1-aeec-ce987021cdfc) - improved detection logic, increased the severity to medium, and changed metadata Changed metadata for 5 BIOC rules: Manipulation of Windows Safe Boot configuration (bf8923ca-bfe8-4cdd-89ac-3b2b7938976c) - changed metadata Shutdown command issued (6c60836a-382a-460e-9208-4b59f4fc68a9) - changed metadata Manipulation of permissions for the Application Event Log (6a8acb51-2331-4384-a247-a27cc9f12c84) - changed metadata Manipulation of Volume Shadow Copy configuration (ceaedeba-68c1-4c99-87b2-98872b4aeca3) - changed metadata Tampering with the Windows System Restore configuration (710b1aaa-cfdf-42b5-9615-447cedc5e5f0) - changed metadata   April 6, 2020 Release Increased the severity to high for a BIOC rule: Suspicious access to NTDS.dit (eeeee3a5-a22f-4850-8022-17684a8c5227) - improved detection logic, increased the severity to high, and changed metadata Increased the severity to low for a BIOC rule: Manipulation of Windows DNS configuration using WMIC (ff9612ae-22ca-4ac2-bd3b-6bf1244dad8a) - improved detection logic, increased the severity to low, and changed metadata Added 3 new informational BIOC rules: Disabling Windows Defender via Registry (d18483d3-1e7c-48cc-b1d9-6e1ab8592667) - added a new informational alert WMI access to shadow copy interface (b6cd123b-e5a0-4aa3-ac43-3398d6a93ca7) - added a new informational alert Pubprn.vbs signed script proxy execution 
(8d113cec-90be-4b24-856a-6f6c091e7510) - added a new informational alert Decreased the severity to informational for a BIOC rule: Modification of password filter DLL(s) Registry key (ea98601c-e552-4b9b-8164-f085a38d383d) - decreased the severity to informational Removed 2 BIOC rule: PowerShell enumerates running processes (932681e4-919a-4151-921f-adcb1088bb86) - removed Possible RDP session hijacking using tscon.exe (32c6e7f9-ccd0-48a4-8bc9-3e460653cb75) - removed Changed metadata for 118 BIOC rules   March 30, 2020 Release Increased the severity to high for 2 BIOC rules: Mimikatz command-line arguments (94fed992-c1da-4b69-9caa-292221b8c070) - improved detection logic, changed metadata, and increased the severity to high Netcat makes or gets connections (44bf3d02-3081-4222-814f-6d47958c502a) - improved detection logic, changed metadata, and increased the severity to high Increased the severity to medium for 5 BIOC rules: Windows certificate management tool makes a network connection (0179177f-e5ec-4101-a238-c0372b239afb) - improved detection logic, changed metadata, and increased the severity to medium Non-browser access to a pastebin-like site (6b394799-0a16-4d03-b8b4-e9a062965ad7) - improved detection logic, changed metadata, and increased the severity to medium Fodhelper.exe UAC bypass (448f8a2e-eaf9-4ff7-ab84-5a582e837dfc) - improved detection logic, and increased the severity to medium LSASS dump file written to disk (90226942-3721-4df4-9b26-577ed1e9c34d) - improved detection logic, and increased the severity to medium Network sniffing via command-line tool (4b25dcce-0ac3-4cb2-8c97-939a1077af84) - improved detection logic, and increased the severity to medium Increased the severity to low for 6 BIOC rules: Windows Firewall notifications disabled via Registry (31796d2e-08a9-4047-8f37-3a0c2aa11702) - improved detection logic, changed metadata, and increased the severity to low Base64 encoding used (e8ffb33b-f1a8-4687-9ad7-cd2654d73b4f) - improved detection 
logic, changed metadata, and increased the severity to low Kernel modules loaded via command-line tool (49dbb669-e1f4-4ca7-a7e4-36478b780e74) - improved detection logic, and increased the severity to low Possible network service discovery via command-line tool (d2f959f3-d463-4d73-92bf-4c3664a5d956) - improved detection logic, and increased the severity to low Executable copied to remote host via admin share (63181adb-96a2-441b-8367-6a1e91ef1e02) - improved detection logic, changed metadata, and increased the severity to low Bash creating network traffic (8bbc8c26-45dd-436c-9d89-98f76164daee) - improved detection logic, and increased the severity to low Added 4 new informational BIOC rules: Direct scheduled task creation via file access (116a3cfb-2fd3-4d99-800b-e93fe158b211) - added a new informational alert Disable outlook security via Registry (a6311886-ab62-4df9-862f-b999a0c3a995) - added a new informational alert Ping to a known external IP address (61079392-db2f-4b7a-b7f8-b87562137f73) - added a new informational alert File renamed to have a script extension (51bd180f-ae84-450d-b0a6-b1a67300ef4d) - added a new informational alert Removed a BIOC rule: Common Google process name missing Google digital signature (417426e1-363c-4dbc-928d-ff7cd5f114d0) - removed Changed the metadata for 115 BIOC rules   March 24, 2020 Release Decreased the severity to informational for a BIOC rule: Injection into rundll32.exe (0c0a80af-06ff-4a10-b555-67e56ecbd410) - improved detection logic, and decreased the severity to informational   March 23, 2020 Release Increased the severity to low for a BIOC rule: Persistence using cron jobs (3a73f6c2-ce9a-4eca-a4b5-a62a8e548319) - increased the severity to low, and improved detection logic Improved detection logic for a high-severity BIOC rule: Windows Event Log cleared using wevtutil.exe (938176d0-d14a-49a0-9159-6081627eba03) - changed metadata, and improved detection logic Improved detection logic for a medium-severity BIOC rule: 
Injection into rundll32.exe (0c0a80af-06ff-4a10-b555-67e56ecbd410) - changed metadata, and improved detection logic
Improved detection logic for an informational BIOC rule:
Manipulation of permissions for the Application Event Log (6a8acb51-2331-4384-a247-a27cc9f12c84) - changed metadata, and improved detection logic
Added 7 new informational BIOC rules:
Interactive at.exe privilege escalation method (0b41de4f-7d6e-4969-8636-56a98e2b6533) - added a new informational alert
Suspicious file created in AppData directory (b2ad90f1-11ac-4a98-9c85-0526953f2879) - added a new informational alert
Root certificate installed (c7f92662-5a28-48da-845a-34a7876c3eb3) - added a new informational alert
Injection into ping.exe (cc960d74-2582-42cd-aaa7-6ef1282e5029) - added a new informational alert
MSI accessed a web page running a server-side script (d24d3083-703e-4216-b248-eb6fa7cefc85) - added a new informational alert
Persistence via Registry screensaver key change (dac7763e-7a68-43b0-98eb-e79e7f80db76) - added a new informational alert
Root certificate installed (e48ab0ac-e71b-40b1-8035-cc5033b7dd87) - added a new informational alert
Changed metadata for 43 BIOC rules:
New certificate added to the trusted root store (01c10219-918d-4c45-bd0d-daf63ef6903c) - changed metadata
Commonly-abused AutoIT script connects to a remote host (429e8b36-070c-44ae-ae6d-50f89d31261e) - changed metadata
Executable or script created in the startup folder (5ee4f82d-6d98-4f94-a832-a62957234d69) - changed metadata
Commonly-abused process executes as a scheduled task (1fe9ecf8-64e7-4547-8a67-9f188d694550) - changed metadata
WMI terminated a process (5c93679e-ea6c-4b88-8ba9-24446f6665dd) - changed metadata
Chrome launched in Incognito mode (5119f194-5362-4141-8212-cba47a3530b9) - changed metadata
Suspicious DLL load using Control.exe (68db2d19-082e-4703-8008-b5938298a910) - changed metadata
Registry change to hide known file extension (6110979a-b0ba-4384-955c-a73438ef38a9) - changed metadata
PowerShell process connects to the internet (5e1b87b5-e0db-4ff9-806b-ed73a5190222) - changed metadata
Accessibility tool 'Debugger' Registry key created (47b4051d-2e74-46a5-ad41-35302a8fdef7) - changed metadata
Unsigned process spawned a browser (3baa64a2-09b6-4af7-9305-0a0dd2297b15) - changed metadata
Enumeration of running processes via command line (621fe652-fc63-4eae-9a29-6a436b70e985) - changed metadata
Executable copied to remote host via admin share (63181adb-96a2-441b-8367-6a1e91ef1e02) - changed metadata
New scheduled task created (00e82bfd-a179-4293-b1e0-976ba382e136) - changed metadata
Driver written to a temporary directory (5edceb49-5371-476e-94d5-442337a14cff) - changed metadata
Manipulation of LSA 'Authentication Packages' Registry key (4f133949-205d-4abf-bbf6-4fc6e48bc6c4) - changed metadata
Modification of the Winlogon\Shell Registry key (0d390f7f-d8bb-4803-8b1d-ca41d54ad600) - changed metadata
Windows certificate management tool makes a network connection (0179177f-e5ec-4101-a238-c0372b239afb) - changed metadata
Windows hosts file written to (54d01b86-4b6a-4554-81f8-214f2d7d6c32) - changed metadata
Unsigned process creates an Alternate Data Stream (ADS) (51be6542-3345-464a-8c0a-11f90fb97331) - changed metadata
Ping executed with loopback address (363bfa0b-95f7-43c8-a699-0670f9bbebfe) - changed metadata
Wget connecting to an external network (5e1b87b5-e0db-4ff9-9901-ed73a5190322) - changed metadata
Tampering with Windows Security Support Provider DLLs (1396a3ad-1b0a-4ad7-861b-a6a50104952e) - changed metadata
PowerShell running with download in the command line (59de217d-211f-468b-a2a8-60324a305513) - changed metadata
Excel Web Query file created on disk (5f29933c-46ae-45f4-b5ce-fc59f12240bf) - changed metadata
Manipulation of 'BootExecute' Registry run key (68136813-901d-411a-b2e8-48bcf22af1ec) - changed metadata
Unsigned process executes as a scheduled task (12766be6-50be-4cac-b6a4-6f3b5b8bd8ab) - changed metadata
Enumeration using net.exe or net1.exe (53edfa8f-b0d3-4960-9a16-98d53be6ae44) - changed metadata
New environment variable set (0df2d00a-e4eb-4198-8573-962de02885ff) - changed metadata
Unsigned process executing whoami (690a8894-5827-4f70-ac30-61f26feb1e34) - changed metadata
PsExec attempts to execute a command on a remote host (5863cb1a-598f-49b1-b4a9-a444f70e596e) - changed metadata
Windows 10 Developer Mode enabled (4e4a3361-3863-4a98-a08c-4992b43ca7e4) - changed metadata
Commonly-abused process spawned by web server (0e2c294f-cd18-44bf-8d93-edf98c4a41c3) - changed metadata
Modification of Windows boot configuration using bcdedit.exe (154dbe5f-ba64-4c31-899a-f64bc9983d12) - changed metadata
PowerShell runs base64-encoded commands (50e811bd-49bc-47cb-bffc-4daf4c844d26) - changed metadata
Changing permissions or ownership of a file or folder (0c6d31b7-78c5-4244-90ac-5fb26952d54f) - changed metadata
Execution of commonly-abused AutoIT script (13b17653-c885-4d10-bce2-51a63419cf8f) - changed metadata
Mshta.exe launched with suspicious arguments (0b174006-3946-43b6-af3c-ab400e6c7a87) - changed metadata
Unsigned process injecting into a Windows system binary with no command line (0c0a801f-06ff-4a10-b555-67e5aecbd410) - changed metadata
Scripting engine injects code to a process (1f985402-f4a4-4132-b74b-18a04a3620cd) - changed metadata
PsExec execution EulaAccepted flag added to the Registry (076f18f5-7b94-45ec-b880-bf3827ae53de) - changed metadata
Manipulation of Google Chrome extensions via Registry (5adc7a1b-c840-43fc-ac65-c1b6cdb5ca12) - changed metadata
Indirect command execution using the Program Compatibility Assistant (18447eac-7ad6-44a8-aaf5-7e75b0151166) - changed metadata

March 15, 2020 Release
Improved detection logic for a low-severity BIOC rule:
Manipulation of MMC Registry configuration (6b29c2d9-4675-426c-b5f2-67f93c5c0ac4) - improved detection logic
Added 10 new informational BIOC rules:
System information discovery via psinfo.exe (9eafe6a7-b0fa-4f85-867f-8ef01412e124) - added a new informational alert
WSReset.exe UAC bypass (c07d1939-f759-4b5e-905a-fdd777ac3fda) - added a new informational alert
Usage of tracing tool (4446f8cf-6859-4af0-8da0-17f4503077d5) - added a new informational alert
Modification of logon scripts via Registry (c77e2bc0-d77a-4c54-91bc-63f0415c2821) - added a new informational alert
Reverse shell one-liner using a scripting engine (59be79be-d4e3-41f8-ba81-08ff8f5830f1) - added a new informational alert
Office process writes an executable file to disk (235ffb55-8b93-4ff0-b5b1-f6ed864995e0) - added a new informational alert
Bypass UAC using the IsolatedCommand Registry value (888395ea-2630-404e-a30c-c1ae4e352631) - added a new informational alert
Suspicious usage of cytool.exe (9e389768-e7ad-428c-9e2b-916a979950ca) - added a new informational alert
Bypass UAC using the control.exe Registry key (263c2cfb-e511-446e-8263-14d0a985b445) - added a new informational alert
Suspicious access to /etc/shadow (e5fa37b4-939d-434e-9065-9723c06790fb) - added a new informational alert
Improved detection logic for an informational BIOC rule:
Sudoers discovery (2ed43b35-f9ca-4df4-a796-c5e88da0ed3a) - improved detection logic, and changed metadata

March 8, 2020 Release
Increased the severity to medium for 2 BIOC rules:
Unsigned process injecting into a Windows system binary with no command line (0c0a801f-06ff-4a10-b555-67e5aecbd410) - improved detection logic, increased the severity to medium, and changed metadata
Possible malicious .NET compilation started by a commonly-abused process (9eb14342-4742-11ea-8105-88e9fe502c1f) - increased the severity to medium
Increased the severity to low for a BIOC rule:
RDP connections enabled via Registry by unsigned process (6d432610-7ee0-4857-a8f5-009dfd4bde14) - improved detection logic, increased the severity to low, and changed metadata
Added 13 new informational BIOC rules:
WMI execution of cmd.exe with output redirection (af8d1cd7-7e8f-4084-b698-b47ca9e2c8b2) - added a new informational alert
Discovery of files with setgid or setuid bits (6e873af1-fa2b-46f2-b641-f64b55db5db2) - added a new informational alert
Fodhelper.exe UAC bypass (448f8a2e-eaf9-4ff7-ab84-5a582e837dfc) - added a new informational alert
Remote RDP session enumeration via query.exe (ba98e718-1bc4-427d-9ccf-44c80b40f2b7) - added a new informational alert
Command-line creation of a RAR archive (0276283f-7696-45d4-82dc-a4195d9b849b) - added a new informational alert
NTLM Credential dumping via RpcPing.exe (6bebf7c5-47a2-4c35-8786-6b64a27a35f5) - added a new informational alert
Possible UAC bypass using Eventvwr.exe (55644e90-38b9-4233-aa11-eefe85561184) - added a new informational alert
Kernel modules loaded via compiled loader and .ko file (371c8d3b-560a-456e-802d-394aea248f1d) - added a new informational alert
Potential web shell installation (4cc829d5-6fba-4167-8c4c-25e538bcd993) - added a new informational alert
Collecting audio via PowerShell command (b519acb0-9cda-4a5c-8b36-f8b3533f6607) - added a new informational alert
Modification of SSH authorized keys (7f5acbc4-8574-4cd6-aeb5-411c21e38a41) - added a new informational alert
Credential Vault command-line access (e57fdcf6-5bbf-46b7-a697-83042df49c5a) - added a new informational alert
Remote RDP session enumeration via qwinsta.exe (5f017d4f-f526-46f6-9f32-a63d16639637) - added a new informational alert
Improved detection logic for a medium-severity BIOC rule:
Credential dumping via wce.exe (0c468243-6943-4871-be10-13fb68c0a8ef) - improved detection logic, and changed metadata
Improved detection logic for a low-severity BIOC rule:
Dumping Registry hives with passwords (824a3186-b262-4e01-b45c-35cca8efa233) - improved detection logic

February 23, 2020 Release
Increased the severity to medium for a BIOC rule:
Possible ping sweep (362649fe-9028-4166-baf8-b58c8dab8bee) - improved detection logic, and increased the severity to medium
Added 2 new informational BIOC rules:
PsExec runs with System privileges (b834289d-44f9-4e05-9411-4dd8dfff8959) - added a new informational alert
Possible RDP session hijacking using tscon.exe (32c6e7f9-ccd0-48a4-8bc9-3e460653cb75) - added a new informational alert

February 16, 2020 Release
Increased the severity to high for a BIOC rule:
Debug.bin file dropped to Temp folder (5b161cc7-20d1-11ea-bf45-8c8590c9ccd1) - increased the severity to high
Increased the severity to medium for 9 BIOC rules:
Mshta.exe launched with suspicious arguments (0b174006-3946-43b6-af3c-ab400e6c7a87) - improved detection logic, increased the severity to medium, and changed metadata
Reading bash command history file (cb05480f-17d8-4138-9902-f0f9fb50b672) - increased the severity to medium, and changed metadata
Multiple RDP sessions enabled via Registry (b1ac2867-7f82-4d99-b565-2fb5425c1bb5) - increased the severity to medium, and changed metadata
Image File Execution Options Registry key injection by scripting engine (f8ea70da-4bbd-44a7-9b32-0abc809dd2be) - increased the severity to medium, and changed metadata
Regsvr32 possibly downloading code from a remote host (a5ee0040-949c-4a4f-a5b8-dd5c079f9ba0) - improved detection logic, increased the severity to medium, and changed metadata
Manipulation of Google Chrome extensions via Registry (5adc7a1b-c840-43fc-ac65-c1b6cdb5ca12) - improved detection logic, increased the severity to medium, and changed metadata
Unsigned integer Sudo privilege escalation (1974dd9e-20c1-11ea-ab34-8c8590c9ccd1) - increased the severity to medium
Indirect command execution using the Program Compatibility Assistant (18447eac-7ad6-44a8-aaf5-7e75b0151166) - improved detection logic, increased the severity to medium, and changed metadata
Procdump executed from an atypical directory (e8338494-20af-11ea-bbde-8c8590c9ccd1) - improved detection logic, and increased the severity to medium
Increased the severity to low for a BIOC rule:
Possible data destruction via dd (c7492f51-dbb6-4973-bdd4-4b482f4c3497) - improved detection logic, and increased the severity to low
Added 9 new informational BIOC rules:
Execution of regsvcs/regasm with uncommon paths (a1ce5d8b-5ea0-49d2-8d91-8ae4ea752ec0) - added a new informational alert
Possible malicious .NET compilation started by a commonly-abused process (9eb14342-4742-11ea-8105-88e9fe502c1f) - added a new informational alert
WerFault ReflectDebugger key set in Registry (e22a0cab-0e71-408c-bbbc-39bf225df5fc) - added a new informational alert
LSASS dump file written to disk (90226942-3721-4df4-9b26-577ed1e9c34d) - added a new informational alert
Possible LSASS memory dump (b744a41d-1ee9-4d09-908e-cf3fdc27fa4c) - added a new informational alert
Suspicious access to NTDS.dit (eeeee3a5-a22f-4850-8022-17684a8c5227) - added a new informational alert
Mimikatz command-line arguments (94fed992-c1da-4b69-9caa-292221b8c070) - added a new informational alert
AMSI Bypass (7cdcafb1-cc36-4608-87da-eaed966d3c7e) - added a new informational alert
VBScript execution from the command line (e71d7a58-f4c9-4582-bdb9-e86beb803d0c) - added a new informational alert
The Cortex XDR August release unifies the Analytics and Investigation and Response apps into a single Cortex XDR app, with a unified and streamlined user interface.
05-22-2020 08:38 AM
Here you will find older Cortex XDR release notes from 2019, covering April 2019 to December 2019.
05-22-2020 08:24 AM
Hunt down and stop stealthy attacks by unifying network, endpoint, and cloud data.
07-10-2019 09:43 AM