Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
Cortex XDR Articles
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- Technologies
- Cortex XDR
- Cortex XDR Articles
Options
- My LIVEcommunity Articles Contributions
- Subscribe
- Bookmark
- Subscribe to RSS Feed
- Invite a Friend
Featured Article
L3 Networker
Cortex XDR Content Release Notes
January 16, 2022 Release:
-
Added a new High Analytics BIOC:
-
Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - added a new High alert
-
-
Increased the severity to Medium for an Analytics BIOC:
-
Suspicious hidden user created (eeb7b678-3c9b-11ec-879d-acde48001122) - increased the severity to Medium, and improved detection logic
-
-
Added a new Medium Analytics BIOC:
-
Suspicious Udev driver rule execution manipulation (74805905-0d62-454d-90dc-2deeeb51e549) - added a new Medium alert
-
- Changed metadata of an Informational BIOC:
- Network Packet Capture: tshark/tcpdump (9e72d135-0782-48dd-8b4f-da2dd4d1599f) - changed metadata of an Informational BIOC
- Added a new Informational Analytics BIOC:
- Sensitive account password reset attempt (d53de368-576a-11ec-9556-acde48001122) - added a new Informational alert
January 9, 2022 Release:
-
Changed metadata of 5 High Analytics BIOCs:
-
Bronze-Bit exploit (115c6f43-ebb2-48d8-9044-9b52c0102e2f) - changed metadata of a High Analytics BIOCs
-
A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - changed metadata of a High Analytics BIOCs
-
A Successful login from TOR (ec9124e2-f2c3-4141-bdfa-4c707dfae296) - changed metadata of a High Analytics BIOCs
-
A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - changed metadata of a High Analytics BIOCs
-
Netcat makes or gets connections (15d32561-c499-4772-8934-883fcd1cd75f) - changed metadata of a High Analytics BIOCs
-
-
Changed metadata of a High Analytics Alert:
-
Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - changed metadata of a High Analytics Alert
-
-
Improved logic of 3 Medium Analytics BIOCs:
-
Suspicious SearchProtocolHost.exe parent process (86d04512-5c96-4f87-be1e-dc600e9d60f8) - improved logic of a Medium Analytics BIOCs
-
TGT request with a spoofed sAMAccountName - Event log (aa13b505-66e8-11ec-b385-faffc26aac4a) - improved logic of a Medium Analytics BIOCs
-
TGT request with a spoofed sAMAccountName - Network (92c20cd9-60e8-11ec-80b1-acde48001122) - improved logic of a Medium Analytics BIOCs
-
- Changed metadata of 2 Medium Analytics BIOCs:
- Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - changed metadata of a Medium Analytics BIOCs
- Scrcons.exe Rare Child Process (f62553d1-e952-11e9-81c4-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOCs
- Improved logic of a Medium Analytics Alert:
- Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alert
- Changed metadata of 4 Medium Analytics Alerts:
- Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - changed metadata of a Medium Analytics Alerts
- NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) - changed metadata of a Medium Analytics Alerts
- Kerberos User Enumeration (a371b533-c9f4-11eb-879e-acde48001122) - changed metadata of a Medium Analytics Alerts
- Remote account enumeration (7ee73b65-466e-4d4d-b2a6-0058f11b442d) - changed metadata of a Medium Analytics Alerts
- Changed metadata of 23 Low Analytics BIOCs:
- First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - changed metadata of a Low Analytics BIOCs
- Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - changed metadata of a Low Analytics BIOCs
- User successfully connected from a suspicious country (2f0796a2-c33c-4437-b592-ac13f0929e7d) - changed metadata of a Low Analytics BIOCs
- Suspicious process executed with a high integrity level (81e70ab2-b1f1-4a1c-bf94-3929f6d7e1b2) - changed metadata of a Low Analytics BIOCs
- SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - changed metadata of a Low Analytics BIOCs
- SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - changed metadata of a Low Analytics BIOCs
- Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - changed metadata of a Low Analytics BIOCs
- A rare disabled user attempted to log in (598e04de-0c13-46de-ad73-27ec4605da3f) - changed metadata of a Low Analytics BIOCs
- Interactive login by a service account (603bfd03-d88b-4a3e-844b-5286b6971960) - changed metadata of a Low Analytics BIOCs
- A suspicious process enrolled for a certificate (4cbef8f8-ec99-40d1-9b8b-bfbd3cda5f4b) - changed metadata of a Low Analytics BIOCs
- First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - changed metadata of a Low Analytics BIOCs
- A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - changed metadata of a Low Analytics BIOCs
- Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - changed metadata of a Low Analytics BIOCs
- Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - changed metadata of a Low Analytics BIOCs
- LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - changed metadata of a Low Analytics BIOCs
- Wsmprovhost.exe Rare Child Process (f5b580fd-e952-11e9-91de-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
- Possible network sniffing attempt via tcpdump or tshark (10d3d8d1-1edd-4992-beb3-53d4f5afcde8) - changed metadata of a Low Analytics BIOCs
- Wscript/Cscript loads .NET DLLs (5844326f-d597-410f-aea0-7d369029b218) - changed metadata of a Low Analytics BIOCs
- Interactive login by a machine account (1114b340-fc05-4ad0-925d-6c2867d2b5d9) - changed metadata of a Low Analytics BIOCs
- A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - changed metadata of a Low Analytics BIOCs
- Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - changed metadata of a Low Analytics BIOCs
- Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
- SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - changed metadata of a Low Analytics BIOCs
- Improved logic of a Low Analytics Alert:
- Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alert
- Changed metadata of 13 Low Analytics Alerts:
- Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - changed metadata of a Low Analytics Alerts
- Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - changed metadata of a Low Analytics Alerts
- NTLM Brute Force on an Administrator Account (aed1e32e-8df0-48d7-8e78-4ebcb6e09a94) - changed metadata of a Low Analytics Alerts
- Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - changed metadata of a Low Analytics Alerts
- NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - changed metadata of a Low Analytics Alerts
- Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - changed metadata of a Low Analytics Alerts
- TGT reuse from different hosts (pass the ticket) (a3ae81d9-6d4a-45a8-a720-df7380d2afc8) - changed metadata of a Low Analytics Alerts
- Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - changed metadata of a Low Analytics Alerts
- Possible external RDP Brute-Force (f774f787-6763-4f3c-bc24-46d3183d26fe) - changed metadata of a Low Analytics Alerts
- Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - changed metadata of a Low Analytics Alerts
- Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alerts
- NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - changed metadata of a Low Analytics Alerts
- A user connected a new USB storage device to multiple hosts (09214199-d414-486e-bcf5-dc5034b2c424) - changed metadata of a Low Analytics Alerts
- Changed metadata of 16 Informational Analytics BIOCs:
- Rare process execution by user (4cf96b80-2278-11eb-9f9a-acde48001122) - changed metadata of an Informational Analytics BIOC
- User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - changed metadata of an Informational Analytics BIOCs
- A user created a pfx file for the first time (5ddac38b-51e2-48c4-9fb7-43144bc3a148) - changed metadata of an Informational Analytics BIOCs
- Rare process execution in organization (8d02294c-21bd-11eb-afd9-acde48001122) - changed metadata of an Informational Analytics BIOCs
- Login by a dormant user (0d700470-a3fa-4a78-b1fa-5c1e47db9a60) - changed metadata of an Informational Analytics BIOCs
- SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - changed metadata of an Informational Analytics BIOCs
- Suspicious process accessed certificate files (21df20db-09cb-4bc4-b7ea-c6b1cb2e9667) - changed metadata of an Informational Analytics BIOCs
- A user connected a USB storage device to a host for the first time (e3bc7997-3aec-4a0c-abc9-bdf744a34f39) - changed metadata of an Informational Analytics BIOCs
- A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - changed metadata of an Informational Analytics BIOCs
- Unusual weak authentication by user (438a1ba6-98e1-4b02-9c94-76c437fd682d) - changed metadata of an Informational Analytics BIOCs
- Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - changed metadata of an Informational Analytics BIOCs
- A user connected a new USB storage device to a host (43c2c43d-3c3c-4a16-b06c-3ad5de1fb3be) - changed metadata of an Informational Analytics BIOCs
- Rare NTLM Access By User To Host (05413bad-3d79-4e9a-9611-3471e3b25da5) - changed metadata of an Informational Analytics BIOCs
- Rare NTLM Usage by User (41374948-45f3-448a-bec2-2efe049aa69f) - changed metadata of an Informational Analytics BIOCs
- User connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - changed metadata of an Informational Analytics BIOCs
- First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - changed metadata of an Informational Analytics BIOCs
- Changed metadata of 7 Informational Analytics Alerts:
- NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - changed metadata of an Informational Analytics Alerts
- Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - changed metadata of an Informational Analytics Alerts
- User collected remote shared files in an archive (de85c5aa-21e8-43d7-af13-3862f787549f) - changed metadata of an Informational Analytics Alerts
- Multiple Rare Process Executions in Organization (3d78f74c-a8f0-11eb-923e-acde48001122) - changed metadata of an Informational Analytics Alerts
- Interactive local account enumeration (d4608074-aafc-49cc-aa04-292c0a87332e) - changed metadata of an Informational Analytics Alerts
- Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - changed metadata of an Informational Analytics Alerts
- Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - changed metadata of an Informational Analytics Alerts
January 2, 2022 Release:
- Removed an old High BIOC:
- Wbadmin.exe deletes recovery files in quiet mode (24be0d84-2203-4d60-a1f0-39e4f80eee3a) - removed an old High alert
- Increased the severity to High for an Analytics BIOC:
- Wbadmin deleted files in quiet mode (293c8cc3-d9c3-4293-bddc-5dbf65d979fc) - increased the severity to High
- Changed metadata of a High Analytics Alert:
- Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - changed metadata of a High Analytics Alert
- Improved logic of a Medium Analytics BIOC:
- Suspicious Encrypting File System Remote call (EFSRPC) to domain controller (82a37634-c112-4dd9-8c16-332855d96c30) - improved logic of a Medium Analytics BIOC:
- Changed metadata of a Medium Analytics BIOC:
- Possible new DHCP server (e5afa116-5041-4ed9-9d0c-18eaac133173) - changed metadata of a Medium Analytics BIOC
- Improved logic of a Medium Analytics Alert:
- New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Medium Analytics Alert
- Added a new Low Analytics BIOC:
- Suspicious Certutil AD CS contact (06545c74-04c2-4964-9af5-eb99080c274e) - added a new Low alert
- Improved logic of a Low Analytics BIOC:
- Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - improved logic of a Low Analytics BIOC
- Improved logic of 3 Low Analytics Alerts:
- Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts
- Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alerts
- IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alerts
- Improved logic of 9 Informational Analytics BIOCs:
- Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - improved logic of an Informational Analytics BIOCs
- Suspicious remote execution from a vCenter server (6213c66f-e269-4d16-9db7-86015b5a2f4d) - improved logic of an Informational Analytics BIOCs
- Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - improved logic of an Informational Analytics BIOCs
- IAM enumeration activity executed by an IAM user Identity (037eab86-c495-11eb-8c75-acde48001122) - improved logic of an Informational Analytics BIOCs
- Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs
- Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol (72931f2e-a43f-4e77-ad81-48c29164017f) - improved logic of an Informational Analytics BIOCs
- Rare AppID usage for port to rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs
- First session from external IP to vCenter (4ad03760-f701-4f40-b01f-d1ddefda4002) - improved logic of an Informational Analytics BIOCs
- Signed process performed an unpopular injection (365bfca2-a3e1-4a44-9487-1353903a6c61) - improved logic of an Informational Analytics BIOCs
- Changed metadata of 2 Informational Analytics BIOCs:
- A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - changed metadata of an Informational Analytics BIOCs
- Signed process performed an unpopular DLL injection (9e699960-30e7-4b6e-bb71-30cdbf635307) - changed metadata of an Informational Analytics BIOCs
- Removed 2 old Informational Analytics BIOCs:
- Signed process performed an unpopular DLL injection (5109a2c2-9bd6-4ef0-ad3e-4bd8b1b683aa) - removed an old Informational alert
- Signed process performed an unpopular injection (3ee6d300-7fbe-4281-8de8-3d1016663931) - removed an old Informational alert
- Decreased the severity to Informational for 2 Analytics Alerts:
- Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - decreased the severity to Informational, and improved detection logic
- Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - decreased the severity to Informational, and improved detection logic
- Changed metadata of an Informational Analytics Alert:
- Possible LDAP enumeration by unsigned process (85c187ec-80d1-464e-ab1e-a9aa5af7f191) - changed metadata of an Informational Analytics Alert
- Removed an old Informational Analytics Alert:
- Possible LDAP enumeration by unsigned process (12540bdc-b34f-4190-880b-40cb1cda0618) - removed an old Informational alert
December 27, 2021 Release:
- Changed metadata of 14 High Analytics BIOCs
- Removed an old High Analytics BIOC:
- Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - removed an old High alert
- Changed metadata of a High Analytics Alert:
- Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - changed metadata of a High Analytics Alert
- Added 3 new Medium Analytics BIOCs:
- TGT request with a spoofed sAMAccountName - Network (92c20cd9-60e8-11ec-80b1-acde48001122) - added a new Medium alert
- TGT request with a spoofed sAMAccountName - Event log (aa13b505-66e8-11ec-b385-faffc26aac4a) - added a new Medium alert
- Service ticket request with a spoofed sAMAccountName (633ca673-5d09-11ec-b013-faffc26aac4a) - added a new Medium alert
- Improved logic of a Medium Analytics BIOC:
- Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - improved logic of a Medium Analytics BIOC
- Changed metadata of 62 Medium Analytics BIOCs
- Improved logic of a Medium Analytics Alert:
- New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Medium Analytics Alert
- Changed metadata of 10 Medium Analytics Alerts
- Added a new Low Analytics BIOC:
- Suspicious sAMAccountName change (3a44e454-61ab-11ec-a8b5-acde48001122) - added a new Low alert
- Improved logic of 2 Low Analytics BIOCs:
- Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - improved logic of a Low Analytics BIOCs
- WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs
- Changed metadata of 88 Low Analytics BIOCs
- Improved logic of 5 Low Analytics Alerts:
- Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts
- Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - improved logic of a Low Analytics Alerts
- Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alerts
- Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alerts
- Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts
- Changed metadata of 19 Low Analytics Alerts
- Added a new Informational Analytics BIOC:
- Rare machine account creation (45d670c2-61d9-11ec-9f91-acde48001122) - added a new Informational alert
- Improved logic of an Informational Analytics BIOC:
- Rare AppID usage for port to rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOC
- Changed metadata of 113 Informational Analytics BIOCs
- Changed metadata of 11 Informational Analytics Alerts
December 21, 2021 Release:
- Changed metadata of 15 High Analytics BIOCs:
- A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - changed metadata of a High Analytics BIOCs
- Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - changed metadata of a High Analytics BIOCs
- Netcat makes or gets connections (15d32561-c499-4772-8934-883fcd1cd75f) - changed metadata of a High Analytics BIOCs
- PowerShell used to remove mailbox export request logs (2daec22b-6339-4217-afdc-ffaf60faa4c2) - changed metadata of a High Analytics BIOCs
- Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - changed metadata of a High Analytics BIOCs
- Uncommon remote scheduled task creation (85516bae-e953-11e9-bbed-8c8590c9ccd1) - changed metadata of a High Analytics BIOCs
- Windows Event Log cleared using wevtutil.exe (be2210fb-9884-49e7-8078-6e59c35d925e) - changed metadata of a High Analytics BIOCs
- Unprivileged process opened a registry hive (9937ddbf-beb9-49b0-ac34-e005d53a127b) - changed metadata of a High Analytics BIOCs
- A Successful login from TOR (ec9124e2-f2c3-4141-bdfa-4c707dfae296) - changed metadata of a High Analytics BIOCs
- Bronze-Bit exploit (115c6f43-ebb2-48d8-9044-9b52c0102e2f) - changed metadata of a High Analytics BIOCs
- Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) - changed metadata of a High Analytics BIOCs
- Log4J exploitation attempt against cloud hosted resources (bdef5aae-a272-4c70-b1cd-165cac5039c3) - changed metadata of a High Analytics BIOCs
- A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - changed metadata of a High Analytics BIOCs
- Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin (e7deceda-807e-4e2e-993b-e577804c5d8f) - changed metadata of a High Analytics BIOCs
- Possible DCShadow attempt (a320aa30-20c3-11ea-b525-8c8590c9ccd1) - changed metadata of a High Analytics BIOCs
- Changed metadata of a High Analytics Alert:
- Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - changed metadata of a High Analytics Alert
- Added a new Medium Analytics BIOC:
- A remote service was created via RPC over SMB (f33c6ecc-cb20-4f2a-8bf8-869d21f18b0e) - added a new Medium alert
- Improved logic of a Medium Analytics BIOC:
- Possible AWS Instance Metadata Service (IMDS) Abuse (39ea8f0c-d0d7-4470-b373-aa144394e579) - improved logic of a Medium Analytics BIOC
- Changed metadata of 61 Medium Analytics BIOCs:
- Suspicious disablement of the Windows Firewall using PowerShell commands (cb8b6ba0-12cc-4c64-81f5-75da949bea0b) - changed metadata of a Medium Analytics BIOCs
- RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOCs
- Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - changed metadata of a Medium Analytics BIOCs
- Possible RDP session hijacking using tscon.exe (015570a8-ffce-492b-99a9-e7b83dc8e216) - changed metadata of a Medium Analytics BIOCs
- Suspicious authentication package registered (8beb68b4-a866-494d-a768-c4c391086c66) - changed metadata of a Medium Analytics BIOCs
- Windows Installer exploitation for local privilege escalation (d6aeb50b-c3f9-4eb3-9504-636eb17f3a42) - changed metadata of a Medium Analytics BIOCs
- Suspicious unsigned process loads a known PowerShell module (23ac9a23-8a43-4900-95e1-6cdb422dd854) - changed metadata of a Medium Analytics BIOCs
- Execution of the Hydra Linux password brute-force tool (90010a1e-59b9-42a2-b768-2778a666f7a3) - changed metadata of a Medium Analytics BIOCs
- Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - changed metadata of a Medium Analytics BIOCs
- PowerShell runs suspicious base64-encoded commands (867fc0b0-4f9f-4d3b-b538-0b32266e2ab2) - changed metadata of a Medium Analytics BIOCs
- Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - changed metadata of a Medium Analytics BIOCs
- Remote WMI process execution (65c55916-23c3-4d1e-9e3d-e839c9c4b70f) - changed metadata of a Medium Analytics BIOCs
- Possible Microsoft module side-loading into Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - changed metadata of a Medium Analytics BIOCs
- PowerShell used to export mailbox contents (70b08c1e-ccfd-4ab9-bb92-66acaa83aa3a) - changed metadata of a Medium Analytics BIOCs
- External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - changed metadata of a Medium Analytics BIOCs
- Scrcons.exe Rare Child Process (f62553d1-e952-11e9-81c4-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOCs
- The CA policy EditFlags was queried (3c01fdf3-0cf3-49b6-b08f-b40df3c2e498) - changed metadata of a Medium Analytics BIOCs
- Uncommon net group execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOCs
- Phantom DLL Loading (69ba5103-2954-4175-87b7-3a622ec07255) - changed metadata of a Medium Analytics BIOCs
- Possible DCSync Attempt (a420aa30-20c3-11ea-b525-8c8591c0ccb0) - changed metadata of a Medium Analytics BIOCs
- Discovery of misconfigured certificate templates using LDAP (7dbb9366-8b94-4a9f-bc18-f02fbe7b1433) - changed metadata of a Medium Analytics BIOCs
- Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs
- Suspicious SearchProtocolHost.exe parent process (86d04512-5c96-4f87-be1e-dc600e9d60f8) - changed metadata of a Medium Analytics BIOCs
- Possible Microsoft process masquerading (e0a99ea0-977d-4646-b9d9-26e9e7a4341c) - changed metadata of a Medium Analytics BIOCs
- Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - changed metadata of a Medium Analytics BIOCs
- Script Connecting to Rare External Host (86889630-e953-11e9-b74e-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOCs
- Mshta.exe launched with suspicious arguments (0b174006-3946-43b6-af3c-ab400e6c7a87) - changed metadata of a Medium Analytics BIOCs
- Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - changed metadata of a Medium Analytics BIOCs
- Remote command execution via wmic.exe (f42fdaa8-4685-11ea-94be-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs
- Failed Login For a Long Username With Special Characters (de8eb00f-2016-11ea-8f2b-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOCs
- Suspicious disablement of the Windows Firewall (7c28b163-4d2f-463c-97ba-5b3e7f13249b) - changed metadata of a Medium Analytics BIOCs
- Suspicious PowerSploit's recon module (PowerView) used to search for exposed hosts (dd806bdc-9025-47ff-816a-72ee47c322a3) - changed metadata of a Medium Analytics BIOCs
- Possible Search For Password Files (388d1fcc-4d9c-11ea-9daa-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs
- Mailbox Client Access Setting (CAS) changed (d44c2188-9769-497d-a509-b980e9420f33) - changed metadata of a Medium Analytics BIOCs
- Commonly abused AutoIT script connects to an external domain (5ce79fc6-a5d3-43d1-a9ff-d8c779958cc9) - changed metadata of a Medium Analytics BIOCs
- LOLBIN spawned by an Office executable connected to a rare external host (0aad6094-99a3-11ea-8544-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs
- SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs
- Unicode RTL Override Character (525e3dd7-4ca6-11ea-8161-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs
- Executable created to disk by lsass.exe (b2f18102-e247-4986-8681-029741ebbfd5) - changed metadata of a Medium Analytics BIOCs
- Uncommon Service Create/Config (4814ee91-468d-11ea-a78c-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs
- MSI accessed a web page running a server-side script (afb57884-36f1-4127-b1ac-43009c32899b) - changed metadata of a Medium Analytics BIOCs
- Manipulation of netsh helper DLLs Registry keys (02bf3838-23d9-4a6b-a4c9-7b6691663249) - changed metadata of a Medium Analytics BIOCs
- Suspicious time provider registered (2055b591-73b7-4a69-8c88-a6d8649d1e7b) - changed metadata of a Medium Analytics BIOCs
- LOLBIN connecting to a rare host (4bcc13de-20b7-11ea-a54a-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOCs
- Uncommon PowerShell commands used to create or alter scheduled task parameters (a31e1c5b-f931-412b-b7ae-1932df342614) - changed metadata of a Medium Analytics BIOCs
- Suspicious Encrypting File System Remote call (EFSRPC) to domain controller (82a37634-c112-4dd9-8c16-332855d96c30) - changed metadata of a Medium Analytics BIOCs
- Suspicious print processor registered (cf14910d-0c56-48c7-97f2-903f3387ad6b) - changed metadata of a Medium Analytics BIOCs
- Reverse SSH tunnel to external domain/ip (0098b910-5056-4ce9-988a-983dd0071c5a) - changed metadata of a Medium Analytics BIOCs
- Possible new DHCP server (e5afa116-5041-4ed9-9d0c-18eaac133173) - changed metadata of a Medium Analytics BIOCs
- Suspicious Process Spawned by wininit.exe (9e4ba29f-8771-4f7b-acc4-562c91740934) - changed metadata of a Medium Analytics BIOCs
- Vulnerable driver loaded (1cc145f5-f667-4ca3-a722-79a29ed23caf) - changed metadata of a Medium Analytics BIOCs
- Uncommon msiexec execution of an arbitrary file from the web (8b919310-62f6-4035-b60b-ef61372947d9) - changed metadata of a Medium Analytics BIOCs
- PowerShell suspicious flags (4ce1b559-45b8-11ea-81bb-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs
- Bitsadmin.exe persistence using command-line callback (96e5bf6b-3ed4-42f2-b824-6cdb16a31608) - changed metadata of a Medium Analytics BIOCs
- Suspicious PowerSploit's recon module (PowerView) net function was executed (bd95656f-6ba3-4c9d-ac06-8b0a957cf67f) - changed metadata of a Medium Analytics BIOCs
- Uncommon SetWindowsHookEx API invocation of a possible keylogger (09cf18c8-e607-44f4-bb06-1dfde6163839) - changed metadata of a Medium Analytics BIOCs
- Script file added to startup-related Registry keys (9dee6c7b-1df0-4eb2-9db2-035f70e7c9d7) - changed metadata of a Medium Analytics BIOCs
- Execution of renamed lolbin (d2600df6-4489-4ad6-b92b-0b560f958d57) - changed metadata of a Medium Analytics BIOCs
- Microsoft Office Process Spawning a Suspicious One-Liner (aca7aaa1-4361-11ea-8fed-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs
- LDAP search query from an unpopular and unsigned process (64472a41-9670-4626-8926-98b713328ddf) - changed metadata of a Medium Analytics BIOCs
- Non-browser failed access to a pastebin-like site (be47eb8c-3407-46d6-ad35-2961f3f669b0) - changed metadata of a Medium Analytics BIOCs
- Changed metadata of 11 Medium Analytics Alerts:
- Sudoedit Brute force attempt (e1d6cdd8-845f-440b-b89e-a430eafea941) - changed metadata of a Medium Analytics Alerts
- Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - changed metadata of a Medium Analytics Alerts
- DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - changed metadata of a Medium Analytics Alerts
- An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - changed metadata of a Medium Analytics Alerts
- Kerberos User Enumeration (a371b533-c9f4-11eb-879e-acde48001122) - changed metadata of a Medium Analytics Alerts
- Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - changed metadata of a Medium Analytics Alerts
- Remote account enumeration (7ee73b65-466e-4d4d-b2a6-0058f11b442d) - changed metadata of a Medium Analytics Alerts
- NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) - changed metadata of a Medium Analytics Alerts
- Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - changed metadata of a Medium Analytics Alerts
- Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) - changed metadata of a Medium Analytics Alerts
- New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - changed metadata of a Medium Analytics Alerts
- Removed an old Low BIOC:
- New addition to Windows Defender exclusion list (419ff8cf-dc92-4f24-8665-3415fcdd0074) - removed an old Low alert
- Added 5 new Low Analytics BIOCs:
- Unsigned and unpopular process performed an injection (6bcd74bb-6301-4f52-9a9f-1b38e6a54342) - added a new Low alert
- SPNs cleared from a machine account (973d9ec2-5dce-11ec-8dbf-acde48001122) - added a new Low alert
- Unsigned and unpopular process performed a DLL injection (5396ebed-c7ef-4462-a02b-9cf7232b27b8) - added a new Low alert
- New addition to Windows Defender exclusion list (97bd1ad3-df0f-459c-be72-88193ce7b667) - added a new Low alert
- Possible network sniffing attempt via tcpdump or tshark (10d3d8d1-1edd-4992-beb3-53d4f5afcde8) - added a new Low alert
- Improved logic of a Low Analytics BIOC:
- A cloud identity executed an API call from an unusual country (19c743b0-99ca-400c-b386-bcc99d846582) - improved logic of a Low Analytics BIOC
- Changed metadata of 84 Low Analytics BIOCs
- Unusual process accessed the PowerShell history file (c5e0c7e3-5e55-11eb-9453-acde48001122) - changed metadata of a Low Analytics BIOCs
- Uncommon ARP cache listing via arp.exe (85a9b5a1-e953-11e9-939b-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
- Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - changed metadata of a Low Analytics BIOCs
- Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - changed metadata of a Low Analytics BIOCs
- Suspicious process execution by scheduled task (56bc5f4c-e481-41de-81e4-ec618fb1f004) - changed metadata of a Low Analytics BIOCs
- Possible network service discovery via command-line tool (e2e77dfb-d869-405e-ab1f-2a2477c931cc) - changed metadata of a Low Analytics BIOCs
- A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - changed metadata of a Low Analytics BIOCs
- Suspicious LDAP search query executed (95ffd373-d208-4fae-8d1e-adfeca7b9fb5) - changed metadata of a Low Analytics BIOCs
- Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - changed metadata of a Low Analytics BIOCs
- AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - changed metadata of a Low Analytics BIOCs
- A WMI subscriber was created (5a1964f8-87a0-49d6-bbf2-2c1a5a5eb3e1) - changed metadata of a Low Analytics BIOCs
- Uncommon GetClipboardData API function invocation of a possible information stealer (086617b1-eaea-4b50-9712-318faeb71c10) - changed metadata of a Low Analytics BIOCs
- System information discovery via psinfo.exe (5347ae54-08ba-4cee-81a7-a26016928e27) - changed metadata of a Low Analytics BIOCs
- Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - changed metadata of a Low Analytics BIOCs
- A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - changed metadata of a Low Analytics BIOCs
- AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - changed metadata of a Low Analytics BIOCs
- Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - changed metadata of a Low Analytics BIOCs
- GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - changed metadata of a Low Analytics BIOCs
- SecureBoot was disabled (e8a6caaf-89c1-4e19-8e27-1ced582293e0) - changed metadata of a Low Analytics BIOCs
- Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - changed metadata of a Low Analytics BIOCs
- MSBuild Makes a Rare Network Connection (633a8e38-c616-11ea-abb3-acde48001122) - changed metadata of a Low Analytics BIOCs
- Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - changed metadata of a Low Analytics BIOCs
- Image File Execution Options Registry key injection by unsigned process (4588be44-8912-41c5-9a7d-6921691140db) - changed metadata of a Low Analytics BIOCs
- Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - changed metadata of a Low Analytics BIOCs
- PowerShell Initiates a Network Connection to GitHub (8b34f70a-b84d-4d98-aa19-7ee88037e467) - changed metadata of a Low Analytics BIOCs
- Suspicious AMSI decode attempt (f3885db4-6be6-40b9-82c1-9858f97a4229) - changed metadata of a Low Analytics BIOCs
- An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - changed metadata of a Low Analytics BIOCs
- Interactive login by a service account (603bfd03-d88b-4a3e-844b-5286b6971960) - changed metadata of a Low Analytics BIOCs
- Discovery of host users via WMIC (6593c57d-14fe-11ea-9297-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs
- Suspicious access to shadow file (e4b279f9-3e47-4906-a9d3-4b2a7550da04) - changed metadata of a Low Analytics BIOCs
- Delayed Deletion of Files (9801a8bd-4695-11ea-bb20-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs
- Uncommon routing table listing via route.exe (758e8ed7-e953-11e9-b4ee-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
- A suspicious process enrolled for a certificate (4cbef8f8-ec99-40d1-9b8b-bfbd3cda5f4b) - changed metadata of a Low Analytics BIOCs
- Rare Unsigned Process Spawned by Office Process Under Suspicious Directory (dff03970-bf7a-11ea-86c7-acde48001122) - changed metadata of a Low Analytics BIOCs
- Unverified domain added to Azure AD (e4672ba4-6ba8-426c-82c1-9858f97a4221) - changed metadata of a Low Analytics BIOCs
- Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - changed metadata of a Low Analytics BIOCs
- AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - changed metadata of a Low Analytics BIOCs
- Wscript/Cscript loads .NET DLLs (5844326f-d597-410f-aea0-7d369029b218) - changed metadata of a Low Analytics BIOCs
- Interactive login by a machine account (1114b340-fc05-4ad0-925d-6c2867d2b5d9) - changed metadata of a Low Analytics BIOCs
- Uncommon Security Support Provider (SSP) registered via a registry key (3d1283d0-409c-4d95-8995-dcc7b1ab23e1) - changed metadata of a Low Analytics BIOCs
- Microsoft Office process spawns a commonly abused process (e15a97e1-466c-11ea-90c6-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs
- AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - changed metadata of a Low Analytics BIOCs
- MpCmdRun.exe was used to download files into the system (bae10b1e-5850-452a-9623-d86e959d34d4) - changed metadata of a Low Analytics BIOCs
- Uncommon user management via net.exe (f78dfe5e-e952-11e9-b300-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
- First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - changed metadata of a Low Analytics BIOCs
- WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
- Remote service start from an uncommon source (972072a7-9f23-4354-824d-7295de90e804) - changed metadata of a Low Analytics BIOCs
- Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - changed metadata of a Low Analytics BIOCs
- Rare communication over email ports to external email server by unsigned process (7b424216-fe61-4589-bcee-67e9e7b267be) - changed metadata of a Low Analytics BIOCs
- Screensaver process executed from Users or temporary folder (463d34d4-d448-40f2-8093-6ce58cf2bdbb) - changed metadata of a Low Analytics BIOCs
- A rare disabled user attempted to log in (598e04de-0c13-46de-ad73-27ec4605da3f) - changed metadata of a Low Analytics BIOCs
- Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - changed metadata of a Low Analytics BIOCs
- Certutil pfx parsing (3719af79-bdde-4c84-9277-cbf41c86cd39) - changed metadata of a Low Analytics BIOCs
- Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs
- Unsigned process creates a scheduled task via file access (f07fd364-9b51-48ec-8225-32ae98a8ffe5) - changed metadata of a Low Analytics BIOCs
- Uncommon local scheduled task creation via schtasks.exe (8581c273-e953-11e9-b670-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
- Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - changed metadata of a Low Analytics BIOCs
- Suspicious PowerShell Enumeration of Running Processes (9ed9d8ee-6dbb-11ea-a5d9-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs
- Remote DCOM command execution (e5e3c27a-a0c5-49b7-8143-5012d1180d2c) - changed metadata of a Low Analytics BIOCs
- SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - changed metadata of a Low Analytics BIOCs
- Uncommon remote service start via sc.exe (85cdb57d-e953-11e9-859b-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
- Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
- User successfully connected from a suspicious country (2f0796a2-c33c-4437-b592-ac13f0929e7d) - changed metadata of a Low Analytics BIOCs
- LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - changed metadata of a Low Analytics BIOCs
- SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - changed metadata of a Low Analytics BIOCs
- Wsmprovhost.exe Rare Child Process (f5b580fd-e952-11e9-91de-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
- Suspicious PowerShell Command Line (d2aa3dde-4d73-11ea-923a-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs
- Rare SSH Session (85f62ab8-e953-11e9-beca-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
- UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - changed metadata of a Low Analytics BIOCs
- Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - changed metadata of a Low Analytics BIOCs
- Elevation to SYSTEM via services (a1962f05-c1da-4765-8e4a-59729c70dde0) - changed metadata of a Low Analytics BIOCs
- Suspicious RunOnce Parent Process (565f0500-ad74-11ea-abe7-acde48001122) - changed metadata of a Low Analytics BIOCs
- Suspicious process executed with a high integrity level (81e70ab2-b1f1-4a1c-bf94-3929f6d7e1b2) - changed metadata of a Low Analytics BIOCs
- Uncommon IP Configuration Listing via ipconfig.exe (02501f5c-e953-11e9-954d-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
- SUID/GUID permission discovery (3f90bf2c-05bb-4916-8e70-3fe7a81ea23d) - changed metadata of a Low Analytics BIOCs
- Domain federation settings have been modified (050d189d-714a-46a0-b25d-2b295afd55b6) - changed metadata of a Low Analytics BIOCs
- Suspicious runonce.exe parent process (b72692c3-9579-4547-b657-43dc4e6be816) - changed metadata of a Low Analytics BIOCs
- Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - changed metadata of a Low Analytics BIOCs
- Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet (c640fd86-9c58-4fe2-82ed-c3975866393a) - changed metadata of a Low Analytics BIOCs
- SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - changed metadata of a Low Analytics BIOCs
- Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - changed metadata of a Low Analytics BIOCs
- Rare security product signed executable executed in the network (f9e9ff14-df6e-4ed4-a15d-326bd444199b) - changed metadata of a Low Analytics BIOCs
- First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - changed metadata of a Low Analytics BIOCs
- Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - changed metadata of a Low Analytics BIOCs
- Removed 3 old Low Analytics BIOCs:
- Network sniffing via command-line tool (4b25dcce-0ac3-4cb2-8c97-939a1077af84) - removed an old Low alert
- Unsigned and unpopular process performed an injection (30f78c0f-4f8b-4969-bb00-809cf72a3eed) - removed an old Low alert
- Unsigned and unpopular process performed a DLL injection (6cbd636f-6f55-480c-872d-7611840a7f0a) - removed an old Low alert
- Improved logic of a Low Analytics Alert:
- Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of a Low Analytics Alert
- Changed metadata of 23 Low Analytics Alerts:
- NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - changed metadata of a Low Analytics Alerts
- Suspicious reconnaissance using LDAP (72a78521-6907-40c0-90da-5c1a733a8ed6) - changed metadata of a Low Analytics Alerts
- Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - changed metadata of a Low Analytics Alerts
- Possible external RDP Brute-Force (f774f787-6763-4f3c-bc24-46d3183d26fe) - changed metadata of a Low Analytics Alerts
- Outlook files accessed by an unsigned process (ef33bda6-d0c5-48ef-95a6-e80c0f19df79) - changed metadata of a Low Analytics Alerts
- Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - changed metadata of a Low Analytics Alerts
- Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - changed metadata of a Low Analytics Alerts
- TGT reuse from different hosts (pass the ticket) (a3ae81d9-6d4a-45a8-a720-df7380d2afc8) - changed metadata of a Low Analytics Alerts
- Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alerts
- NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - changed metadata of a Low Analytics Alerts
- Cloud identity performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - changed metadata of a Low Analytics Alerts
- Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - changed metadata of a Low Analytics Alerts
- Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - changed metadata of a Low Analytics Alerts
- Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - changed metadata of a Low Analytics Alerts
- IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - changed metadata of a Low Analytics Alerts
- Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - changed metadata of a Low Analytics Alerts
- Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - changed metadata of a Low Analytics Alerts
- A user connected a new USB storage device to multiple hosts (09214199-d414-486e-bcf5-dc5034b2c424) - changed metadata of a Low Analytics Alerts
- NTLM Brute Force on an Administrator Account (aed1e32e-8df0-48d7-8e78-4ebcb6e09a94) - changed metadata of a Low Analytics Alerts
- Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - changed metadata of a Low Analytics Alerts
- Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - changed metadata of a Low Analytics Alerts
- Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - changed metadata of a Low Analytics Alerts
- Impossible traveler (4f3fff54-e970-4f54-ba86-fd18f94ef559) - changed metadata of a Low Analytics Alerts
- Added 6 new Informational BIOCs:
- System owner/user discovery (12d9aab2-f990-4696-b05c-1657791a4f3c) - added a new Informational alert
- Remote file copy (97b353d8-4995-41ee-b27b-dc0d91b3a493) - added a new Informational alert
- System information discovery (63e963e1-81be-4b5f-991f-e93b76898def) - added a new Informational alert
- Remote system discovery (f6c6e30a-f616-4e07-bb34-351abdb48eb5) - added a new Informational alert
- System network configuration discovery (7d9524ea-a458-46e5-a954-2442a294e583) - added a new Informational alert
- Linux network share discovery (5ce678af-ca4b-4c5a-bc5b-8725b50f6047) - added a new Informational alert
- Improved logic of an Informational BIOC:
- Password complexity enumeration (e86d9dc7-e59d-44d0-a611-5480d390eff0) - improved logic of an Informational BIOC
- Added a new Informational Analytics BIOC:
- Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - added a new Informational alert
- Improved logic of an Informational Analytics BIOC:
- First cloud API call from a country in organization (575fd23b-30b1-48eb-b94c-c6ef4261e7c1) - improved logic of an Informational Analytics BIOC
- Changed metadata of 112 Informational Analytics BIOCs:
- Rare NTLM Access By User To Host (05413bad-3d79-4e9a-9611-3471e3b25da5) - changed metadata of an Informational Analytics BIOCs
- AWS Role Trusted Entity modification (cada381e-8af6-45fa-8c3f-a4e93c4e1885) - changed metadata of an Informational Analytics BIOCs
- Suspicious process accessed certificate files (21df20db-09cb-4bc4-b7ea-c6b1cb2e9667) - changed metadata of an Informational Analytics BIOCs
- LDAP Traffic from Non-Standard Process (5e72a7b4-39ed-4669-98ca-b2495088f653) - changed metadata of an Informational Analytics BIOCs
- GCP Storage Bucket Configuration Modification (d1ad46ca-4412-445a-a0be-17d9b29880d3) - changed metadata of an Informational Analytics BIOCs
- Registration of Uncommon .NET Services and/or Assemblies (df0fcd8c-637b-11ea-b635-88e9fe502c1f) - changed metadata of an Informational Analytics BIOCs
- SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - changed metadata of an Informational Analytics BIOCs
- First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - changed metadata of an Informational Analytics BIOCs
- GCP Storage Bucket deletion (d681c6c5-41e7-4042-bd07-7f666889d59c) - changed metadata of an Informational Analytics BIOCs
- GCP Virtual Private Cloud (VPC) Network Deletion (d9158b41-8de9-4f6d-98b0-3155d4deb092) - changed metadata of an Informational Analytics BIOCs
- AWS network ACL rule creation (a04d827e-9c62-4e2e-be28-1308c695446e) - changed metadata of an Informational Analytics BIOCs
- A user connected a USB storage device to a host for the first time (e3bc7997-3aec-4a0c-abc9-bdf744a34f39) - changed metadata of an Informational Analytics BIOCs
- Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - changed metadata of an Informational Analytics BIOCs
- Rare process execution in organization (8d02294c-21bd-11eb-afd9-acde48001122) - changed metadata of an Informational Analytics BIOCs
- Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - changed metadata of an Informational Analytics BIOCs
- GCP Firewall Rule creation (a84dbd23-67d0-4851-a73a-7dc7430600cf) - changed metadata of an Informational Analytics BIOCs
- Rare SMTP/S Session (4a634ad4-e954-11e9-b86b-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
- Rare signature signed executable executed in the network (c3ce1512-5a5b-4dca-8bd7-0d06845311ee) - changed metadata of an Informational Analytics BIOCs
- Possible Email collection using Outlook RPC (d79e5210-e386-4bb6-aff9-c33afb3ba9d6) - changed metadata of an Informational Analytics BIOCs
- Azure Automation Runbook Creation/Modification (abeed5ee-9620-4c31-b751-f090b3a82c37) - changed metadata of an Informational Analytics BIOCs
- Unusual weak authentication by user (438a1ba6-98e1-4b02-9c94-76c437fd682d) - changed metadata of an Informational Analytics BIOCs
- GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - changed metadata of an Informational Analytics BIOCs
- GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - changed metadata of an Informational Analytics BIOCs
- Rare process execution by user (4cf96b80-2278-11eb-9f9a-acde48001122) - changed metadata of an Informational Analytics BIOCs
- EC2 snapshot attribute has been modification (1c516548-f413-4117-b759-d98d5bec3ed5) - changed metadata of an Informational Analytics BIOCs
- Aurora DB cluster stopped (37242e95-a845-4043-87d6-ad07edfd7c99) - changed metadata of an Informational Analytics BIOCs
- AWS user creation (242c9abb-1def-4778-ba5e-88817b4dc89f) - changed metadata of an Informational Analytics BIOCs
- GCP Pub/Sub Topic Deletion (2acac71c-6a19-4b2f-a4d3-b95fa4cab768) - changed metadata of an Informational Analytics BIOCs
- Azure Event Hub Authorization rule creation/modification (ba1fb18f-9031-4b7c-9ec3-d029f5e5ee0e) - changed metadata of an Informational Analytics BIOCs
- GCP Pub/Sub Subscription Deletion (12e3bc4a-69f6-4923-932e-0272621aa21a) - changed metadata of an Informational Analytics BIOCs
- Login by a dormant user (0d700470-a3fa-4a78-b1fa-5c1e47db9a60) - changed metadata of an Informational Analytics BIOCs
- Ping to localhost from an uncommon, unsigned parent process (91d8831e-18ed-48b3-a316-f5091d647738) - changed metadata of an Informational Analytics BIOCs
- Root user logged in to AWS console (447ef512-2b73-4c8e-b0f4-c85415e7659f) - changed metadata of an Informational Analytics BIOCs
- Azure Automation Webhook creation (c5393a54-b199-4474-a603-75b276903766) - changed metadata of an Informational Analytics BIOCs
- Rare NTLM Usage by User (41374948-45f3-448a-bec2-2efe049aa69f) - changed metadata of an Informational Analytics BIOCs
- Rare AppID usage for port to rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - changed metadata of an Informational Analytics BIOCs
- Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - changed metadata of an Informational Analytics BIOCs
- GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - changed metadata of an Informational Analytics BIOCs
- Azure Key Vault modification (c253e0bb-f704-45c8-9abe-ad0ec9345b54) - changed metadata of an Informational Analytics BIOCs
- AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - changed metadata of an Informational Analytics BIOCs
- GCP Firewall Rule Modification (780f6209-1829-45e2-9ab9-a22999d6ef6e) - changed metadata of an Informational Analytics BIOCs
- Process connecting to default Meterpreter port (9de6cf91-007d-11ea-a77c-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
- A suspicious process queried AD CS objects via LDAP (69bfcbc2-04a1-400b-9516-14c987fedb05) - changed metadata of an Informational Analytics BIOCs
- Uncommon net localgroup execution (4adaa6ba-e954-11e9-b566-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
- External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - changed metadata of an Informational Analytics BIOCs
- First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - changed metadata of an Informational Analytics BIOCs
- MFA device was removed/deactivated from an IAM user (52d74622-2fa5-4eae-b7d0-8eb52e0caaf3) - changed metadata of an Informational Analytics BIOCs
- Azure Storage Account key generated (72443a25-c783-494e-adaa-98cd96a54997) - changed metadata of an Informational Analytics BIOCs
- Possible use of a networking driver for network sniffing (335fb03a-3c85-4029-8033-ec575b3479ae) - changed metadata of an Informational Analytics BIOCs
- IAM User added to an IAM group (440b6ea7-2f9e-4ad1-8443-2586eb796298) - changed metadata of an Informational Analytics BIOCs
- Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - changed metadata of an Informational Analytics BIOCs
- Commonly abused AutoIT script drops an executable file to disk (267a6168-f45b-4274-9c78-7519395f47d4) - changed metadata of an Informational Analytics BIOCs
- Commonly abused process launched as a system service (3cbd172e-6e2f-11ea-8d8e-88e9fe502c1f) - changed metadata of an Informational Analytics BIOCs
- An Identity accessed a secret from Secret Manager (050cd586-bc43-4586-850d-162c0123ad6e) - changed metadata of an Informational Analytics BIOCs
- Azure Automation Runbook Deletion (ba481ed7-9957-489f-a29d-b78f92cc0644) - changed metadata of an Informational Analytics BIOCs
- Uncommon RDP connection (239ae240-e954-11e9-9f0a-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
- S3 configuration deletion (68ebffe9-ce22-4453-bf44-5cd1affd67a0) - changed metadata of an Informational Analytics BIOCs
- An AWS RDS Global Cluster Deletion (1b957d24-d4c3-11eb-9122-acde48001122) - changed metadata of an Informational Analytics BIOCs
- AWS RDS cluster deletion (818dcc3f-c6e9-4ad5-a7ac-633cb75ebe71) - changed metadata of an Informational Analytics BIOCs
- Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - changed metadata of an Informational Analytics BIOCs
- IAM enumeration activity executed by an IAM user Identity (037eab86-c495-11eb-8c75-acde48001122) - changed metadata of an Informational Analytics BIOCs
- Azure virtual machine commands execution (6a069681-c378-4b9c-a2e2-0414a64cc36e) - changed metadata of an Informational Analytics BIOCs
- GCP IAM Service Account Key Deletion (7a30c221-6450-4c5a-bafc-f6633a5b7f7f) - changed metadata of an Informational Analytics BIOCs
- A user created a pfx file for the first time (5ddac38b-51e2-48c4-9fb7-43144bc3a148) - changed metadata of an Informational Analytics BIOCs
- Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - changed metadata of an Informational Analytics BIOCs
- AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - changed metadata of an Informational Analytics BIOCs
- Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - changed metadata of an Informational Analytics BIOCs
- System profiling WMI query execution (cf32631b-369a-451d-91ca-d2bc5b903363) - changed metadata of an Informational Analytics BIOCs
- VM Detection attempt (579c1479-a14e-4366-ab09-6bfefe0dc7f7) - changed metadata of an Informational Analytics BIOCs
- An IAM group was created (af19f0d0-1e67-4327-9528-a1dc496a548f) - changed metadata of an Informational Analytics BIOCs
- Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - changed metadata of an Informational Analytics BIOCs
- GCP Storage Bucket Permissions Modification (5ed09b6c-a603-4c5d-8c63-74245e42faed) - changed metadata of an Informational Analytics BIOCs
- Administrator groups enumerated via LDAP (ab78c189-98f0-4646-b67b-0ce05576ddbf) - changed metadata of an Informational Analytics BIOCs
- Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
- GCP Virtual Private Network Route Creation (00e3b67d-2ef2-4341-b017-a6183b7dd8c8) - changed metadata of an Informational Analytics BIOCs
- Azure Blob Container Access Level Modification (28efc491-b0a3-4edc-96ab-15156dec80e4) - changed metadata of an Informational Analytics BIOCs
- Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - changed metadata of an Informational Analytics BIOCs
- Rare process spawned by srvany.exe (95b2dea2-4531-4eb4-892e-bb6422293ac9) - changed metadata of an Informational Analytics BIOCs
- Uncommon Managed Object Format (MOF) compiler usage (d8069d23-e953-11e9-bb13-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
- GCP Service Account creation (f29b6fd5-3da3-4e40-867d-ef8c82d95116) - changed metadata of an Informational Analytics BIOCs
- Azure Automation Account Creation (878335a8-daf9-4380-a856-9df94a8f9e8d) - changed metadata of an Informational Analytics BIOCs
- A user connected a new USB storage device to a host (43c2c43d-3c3c-4a16-b06c-3ad5de1fb3be) - changed metadata of an Informational Analytics BIOCs
- GCP Service Account Disable (ee82516d-e047-4172-a427-17e30e037706) - changed metadata of an Informational Analytics BIOCs
- Service execution via sc.exe (d25d07fa-015c-47a6-a6a0-15ff46020cc5) - changed metadata of an Informational Analytics BIOCs
- AWS config resource deletion (7c992418-9687-44ea-8b12-1c680bf1c901) - changed metadata of an Informational Analytics BIOCs
- AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - changed metadata of an Informational Analytics BIOCs
- GCP Service Account deletion (bf134ec2-a907-4f4f-a316-0b68625ff236) - changed metadata of an Informational Analytics BIOCs
- WebDAV drive mounted from net.exe over HTTPS (233491ca-e954-11e9-90bd-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
- GCP IAM Role Deletion (e0fe91e0-6179-4a3d-9d71-95144f4ebb25) - changed metadata of an Informational Analytics BIOCs
- AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - changed metadata of an Informational Analytics BIOCs
- AWS EC2 instance exported into S3 (c6ad16c5-f2be-46de-9d3b-c44613f46d27) - changed metadata of an Informational Analytics BIOCs
- Security tools detection attempt (502d0305-4670-49e3-b62b-2fab82bdda6e) - changed metadata of an Informational Analytics BIOCs
- A LOLBIN was copied to a different location (55c8b498-1f5e-4abf-9dfc-ca8bf0bcb3b9) - changed metadata of an Informational Analytics BIOCs
- GCP Virtual Private Network Route Deletion (db6e96a7-a47a-4ba3-b92c-623713ba3d67) - changed metadata of an Informational Analytics BIOCs
- AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - changed metadata of an Informational Analytics BIOCs
- Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - changed metadata of an Informational Analytics BIOCs
- Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - changed metadata of an Informational Analytics BIOCs
- User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - changed metadata of an Informational Analytics BIOCs
- AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - changed metadata of an Informational Analytics BIOCs
- Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - changed metadata of an Informational Analytics BIOCs
- A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - changed metadata of an Informational Analytics BIOCs
- Hiding a user as a computer account (eeb7b678-3c9b-11ec-879d-acde48001122) - changed metadata of an Informational Analytics BIOCs
- Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - changed metadata of an Informational Analytics BIOCs
- Suspicious active setup registered (8c293cef-3d98-492d-be14-7bff66877bc7) - changed metadata of an Informational Analytics BIOCs
- User connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - changed metadata of an Informational Analytics BIOCs
- Command execution via wmiexec (797eba35-3ac8-4e84-8dc4-dbe804b9dee3) - changed metadata of an Informational Analytics BIOCs
- PowerShell pfx certificate extraction (1195bbe0-884c-4f4c-b1cf-4c8288cbeffc) - changed metadata of an Informational Analytics BIOCs
- Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - changed metadata of an Informational Analytics BIOCs
- GCP IAM Custom Role Creation (830eb74a-a6a5-4e5c-9890-0f5857408000) - changed metadata of an Informational Analytics BIOCs
- GCP VPC Firewall Rule Deletion (4c47ea31-a67a-4b2f-b88a-154d8aac420b) - changed metadata of an Informational Analytics BIOCs
- Hidden Attribute was added to a file using attrib.exe (5414fab8-c803-40c5-914a-a601b23acb5a) - changed metadata of an Informational Analytics BIOCs
- New process created via a WMI call (6d726469-71ac-4741-9b41-abd75259ff74) - changed metadata of an Informational Analytics BIOCs
- Changed metadata of 11 Informational Analytics Alerts:
- Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - changed metadata of an Informational Analytics Alerts
- User collected remote shared files in an archive (de85c5aa-21e8-43d7-af13-3862f787549f) - changed metadata of an Informational Analytics Alerts
- Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - changed metadata of an Informational Analytics Alerts
- Uncommon multiple service stop commands (09db6c8f-189e-4e07-b94a-3fe5a188e4b0) - changed metadata of an Informational Analytics Alerts
- Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - changed metadata of an Informational Analytics Alerts
- Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - changed metadata of an Informational Analytics Alerts
- Multiple Rare Process Executions in Organization (3d78f74c-a8f0-11eb-923e-acde48001122) - changed metadata of an Informational Analytics Alerts
- Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - changed metadata of an Informational Analytics Alerts
- NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - changed metadata of an Informational Analytics Alerts
- Interactive local account enumeration (d4608074-aafc-49cc-aa04-292c0a87332e) - changed metadata of an Informational Analytics Alerts
- Possible LDAP enumeration by unsigned process (12540bdc-b34f-4190-880b-40cb1cda0618) - changed metadata of an Informational Analytics Alerts
December 13, 2021 Release:
- Improved logic of 2 High Analytics BIOCs:
- Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin (e7deceda-807e-4e2e-993b-e577804c5d8f) - improved logic of a High Analytics BIOCs
- Log4J exploitation attempt against cloud hosted resources (bdef5aae-a272-4c70-b1cd-165cac5039c3) - improved logic of a High Analytics BIOCs
- Improved logic of a High Analytics Alert:
- Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - improved logic of a High Analytics Alert
- Changed metadata of 6 Medium BIOCs:
-
Virtual Directory configuration access via PowerShell (4920f289-67f2-482a-9320-a4532ca12845) - changed metadata of a Medium BIOCs
- Possible Firefox browser history and bookmarks collection via command-line tool (59bcaa15-6a26-49a9-b8db-4978b1148f13) - changed metadata of a Medium BIOCs
- DNS reconnaissance or enumeration via DNSRecon (58ee2732-5c4e-468c-a878-4a524d8d5f81) - changed metadata of a Medium BIOCs
- Execution of Fsociety tool pack (9a5b28a6-0a67-4386-9707-e7e4f1791c8a) - changed metadata of a Medium BIOCs
- PowerShell dumps users and roles from Exchange server (01ac823a-d1fc-4621-8bce-cb78d1dc83a0) - changed metadata of a Medium BIOCs
- Possible ping sweep (362649fe-9028-4166-baf8-b58c8dab8bee) - changed metadata of a Medium BIOCs
-
- Removed 2 old Medium BIOCs:
- MSI accessed a web page running a server-side script (d24d3083-703e-4216-b248-eb6fa7cefc85) - removed an old Medium alert
- Executable created to disk by lsass.exe (8d61c71e-3224-453f-aa1a-28de92d85b13) - removed an old Medium alert
- Added 2 new Medium Analytics BIOCs:
- MSI accessed a web page running a server-side script (afb57884-36f1-4127-b1ac-43009c32899b) - added a new Medium alert
- Executable created to disk by lsass.exe (b2f18102-e247-4986-8681-029741ebbfd5) - added a new Medium alert
- Improved logic of 4 Medium Analytics BIOCs:
- Windows Installer exploitation for local privilege escalation (d6aeb50b-c3f9-4eb3-9504-636eb17f3a42) - improved logic of a Medium Analytics BIOCs
- Suspicious authentication package registered (8beb68b4-a866-494d-a768-c4c391086c66) - improved logic of a Medium Analytics BIOCs
- Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOCs
- Scrcons.exe Rare Child Process (f62553d1-e952-11e9-81c4-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs
- Improved logic of 2 Medium Analytics Alerts:
- New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Medium Analytics Alerts
- Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) - improved logic of a Medium Analytics Alerts
- Changed metadata of 4 Low BIOCs:
- Possible Oracle enumeration via tnscmd10g (2cb88b29-27c2-484b-be99-60158b575cf1) - changed metadata of a Low BIOCs
- UDP protocol scanner execution (d985da58-a4c5-4063-984b-357c80021aa1) - changed metadata of a Low BIOCs
- Possible Oracle enumeration via Oscanner (81714e7d-a315-11ea-baaf-acde48001122) - changed metadata of a Low BIOCs
- Network share discovery via command-line tool (c8a48667-d44e-4ffb-b6f7-2b42a3bf6328) - changed metadata of a Low BIOCs
- Improved logic of 5 Low Analytics BIOCs:
- UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - improved logic of a Low Analytics BIOCs
- Rare security product signed executable executed in the network (f9e9ff14-df6e-4ed4-a15d-326bd444199b) - improved logic of a Low Analytics BIOCs
- Suspicious process execution by scheduled task (56bc5f4c-e481-41de-81e4-ec618fb1f004) - improved logic of a Low Analytics BIOCs
- SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of a Low Analytics BIOCs
- Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - improved logic of a Low Analytics BIOCs
- Improved logic of 3 Low Analytics Alerts:
- Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts
- Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts
- Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alerts
- Changed metadata of 29 Informational BIOCs
- Improved logic of 4 Informational Analytics BIOCs:
- Rare process execution in organization (8d02294c-21bd-11eb-afd9-acde48001122) - improved logic of an Informational Analytics BIOCs
- Rare signature signed executable executed in the network (c3ce1512-5a5b-4dca-8bd7-0d06845311ee) - improved logic of an Informational Analytics BIOCs
- Rare AppID usage for port to rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs
- SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - improved logic of an Informational Analytics BIOCs
- Improved logic of an Informational Analytics Alert:
- Multiple Rare Process Executions in Organization (3d78f74c-a8f0-11eb-923e-acde48001122) - improved logic of an Informational Analytics Alert
December 06, 2021 Release:
- Increased the severity to High for a BIOC:
- EventLog service disabled by a Registry operation (b7c919b6-b653-49c6-bd20-2441160ec75e) - increased the severity to High
- Improved logic of a High BIOC:
- Credential dumping via LaZagne (928b756c-8328-4dd8-9b41-5461d590589f) - improved logic of a High BIOC
- Improved logic of 2 High Analytics BIOCs:
- Windows Event Log cleared using wevtutil.exe (be2210fb-9884-49e7-8078-6e59c35d925e) - improved logic of a High Analytics BIOCs
- Unprivileged process opened a registry hive (9937ddbf-beb9-49b0-ac34-e005d53a127b) - improved logic of a High Analytics BIOCs
- Changed metadata of a High Analytics BIOC:
- A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - changed metadata of a High Analytics BIOC
- Added a new Medium Analytics BIOC:
- Uncommon PowerShell commands used to create or alter scheduled task parameters (a31e1c5b-f931-412b-b7ae-1932df342614) - added a new Medium alert
- Improved logic of 16 Medium Analytics BIOCs:
- PowerShell runs suspicious base64-encoded commands (867fc0b0-4f9f-4d3b-b538-0b32266e2ab2) - improved logic of a Medium Analytics BIOCs
- Remote WMI process execution (65c55916-23c3-4d1e-9e3d-e839c9c4b70f) - improved logic of a Medium Analytics BIOCs
- RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs
- Phantom DLL Loading (69ba5103-2954-4175-87b7-3a622ec07255) - improved logic of a Medium Analytics BIOCs
- Suspicious PowerSploit's recon module (PowerView) net function was executed (bd95656f-6ba3-4c9d-ac06-8b0a957cf67f) - improved logic of a Medium Analytics BIOCs
- Suspicious PowerSploit's recon module (PowerView) used to search for exposed hosts (dd806bdc-9025-47ff-816a-72ee47c322a3) - improved logic of a Medium Analytics BIOCs
- Uncommon net group execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs
- Suspicious disablement of the Windows Firewall (7c28b163-4d2f-463c-97ba-5b3e7f13249b) - improved logic of a Medium Analytics BIOCs
- Possible Microsoft module side-loading into Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - improved logic of a Medium Analytics BIOCs
- Uncommon SetWindowsHookEx API invocation of a possible keylogger (09cf18c8-e607-44f4-bb06-1dfde6163839) - improved logic of a Medium Analytics BIOCs
- LOLBIN spawned by an Office executable connected to a rare external host (0aad6094-99a3-11ea-8544-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
- Execution of renamed lolbin (d2600df6-4489-4ad6-b92b-0b560f958d57) - improved logic of a Medium Analytics BIOCs
- Microsoft Office Process Spawning a Suspicious One-Liner (aca7aaa1-4361-11ea-8fed-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
- Possible RDP session hijacking using tscon.exe (015570a8-ffce-492b-99a9-e7b83dc8e216) - improved logic of a Medium Analytics BIOCs
- Possible Microsoft process masquerading (e0a99ea0-977d-4646-b9d9-26e9e7a4341c) - improved logic of a Medium Analytics BIOCs
- PowerShell suspicious flags (4ce1b559-45b8-11ea-81bb-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
- Improved logic of a Medium Analytics Alert:
- An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - improved logic of a Medium Analytics Alert
- Removed an old Low BIOC:
- Screensaver process executed from users or temporary folder (e07f68e2-27bb-46fa-97b1-a7b6b59feb16) - removed an old Low alert
- Increased the severity to Low for an Analytics BIOC:
- Uncommon GetClipboardData API function invocation of a possible information stealer (086617b1-eaea-4b50-9712-318faeb71c10) - increased the severity to Low, and improved detection logic
- Added a new Low Analytics BIOC:
- Screensaver process executed from Users or temporary folder (463d34d4-d448-40f2-8093-6ce58cf2bdbb) - added a new Low alert
- Improved logic of 17 Low Analytics BIOCs:
- Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - improved logic of a Low Analytics BIOCs
- Elevation to SYSTEM via services (a1962f05-c1da-4765-8e4a-59729c70dde0) - improved logic of a Low Analytics BIOCs
- UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - improved logic of a Low Analytics BIOCs
- Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - improved logic of a Low Analytics BIOCs
- Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - improved logic of a Low Analytics BIOCs
- Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOCs
- Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - improved logic of a Low Analytics BIOCs
- Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet (c640fd86-9c58-4fe2-82ed-c3975866393a) - improved logic of a Low Analytics BIOCs
- Wsmprovhost.exe Rare Child Process (f5b580fd-e952-11e9-91de-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs
- Remote DCOM command execution (e5e3c27a-a0c5-49b7-8143-5012d1180d2c) - improved logic of a Low Analytics BIOCs
- LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - improved logic of a Low Analytics BIOCs
- Suspicious AMSI decode attempt (f3885db4-6be6-40b9-82c1-9858f97a4229) - improved logic of a Low Analytics BIOCs
- SUID/GUID permission discovery (3f90bf2c-05bb-4916-8e70-3fe7a81ea23d) - improved logic of a Low Analytics BIOCs
- WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs
- Microsoft Office process spawns a commonly abused process (e15a97e1-466c-11ea-90c6-88e9fe502c1f) - improved logic of a Low Analytics BIOCs
- Suspicious process executed with a high integrity level (81e70ab2-b1f1-4a1c-bf94-3929f6d7e1b2) - improved logic of a Low Analytics BIOCs
- Remote service start from an uncommon source (972072a7-9f23-4354-824d-7295de90e804) - improved logic of a Low Analytics BIOCs
- Improved logic of 4 Low Analytics Alerts:
- Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - improved logic of a Low Analytics Alerts
- Outlook files accessed by an unsigned process (ef33bda6-d0c5-48ef-95a6-e80c0f19df79) - improved logic of a Low Analytics Alerts
- Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts
- Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alerts
- Added a new Informational BIOC:
- Possible web shell command execution (3be30b63-d245-4ef7-b806-16f42247af50) - added a new Informational alert
- Removed 2 old Informational BIOCs:
- Remote wmiexec execution (070094f8-87c3-47c4-92c8-82bcad12116f) - removed an old Informational alert
- Credential dumping via LaZagne (8e9e0996-eb08-48b2-a234-730c8227bbdd) - removed an old Informational alert
- Added a new Informational Analytics BIOC:
- Command execution via wmiexec (797eba35-3ac8-4e84-8dc4-dbe804b9dee3) - added a new Informational alert
- Improved logic of 10 Informational Analytics BIOCs:
- Service execution via sc.exe (d25d07fa-015c-47a6-a6a0-15ff46020cc5) - improved logic of an Informational Analytics BIOCs
- LDAP Traffic from Non-Standard Process (5e72a7b4-39ed-4669-98ca-b2495088f653) - improved logic of an Informational Analytics BIOCs
- Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - improved logic of an Informational Analytics BIOCs
- Suspicious active setup registered (8c293cef-3d98-492d-be14-7bff66877bc7) - improved logic of an Informational Analytics BIOCs
- Possible Email collection using Outlook RPC (d79e5210-e386-4bb6-aff9-c33afb3ba9d6) - improved logic of an Informational Analytics BIOCs
- A LOLBIN was copied to a different location (55c8b498-1f5e-4abf-9dfc-ca8bf0bcb3b9) - improved logic of an Informational Analytics BIOCs
- Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOCs
- Commonly abused process launched as a system service (3cbd172e-6e2f-11ea-8d8e-88e9fe502c1f) - improved logic of an Informational Analytics BIOCs
- Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - improved logic of an Informational Analytics BIOCs
- Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - improved logic of an Informational Analytics BIOCs
- Improved logic of 3 Informational Analytics Alerts:
- Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - improved logic of an Informational Analytics Alerts
- Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - improved logic of an Informational Analytics Alerts
- Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - improved logic of an Informational Analytics Alerts
November 28, 2021 Release:
- Changed metadata of 2 High Analytics BIOCs:
- A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - changed metadata of a High Analytics BIOCs
- Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) - changed metadata of a High Analytics BIOCs
- Changed metadata of a High Analytics Alert:
- Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - changed metadata of a High Analytics Alert
- Increased the severity to Medium for an Analytics BIOC:
- Execution of renamed lolbin (d2600df6-4489-4ad6-b92b-0b560f958d57) - increased the severity to Medium, and improved detection logic
- Improved logic of 4 Medium Analytics BIOCs:
- Script file added to startup-related Registry keys (9dee6c7b-1df0-4eb2-9db2-035f70e7c9d7) - improved logic of a Medium Analytics BIOCs
- Possible AWS Instance Metadata Service (IMDS) Abuse (39ea8f0c-d0d7-4470-b373-aa144394e579) - improved logic of a Medium Analytics BIOCs
- Remote WMI process execution (65c55916-23c3-4d1e-9e3d-e839c9c4b70f) - improved logic of a Medium Analytics BIOCs
- Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOCs
- Changed metadata of 2 Medium Analytics BIOCs:
- Reverse SSH tunnel to external domain/ip (0098b910-5056-4ce9-988a-983dd0071c5a) - changed metadata of a Medium Analytics BIOCs
- Execution of the Hydra Linux password brute-force tool (90010a1e-59b9-42a2-b768-2778a666f7a3) - changed metadata of a Medium Analytics BIOCs
- Removed an old Medium Analytics BIOC:
- Execution of renamed lolbin (fdb82a70-8f9a-11ea-9918-88e9fe502c1f) - removed an old Medium alert
- Improved logic of a Medium Analytics Alert:
- Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) - improved logic of a Medium Analytics Alert
- Changed metadata of a Medium Analytics Alert:
- Remote account enumeration (7ee73b65-466e-4d4d-b2a6-0058f11b442d) - changed metadata of a Medium Analytics Alert
- Increased the severity to Low for an Analytics BIOC:
- A cloud identity executed an API call from an unusual country (19c743b0-99ca-400c-b386-bcc99d846582) - increased the severity to Low, and improved detection logic
- Decreased the severity to Low for an Analytics BIOC:
- WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - decreased the severity to Low, and improved detection logic
- Added 3 new Low Analytics BIOCs:
- WmiPrvSe.exe Rare Child Command Line - Test (940d6895-b1e1-4bcc-9325-ccd1169574a9) - added a new Low alert
- Unsigned and unpopular process performed a DLL injection - Multi Severity (5396ebed-c7ef-4462-a02b-9cf7232b27b8) - added a new Low alert
- Unsigned and unpopular process performed an injection - Multi Severity (6bcd74bb-6301-4f52-9a9f-1b38e6a54342) - added a new Low alert
- Improved logic of 5 Low Analytics BIOCs:
- Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - improved logic of a Low Analytics BIOCs
- Rare security product signed executable executed in the network (f9e9ff14-df6e-4ed4-a15d-326bd444199b) - improved logic of a Low Analytics BIOCs
- Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - improved logic of a Low Analytics BIOCs
- Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - improved logic of a Low Analytics BIOCs
- UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - improved logic of a Low Analytics BIOCs
- Changed metadata of 2 Low Analytics BIOCs:
- SUID/GUID permission discovery (3f90bf2c-05bb-4916-8e70-3fe7a81ea23d) - changed metadata of a Low Analytics BIOCs
- Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
- Improved logic of 5 Low Analytics Alerts:
- Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alerts
- Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alerts
- Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - improved logic of a Low Analytics Alerts
- Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts
- Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts
- Changed metadata of 2 Low Analytics Alerts:
- Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - changed metadata of a Low Analytics Alerts
- Possible external RDP Brute-Force (f774f787-6763-4f3c-bc24-46d3183d26fe) - changed metadata of a Low Analytics Alerts
- Decreased the severity to Informational for a BIOC:
- Permission groups discovery via ldapsearch (c72123f7-2612-4797-a919-3ab9511fd5e6) - decreased the severity to Informational
- Added 4 new Informational Analytics BIOCs:
- VPN login by a service account (5430df85-d0ff-4b41-8683-6ad6bed1b657) - added a new Informational alert
- Signed process performed an unpopular DLL injection - Multi Severity (9e699960-30e7-4b6e-bb71-30cdbf635307) - added a new Informational alert
- Signed process performed an unpopular injection - Multi Severity (365bfca2-a3e1-4a44-9487-1353903a6c61) - added a new Informational alert
- VPN login with a machine account (9818431a-c039-49eb-a93c-8731c7f48fec) - added a new Informational alert
- Improved logic of 5 Informational Analytics BIOCs:
- Rare AppID usage for port to rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs
- Uncommon GetClipboardData API function invocation of a possible information stealer (086617b1-eaea-4b50-9712-318faeb71c10) - improved logic of an Informational Analytics BIOCs
- Recurring access to rare domain categorized as malicious (8c2e83de-5071-4b38-8153-f130e6eee885) - improved logic of an Informational Analytics BIOCs
- Possible use of a networking driver for network sniffing (335fb03a-3c85-4029-8033-ec575b3479ae) - improved logic of an Informational Analytics BIOCs
- A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - improved logic of an Informational Analytics BIOCs
- Changed metadata of 8 Informational Analytics BIOCs:
- C2 from contextual causality signal (f53f53ae-4ccc-11ea-9102-88e9fe502c1f) - changed metadata of an Informational Analytics BIOCs
- WebDAV drive mounted from net.exe over HTTPS (233491ca-e954-11e9-90bd-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
- Suspicious External RDP Login (1d94db42-4371-4b62-8218-c5b338fe6e02) - changed metadata of an Informational Analytics BIOCs
- First session from external IP to vCenter (4ad03760-f701-4f40-b01f-d1ddefda4002) - changed metadata of an Informational Analytics BIOCs
- Commonly abused AutoIT script drops an executable file to disk (267a6168-f45b-4274-9c78-7519395f47d4) - changed metadata of an Informational Analytics BIOCs
- Rare SMTP/S Session (4a634ad4-e954-11e9-b86b-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
- A remote service was created via RPC over SMB (f33c6ecc-cb20-4f2a-8bf8-869d21f18b0e) - changed metadata of an Informational Analytics BIOCs
- Suspicious remote execution from a vCenter server (6213c66f-e269-4d16-9db7-86015b5a2f4d) - changed metadata of an Informational Analytics BIOCs
- Added a new Informational Analytics Alert:
- Port Scan with partial connections (ab93cb66-1d50-4f1f-a840-15d9d7d232b8) - added a new Informational alert
- Changed metadata of 6 Informational Analytics Alerts:
- Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - changed metadata of an Informational Analytics Alerts
- Interactive local account enumeration (d4608074-aafc-49cc-aa04-292c0a87332e) - changed metadata of an Informational Analytics Alerts
- Random-Looking Domain Names v2 (3db83477-0c4d-44ac-bc64-dbfe50c845c4) - changed metadata of an Informational Analytics Alerts
- Weakly-Encrypted Kerberos Ticket Requested v2 (4afa8fa6-281e-4c81-a10e-b61d7de11cc6) - changed metadata of an Informational Analytics Alerts
- Brute-force attempt on a local account (417dab31-55ab-4311-8ed7-29373fed752d) - changed metadata of an Informational Analytics Alerts
- A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - changed metadata of an Informational Analytics Alerts
November 21, 2021 Release:
- Improved logic of 2 High Analytics BIOCs:
- Cloud compute remote command execution (8874d560-5469-413b-bb9c-07a870f478db) improved logic of a High Analytics BIOCs
- Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) improved logic of a High Analytics BIOCs
-
Improved logic of 6 Medium Analytics BIOCs:
-
Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) improved logic of a Medium Analytics BIOCs
-
Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) improved logic of a Medium Analytics BIOCs
-
External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) improved logic of a Medium Analytics BIOCs
-
Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) improved logic of a Medium Analytics BIOCs
-
LDAP search query from an unpopular and unsigned process (64472a41-9670-4626-8926-98b713328ddf) improved logic of a Medium Analytics BIOCs
-
Non-browser failed access to a pastebin-like site (be47eb8c-3407-46d6-ad35-2961f3f669b0) improved logic of a Medium Analytics BIOCs
-
- improved logic of 2 Medium Analytics Alerts:
- An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) improved logic of a Medium Analytics Alerts
- Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) improved logic of a Medium Analytics Alerts
- Increased the severity to Low for an Analytics BIOC:
- Suspicious LDAP search query executed (95ffd373-d208-4fae-8d1e-adfeca7b9fb5) increased the severity to Low, and improved detection logic
- Improved logic of 13 Low Analytics BIOCs:
- Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) improved logic of a Low Analytics BIOCs
- GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) improved logic of a Low Analytics BIOCs
- AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) improved logic of a Low Analytics BIOCs
- Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) improved logic of a Low Analytics BIOCs
- Remote DCOM command execution (e5e3c27a-a0c5-49b7-8143-5012d1180d2c) improved logic of a Low Analytics BIOCs
- An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) improved logic of a Low Analytics BIOCs
- Suspicious access to shadow file (e4b279f9-3e47-4906-a9d3-4b2a7550da04) improved logic of a Low Analytics BIOCs
- Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) improved logic of a Low Analytics BIOCs
- Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) improved logic of a Low Analytics BIOCs
- AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) improved logic of a Low Analytics BIOCs
- AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) improved logic of a Low Analytics BIOCs
- AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) improved logic of a Low Analytics BIOCs
- Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) improved logic of a Low Analytics BIOCs
- Increased the severity to Low for an Analytics Alert:
- Suspicious reconnaissance using LDAP (72a78521-6907-40c0-90da-5c1a733a8ed6) increased the severity to Low, and improved detection logic
- Improved logic of 2 Low Analytics Alerts:
- IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) improved logic of a Low Analytics Alerts
- Cloud identity performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) improved logic of a Low Analytics Alerts
- Added 3 new Informational Analytics BIOCs:
- First VPN access from ASN in organization (4f94ffc0-6f8c-411b-a0ca-e0fb65ee8a5b) added a new Informational alert
- VPN access with a new operating system for a user (0973136b-a66a-4ad1-ad9c-068971bfcbb8) added a new Informational alert
- First VPN access from a country in organization (e143bc60-67d0-45e8-b0cb-682ecf82a04d) added a new Informational alert
- Improved logic of 70 Informational Analytics BIOCs
- Changed metadata of 2 Informational Analytics BIOCs:
- DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) changed metadata of an Informational Analytics BIOCs
- Screensaver process executed from Users or temporary folder (463d34d4-d448-40f2-8093-6ce58cf2bdbb) changed metadata of an Informational Analytics BIOCs
- Added a new Informational Analytics Alert:
- Possible LDAP enumeration by unsigned process-multi severity (85c187ec-80d1-464e-ab1e-a9aa5af7f191) added a new Informational alert
- Improved logic of 2 Informational Analytics Alerts:
- Multiple suspicious user accounts were created (b60687dc-f312-11eb-9f0a-faffc26aac4a) improved logic of an Informational Analytics Alerts
- Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) improved logic of an Informational Analytics Alerts
November 15, 2021 Release:
- Improved logic of 2 High Analytics BIOCs:
- Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOCs
- Cloud compute remote command execution (8874d560-5469-413b-bb9c-07a870f478db) - improved logic of a High Analytics BIOCs
- Improved logic of a Medium BIOC:
- Office process spawned with suspicious command-line arguments (29f7499b-2464-479d-9e49-10911bc02945) improved logic of a Medium BIOC
- Improved logic of 3 Medium Analytics BIOCs:
- External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) improved logic of a Medium Analytics BIOCs
- Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) improved logic of a Medium Analytics BIOCs
- Suspicious Encrypting File System Remote call (EFSRPC) to domain controller (82a37634-c112-4dd9-8c16-332855d96c30) improved logic of a Medium Analytics BIOCs
-
Improved logic of 4 Medium Analytics Alerts:
-
Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) improved logic of a Medium Analytics Alerts
-
An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) improved logic of a Medium Analytics Alerts
-
Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) improved logic of a Medium Analytics Alerts
-
Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) improved logic of a Medium Analytics Alerts
-
-
increased the severity to Low for an Analytics BIOC:
-
Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) increased the severity to Low, and improved detection logic
-
-
Improved logic of 12 Low Analytics BIOCs:
-
UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) improved logic of a Low Analytics BIOCs
-
Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) improved logic of a Low Analytics BIOCs
-
AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) improved logic of a Low Analytics BIOCs
-
Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) improved logic of a Low Analytics BIOCs
-
AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) improved logic of a Low Analytics BIOCs
-
Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) improved logic of a Low Analytics BIOCs
-
AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) improved logic of a Low Analytics BIOCs
-
Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) improved logic of a Low Analytics BIOCs
-
AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) improved logic of a Low Analytics BIOCs
-
Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) improved logic of a Low Analytics BIOCs
-
An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) improved logic of a Low Analytics BIOCs
-
GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) improved logic of a Low Analytics BIOCs
-
-
Improved logic of 5 Low Analytics Alerts:
-
IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) improved logic of a Low Analytics Alerts
-
Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) improved logic of a Low Analytics Alerts
-
Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) improved logic of a Low Analytics Alerts
-
Cloud identity performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) improved logic of a Low Analytics Alerts
-
Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) improved logic of a Low Analytics Alerts
-
-
Decreased the severity to Informational for an Analytics BIOC:
-
Possible use of a networking driver for network sniffing (335fb03a-3c85-4029-8033-ec575b3479ae) decreased the severity to Informational, and improved detection logic
-
-
Added 6 new Informational Analytics BIOCs:
-
A disabled user attempted to log in to a VPN (2a092ebe-ed9a-4eaa-bdcc-4b378c4ce4d7) added a new Informational alert
-
MSI accessed a web page running a server-side script (afb57884-36f1-4127-b1ac-43009c32899b) added a new Informational alert
-
DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) added a new Informational alert
-
First VPN access from ASN for user (a8a4d03b-d016-4e67-a497-c0388e08adc7) added a new Informational alert
-
A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) added a new Informational alert
-
Executable created to disk by lsass.exe (b2f18102-e247-4986-8681-029741ebbfd5) added a new Informational alert
-
-
Improved logic of 68 Informational Analytics BIOCs
-
Added a new Informational Analytics Alert:
-
Brute-force attempt on a local account (417dab31-55ab-4311-8ed7-29373fed752d) added a new Informational alert
-
-
Improved logic of 2 Informational Analytics Alerts:
-
Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) improved logic of an Informational Analytics Alerts
-
Random-Looking Domain Names v2 (3db83477-0c4d-44ac-bc64-dbfe50c845c4) improved logic of an Informational Analytics Alerts
-
November 07, 2021 Release:
- Increased the severity to Medium for an Analytics BIOC:
- Uncommon SetWindowsHookEx API invocation of a possible keylogger (09cf18c8-e607-44f4-bb06-1dfde6163839) - increased the severity to Medium, and improved detection logic
- Improved logic of a Medium Analytics BIOC:
- Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOC
- Improved logic of 2 Medium Analytics Alerts:
- New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Medium Analytics Alerts
- Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) - improved logic of a Medium Analytics Alerts
- Added a new Low Analytics BIOC:
- Suspicious access to shadow file (e4b279f9-3e47-4906-a9d3-4b2a7550da04) - added a new Low alert
- Improved logic of 2 Low Analytics BIOCs:
- Uncommon Security Support Provider (SSP) registered via a registry key (3d1283d0-409c-4d95-8995-dcc7b1ab23e1) - improved logic of a Low Analytics BIOCs
- Rare SSH Session (85f62ab8-e953-11e9-beca-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs
- Improved logic of a Low Analytics Alert:
- Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alert
- Added 2 new Informational Analytics BIOCs:
- Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - added a new Informational alert
- Hiding a user as a computer account (eeb7b678-3c9b-11ec-879d-acde48001122) - added a new Informational alert
- Improved logic of 3 Informational Analytics BIOCs:
- Rare AppID usage for port to rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs
- Rare SMTP/S Session (4a634ad4-e954-11e9-b86b-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs
- Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs
October 31, 2021 Release:
- Improved logic of 2 High Analytics BIOCs:
- A Successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - improved logic of a High Analytics BIOCs
- A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - improved logic of a High Analytics BIOCs
- Added a new Medium Analytics BIOC:
- Possible Microsoft process masquerading (e0a99ea0-977d-4646-b9d9-26e9e7a4341c) - added a new Medium alert
- Changed metadata of 2 Medium Analytics BIOCs:
- Possible new DHCP server (e5afa116-5041-4ed9-9d0c-18eaac133173) - changed metadata of a Medium Analytics BIOCs
- Execution of the Hydra Linux password brute-force tool (90010a1e-59b9-42a2-b768-2778a666f7a3) - changed metadata of a Medium Analytics BIOCs
- Improved logic of 9 Low Analytics BIOCs:
- SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - improved logic of a Low Analytics BIOCs
- SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of a Low Analytics BIOCs
- First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of a Low Analytics BIOCs
- Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - improved logic of a Low Analytics BIOCs
- Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - improved logic of a Low Analytics BIOCs
- SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - improved logic of a Low Analytics BIOCs
- Elevation to SYSTEM via services (a1962f05-c1da-4765-8e4a-59729c70dde0) - improved logic of a Low Analytics BIOCs
- A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - improved logic of a Low Analytics BIOCs
- Rare Unsigned Process Spawned by Office Process Under Suspicious Directory (dff03970-bf7a-11ea-86c7-acde48001122) - improved logic of a Low Analytics BIOCs
- Improved logic of 2 Low Analytics Alerts:
- Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alerts
- Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts
- Changed metadata of a Low Analytics Alert:
- NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - changed metadata of a Low Analytics Alert
- Decreased the severity to Informational for a BIOC:
- Kernel modules loaded via command-line tool (49dbb669-e1f4-4ca7-a7e4-36478b780e74) - decreased the severity to Informational
- Added a new Informational BIOC:
- An executable compiled with a py2exe-like program was executed (5a1516d6-9082-4c19-8c03-8c70ddc5ce7f) - added a new Informational alert
- Improved logic of an Informational BIOC:
- WinPmem Forensics Tool (b66e6a72-09fd-42ad-98fe-a866907c593f) - improved logic of an Informational BIOC
- Removed an old Informational BIOC:
- Execution of a password brute-force tool (5271e598-1eca-4abb-8f96-803e7674ff61) - removed an old Informational alert
- Decreased the severity to Informational for an Analytics BIOC:
- Administrator groups enumerated via LDAP (ab78c189-98f0-4646-b67b-0ce05576ddbf) - decreased the severity to Informational
- Added 5 new Informational Analytics BIOCs:
- New process created via a WMI call (6d726469-71ac-4741-9b41-abd75259ff74) - added a new Informational alert
- Suspicious process accessed certificate files (21df20db-09cb-4bc4-b7ea-c6b1cb2e9667) - added a new Informational alert
- Rare signature signed executable executed in the network (c3ce1512-5a5b-4dca-8bd7-0d06845311ee) - added a new Informational alert
- PowerShell pfx certificate extraction (1195bbe0-884c-4f4c-b1cf-4c8288cbeffc) - added a new Informational alert
- Rare AppID usage for port to rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - added a new Informational alert
- Improved logic of 3 Informational Analytics BIOCs:
- First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOCs
- Ping to localhost from an uncommon, unsigned parent process (91d8831e-18ed-48b3-a316-f5091d647738) - improved logic of an Informational Analytics BIOCs
- SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - improved logic of an Informational Analytics BIOCs
- Decreased the severity to Informational for an Analytics Alert:
- Possible LDAP enumeration by unsigned process (12540bdc-b34f-4190-880b-40cb1cda0618) - decreased the severity to Informational
- Added a new Informational Analytics Alert:
- Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - added a new Informational alert
October 24, 2021 Release:
- Improved logic of 2 High Analytics BIOCs:
- Cloud compute remote command execution (8874d560-5469-413b-bb9c-07a870f478db) - improved logic of a High Analytics BIOCs
- Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOCs
- Improved logic of 2 Medium Analytics BIOCs:
- Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOCs
- External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - improved logic of a Medium Analytics BIOCs
- Increased the severity to Medium for an Analytics Alert:
- Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - increased the severity to Medium, and improved detection logic
- Improved logic of a Medium Analytics Alert:
- An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - improved logic of a Medium Analytics Alert
- Added 4 new Low Analytics BIOCs:
- Certutil pfx parsing (3719af79-bdde-4c84-9277-cbf41c86cd39) - added a new Low alert
- Possible use of a networking driver for network sniffing (335fb03a-3c85-4029-8033-ec575b3479ae) - added a new Low alert
- Elevation to SYSTEM via services (a1962f05-c1da-4765-8e4a-59729c70dde0) - added a new Low alert
- A suspicious process enrolled for a certificate (4cbef8f8-ec99-40d1-9b8b-bfbd3cda5f4b) - added a new Low alert
- Improved logic of 12 Low Analytics BIOCs:
- AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - improved logic of a Low Analytics BIOCs
- AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - improved logic of a Low Analytics BIOCs
- GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - improved logic of a Low Analytics BIOCs
- AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - improved logic of a Low Analytics BIOCs
- Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - improved logic of a Low Analytics BIOCs
- Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - improved logic of a Low Analytics BIOCs
- Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - improved logic of a Low Analytics BIOCs
- AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - improved logic of a Low Analytics BIOCs
- Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - improved logic of a Low Analytics BIOCs
- Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - improved logic of a Low Analytics BIOCs
- An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - improved logic of a Low Analytics BIOCs
- Interactive login by a machine account (1114b340-fc05-4ad0-925d-6c2867d2b5d9) - improved logic of a Low Analytics BIOCs
- Added 2 new Low Analytics Alerts:
- A user connected a new USB storage device to multiple hosts (09214199-d414-486e-bcf5-dc5034b2c424) - added a new Low alert
- NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - added a new Low alert
- Improved logic of 6 Low Analytics Alerts:
- Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts
- Cloud identity performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of a Low Analytics Alerts
- Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of a Low Analytics Alerts
- Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alerts
- Possible LDAP enumeration by unsigned process (12540bdc-b34f-4190-880b-40cb1cda0618) - improved logic of a Low Analytics Alerts
- IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alerts
- Changed metadata of a Low Analytics Alert:
- Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - changed metadata of a Low Analytics Alert
- Added a new Informational BIOC:
- Credential dumping via LaZagne (8e9e0996-eb08-48b2-a234-730c8227bbdd) - added a new Informational alert
- Added 4 new Informational Analytics BIOCs:
- Uncommon GetClipboardData API function invocation of a possible information stealer (086617b1-eaea-4b50-9712-318faeb71c10) - added a new Informational alert
- A user created a pfx file for the first time (5ddac38b-51e2-48c4-9fb7-43144bc3a148) - added a new Informational alert
- Possible Email collection using Outlook RPC (d79e5210-e386-4bb6-aff9-c33afb3ba9d6) - added a new Informational alert
- Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - added a new Informational alert
- Improved logic of 69 Informational Analytics BIOCs:
- Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs
- A user connected a new USB storage device to a host (43c2c43d-3c3c-4a16-b06c-3ad5de1fb3be) - improved logic of an Informational Analytics BIOCs
- Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOCs
- A cloud identity connected from a new country (19c743b0-99ca-400c-b386-bcc99d846582) - improved logic of an Informational Analytics BIOCs
- External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - improved logic of an Informational Analytics BIOCs
- GCP Firewall Rule creation (a84dbd23-67d0-4851-a73a-7dc7430600cf) - improved logic of an Informational Analytics BIOCs
- GCP Pub/Sub Topic Deletion (2acac71c-6a19-4b2f-a4d3-b95fa4cab768) - improved logic of an Informational Analytics BIOCs
- An IAM group was created (af19f0d0-1e67-4327-9528-a1dc496a548f) - improved logic of an Informational Analytics BIOCs
- Azure Event Hub Authorization rule creation/modification (ba1fb18f-9031-4b7c-9ec3-d029f5e5ee0e) - improved logic of an Informational Analytics BIOCs
- An AWS RDS Global Cluster Deletion (1b957d24-d4c3-11eb-9122-acde48001122) - improved logic of an Informational Analytics BIOCs
- Azure Automation Webhook creation (c5393a54-b199-4474-a603-75b276903766) - improved logic of an Informational Analytics BIOCs
- An Identity accessed a secret from Secret Manager (050cd586-bc43-4586-850d-162c0123ad6e) - improved logic of an Informational Analytics BIOCs
- AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - improved logic of an Informational Analytics BIOCs
- IAM enumeration activity executed by an IAM user Identity (037eab86-c495-11eb-8c75-acde48001122) - improved logic of an Informational Analytics BIOCs
- GCP Storage Bucket Permissions Modification (5ed09b6c-a603-4c5d-8c63-74245e42faed) - improved logic of an Informational Analytics BIOCs
- AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - improved logic of an Informational Analytics BIOCs
- GCP IAM Role Deletion (e0fe91e0-6179-4a3d-9d71-95144f4ebb25) - improved logic of an Informational Analytics BIOCs
- Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - improved logic of an Informational Analytics BIOCs
- GCP VPC Firewall Rule Deletion (4c47ea31-a67a-4b2f-b88a-154d8aac420b) - improved logic of an Informational Analytics BIOCs
- GCP IAM Service Account Key Deletion (7a30c221-6450-4c5a-bafc-f6633a5b7f7f) - improved logic of an Informational Analytics BIOCs
- AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - improved logic of an Informational Analytics BIOCs
- Azure Automation Runbook Deletion (ba481ed7-9957-489f-a29d-b78f92cc0644) - improved logic of an Informational Analytics BIOCs
- Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - improved logic of an Informational Analytics BIOCs
- GCP Service Account deletion (bf134ec2-a907-4f4f-a316-0b68625ff236) - improved logic of an Informational Analytics BIOCs
- Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs
- GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - improved logic of an Informational Analytics BIOCs
- Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - improved logic of an Informational Analytics BIOCs
- GCP Storage Bucket deletion (d681c6c5-41e7-4042-bd07-7f666889d59c) - improved logic of an Informational Analytics BIOCs
- GCP Service Account Disable (ee82516d-e047-4172-a427-17e30e037706) - improved logic of an Informational Analytics BIOCs
- Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - improved logic of an Informational Analytics BIOCs
- GCP Storage Bucket Configuration Modification (d1ad46ca-4412-445a-a0be-17d9b29880d3) - improved logic of an Informational Analytics BIOCs
- AWS network ACL rule creation (a04d827e-9c62-4e2e-be28-1308c695446e) - improved logic of an Informational Analytics BIOCs
- AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - improved logic of an Informational Analytics BIOCs
- GCP IAM Custom Role Creation (830eb74a-a6a5-4e5c-9890-0f5857408000) - improved logic of an Informational Analytics BIOCs
- A user connected a USB storage device to a host for the first time (e3bc7997-3aec-4a0c-abc9-bdf744a34f39) - improved logic of an Informational Analytics BIOCs
- AWS Role Trusted Entity modification (cada381e-8af6-45fa-8c3f-a4e93c4e1885) - improved logic of an Informational Analytics BIOCs
- GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - improved logic of an Informational Analytics BIOCs
- GCP Virtual Private Network Route Deletion (db6e96a7-a47a-4ba3-b92c-623713ba3d67) - improved logic of an Informational Analytics BIOCs
- AWS config resource deletion (7c992418-9687-44ea-8b12-1c680bf1c901) - improved logic of an Informational Analytics BIOCs
- GCP Service Account creation (f29b6fd5-3da3-4e40-867d-ef8c82d95116) - improved logic of an Informational Analytics BIOCs
- First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - improved logic of an Informational Analytics BIOCs
- Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - improved logic of an Informational Analytics BIOCs
- AWS RDS cluster deletion (818dcc3f-c6e9-4ad5-a7ac-633cb75ebe71) - improved logic of an Informational Analytics BIOCs
- Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - improved logic of an Informational Analytics BIOCs
- AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - improved logic of an Informational Analytics BIOCs
- Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - improved logic of an Informational Analytics BIOCs
- Azure Storage Account key generated (72443a25-c783-494e-adaa-98cd96a54997) - improved logic of an Informational Analytics BIOCs
- First cloud API call from a country in organization (575fd23b-30b1-48eb-b94c-c6ef4261e7c1) - improved logic of an Informational Analytics BIOCs
- GCP Pub/Sub Subscription Deletion (12e3bc4a-69f6-4923-932e-0272621aa21a) - improved logic of an Informational Analytics BIOCs
- Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - improved logic of an Informational Analytics BIOCs
- Azure Automation Account Creation (878335a8-daf9-4380-a856-9df94a8f9e8d) - improved logic of an Informational Analytics BIOCs
- Azure Key Vault modification (c253e0bb-f704-45c8-9abe-ad0ec9345b54) - improved logic of an Informational Analytics BIOCs
- Azure Automation Runbook Creation/Modification (abeed5ee-9620-4c31-b751-f090b3a82c37) - improved logic of an Informational Analytics BIOCs
- Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - improved logic of an Informational Analytics BIOCs
- AWS user creation (242c9abb-1def-4778-ba5e-88817b4dc89f) - improved logic of an Informational Analytics BIOCs
- MFA device was removed/deactivated from an IAM user (52d74622-2fa5-4eae-b7d0-8eb52e0caaf3) - improved logic of an Informational Analytics BIOCs
- Azure Blob Container Access Level Modification (28efc491-b0a3-4edc-96ab-15156dec80e4) - improved logic of an Informational Analytics BIOCs
- IAM User added to an IAM group (440b6ea7-2f9e-4ad1-8443-2586eb796298) - improved logic of an Informational Analytics BIOCs
- Root user logged in to AWS console (447ef512-2b73-4c8e-b0f4-c85415e7659f) - improved logic of an Informational Analytics BIOCs
- Aurora DB cluster stopped (37242e95-a845-4043-87d6-ad07edfd7c99) - improved logic of an Informational Analytics BIOCs
- Azure virtual machine commands execution (6a069681-c378-4b9c-a2e2-0414a64cc36e) - improved logic of an Informational Analytics BIOCs
- EC2 snapshot attribute has been modification (1c516548-f413-4117-b759-d98d5bec3ed5) - improved logic of an Informational Analytics BIOCs
- S3 configuration deletion (68ebffe9-ce22-4453-bf44-5cd1affd67a0) - improved logic of an Informational Analytics BIOCs
- GCP Virtual Private Cloud (VPC) Network Deletion (d9158b41-8de9-4f6d-98b0-3155d4deb092) - improved logic of an Informational Analytics BIOCs
- AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - improved logic of an Informational Analytics BIOCs
- GCP Firewall Rule Modification (780f6209-1829-45e2-9ab9-a22999d6ef6e) - improved logic of an Informational Analytics BIOCs
- GCP Virtual Private Network Route Creation (00e3b67d-2ef2-4341-b017-a6183b7dd8c8) - improved logic of an Informational Analytics BIOCs
- AWS EC2 instance exported into S3 (c6ad16c5-f2be-46de-9d3b-c44613f46d27) - improved logic of an Informational Analytics BIOCs
- GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - improved logic of an Informational Analytics BIOCs
- Improved logic of 3 Informational Analytics Alerts:
- Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of an Informational Analytics Alerts
- User collected remote shared files in an archive (de85c5aa-21e8-43d7-af13-3862f787549f) - improved logic of an Informational Analytics Alerts
- Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - improved logic of an Informational Analytics Alerts
October 17, 2021 Release:
- Removed an old High BIOC:
- Netcat makes or gets connections (44bf3d02-3081-4222-814f-6d47958c502a) - removed an old High alert
- Added a new High Analytics BIOC:
- Netcat makes or gets connections (15d32561-c499-4772-8934-883fcd1cd75f) - added a new High alert
- Improved logic of 2 Medium Analytics BIOCs:
- Possible Microsoft module side-loading into Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - improved logic of a Medium Analytics BIOCs
- LDAP search query from an unpopular and unsigned process (64472a41-9670-4626-8926-98b713328ddf) - improved logic of a Medium Analytics BIOCs
- Added a new Low Analytics BIOC:
- Uncommon SetWindowsHookEx API invocation of a possible keylogger (09cf18c8-e607-44f4-bb06-1dfde6163839) - added a new Low alert
- Improved logic of a Low Analytics BIOC:
- Administrator groups enumerated via LDAP (ab78c189-98f0-4646-b67b-0ce05576ddbf) - improved logic of a Low Analytics BIOC
- Removed an old Low Analytics BIOC:
- Suspicious LDAP search query executed (95ffd373-d208-4fae-8d1e-adfeca7b9fb5) - removed an old Low alert
- Improved logic of a Low Analytics Alert:
- Possible LDAP enumeration by unsigned process (12540bdc-b34f-4190-880b-40cb1cda0618) - improved logic of a Low Analytics Alert
- Removed 59 old Informational BIOCs
- Added a new Informational Analytics BIOC:
- A LOLBIN was copied to a different location (55c8b498-1f5e-4abf-9dfc-ca8bf0bcb3b9) - added a new Informational alert
October 11, 2021 Release:
- Added 2 new Medium Analytics BIOCs:
- The CA policy EditFlags was queried (3c01fdf3-0cf3-49b6-b08f-b40df3c2e498) - added a new Medium alert
- Discovery of misconfigured certificate templates using LDAP (7dbb9366-8b94-4a9f-bc18-f02fbe7b1433) - added a new Medium alert
- Improved logic of a Medium Analytics BIOC:
- LDAP search query from an unpopular and unsigned process (64472a41-9670-4626-8926-98b713328ddf) - improved logic of a Medium Analytics BIOC
- Decreased the severity to Low for an Analytics BIOC:
- Uncommon Security Support Provider (SSP) registered via a registry key (3d1283d0-409c-4d95-8995-dcc7b1ab23e1) - decreased the severity to Low, and improved detection logic
- Improved logic of a Low Analytics BIOC:
- Suspicious LDAP search query executed (95ffd373-d208-4fae-8d1e-adfeca7b9fb5) - improved logic of a Low Analytics BIOC
- Improved logic of a Low Analytics Alert:
- Possible LDAP enumeration by unsigned process (12540bdc-b34f-4190-880b-40cb1cda0618) - improved logic of a Low Analytics Alert
- Removed an old Low Analytics Alert:
- Suspicious reconnaissance using LDAP (72a78521-6907-40c0-90da-5c1a733a8ed6) - removed an old Low alert
- Added a new Informational Analytics BIOC:
- A suspicious process queried AD CS objects via LDAP (69bfcbc2-04a1-400b-9516-14c987fedb05) - added a new Informational alert
- Improved logic of an Informational Analytics BIOC:
- System profiling WMI query execution (cf32631b-369a-451d-91ca-d2bc5b903363) - improved logic of an Informational Analytics BIOC
October 03, 2021 Release:
- Added 3 new High Analytics BIOCs:
- A Successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - added a new High alert
- A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - added a new High alert
- A Successful login from TOR (ec9124e2-f2c3-4141-bdfa-4c707dfae296) - added a new High alert
- Added a new High Analytics Alert:
- Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - added a new High alert
- Added 4 new Medium Analytics BIOCs:
- LDAP search query from an unpopular and unsigned process (64472a41-9670-4626-8926-98b713328ddf) - added a new Medium alert
- Possible Microsoft module side-loading into Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - added a new Medium alert
- Uncommon Security Support Provider (SSP) registered via a registry key (3d1283d0-409c-4d95-8995-dcc7b1ab23e1) - added a new Medium alert
- Phantom DLL Loading (69ba5103-2954-4175-87b7-3a622ec07255) - added a new Medium alert
- Improved logic of 5 Medium Analytics BIOCs:
- Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - improved logic of a Medium Analytics BIOCs
- Possible new DHCP server (e5afa116-5041-4ed9-9d0c-18eaac133173) - improved logic of a Medium Analytics BIOCs
- Non-browser failed access to a pastebin-like site (be47eb8c-3407-46d6-ad35-2961f3f669b0) - improved logic of a Medium Analytics BIOCs
- Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - improved logic of a Medium Analytics BIOCs
- Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOCs
- Removed an old Medium Analytics BIOC:
- Recurring access to rare domain categorized as malicious (8c2e83de-5071-4b38-8153-f130e6eee885) - removed an old Medium alert
- Added a new Medium Analytics Alert:
- New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - added a new Medium alert
- Changed metadata of a Medium Analytics Alert:
- An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - changed metadata of a Medium Analytics Alert
- Added 3 new Low Analytics BIOCs:
- Suspicious LDAP search query executed (95ffd373-d208-4fae-8d1e-adfeca7b9fb5) - added a new Low alert
- Unsigned and unpopular process performed a DLL injection (6cbd636f-6f55-480c-872d-7611840a7f0a) - added a new Low alert
- Unsigned and unpopular process performed an injection (30f78c0f-4f8b-4969-bb00-809cf72a3eed) - added a new Low alert
- Improved logic of 3 Low Analytics BIOCs:
- Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - improved logic of a Low Analytics BIOCs
- First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of a Low Analytics BIOCs
- Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOCs
- Added 2 new Low Analytics Alerts:
- Possible LDAP enumeration by unsigned process (12540bdc-b34f-4190-880b-40cb1cda0618) - added a new Low alert
- Suspicious reconnaissance using LDAP (72a78521-6907-40c0-90da-5c1a733a8ed6) - added a new Low alert
- Improved logic of a Low Analytics Alert:
- Outlook files accessed by an unsigned process (ef33bda6-d0c5-48ef-95a6-e80c0f19df79) - improved logic of a Low Analytics Alert
- Changed metadata of a Low Analytics Alert:
- Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alert
- Decreased the severity to Informational for an Analytics BIOC:
- A user connected a new USB storage device to a host (43c2c43d-3c3c-4a16-b06c-3ad5de1fb3be) - decreased the severity to Informational, and improved detection logic
- Added a new Informational Analytics BIOC:
- Suspicious active setup registered (8c293cef-3d98-492d-be14-7bff66877bc7) - added a new Informational alert
September 19, 2021 Release:
- Improved logic of 2 High Analytics BIOCs:
- Cloud compute remote command execution (8874d560-5469-413b-bb9c-07a870f478db) - improved logic of a High Analytics BIOCs
- Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOCs
- Removed an old Medium BIOC:
- Script file added to startup-related Registry keys (1db69ccd-b068-40b1-aeec-ce987021cdfc) - removed an old Medium alert
- Added a new Medium Analytics BIOC:
- Script file added to startup-related Registry keys (9dee6c7b-1df0-4eb2-9db2-035f70e7c9d7) - added a new Medium alert
- Improved logic of 2 Medium Analytics BIOCs:
- External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - improved logic of a Medium Analytics BIOCs
- Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOCs
- Improved logic of a Medium Analytics Alert:
- An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - improved logic of a Medium Analytics Alert
- Improved logic of 11 Low Analytics BIOCs:
- GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - improved logic of a Low Analytics BIOCs
- AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - improved logic of a Low Analytics BIOCs
- An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - improved logic of a Low Analytics BIOCs
- Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - improved logic of a Low Analytics BIOCs
- AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - improved logic of a Low Analytics BIOCs
- Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - improved logic of a Low Analytics BIOCs
- Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - improved logic of a Low Analytics BIOCs
- Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - improved logic of a Low Analytics BIOCs
- AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - improved logic of a Low Analytics BIOCs
- Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - improved logic of a Low Analytics BIOCs
- AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - improved logic of a Low Analytics BIOCs
- Improved logic of 3 Low Analytics Alerts:
- IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alerts
- Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of a Low Analytics Alerts
- Cloud identity performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of a Low Analytics Alerts
- Added 2 new Informational BIOCs:
- Unsigned process accessed a credential locker file (4f7818dc-5c6b-49db-a716-a2dd0094a424) - added a new Informational alert
- Unsigned process accessed a Thunderbird Mail profiles folder (c9f80771-a56a-4a13-99c9-cbd4a52187ac) - added a new Informational alert
- Improved logic of 2 Informational BIOCs:
- Enumeration using net.exe or net1.exe (53edfa8f-b0d3-4960-9a16-98d53be6ae44) - improved logic of an Informational BIOCs
- Unsigned process reads Chromium credentials file (da3cedf6-9fd3-4e00-b2ca-9cedbd8b098a) - improved logic of an Informational BIOCs
- Decreased the severity to Informational for an Analytics BIOC:
- Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - decreased the severity to Informational, and improved detection logic
- Improved logic of 66 Informational Analytics BIOCs
- Improved logic of an Informational Analytics Alert:
- Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of an Informational Analytics Alert
August 29, 2021 Release:
- Removed an old High BIOC:
- Windows Event Log cleared using wevtutil.exe (938176d0-d14a-49a0-9159-6081627eba03) - removed an old High alert
- Added 2 new High Analytics BIOCs:
- Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - added a new High alert
- Windows Event Log cleared using wevtutil.exe (be2210fb-9884-49e7-8078-6e59c35d925e) - added a new High alert
- Improved logic of a High Analytics BIOC:
- Cloud compute remote command execution (8874d560-5469-413b-bb9c-07a870f478db) - improved logic of a High Analytics BIOC
- Added 4 new Medium Analytics BIOCs:
- External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - added a new Medium alert
- Possible DHCP poisoning (e5afa116-5041-4ed9-9d0c-18eaac133173) - added a new Medium alert
- Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - added a new Medium alert
- Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - added a new Medium alert
- Added 2 new Medium Analytics Alerts:
- Kerberos User Enumeration (a371b533-c9f4-11eb-879e-acde48001122) - added a new Medium alert
- An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - added a new Medium alert
- Removed an old Medium Analytics Alert:
- Kerberos User Enumeration (97b4a03a-24f4-11eb-97dd-acde48001122) - removed an old Medium alert
- Added 16 new Low Analytics BIOCs:
- AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - added a new Low alert
- A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - added a new Low alert
- Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - added a new Low alert
- Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - added a new Low alert
- Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - added a new Low alert
- Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - added a new Low alert
- AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - added a new Low alert
- Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - added a new Low alert
- Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - added a new Low alert
- AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - added a new Low alert
- Administrator groups enumerated via LDAP (ab78c189-98f0-4646-b67b-0ce05576ddbf) - added a new Low alert
- GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - added a new Low alert
- An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - added a new Low alert
- Wscript/Cscript loads .NET DLLs (5844326f-d597-410f-aea0-7d369029b218) - added a new Low alert
- Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - added a new Low alert
- AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - added a new Low alert
- Improved logic of a Low Analytics BIOC:
- UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - improved logic of a Low Analytics BIOC
- Added 3 new Low Analytics Alerts:
- Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - added a new Low alert
- Cloud identity performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - added a new Low alert
- IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - added a new Low alert
- Improved logic of 4 Low Analytics Alerts:
- Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts
- Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alerts
- Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - improved logic of a Low Analytics Alerts
- Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts
- Added 2 new Informational BIOCs:
- Forensics Driver Loaded (a9da7ef7-9708-4a39-b4f1-b17ebbd8b399) - added a new Informational alert
- WinPmem Forensics Tool (b66e6a72-09fd-42ad-98fe-a866907c593f) - added a new Informational alert
- Added 66 new Informational Analytics BIOCs:
- AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - added a new Informational alert
- GCP Service Account creation (f29b6fd5-3da3-4e40-867d-ef8c82d95116) - added a new Informational alert
- GCP Virtual Private Cloud (VPC) Network Deletion (d9158b41-8de9-4f6d-98b0-3155d4deb092) - added a new Informational alert
- AWS user creation (242c9abb-1def-4778-ba5e-88817b4dc89f) - added a new Informational alert
- S3 configuration was deletion (68ebffe9-ce22-4453-bf44-5cd1affd67a0) - added a new Informational alert
- An IAM group was created (af19f0d0-1e67-4327-9528-a1dc496a548f) - added a new Informational alert
- First cloud API call from a country in organization (575fd23b-30b1-48eb-b94c-c6ef4261e7c1) - added a new Informational alert
- GCP Storage Bucket Configuration Modification (d1ad46ca-4412-445a-a0be-17d9b29880d3) - added a new Informational alert
- Aurora DB cluster stopped (37242e95-a845-4043-87d6-ad07edfd7c99) - added a new Informational alert
- IAM enumeration activity executed by an IAM user Identity (037eab86-c495-11eb-8c75-acde48001122) - added a new Informational alert
- Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - added a new Informational alert
- An AWS RDS Global Cluster Deletion (1b957d24-d4c3-11eb-9122-acde48001122) - added a new Informational alert
- Azure Automation Account Creation (878335a8-daf9-4380-a856-9df94a8f9e8d) - added a new Informational alert
- GCP IAM Custom Role Creation (830eb74a-a6a5-4e5c-9890-0f5857408000) - added a new Informational alert
- GCP Pub/Sub Topic Deletion (2acac71c-6a19-4b2f-a4d3-b95fa4cab768) - added a new Informational alert
- AWS CloudWatch log group was deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - added a new Informational alert
- Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - added a new Informational alert
- Azure Automation Runbook Deletion (ba481ed7-9957-489f-a29d-b78f92cc0644) - added a new Informational alert
- AWS CloudWatch log stream was deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - added a new Informational alert
- Azure Event Hub Authorization rule creation/modification (ba1fb18f-9031-4b7c-9ec3-d029f5e5ee0e) - added a new Informational alert
- GCP Service Account deletion (bf134ec2-a907-4f4f-a316-0b68625ff236) - added a new Informational alert
- AWS RDS cluster deletion (818dcc3f-c6e9-4ad5-a7ac-633cb75ebe71) - added a new Informational alert
- Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - added a new Informational alert
- First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - added a new Informational alert
- Azure Automation Webhook creation (c5393a54-b199-4474-a603-75b276903766) - added a new Informational alert
- GCP VPC Firewall Rule Deletion (4c47ea31-a67a-4b2f-b88a-154d8aac420b) - added a new Informational alert
- GCP Virtual Private Network Route Deletion (db6e96a7-a47a-4ba3-b92c-623713ba3d67) - added a new Informational alert
- Root user logged in to AWS console (447ef512-2b73-4c8e-b0f4-c85415e7659f) - added a new Informational alert
- AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - added a new Informational alert
- GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - added a new Informational alert
- GCP Firewall Rule creation (a84dbd23-67d0-4851-a73a-7dc7430600cf) - added a new Informational alert
- GCP Service Account Disable (ee82516d-e047-4172-a427-17e30e037706) - added a new Informational alert
- EC2 snapshot attribute has been modification (1c516548-f413-4117-b759-d98d5bec3ed5) - added a new Informational alert
- Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - added a new Informational alert
- Azure Automation Runbook Creation/Modification (abeed5ee-9620-4c31-b751-f090b3a82c37) - added a new Informational alert
- Azure virtual machine commands execution (6a069681-c378-4b9c-a2e2-0414a64cc36e) - added a new Informational alert
- GCP Storage Bucket Permissions Modification (5ed09b6c-a603-4c5d-8c63-74245e42faed) - added a new Informational alert
- GCP Firewall Rule Modification (780f6209-1829-45e2-9ab9-a22999d6ef6e) - added a new Informational alert
- Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - added a new Informational alert
- Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - added a new Informational alert
- Azure Blob Container Access Level Modification (28efc491-b0a3-4edc-96ab-15156dec80e4) - added a new Informational alert
- Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - added a new Informational alert
- AWS EC2 instance exported into S3 (c6ad16c5-f2be-46de-9d3b-c44613f46d27) - added a new Informational alert
- GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - added a new Informational alert
- AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - added a new Informational alert
- AWS network ACL rule creation (a04d827e-9c62-4e2e-be28-1308c695446e) - added a new Informational alert
- GCP Virtual Private Network Route Creation (00e3b67d-2ef2-4341-b017-a6183b7dd8c8) - added a new Informational alert
- AWS config resource deletion (7c992418-9687-44ea-8b12-1c680bf1c901) - added a new Informational alert
- MFA device was removed/deactivated from an IAM user (52d74622-2fa5-4eae-b7d0-8eb52e0caaf3) - added a new Informational alert
- External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - added a new Informational alert
- Azure Storage Account key generated (72443a25-c783-494e-adaa-98cd96a54997) - added a new Informational alert
- An Identity accessed a secret from Secret Manager (050cd586-bc43-4586-850d-162c0123ad6e) - added a new Informational alert
- Rare NTLM Usage by User (41374948-45f3-448a-bec2-2efe049aa69f) - added a new Informational alert
- Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - added a new Informational alert
- Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - added a new Informational alert
- GCP Pub/Sub Subscription Deletion (12e3bc4a-69f6-4923-932e-0272621aa21a) - added a new Informational alert
- AWS Role Trusted Entity modification (cada381e-8af6-45fa-8c3f-a4e93c4e1885) - added a new Informational alert
- IAM User added to an IAM group (440b6ea7-2f9e-4ad1-8443-2586eb796298) - added a new Informational alert
- Azure Key Vault modification (c253e0bb-f704-45c8-9abe-ad0ec9345b54) - added a new Informational alert
- System profiling WMI query execution (cf32631b-369a-451d-91ca-d2bc5b903363) - added a new Informational alert
- AWS IAM resource group was deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - added a new Informational alert
- GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - added a new Informational alert
- GCP IAM Service Account Key Deletion (7a30c221-6450-4c5a-bafc-f6633a5b7f7f) - added a new Informational alert
- GCP IAM Role Deletion (e0fe91e0-6179-4a3d-9d71-95144f4ebb25) - added a new Informational alert
- A cloud identity connected from a new country (19c743b0-99ca-400c-b386-bcc99d846582) - added a new Informational alert
- GCP Storage Bucket deletion (d681c6c5-41e7-4042-bd07-7f666889d59c) - added a new Informational alert
- Added a new Informational Analytics Alert:
- Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - added a new Informational alert
August 23, 2021 Release:
- Added a new High Analytics BIOC:
- Cloud compute remote command execution (8874d560-5469-413b-bb9c-07a870f478db) - added a new High alert
- Improved logic of 6 High Analytics BIOCs
- Increased the severity to Medium for a BIOC:
- Modification of logon scripts via Registry (c77e2bc0-d77a-4c54-91bc-63f0415c2821) - increased the severity to Medium
- Removed 2 old Medium BIOCs:
- Privilege escalation using local named pipe impersonation through DLL (d915cff3-5ce9-493f-9973-808a93ed50ad) - removed an old Medium alert
- Privilege escalation using local named pipe impersonation (dd0ac223-8aaa-4630-988d-de39eba83d29) - removed an old Medium alert
- Added 2 new Medium Analytics BIOCs:
- Suspicious authentication package registered (8beb68b4-a866-494d-a768-c4c391086c66) - added a new Medium alert
- Suspicious Encrypting File System Remote call (EFSRPC) to domain controller (82a37634-c112-4dd9-8c16-332855d96c30) - added a new Medium alert
- Improved logic of 44 Medium Analytics BIOCs
- Improved logic of 9 Medium Analytics Alerts
- Decreased the severity to Low for a BIOC:
- Microsoft Office adds a value to autostart Registry key (db0da9c7-b7b6-43ab-a53b-5854b6da9ce5) - decreased the severity to Low
- Improved logic of 58 Low Analytics BIOCs
- Removed an old Low Analytics BIOC:
- External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - removed an old Low alert
- Improved logic of 16 Low Analytics Alerts
- Added 2 new Informational Analytics BIOCs:
- Security tools detection attempt (502d0305-4670-49e3-b62b-2fab82bdda6e) - added a new Informational alert
- VM Detection attempt (579c1479-a14e-4366-ab09-6bfefe0dc7f7) - added a new Informational alert
- Improved logic of 24 Informational Analytics BIOCs
- Improved logic of 3 Informational Analytics Alerts
August 15, 2021 Release:
- Increased the severity to Medium for an Analytics BIOC:
- Possible RDP session hijacking using tscon.exe (015570a8-ffce-492b-99a9-e7b83dc8e216) - increased the severity to Medium
- Added 2 new Medium Analytics BIOCs:
- Suspicious time provider registered (2055b591-73b7-4a69-8c88-a6d8649d1e7b) - added a new Medium alert
- Suspicious print processor registered (cf14910d-0c56-48c7-97f2-903f3387ad6b) - added a new Medium alert
- Improved logic of 3 Medium Analytics BIOCs:
- Manipulation of netsh helper DLLs Registry keys (02bf3838-23d9-4a6b-a4c9-7b6691663249) - improved logic of a Medium Analytics BIOCs
- Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - improved logic of a Medium Analytics BIOCs
- Suspicious unsigned process loads a known PowerShell module (23ac9a23-8a43-4900-95e1-6cdb422dd854) - improved logic of a Medium Analytics BIOCs
- Increased the severity to Medium for an Analytics Alert:
- New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - increased the severity to Medium
- Removed an old Low BIOC:
- Image File Execution Options Registry key injection by unsigned process (98430360-5b37-465e-acd6-bafa9325110c) - removed an old Low alert
- Added 2 new Low Analytics BIOCs:
- PowerShell Initiates a Network Connection to GitHub (8b34f70a-b84d-4d98-aa19-7ee88037e467) - added a new Low alert
- Image File Execution Options Registry key injection by unsigned process (4588be44-8912-41c5-9a7d-6921691140db) - added a new Low alert
- Improved logic of 5 Low Analytics BIOCs:
- External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - improved logic of a Low Analytics BIOCs
- Unusual process accessed the PowerShell history file (c5e0c7e3-5e55-11eb-9453-acde48001122) - improved logic of a Low Analytics BIOCs
- Unsigned process creates a scheduled task via file access (f07fd364-9b51-48ec-8225-32ae98a8ffe5) - improved logic of a Low Analytics BIOCs
- Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - improved logic of a Low Analytics BIOCs
- UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - improved logic of a Low Analytics BIOCs
- Decreased the severity to Informational for a BIOC:
- Possible data destruction via dd (c7492f51-dbb6-4973-bdd4-4b482f4c3497) - decreased the severity to Informational
August 08, 2021 Release:
- Changed metadata of a High BIOC:
- Kerberos service ticket request in PowerShell command (90e501248bf24631861e4b3e1766af5f) changed metadata of a High BIOC
- Improved logic of a High Analytics BIOC:
- Unprivileged process opened a registry hive (9937ddbfbeb949b0ac34e005d53a127b) improved logic of a High Analytics BIOC
- Removed an old Medium BIOC:
- Windows certificate management tool makes a network connection (0179177fe5ec4101a238c0372b239afb) removed an old Medium alert
- Increased the severity to Medium for 3 Analytics BIOCs:
- WmiPrvSe.exe Rare Child Command Line (f4c5d502e95211e980aa8c8590c9ccd1) increased the severity to Medium, and improved detection logic
- Scrcons.exe Rare Child Process (f62553d1e95211e981c48c8590c9ccd1) increased the severity to Medium, and improved detection logic
- PowerShell suspicious flags (4ce1b55945b811ea81bb88e9fe502c1f) increased the severity to Medium, and improved detection logic
- Improved logic of 5 Medium Analytics BIOCs:
- Microsoft Office Process Spawning a Suspicious OneLiner (aca7aaa1436111ea8fed88e9fe502c1f) improved logic of a Medium Analytics BIOCs
- Execution of renamed lolbin (fdb82a708f9a11ea991888e9fe502c1f) improved logic of a Medium Analytics BIOCs
- LOLBIN connecting to a rare host (4bcc13de20b711eaa54a8c8590c9ccd1) improved logic of a Medium Analytics BIOCs
- LOLBIN spawned by an Office executable connected to a rare external host (0aad609499a311ea854488e9fe502c1f) improved logic of a Medium Analytics BIOCs
- RDP Connection to localhost (23679c11e95411e990028c8590c9ccd1) improved logic of a Medium Analytics BIOCs
- Changed metadata of a Medium Analytics BIOC:
- Mshta.exe launched with suspicious arguments (0b174006394643b6af3cab400e6c7a87) changed metadata of a Medium Analytics BIOC
- Improved logic of a Medium Analytics Alert:
- NTLM Hash Harvesting (3cc30c5c2d7311eba32aacde48001122) improved logic of a Medium Analytics Alert
- Changed metadata of 2 Low BIOCs:
- Screensaver process executed from users or temporary folder (e07f68e227bb46fa97b1a7b6b59feb16) changed metadata of a Low BIOCs
- DLL sideloading attack using Xwizard (2b8385b9ca8346819cab739091ee2da1) changed metadata of a Low BIOCs
- Removed 2 old Low BIOCs:
- MSBuild.exe makes a network connection (bb459bb4e8644008a12a10ed4df3d753) removed an old Low alert
- Visual Basic compiler makes unusual net connection (5ace24876b004582a6316e1ca419c458) removed an old Low alert
- Added 2 new Low Analytics BIOCs:
- Rare communication over email ports to external email server by unsigned process (7b424216fe614589bcee67e9e7b267be) added a new Low alert
- Suspicious process executed with a high integrity level (81e70ab2b1f14a1cbf943929f6d7e1b2) added a new Low alert
- Improved logic of 5 Low Analytics BIOCs:
- LOLBIN process executed with a high integrity level (365221fa4c36440f824a43885e9f3a6e) improved logic of a Low Analytics BIOCs
- Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f9cd04e26891fbe1a01652715) improved logic of a Low Analytics BIOCs
- Suspicious Process Spawned by Adobe Reader (497d6ba39d4640f4909d05ee574e1f57) improved logic of a Low Analytics BIOCs
- Suspicious process execution by scheduled task (56bc5f4ce48141de81e4ec618fb1f004) improved logic of a Low Analytics BIOCs
- Suspicious process accessed a site masquerading as Google (2a868ccfd9cb4efe8dccbcffca46d24b) improved logic of a Low Analytics BIOCs
- Improved logic of 3 Low Analytics Alerts:
- Multiple discovery commands (97dd1d4d602a4bc7b39a73fdad3d6053) improved logic of a Low Analytics Alerts
- NTLM Brute Force on a Service Account (33b7f308fb954d9cafc3a5ca9c7ab50d) improved logic of a Low Analytics Alerts
- Login Password Spray (3e879bb8641211eb9fa5acde48001122) improved logic of a Low Analytics Alerts
- Improved logic of an Informational BIOC:
- Windows Registry Editor being disabled via Registry (7da63563a9bd46b39deb4177d2645851) improved logic of an Informational BIOC
- Changed metadata of 5 Informational BIOCs:
- Dllhost.exe makes network connections (d4b8bd1df1fb4fde954733494049c44a) changed metadata of an Informational BIOCs
- Crash dump file created (e6cb68b97bb34be29b7cd66d560e5a3b) changed metadata of an Informational BIOCs
- Compiled HTML (help file) makes network connections (858a4ed736c44c439bffd142f300035d) changed metadata of an Informational BIOCs
- Security Support Provider (SSP) registered via a registry key (2b72b7fd5b134ff1ba5b6b149c76f032) changed metadata of an Informational BIOCs
- Web server process drops an executable to disk (20a37717dd614fe5a73b80d9fb2a8862) changed metadata of an Informational BIOCs
- Removed 2 old Informational BIOCs:
- Service execution via sc.exe (a1c6c171005c403ba60bfb85e6ecb81a) removed an old Informational alert
- Manipulation of LSA 'Authentication Packages' Registry key (4f133949205d4abfbbf64fc6e48bc6c4) removed an old Informational alert
- Added 4 new Informational Analytics BIOCs:
- Commonly abused process launched as a system service (3cbd172e6e2f11ea8d8e88e9fe502c1f) added a new Informational alert
- Rare SMTP/S Session (4a634ad4e95411e9b86b8c8590c9ccd1) added a new Informational alert
- WebDAV drive mounted from net.exe over HTTPS (233491cae95411e990bd8c8590c9ccd1) added a new Informational alert
- Service execution via sc.exe (d25d07fa015c47a6a6a015ff46020cc5) added a new Informational alert
- Improved logic of an Informational Analytics BIOC:
- LDAP Traffic from NonStandard Process (5e72a7b439ed466998cab2495088f653) improved logic of an Informational Analytics BIOC
August 01, 2021 Release:
- Increased the severity to High for 2 BIOCs:
- Credential dumping via LaZagne (928b756c-8328-4dd8-9b41-5461d590589f) - increased the severity to High
- Possible C2 via dnscat2 (f9127d2b-3bf1-4d30-9258-d4d4aa0ebbb0) - increased the severity to High
- Increased the severity to Medium for 15 BIOCs:
- Possible Firefox browser history and bookmarks collection via command-line tool (59bcaa15-6a26-49a9-b8db-4978b1148f13) - increased the severity to Medium
- NTLM Credential dumping via RpcPing.exe (6bebf7c5-47a2-4c35-8786-6b64a27a35f5) - increased the severity to Medium
- WptsExtensions.dll created to disk (4cde444e-aa7f-4f1a-8c75-855c3c9e50e9) - increased the severity to Medium
- Execution of Fsociety tool pack (9a5b28a6-0a67-4386-9707-e7e4f1791c8a) - increased the severity to Medium
- WerFault ReflectDebugger key set in Registry (e22a0cab-0e71-408c-bbbc-39bf225df5fc) - increased the severity to Medium
- Socat/Netcat connects to TOR domain (450e1ab2-22f5-4efd-beb9-ddd81823a5b9) - increased the severity to Medium
- Clear logs - using dd and /dev/null (d5a156a9-d203-46ca-a53a-6090b173dfe0) - increased the severity to Medium
- Tampering with the Windows User Account Controls (UAC) configuration (8efda7b1-30fe-49c7-b2b9-9c17f43bc951) - increased the severity to Medium
- Bypass UAC using the IsolatedCommand Registry value (888395ea-2630-404e-a30c-c1ae4e352631) - increased the severity to Medium
- Manipulation of Winlogon 'UserInit' autostart Registry key (d6af8739-01f2-4f29-80a0-c1b05d70b874) - increased the severity to Medium
- PowerShell dumps users and roles from Exchange server (01ac823a-d1fc-4621-8bce-cb78d1dc83a0) - increased the severity to Medium
- Impersonation using Rubeus tool (0e6a7a3a-1059-11ea-b96d-8c8590c9ccd1) - increased the severity to Medium
- Manipulation of the sticky keys file (7a201c2e-5b4e-478d-a504-773762bd3c90) - increased the severity to Medium
- Suspicious printer port creation via Registry (20acf754-7deb-4732-b6f6-56bc88b618db) - increased the severity to Medium
- DNS reconnaissance or enumeration via DNSRecon (58ee2732-5c4e-468c-a878-4a524d8d5f81) - increased the severity to Medium
- Removed 2 old Medium BIOCs:
- Manipulation of netsh helper DLLs Registry keys (79d203ef-e417-4c8d-87c8-776c6ec4967f) - removed an old Medium alert
- Suspicious SearchProtocolHost.exe parent process (6e717721-732f-44e3-b826-602ae8bb6b67) - removed an old Medium alert
- Added 2 new Medium Analytics BIOCs:
- Suspicious SearchProtocolHost.exe parent process (86d04512-5c96-4f87-be1e-dc600e9d60f8) - added a new Medium alert
- Manipulation of netsh helper DLLs Registry keys (02bf3838-23d9-4a6b-a4c9-7b6691663249) - added a new Medium alert
- Improved logic of 4 Medium Analytics BIOCs:
- Windows Installer exploitation for local privilege escalation (d6aeb50b-c3f9-4eb3-9504-636eb17f3a42) - improved logic of a Medium Analytics BIOCs
- Microsoft Office Process Spawning a Suspicious One-Liner (aca7aaa1-4361-11ea-8fed-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
- Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - improved logic of a Medium Analytics BIOCs
- Commonly abused AutoIT script connects to an external domain (5ce79fc6-a5d3-43d1-a9ff-d8c779958cc9) - improved logic of a Medium Analytics BIOCs
- Changed metadata of 2 Medium Analytics BIOCs:
- Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs
- SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs
- Changed metadata of a Medium Analytics Alert:
- DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - changed metadata of a Medium Analytics Alert
- Increased the severity to Low for 6 BIOCs:
- Possible Oracle enumeration via tnscmd10g (2cb88b29-27c2-484b-be99-60158b575cf1) - increased the severity to Low
- Possible Oracle enumeration via Oscanner (81714e7d-a315-11ea-baaf-acde48001122) - increased the severity to Low
- UDP protocol scanner execution (d985da58-a4c5-4063-984b-357c80021aa1) - increased the severity to Low
- Collecting audio via PowerShell command (b519acb0-9cda-4a5c-8b36-f8b3533f6607) - increased the severity to Low
- Nagios enumeration (2f6f3ade-073e-11eb-9c0f-faffc26aac4a) - increased the severity to Low
- Internet Explorer home page modification (e4cf6b6e-70cc-4b02-a82d-148e10c36f76) - increased the severity to Low
- Removed an old Low BIOC:
- System information discovery via psinfo.exe (9eafe6a7-b0fa-4f85-867f-8ef01412e124) - removed an old Low alert
- Added 7 new Low Analytics BIOCs:
- LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - added a new Low alert
- Unsigned process creates a scheduled task via file access (f07fd364-9b51-48ec-8225-32ae98a8ffe5) - added a new Low alert
- A WMI subscriber was created (5a1964f8-87a0-49d6-bbf2-2c1a5a5eb3e1) - added a new Low alert
- Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - added a new Low alert
- Suspicious runonce.exe parent process (b72692c3-9579-4547-b657-43dc4e6be816) - added a new Low alert
- System information discovery via psinfo.exe (5347ae54-08ba-4cee-81a7-a26016928e27) - added a new Low alert
- Possible network service discovery via command-line tool (e2e77dfb-d869-405e-ab1f-2a2477c931cc) - added a new Low alert
- Improved logic of 4 Low Analytics BIOCs:
- Microsoft Office process spawns a commonly abused process (e15a97e1-466c-11ea-90c6-88e9fe502c1f) - improved logic of a Low Analytics BIOCs
- Unusual process accessed the PowerShell history file (c5e0c7e3-5e55-11eb-9453-acde48001122) - improved logic of a Low Analytics BIOCs
- External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - improved logic of a Low Analytics BIOCs
- UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - improved logic of a Low Analytics BIOCs
- Removed an old Low Analytics BIOC:
- PowerShell Initiates a Network Connection to GitHub (8b34f70a-b84d-4d98-aa19-7ee88037e467) - removed an old Low alert
- Improved logic of a Low Analytics Alert:
- Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alert
- Changed metadata of a Low Analytics Alert:
- Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alert
July 25, 2021 Release:
- Added a new High Analytics BIOC:
- Unprivileged process opened a registry hive (9937ddbf-beb9-49b0-ac34-e005d53a127b) - added a new High alert
- Removed 2 old Medium BIOCs:
- Non-browser access to a pastebin-like site (6b394799-0a16-4d03-b8b4-e9a062965ad7) - removed an old Medium alert
- Non-browser failed access to a pastebin-like site (c1f7607b-e56c-43ca-b072-5b266bb4133b) - removed an old Medium alert
- Added 3 new Medium Analytics BIOCs:
- Non-browser failed access to a pastebin-like site (be47eb8c-3407-46d6-ad35-2961f3f669b0) - added a new Medium alert
- Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - added a new Medium alert
- Uncommon msiexec execution of an arbitrary file from the web (8b919310-62f6-4035-b60b-ef61372947d9) - added a new Medium alert
- Improved logic of a Medium Analytics BIOC:
- Script Connecting to Rare External Host (86889630-e953-11e9-b74e-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
- Added a new Low Analytics BIOC:
- Rare security product signed executable executed in the network (f9e9ff14-df6e-4ed4-a15d-326bd444199b) - added a new Low alert
- Improved logic of 4 Low Analytics BIOCs:
- External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - improved logic of a Low Analytics BIOCs
- Unverified domain added to Azure AD (e4672ba4-6ba8-426c-82c1-9858f97a4221) - improved logic of a Low Analytics BIOCs
- Domain federation settings have been modified (050d189d-714a-46a0-b25d-2b295afd55b6) - improved logic of a Low Analytics BIOCs
- Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of a Low Analytics BIOCs
- Improved logic of 5 Low Analytics Alerts:
- Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alerts
- Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - improved logic of a Low Analytics Alerts
- Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts
- Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alerts
- Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts
- Removed an old Low Analytics Alert:
- High Connection Rate (bce7d695-69c6-4a03-a728-0254fd22c116) - removed an old Low alert
July 19, 2021 Release:
- Added 4 new Medium Analytics BIOCs:
- Suspicious unsigned process loads a known PowerShell module (23ac9a23-8a43-4900-95e1-6cdb422dd854) - added a new Medium alert
- Remote WMI process execution (65c55916-23c3-4d1e-9e3d-e839c9c4b70f) - added a new Medium alert
- Suspicious PowerSploit's recon module (PowerView) used to search for exposed hosts (dd806bdc-9025-47ff-816a-72ee47c322a3) - added a new Medium alert
- Suspicious PowerSploit's recon module (PowerView) net function was executed (bd95656f-6ba3-4c9d-ac06-8b0a957cf67f) - added a new Medium alert
- Improved logic of 5 Medium Analytics BIOCs:
- Suspicious disablement of the Windows Firewall using PowerShell commands (cb8b6ba0-12cc-4c64-81f5-75da949bea0b) - improved logic of a Medium Analytics BIOCs
- Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - improved logic of a Medium Analytics BIOCs
- Recurring access to rare domain categorized as malicious (8c2e83de-5071-4b38-8153-f130e6eee885) - improved logic of a Medium Analytics BIOCs
- Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOCs
- SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
- Removed an old Low BIOC:
- Bash creating network traffic (8bbc8c26-45dd-436c-9d89-98f76164daee) - removed an old Low alert
- Increased the severity to Low for an Analytics BIOC:
- UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - increased the severity to Low
- Decreased the severity to Low for 2 Analytics BIOCs:
- Network sniffing via command-line tool (4b25dcce-0ac3-4cb2-8c97-939a1077af84) - decreased the severity to Low
- WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - decreased the severity to Low
- Added 3 new Low Analytics BIOCs:
- Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - added a new Low alert
- Suspicious AMSI decode attempt (f3885db4-6be6-40b9-82c1-9858f97a4229) - added a new Low alert
- Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet (c640fd86-9c58-4fe2-82ed-c3975866393a) - added a new Low alert
- Improved logic of 3 Low Analytics BIOCs:
- External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - improved logic of a Low Analytics BIOCs
- Domain federation settings have been modified (050d189d-714a-46a0-b25d-2b295afd55b6) - improved logic of a Low Analytics BIOCs
- Unverified domain added to Azure AD (e4672ba4-6ba8-426c-82c1-9858f97a4221) - improved logic of a Low Analytics BIOCs
- Added a new Low Analytics Alert:
- Possible external RDP Brute-Force (f774f787-6763-4f3c-bc24-46d3183d26fe) - added a new Low alert
- Improved logic of 3 Low Analytics Alerts:
- Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of a Low Analytics Alerts
- NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - improved logic of a Low Analytics Alerts
- Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - improved logic of a Low Analytics Alerts
- Decreased the severity to Informational for a BIOC:
- Executable copied to remote host via admin share (63181adb-96a2-441b-8367-6a1e91ef1e02) - decreased the severity to Informational
- Added 6 new Informational BIOCs:
- Execution privileges added to a temporary file (8d888902-486c-49a5-b675-8ba9280533b6) - added a new Informational alert
- SELinux was set to permissive mode (e1912c54-c1a4-4091-8b1d-019c3ceac2d6) - added a new Informational alert
- Hidden file and directory creation (84de44f2-8d06-452e-8322-e36e90cf3292) - added a new Informational alert
- Execution from inside the /tmp directory (a4e680e8-f9e8-4c58-bd29-7616a6445505) - added a new Informational alert
- Possible log destruction using dd command (7620b496-3804-4b00-83eb-85378033b6bd) - added a new Informational alert
- Possible XDG autostart persistency (41eac860-a716-420e-b48a-492b3142ecb6) - added a new Informational alert
- Improved logic of 3 Informational BIOCs:
- Persistence using bashrc files (b6a766b5-29e7-44b2-8e68-7a4f78a5fd46) - improved logic of an Informational BIOCs
- Shell history access (735fd839-4959-4e5d-9207-fdf517b977a1) - improved logic of an Informational BIOCs
- Persistence through service registration (c69ed984-a260-4ba9-990f-bc762a4a3223) - improved logic of an Informational BIOCs
- Removed an old Informational BIOC:
- Unsigned process loads a known PowerShell DLL (447fc1fe-4ff7-4668-a6c0-4ff929469234) - removed an old Informational alert
- Added 9 new Informational Analytics BIOCs:
- Hidden Attribute was added to a file using attrib.exe (5414fab8-c803-40c5-914a-a601b23acb5a) - added a new Informational alert
- Registration of Uncommon .NET Services and/or Assemblies (df0fcd8c-637b-11ea-b635-88e9fe502c1f) - added a new Informational alert
- Possible RDP session hijacking using tscon.exe (015570a8-ffce-492b-99a9-e7b83dc8e216) - added a new Informational alert
- Ping to localhost from an uncommon, unsigned parent process (91d8831e-18ed-48b3-a316-f5091d647738) - added a new Informational alert
- Uncommon RDP connection (239ae240-e954-11e9-9f0a-8c8590c9ccd1) - added a new Informational alert
- Uncommon net localgroup execution (4adaa6ba-e954-11e9-b566-8c8590c9ccd1) - added a new Informational alert
- Rare process spawned by srvany.exe (95b2dea2-4531-4eb4-892e-bb6422293ac9) - added a new Informational alert
- Uncommon Managed Object Format (MOF) compiler usage (d8069d23-e953-11e9-bb13-8c8590c9ccd1) - added a new Informational alert
- Process connecting to default Meterpreter port (9de6cf91-007d-11ea-a77c-8c8590c9ccd1) - added a new Informational alert
- Added a new Informational Analytics Alert:
- Uncommon multiple service stop commands (09db6c8f-189e-4e07-b94a-3fe5a188e4b0) - added a new Informational alert
- Improved logic of an Informational Analytics Alert:
- Multiple Rare Process Executions in Organization (3d78f74c-a8f0-11eb-923e-acde48001122) - improved logic of an Informational Analytics Alert
July 11, 2021 Release:
- Added a new Medium Analytics BIOC:
- Suspicious disablement of the Windows Firewall using PowerShell commands (cb8b6ba0-12cc-4c64-81f5-75da949bea0b) - added a new Medium alert
- Increased the severity to Low for an Analytics BIOC:
- PowerShell suspicious flags signal (4ce1b559-45b8-11ea-81bb-88e9fe502c1f) - increased the severity to Low
- Improved logic of 3 Low Analytics BIOCs:
- Unusual process accessed the PowerShell history file (c5e0c7e3-5e55-11eb-9453-acde48001122) - improved logic of a Low Analytics BIOCs
- First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - improved logic of a Low Analytics BIOCs
- User successfully connected from a suspicious country (2f0796a2-c33c-4437-b592-ac13f0929e7d) - improved logic of a Low Analytics BIOCs
- Improved logic of a Low Analytics Alert:
- Impossible traveler (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alert
- Removed an old Informational BIOC:
- Outlook data files accessed by an unsigned process (ea7088cd-90e4-4750-b65c-61743e3c4bb3) - removed an old Informational alert
- Improved logic of 2 Informational Analytics BIOCs:
- User connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - improved logic of an Informational Analytics BIOCs
- User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - improved logic of an Informational Analytics BIOCs
July 4, 2021 Release:
- Improved logic of a Medium Analytics BIOC:
- Execution of renamed lolbin (fdb82a70-8f9a-11ea-9918-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
- Improved logic of a Medium Analytics Alert:
- Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alert
- Decreased the severity to Low for a BIOC:
- Reading bash command history file (cb05480f-17d8-4138-9902-f0f9fb50b672) - decreased the severity to Low
- Improved logic of 2 Low Analytics Alerts:
- Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts
- Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts
June 28, 2021 Release:
- Changed metadata of 4 High BIOCs
- Changed metadata of 3 High Analytics BIOCs
- Changed metadata of 5 Medium BIOCs
- Improved logic of a Medium Analytics BIOC:
- Recurring access to rare domain categorized as malicious (8c2e83de-5071-4b38-8153-f130e6eee885) - improved logic of a Medium Analytics BIOC
- Changed metadata of 10 Medium Analytics BIOCs
- Decreased the severity to Medium for an Analytics Alert:
- Kerberos User Enumeration (97b4a03a-24f4-11eb-97dd-acde48001122) - decreased the severity to Medium, and improved detection logic
- Changed metadata of 5 Medium Analytics Alerts
- Changed metadata of 3 Low BIOCs
- Added a new Low Analytics BIOC:
- External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - added a new Low alert
- Changed metadata of 12 Low Analytics BIOCs
- Changed metadata of 8 Low Analytics Alerts
- Added 7 new Informational BIOCs:
- Log deletion using the truncate command (1afe4c22-2163-45ad-a90a-f130eaed6ff2) - added a new Informational alert
- Log deletion in known log file directories (4c91da94-296f-49c3-9e3d-4f040269391e) - added a new Informational alert
- Clear logs - using dd and /dev/null (d5a156a9-d203-46ca-a53a-6090b173dfe0) - added a new Informational alert
- Clearing logs by executing cat /dev/null (787aa313-7ef6-40a9-a68c-bdcc9610c35f) - added a new Informational alert
- Clearing logs by copying /dev/null to a log file (62affbe1-1c47-4dc1-88d2-bd701e9be6d7) - added a new Informational alert
- Installation of networking security tools (45818abb-9462-4074-ae83-fd56f715ef11) - added a new Informational alert
- Network Packet Capture - tshark\tcpdump (9e72d135-0782-48dd-8b4f-da2dd4d1599f) - added a new Informational alert
- Changed metadata of 20 Informational BIOCs
- Changed metadata of 4 Informational Analytics BIOCs
- Changed metadata of an Informational Analytics Alert
June 20, 2021 Release:
- Changed metadata of a High Analytics BIOC:
- Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) - changed metadata of a High Analytics BIOC
- Changed metadata of a Medium BIOC:
- Executable created to disk by lsass.exe (8d61c71e-3224-453f-aa1a-28de92d85b13) - changed metadata of a Medium BIOC
- Added a new Medium Analytics BIOC:
- Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - added a new Medium alert
- Improved logic of 2 Medium Analytics BIOCs:
- SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
- Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
- Changed metadata of a Medium Analytics BIOC:
- Windows Installer exploitation for local privilege escalation (d6aeb50b-c3f9-4eb3-9504-636eb17f3a42) - changed metadata of a Medium Analytics BIOC
- Changed metadata of a Medium Analytics Alert:
- Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - changed metadata of a Medium Analytics Alert
- Improved logic of a Low BIOC:
- Executable copied to remote host via admin share (63181adb-96a2-441b-8367-6a1e91ef1e02) - improved logic of a Low BIOC
- Changed metadata of a Low BIOC:
- Tampering with the Windows System Restore configuration (710b1aaa-cfdf-42b5-9615-447cedc5e5f0) - changed metadata of a Low BIOC
- Improved logic of a Low Analytics BIOC:
- Unusual process accessed the PowerShell history file (c5e0c7e3-5e55-11eb-9453-acde48001122) - improved logic of a Low Analytics BIOC
- Changed metadata of a Low Analytics BIOC:
- Remote service start from an uncommon source (972072a7-9f23-4354-824d-7295de90e804) - changed metadata of a Low Analytics BIOC
- Changed metadata of 3 Informational BIOCs:
- Manipulation of default file association configuration (9ac339af-aa0c-4fac-8117-33d4b4123ee3) - changed metadata of an Informational BIOCs
- Commonly-abused host process tried to kill a running process (393c5b71-2b2f-4290-be33-752015973161) - changed metadata of an Informational BIOCs
- Windows process masquerading by an unsigned process (a39a60db-05a6-4b77-ab09-6bd8852e1b1d) - changed metadata of an Informational BIOCs
- Added a new Informational Analytics BIOC:
- UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - added a new Informational alert
- Removed an old Informational Analytics BIOC:
- Uncommon msiexec execution of an arbitrary file from the web (8b919310-62f6-4035-b60b-ef61372947d9) - removed an old Informational alert
June 13, 2021 Release:
- Improved logic of a Medium BIOC:
- Non-browser access to a pastebin-like site (6b394799-0a16-4d03-b8b4-e9a062965ad7) - improved logic of a Medium BIOC
- Changed metadata of a Medium BIOC:
- User added to local administrator group using a PowerShell command (7135da01-046f-452b-99d3-974795aca8c6) - changed metadata of a Medium BIOC
- Improved logic of 2 Medium Analytics BIOCs:
- Recurring access to rare domain categorized as malicious (8c2e83de-5071-4b38-8153-f130e6eee885) - improved logic of a Medium Analytics BIOCs
- Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOCs
- Changed metadata of a Medium Analytics Alert:
- DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - changed metadata of a Medium Analytics Alert
- Changed metadata of a Low BIOC:
- Remote command executed from a Linux host (e311896f-8299-4041-abd9-05db740f0ecd) - changed metadata of a Low BIOC
- Improved logic of 2 Low Analytics BIOCs:
- Suspicious process execution by scheduled task (56bc5f4c-e481-41de-81e4-ec618fb1f004) - improved logic of a Low Analytics BIOCs
- Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOCs
- Improved logic of a Low Analytics Alert:
- High Connection Rate (bce7d695-69c6-4a03-a728-0254fd22c116) - improved logic of a Low Analytics Alert
- Changed metadata of 3 Informational BIOCs:
- Unsigned process executed as a scheduled task (12766be6-50be-4cac-b6a4-6f3b5b8bd8ab) - changed metadata of an Informational BIOCs
- WMIC enumerates running processes (8b916e98-5122-4a50-a8cc-b0207d5f5c28) - changed metadata of an Informational BIOCs
- User added to local administrator group using net.exe command (8cb7771f-5f9e-4450-9a8a-fb5d6083fd05) - changed metadata of an Informational BIOCs
June 06, 2021 Release:
- Changed metadata of a High BIOC:
- Wbadmin.exe deletes recovery files in quiet mode (24be0d84-2203-4d60-a1f0-39e4f80eee3a) - changed metadata of a High BIOC
- Removed an old High BIOC:
- Suspicious access to NTDS.dit (eeeee3a5-a22f-4850-8022-17684a8c5227) - removed an old High alert
- Added a new High Analytics BIOC:
- Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin (e7deceda-807e-4e2e-993b-e577804c5d8f) - added a new High alert
- Changed metadata of a High Analytics Alert:
- Kerberos User Enumeration (97b4a03a-24f4-11eb-97dd-acde48001122) - changed metadata of a High Analytics Alert
- Changed metadata of 2 Medium BIOCs:
- Rundll32.exe was used to run JavaScript (c9207f63-0b78-4488-9668-e24bc1b2f9d6) - changed metadata of a Medium BIOCs
- Office process spawned with suspicious command-line arguments (29f7499b-2464-479d-9e49-10911bc02945) - changed metadata of a Medium BIOCs
- Added 2 new Medium Analytics BIOCs:
- Reverse SSH tunnel to external domain/ip (0098b910-5056-4ce9-988a-983dd0071c5a) - added a new Medium alert
- Vulnerable driver loaded (1cc145f5-f667-4ca3-a722-79a29ed23caf) - added a new Medium alert
- Improved logic of 2 Medium Analytics BIOCs:
- Windows Installer exploitation for local privilege escalation (d6aeb50b-c3f9-4eb3-9504-636eb17f3a42) - improved logic of a Medium Analytics BIOCs
- SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
- Removed an old Medium Analytics BIOC:
- Reverse SSH tunnel to external domain/ip (1511885b-1fb5-4118-b8a9-fedd43a285c1) - removed an old Medium alert
- Changed metadata of a Medium Analytics Alert:
- DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - changed metadata of a Medium Analytics Alert
- Added a new Low Analytics BIOC:
- User successfully connected from a suspicious country (2f0796a2-c33c-4437-b592-ac13f0929e7d) - added a new Low alert
- Improved logic of a Low Analytics BIOC:
- Rare SSH Session (85f62ab8-e953-11e9-beca-8c8590c9ccd1) - improved logic of a Low Analytics BIOC
- Changed metadata of a Low Analytics BIOC:
- Wsmprovhost.exe Rare Child Process (f5b580fd-e952-11e9-91de-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
- Improved logic of a Low Analytics Alert:
- Impossible traveler (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alert
- Changed metadata of a Low Analytics Alert:
- Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alert
- Decreased the severity to Informational for a BIOC:
- Base64 encoding used (e8ffb33b-f1a8-4687-9ad7-cd2654d73b4f) - decreased the severity to Informational, and improved detection logic
- Added 5 new Informational BIOCs:
- Reading the contents of /etc/mtab or /etc/fstab (5745ac31-522d-4d8a-b86f-b78260f6d609) - added a new Informational alert
- Wzzip.exe execution with password protection parameters (427a5f1d-eec4-4de4-927f-58daf0a0817d) - added a new Informational alert
- Base64 decoding using the base64 utility (1682c4a4-39ef-49ce-9cbc-cd7d08888553) - added a new Informational alert
- 7z.exe execution with password protection parameters (edaa5d9d-9c9d-443f-bd60-f4e887d48ac9) - added a new Informational alert
- Rar.exe execution with password protection parameters (03664565-3629-4267-91e7-a3fe7e91d4cc) - added a new Informational alert
- Changed metadata of 5 Informational BIOCs:
- Windows PowerShell Logging being disabled via Registry (a649172a-7c6a-4a14-8022-b8d53f9d9ad6) - changed metadata of an Informational BIOCs
- Encrypted zip archive creation (88836a02-95e6-47d1-a619-90a2de0165ff) - changed metadata of an Informational BIOCs
- Service enumeration via sc (f5ad264a-fc27-4cef-9a94-245150ace5b1) - changed metadata of an Informational BIOCs
- Enumeration of services via PowerShell (6977966b-14e9-11ea-b5d7-88e9fe502c1f) - changed metadata of an Informational BIOCs
- PowerShell calling Invoke-Expression argument (d9e32419-d8f0-4b2b-b395-6c27be156d56) - changed metadata of an Informational BIOCs
- Removed 2 old Informational BIOCs:
- Possible network service discovery via command-line tool (d2f959f3-d463-4d73-92bf-4c3664a5d956) - removed an old Informational alert
- Unsigned process creates a scheduled task via file access (116a3cfb-2fd3-4d99-800b-e93fe158b211) - removed an old Informational alert
- Decreased the severity to Informational for an Analytics BIOC:
- User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - decreased the severity to Informational
- Improved logic of an Informational Analytics BIOC:
- Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - improved logic of an Informational Analytics BIOC
- Changed metadata of an Informational Analytics BIOC:
- User connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - changed metadata of an Informational Analytics BIOC
May 30, 2021 Release:
- Changed metadata of 11 High BIOCs
- Improved logic of 2 High Analytics BIOCs:
- Bronze-Bit exploit (115c6f43-ebb2-48d8-9044-9b52c0102e2f) improved logic of a High Analytics BIOCs
- Possible DCShadow attempt (a320aa30-20c3-11ea-b525-8c8590c9ccd1) improved logic of a High Analytics BIOCs
- Changed metadata of a High Analytics BIOC:
- Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) changed metadata of a High Analytics BIOC
- Improved logic of a High Analytics Alert:
- Kerberos User Enumeration (97b4a03a-24f4-11eb-97dd-acde48001122) improved logic of a High Analytics Alert
- Changed metadata of 45 Medium BIOCs
- Increased the severity to Medium for an Analytics BIOC:
- Uncommon net group execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) increased the severity to Medium, and improved detection logic
- Added 2 new Medium Analytics BIOCs:
- Suspicious disablement of the Windows Firewall (7c28b163-4d2f-463c-97ba-5b3e7f13249b) added a new Medium alert
- Recurring access to rare domain categorized as malicious (8c2e83de-5071-4b38-8153-f130e6eee885) added a new Medium alert
- Improved logic of 12 Medium Analytics BIOCs:
- Possible DCSync Attempt (a420aa30-20c3-11ea-b525-8c8591c0ccb0) improved logic of a Medium Analytics BIOCs
- Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) improved logic of a Medium Analytics BIOCs
- SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) improved logic of a Medium Analytics BIOCs
- Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) improved logic of a Medium Analytics BIOCs
- RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) improved logic of a Medium Analytics BIOCs
- Commonly-abused AutoIT script connects to an external domain (5ce79fc6-a5d3-43d1-a9ff-d8c779958cc9) improved logic of a Medium Analytics BIOCs
- LOLBIN connecting to a rare host (4bcc13de-20b7-11ea-a54a-8c8590c9ccd1) improved logic of a Medium Analytics BIOCs
- Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) improved logic of a Medium Analytics BIOCs
- Script Connecting to Rare External Host (86889630-e953-11e9-b74e-8c8590c9ccd1) improved logic of a Medium Analytics BIOCs
- LOLBIN spawned by an Office executable connected to a rare external host (0aad6094-99a3-11ea-8544-88e9fe502c1f) improved logic of a Medium Analytics BIOCs
- Failed Login For a Long Username With Special Characters (de8eb00f-2016-11ea-8f2b-8c8590c9ccd1) improved logic of a Medium Analytics BIOCs
- Reverse SSH tunnel to external domain/ip (1511885b-1fb5-4118-b8a9-fedd43a285c1) improved logic of a Medium Analytics BIOCs
- Changed metadata of 7 Medium Analytics BIOCs
- Improved logic of 5 Medium Analytics Alerts:
- Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) improved logic of a Medium Analytics Alerts
- Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) improved logic of a Medium Analytics Alerts
- Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) improved logic of a Medium Analytics Alerts
- NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) improved logic of a Medium Analytics Alerts
- DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) improved logic of a Medium Analytics Alerts
- Changed metadata of 30 Low BIOCs
- Removed an old Low BIOC:
- Windows Firewall being disabled using netsh (23407a88-c820-4b42-8400-46fe6025cfe6) removed an old Low alert
- Increased the severity to Low for an Analytics BIOC:
- Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) increased the severity to Low, and improved detection logic
- Improved logic of 6 Low Analytics BIOCs:
- Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) improved logic of a Low Analytics BIOCs
- Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) improved logic of a Low Analytics BIOCs
- Rare SSH Session (85f62ab8-e953-11e9-beca-8c8590c9ccd1) improved logic of a Low Analytics BIOCs
- MSBuild Makes a Rare Network Connection (633a8e38-c616-11ea-abb3-acde48001122) improved logic of a Low Analytics BIOCs
- Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) improved logic of a Low Analytics BIOCs
- Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) improved logic of a Low Analytics BIOCs
- Changed metadata of 25 Low Analytics BIOCs
- Improved logic of 11 Low Analytics Alerts:
- Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) improved logic of a Low Analytics Alerts
- Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) improved logic of a Low Analytics Alerts
- Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) improved logic of a Low Analytics Alerts
- Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) improved logic of a Low Analytics Alerts
- Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) improved logic of a Low Analytics Alerts
- High Connection Rate (bce7d695-69c6-4a03-a728-0254fd22c116) improved logic of a Low Analytics Alerts
- New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) improved logic of a Low Analytics Alerts
- Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) improved logic of a Low Analytics Alerts
- Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) improved logic of a Low Analytics Alerts
- Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) improved logic of a Low Analytics Alerts
- Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) improved logic of a Low Analytics Alerts
- Changed metadata of 3 Low Analytics Alerts
- Changed metadata of 148 Informational BIOCs
- Improved logic of an Informational Analytics BIOC:
- Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) improved logic of an Informational Analytics BIOC
- Changed metadata of 6 Informational Analytics BIOCs
May 12, 2021 Release:
- Added a new Medium Analytics BIOC:
- Windows Installer exploitation for local privilege escalation (d6aeb50b-c3f9-4eb3-9504-636eb17f3a42) - added a new Medium alert
- Improved logic of a Medium Analytics BIOC:
- Script Connecting to Rare External Host (86889630-e953-11e9-b74e-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
- Improved logic of a Medium Analytics Alert:
- Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) - improved logic of a Medium Analytics Alert
- Changed metadata of a Medium Analytics Alert:
- Sudoedit Brute force attempt (e1d6cdd8-845f-440b-b89e-a430eafea941) - changed metadata of a Medium Analytics Alert
- Changed metadata of 4 Low Analytics BIOCs:
- Suspicious RunOnce Parent Process (565f0500-ad74-11ea-abe7-acde48001122) - changed metadata of a Low Analytics BIOCs
- Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - changed metadata of a Low Analytics BIOCs
- Suspicious process execution by scheduled task (56bc5f4c-e481-41de-81e4-ec618fb1f004) - changed metadata of a Low Analytics BIOCs
- Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - changed metadata of a Low Analytics BIOCs
May 10, 2021 Release:
- Improved logic of a High BIOC:
- Exchange process writing aspx files (c926dbe2-c56a-4d1b-bf7e-d5b759082912) - improved logic of a High BIOC
- Changed metadata of 3 High BIOCs:
- Memory dumping with comsvcs.dll (9873cd8b-2220-4384-a99f-712ad0ccfb45) - changed metadata of a High BIOCs
- Encoded VBScript executed (b38b98bc-e2d4-4719-b863-d9142bf8d647) - changed metadata of a High BIOCs
- Editing ld.so.preload for persistence and injection (9cb193d8-4f01-4c57-b21d-c3211e32fe5e) - changed metadata of a High BIOCs
- Removed an old High BIOC:
- SunBurst domain access (9cd4bdd1-939a-4dce-a466-752843bf5f41) - removed an old High alert
- Changed metadata of 2 Medium BIOCs:
- Binary file being created to disk with a double extension (3a461861-7d8b-4a7c-8265-cb05f4fa0dd8) - changed metadata of a Medium BIOCs
- Dumping lsass.exe memory for credential extraction (cb05480f-17d8-4138-aa38-f0f9fb50b671) - changed metadata of a Medium BIOCs
- Improved logic of 5 Medium Analytics BIOCs:
- LOLBIN connecting to a rare host (4bcc13de-20b7-11ea-a54a-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs
- Script Connecting to Rare External Host (86889630-e953-11e9-b74e-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs
- Reverse SSH tunnel to external domain/ip (1511885b-1fb5-4118-b8a9-fedd43a285c1) - improved logic of a Medium Analytics BIOCs
- LOLBIN spawned by an Office executable connected to a rare external host (0aad6094-99a3-11ea-8544-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
- Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOCs
- Improved logic of a Low Analytics BIOC:
- MSBuild Makes a Rare Network Connection (633a8e38-c616-11ea-abb3-acde48001122) - improved logic of a Low Analytics BIOC
- Changed metadata of 3 Low Analytics BIOCs:
- Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - changed metadata of a Low Analytics BIOCs
- Rare Unsigned Process Spawned by Office Process Under Suspicious Directory (dff03970-bf7a-11ea-86c7-acde48001122) - changed metadata of a Low Analytics BIOCs
- Uncommon user management via net.exe (f78dfe5e-e952-11e9-b300-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
- Improved logic of 5 Low Analytics Alerts:
- Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts
- Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alerts
- Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - improved logic of a Low Analytics Alerts
- Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts
- Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - improved logic of a Low Analytics Alerts
- Changed metadata of 7 Informational BIOCs:
- Windows PowerShell Logging being disabled via Registry (a649172a-7c6a-4a14-8022-b8d53f9d9ad6) - changed metadata of an Informational BIOCs
- Sudoers discovery (2ed43b35-f9ca-4df4-a796-c5e88da0ed3a) - changed metadata of an Informational BIOCs
- Compressed archive created using tar (e9e007db-a8a7-4ae5-b758-5cacbe0ab46e) - changed metadata of an Informational BIOCs
- Manipulation of Winlogon 'Notify' autostart Registry key (27dbcdd3-08d3-4859-ae8e-e6caef1f17ab) - changed metadata of an Informational BIOCs
- Wscript.exe connects to an external network (deef10e3-42b1-45fa-a957-9713755fa514) - changed metadata of an Informational BIOCs
- Persistence using bashrc files (b6a766b5-29e7-44b2-8e68-7a4f78a5fd46) - changed metadata of an Informational BIOCs
- Write to .bash_profile (1119d1ec-cdfb-404b-ae82-475b8fcf8ddc) - changed metadata of an Informational BIOCs
- Improved logic of an Informational Analytics BIOC:
- Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of an Informational Analytics BIOC
- Changed metadata of an Informational Analytics BIOC:
- Commonly-abused AutoIT script drops an executable file to disk (267a6168-f45b-4274-9c78-7519395f47d4) - changed metadata of an Informational Analytics BIOC
April 28, 2021 Release:
-
Improved logic of a Medium BIOC:
-
Executable created to disk by lsass.exe (8d61c71e-3224-453f-aa1a-28de92d85b13) - improved logic of a Medium BIOC
-
-
Improved logic of a Low Analytics BIOC:
-
Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOC
-
-
Improved logic of 2 Low Analytics Alerts:
-
Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts
-
Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts
-
-
Improved logic of an Informational BIOC:
-
Security Support Provider (SSP) registered via a registry key (2b72b7fd-5b13-4ff1-ba5b-6b149c76f032) - improved logic of an Informational BIOC
-
-
Changed metadata of an Informational BIOC:
-
Manipulation of Windows folder options (7cb8c831-ba6e-4cde-83db-3762d94cd1fa) - changed metadata of an Informational BIOC
-
April 18, 2021 Release:
- Improved logic of a Medium BIOC:
- Manipulation of netsh helper DLLs Registry keys (79d203ef-e417-4c8d-87c8-776c6ec4967f) - improved logic of a Medium BIOC
- Added a new Medium Analytics BIOC:
- Execution of a password brute-force tool (90010a1e-59b9-42a2-b768-2778a666f7a3) - added a new Medium alert
- Improved logic of a Medium Analytics BIOC:
- Failed Login For a Long Username With Special Characters (de8eb00f-2016-11ea-8f2b-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
April 11, 2021 Release:
- Improved logic of a High Analytics BIOC:
- Bronze-Bit exploit (115c6f43-ebb2-48d8-9044-9b52c0102e2f) - improved logic of a High Analytics BIOC
- Improved logic of 3 Medium Analytics BIOCs:
- Failed Login For a Long Username With Special Characters (de8eb00f-2016-11ea-8f2b-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs
- Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
- Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - improved logic of a Medium Analytics BIOCs
- Added a new Medium Analytics Alert:
- Sudoedit Brute force attempt (e1d6cdd8-845f-440b-b89e-a430eafea941) - added a new Medium alert
- Improved logic of a Medium Analytics Alert:
- Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - improved logic of a Medium Analytics Alert
- Improved logic of 5 Low Analytics BIOCs:
- Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs
- Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - improved logic of a Low Analytics BIOCs
- Rare SSH Session (85f62ab8-e953-11e9-beca-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs
- Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - improved logic of a Low Analytics BIOCs
- Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - improved logic of a Low Analytics BIOCs
- Changed metadata of a Low Analytics BIOC:
- Suspicious RunOnce Parent Process (565f0500-ad74-11ea-abe7-acde48001122) - changed metadata of a Low Analytics BIOC
- Improved logic of 4 Low Analytics Alerts:
- Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts
- Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - improved logic of a Low Analytics Alerts
- Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - improved logic of a Low Analytics Alerts
- Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts
- Added a new Informational BIOC:
- SharpHound LDAP query (5f50bb22-588c-4d48-8600-446df59d8a51) - added a new Informational alert
- Changed metadata of 3 Informational BIOCs:
- Crash dump file created (e6cb68b9-7bb3-4be2-9b7c-d66d560e5a3b) - changed metadata of an Informational BIOCs
- Enumeration command executes (6958a24d-f33a-45f2-819c-b47c1e03964d) - changed metadata of an Informational BIOCs
- Enumeration command called by commonly abused CGO (e7d21bc3-3190-4b25-a2f4-20c6242b1029) - changed metadata of an Informational BIOCs
- Improved logic of an Informational Analytics BIOC:
- Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of an Informational Analytics BIOC
April 4, 2021 Release:
- Improved logic of a Medium Analytics Alert:
- Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alert
- Added a new Low Analytics BIOC:
- Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - added a new Low alert
- Improved logic of 2 Low Analytics BIOCs:
- Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOCs
- Wsmprovhost.exe Rare Child Process (f5b580fd-e952-11e9-91de-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs
- Improved logic of a Low Analytics Alert:
- Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - improved logic of a Low Analytics Alert
- Changed metadata of a Low Analytics Alert:
- Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - changed metadata of a Low Analytics Alert
- Improved logic of an Informational Analytics BIOC:
- Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of an Informational Analytics BIOC
March 29, 2021 Release:
- Decreased the severity to Medium for an Analytics BIOC:
- Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - decreased the severity to Medium
- Improved logic of a Medium Analytics BIOC:
- SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
- Improved logic of a Low Analytics BIOC:
- Uncommon net group execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) - improved logic of a Low Analytics BIOC
- Improved logic of 2 Low Analytics Alerts:
- Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alerts
- Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alerts
- Improved logic of an Informational Analytics BIOC:
- Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - improved logic of an Informational Analytics BIOC
March 22, 2021 Release:
- Improved logic of a Medium Analytics BIOC:
- Execution of renamed lolbin (fdb82a70-8f9a-11ea-9918-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
- Improved logic of a Medium Analytics Alert:
- Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) - improved logic of a Medium Analytics Alert
- Improved logic of 5 Low Analytics Alerts:
- Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts
- Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alerts
- Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - improved logic of a Low Analytics Alerts
- Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alerts
- High Connection Rate (bce7d695-69c6-4a03-a728-0254fd22c116) - improved logic of a Low Analytics Alerts
- Removed an old Informational BIOC:
- Network configuration discovery (d69c1be0-a351-469d-a47c-34e1f0562690) - removed an old Informational alert
March 16, 2021 Release:
- Changed metadata of a High Analytics BIOC:
- Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - changed metadata of a High Analytics BIOC
- Improved logic of a Medium Analytics BIOC:
- Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - improved logic of a Medium Analytics BIOC
March 14, 2021 Release:
- Added a new High Analytics BIOC:
- Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) - added a new High alert
- Improved logic of a High Analytics BIOC:
- Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a High Analytics BIOC
- Removed an old Medium BIOC:
- Network sniffing via command-line tool (4b25dcce-0ac3-4cb2-8c97-939a1077af84) - removed an old Medium alert
- Added a new Medium Analytics BIOC:
- Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - added a new Medium alert
- Improved logic of 2 Medium Analytics BIOCs:
- SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
- Network sniffing via command-line tool (4b25dcce-0ac3-4cb2-8c97-939a1077af84) - improved logic of a Medium Analytics BIOCs
- Improved logic of a Low Analytics BIOC:
- Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOC
- Improved logic of an Informational Analytics BIOC:
- Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - improved logic of an Informational Analytics BIOC
March 3, 2021 Release:
-
Added a new High BIOC:
-
Exchange process writing aspx files (c926dbe2-c56a-4d1b-bf7e-d5b759082912) - added a new High alert
-
February 28, 2021 Release:
- Changed metadata of a High Analytics BIOC:
- Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - changed metadata of a High Analytics BIOC
- Improved logic of a Medium BIOC:
- LOLBAS executable injects into another process (c8ad0223-2018-11ea-a080-8c8590c9ccd1) - improved logic of a Medium BIOC
- Improved logic of a Medium Analytics BIOC:
- LOLBIN spawned by an Office executable connected to a rare external host (0aad6094-99a3-11ea-8544-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
- Changed metadata of 2 Medium Analytics BIOCs:
- WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOCs
- Suspicious Process Spawned by wininit.exe (9e4ba29f-8771-4f7b-acc4-562c91740934) - changed metadata of a Medium Analytics BIOCs
- Improved logic of a Medium Analytics Alert:
- Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alert
- Increased the severity to Low for a BIOC:
- Commonly-abused AutoIT script connects to a remote host (429e8b36-070c-44ae-ae6d-50f89d31261e) - increased the severity to Low
- Improved logic of 2 Low Analytics BIOCs:
- Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - improved logic of a Low Analytics BIOCs
- Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOCs
- Changed metadata of a Low Analytics BIOC:
- Suspicious process execution by scheduled task (56bc5f4c-e481-41de-81e4-ec618fb1f004) - changed metadata of a Low Analytics BIOC
- Added a new Low Analytics Alert:
- Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - added a new Low alert
February 21, 2021 Release:
- Added a new High Analytics BIOC:
- Bronze-Bit exploit (115c6f43-ebb2-48d8-9044-9b52c0102e2f) - added a new High alert
- Improved logic of a High Analytics BIOC:
- Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a High Analytics BIOC
- Improved logic of a Medium Analytics Alert:
- Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alert
- Improved logic of a Low Analytics BIOC:
- Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOC
- Improved logic of a Low Analytics Alert:
- Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - improved logic of a Low Analytics Alert
- Improved logic of an Informational BIOC:
- Non-browser process downloads content from GitHub (75c22cca-c58a-4319-881b-1f7b917cdad2) - improved logic of an Informational BIOC
- Improved logic of an Informational Analytics BIOC:
- Recurring Rare IP Access (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of an Informational Analytics BIOC
February 14, 2021 Release:
- Added a new Medium Analytics BIOC:
- Reverse SSH tunnel to external domain/ip (1511885b-1fb5-4118-b8a9-fedd43a285c1) - added a new Medium alert
- Improved logic of 2 Medium Analytics BIOCs:
- Script Connecting to Rare External Host (86889630-e953-11e9-b74e-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs
- WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs
- Changed metadata of 2 Medium Analytics BIOCs:
- SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs
-
Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs
-
Decreased the severity to Low for a BIOC:
-
Process runs from the recycle bin (98134120-eed2-4252-b6d6-d130743018c6) - decreased the severity to Low, and improved detection logic
-
-
Added a new Low Analytics BIOC:
-
Suspicious process execution by scheduled task (56bc5f4c-e481-41de-81e4-ec618fb1f004) - added a new Low alert
-
-
Improved logic of a Low Analytics BIOC:
-
Rare SSH Session (85f62ab8-e953-11e9-beca-8c8590c9ccd1) - improved logic of a Low Analytics BIOC
-
-
Decreased the severity to Informational for an Analytics BIOC:
-
Recurring Rare IP Access (85efd97a-e265-4498-9037-f15f6d041991) - decreased the severity to Informational
-
-
Improved logic of an Informational Analytics BIOC:
-
Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - improved logic of an Informational Analytics BIOC
-
February 07, 2021 Release:
-
Increased the severity to Medium for a BIOC:
-
Modification of NTLM restrictions in the Registry (207bde33-2c02-4aa7-ae4f-e22146b79ba6) - increased the severity to Medium
-
-
Removed an old Informational BIOC:
-
Commonly-abused AutoIT script drops an executable file to disk (267a6168-f45b-4274-9c78-7519395f47d4) - removed an old Informational alert
-
-
Added a new Informational Analytics BIOC:
-
Commonly-abused AutoIT script drops an executable file to disk (267a6168-f45b-4274-9c78-7519395f47d4) - added a new Informational alert
-
January 24, 2021 Release:
- Increased the severity to High for 4 BIOCs:
- LOLBIN created a PowerShell script file (5cbee940-dfad-11ea-b820-faffc26aac4a) - increased the severity to High, and improved detection logic
- Editing ld.so.preload for persistence and injection (9cb193d8-4f01-4c57-b21d-c3211e32fe5e) - increased the severity to High, and improved detection logic
- Suspicious debug file created in a temporary folder (887e00c4-ec12-4490-b9bc-0db49a010fba) - increased the severity to High, and improved detection logic
- Suspicious executable created in .NET directory (5bc9ba00-d590-11ea-ba6f-faffc26aac4a) - increased the severity to High
- Removed an old High BIOC:
- Debug.bin file dropped to Temp folder (5b161cc7-20d1-11ea-bf45-8c8590c9ccd1) - removed an old High alert
- Increased the severity to Medium for 9 BIOCs:
- Office process creates an unusual .LNK file (fc55f1f8-f1e7-11ea-84f5-faffc26aac4a) - increased the severity to Medium
- Autorun.inf created in root C:\ drive (43fea42c-fbca-4e68-8f4b-7956f4397671) - increased the severity to Medium
- Rundll32.exe spawns conhost.exe (9606ea78-dbef-11ea-b978-faffc26aac4a) - increased the severity to Medium, and improved detection logic
- Virtual Directory configuration access via PowerShell (4920f289-67f2-482a-9320-a4532ca12845) - increased the severity to Medium
- Suspicious .NET process loads an MSBuild DLL (5ed99c87-daf2-11ea-93df-faffc26aac4a) - increased the severity to Medium, and improved detection logic
- Possible Persistence via group policy Registry keys (21ff020b-270f-4579-90ca-9d14638d4c46) - increased the severity to Medium, and improved detection logic
- Suspicious DLL load using Control.exe (68db2d19-082e-4703-8008-b5938298a910) - increased the severity to Medium, and improved detection logic
- Credential Vault command-line access (e57fdcf6-5bbf-46b7-a697-83042df49c5a) - increased the severity to Medium
- Rundll32.exe with 'main' as EntryPoint (7f5b7042-dca4-11ea-81aa-faffc26aac4a) - increased the severity to Medium
- Added 2 new Medium Analytics BIOCs:
- LOLBIN spawned by an Office executable connected to a rare external host (0aad6094-99a3-11ea-8544-88e9fe502c1f) - added a new Medium alert
- Remote command execution via wmic.exe (f42fdaa8-4685-11ea-94be-88e9fe502c1f) - added a new Medium alert
- Improved logic of 2 Medium Analytics BIOCs:
- Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
- SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
- Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
- Increased the severity to Low for 7 BIOCs:
- Suspicious .NET process spawns csc.exe (993f8e66-d59d-11ea-a6c7-faffc26aac4a) - increased the severity to Low, and improved detection logic
- Injection into rundll32.exe (0c0a80af-06ff-4a10-b555-67e56ecbd410) - increased the severity to Low, and improved detection logic
- System information discovery via psinfo.exe (9eafe6a7-b0fa-4f85-867f-8ef01412e124) - increased the severity to Low, and improved detection logic
- Suspicious lock screen image file written to disk (7b6d6987-2aa8-4b85-a9d4-d7708a7d15da) - increased the severity to Low, and improved detection logic
- Suspicious printer driver installation (f21127cf-cf34-11ea-b1bd-acde48001122) - increased the severity to Low, and improved detection logic
- Plink/SSH reverse tunnel (d793d95c-0236-11eb-9597-faffc26aac4a) - increased the severity to Low, and improved detection logic
- Suspicious AMSI DLL load location (f332b6ef-ac49-484c-9258-d6396650912a) - increased the severity to Low
- Added 4 new Low Analytics BIOCs:
- Suspicious RunOnce Parent Process (565f0500-ad74-11ea-abe7-acde48001122) - added a new Low alert
- Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - added a new Low alert
- Rare Unsigned Process Spawned by Office Process Under Suspicious Directory (dff03970-bf7a-11ea-86c7-acde48001122) - added a new Low alert
- Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - added a new Low alert
- Added 3 new Informational BIOCs:
- Remote wmiexec execution (070094f8-87c3-47c4-92c8-82bcad12116f) - added a new Informational alert
- Service execution via sc.exe (a1c6c171-005c-403b-a60b-fb85e6ecb81a) - added a new Informational alert
- Security Support Provider (SSP) registered via a registry key (2b72b7fd-5b13-4ff1-ba5b-6b149c76f032) - added a new Informational alert
- Improved logic of 4 Informational BIOCs:
- Modification of NTLM restrictions in the Registry (207bde33-2c02-4aa7-ae4f-e22146b79ba6) - improved logic of an Informational BIOCs
- Suspicious SDB file written to disk (cb9bd832-3391-4501-8ed3-95c56a7c3d08) - improved logic of an Informational BIOCs
- Wget connection to an external network (5e1b87b5-e0db-4ff9-9901-ed73a5190322) - improved logic of an Informational BIOCs
- Print spooler set to load new DLL on boot (87bff3b7-1bdb-4e2d-8bea-36bfb0a5da11) - improved logic of an Informational BIOCs
- Added a new Informational Analytics BIOC:
- Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - added a new Informational alert
January 18, 2021 Release:
- Improved logic of a Medium BIOC:
- Unsigned process injecting into a Windows system binary with no command line (0c0a801f-06ff-4a10-b555-67e5aecbd410) - improved logic of a Medium BIOC
- Added 2 new Informational BIOCs:
- Possible reverse SSH tunnel (7314accf-0f4a-4c08-a33c-f894fdd01e44) - added a new Informational alert
- Gost Tunnel tool in the Command String (e88e4718-9211-4365-8700-103f86a39573) - added a new Informational alert
January 10, 2021 Release:
- Improved logic of a Medium BIOC:
- Unsigned process injecting into a Windows system binary with no command line (0c0a801f-06ff-4a10-b555-67e5aecbd410) - improved logic of a Medium BIOC
- Improved logic of a Medium Analytics BIOC:
- WmiPrvSe.exe Rare Child Process (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
- Changed metadata of 2 Low BIOCs:
- Accessing bash history file (cb05480f-17d8-4138-9902-f0f9fb50b671) - changed metadata of a Low BIOCs
- Accessing bash history file using bash commands (cb05480f-17d8-4138-9992-f0f9fb50b671) - changed metadata of a Low BIOCs
- Changed metadata of 4 Informational BIOCs:
- System package enumeration (50dd2a0c-114b-11eb-a1fc-faffc26aac4a) - changed metadata of an Informational BIOCs
- Screen capture via command-line tool (593bc5d9-8bdf-482a-8d84-34b6045cf4d8) - changed metadata of an Informational BIOCs
- OS information listing via distro version file (3a85fbc4-a63f-4e0d-8c06-af22383db482) - changed metadata of an Informational BIOCs
- Collect network configuration (7b65214c-ed03-11ea-bd53-faffc26aac4a) - changed metadata of an Informational BIOCs
December 29, 2020 Release:
- Increased the severity to Medium for an Analytics Alert:
- Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - increased the severity to Medium
- Improved logic of a Medium Analytics Alert:
- Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - improved logic of a Medium Analytics Alert
- Added 2 new Low Analytics BIOCs:
- Domain federation settings have been modified (050d189d-714a-46a0-b25d-2b295afd55b6) - added a new Low alert
- Unverified domain added to Azure AD (e4672ba4-6ba8-426c-82c1-9858f97a4221) - added a new Low alert
- Improved logic of a Low Analytics Alert:
- Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - improved logic of a Low Analytics Alert
- Changed metadata of 3 Low Analytics Alerts:
- High Connection Rate (bce7d695-69c6-4a03-a728-0254fd22c116) - changed metadata of a Low Analytics Alerts
- New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - changed metadata of a Low Analytics Alerts
- Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alerts
- Added 4 new Informational BIOCs:
- Virtual Directory configuration access via PowerShell (4920f289-67f2-482a-9320-a4532ca12845) - added a new Informational alert
- ADFind queries Active Directory for Exchange groups (f623125f-b4e5-4e47-a5be-8fa788e7bb05) - added a new Informational alert
- PowerShell dumps users and roles from Exchange server (01ac823a-d1fc-4621-8bce-cb78d1dc83a0) - added a new Informational alert
- Malicious NetSetupSvc.dll loaded into svchost.exe (495195f9-3947-4fc7-913b-6e84fc937730) - added a new Informational alert
December 17, 2020 Release:
- Added 2 new High BIOCs:
- SunBurst domain access (9cd4bdd1-939a-4dce-a466-752843bf5f41) - added a new High alert
- SunBurst Module loaded (89308c56-40e9-43d4-8f0a-1c7f018a15d4) - added a new High alert
- Improved logic of 2 Informational BIOCs:
- Disabling Windows Defender via Registry (d18483d3-1e7c-48cc-b1d9-6e1ab8592667) - improved logic of an Informational BIOCs
- Ping to a known external IP address (61079392-db2f-4b7a-b7f8-b87562137f73) - improved logic of an Informational BIOCs
December 13, 2020 Release:
- Improved logic of a Medium BIOC:
- Microsoft Office injects code into a process (17b8c759-512d-4c13-9fe4-71dcdeb97c29) - improved logic of a Medium BIOC
- Improved logic of 2 Medium Analytics Alerts:
- Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) - improved logic of a Medium Analytics Alerts
- DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - improved logic of a Medium Analytics Alerts
- Improved logic of 2 Low Analytics BIOCs:
- Uncommon local scheduled task creation via schtasks.exe (8581c273-e953-11e9-b670-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs
- Recurring Rare IP Access (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of a Low Analytics BIOCs
- Improved logic of 4 Low Analytics Alerts:
- Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts
- Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - improved logic of a Low Analytics Alerts
- Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alerts
- Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts
- Added a new Informational BIOC:
- EventLog service disabled by a Registry operation (b7c919b6-b653-49c6-bd20-2441160ec75e) - added a new Informational alert
- Improved logic of an Informational Analytics Alert:
- Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of an Informational Analytics Alert
December 1, 2020 Release:
- Improved logic of a Medium BIOC:
- Rundll32.exe running with no command-line arguments (0c0a801a-06ff-4a10-b555-67e56ecbd410) - improved logic of a Medium BIOC
- Improved logic of 2 Medium Analytics BIOCs:
- SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
- Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
- Improved logic of a Low Analytics BIOC:
- Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - improved logic of a Low Analytics BIOC
November 22, 2020 Release:
- Improved logic of 3 Low Analytics MultiEvents:
- High Connection Rate (bce7d695-69c6-4a03-a728-0254fd22c116) - improved logic of a Low Analytics MultiEvents
- Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics MultiEvents
- Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics MultiEvents
November 8, 2020 Release:
- Added a new Informational BIOC:
- Lsmod execution (9e13baeb-f82d-11ea-a61b-faffc26aac4a) - added a new Informational alert
- Improved logic of a Medium BIOC:
- Script file added to startup-related Registry keys (1db69ccd-b068-40b1-aeec-ce987021cdfc) - improved logic of a Medium BIOC
- Changed metadata of 4 High BIOCs:
- Memory dumping with comsvcs.dll (9873cd8b-2220-4384-a99f-712ad0ccfb45) - changed metadata of a High BIOC
- Possible LSASS memory dump (b744a41d-1ee9-4d09-908e-cf3fdc27fa4c) - changed metadata of a High BIOCs
- Pubprn.vbs signed script proxy execution (8d113cec-90be-4b24-856a-6f6c091e7510) - changed metadata of a High BIOCs
- Bitsadmin.exe used to upload data (6ba957eb-d63e-4cee-99aa-89e21ef3acc8) - changed metadata of a High BIOCs
- Changed metadata of 10 Medium BIOCs:
- Bypass UAC using the control.exe Registry key (263c2cfb-e511-446e-8263-14d0a985b445) - changed metadata of a Medium BIOCs
- WSReset.exe UAC bypass (c07d1939-f759-4b5e-905a-fdd777ac3fda) - changed metadata of a Medium BIOCs
- Manipulation of the MonitorProcess Registry key (36a92409-c69e-45fa-a206-5c6058d3d48a) - changed metadata of a Medium BIOCs
- Possible UAC bypass via Event Viewer (55644e90-38b9-4233-aa11-eefe85561184) - changed metadata of a Medium BIOCs
- Binary file being created to disk with a double extension (3a461861-7d8b-4a7c-8265-cb05f4fa0dd8) - changed metadata of a Medium BIOCs
- Credential dumping via pwdumpx.exe (8e3f6394-1633-47c9-8ca8-63b5c0187983) - changed metadata of a Medium BIOCs
- UAC bypass using the changepk.exe Registry key (8abd3382-cf28-4906-b379-a3976dc0cd21) - changed metadata of a Medium BIOCs
- Procdump executed from an atypical directory (e8338494-20af-11ea-bbde-8c8590c9ccd1) - changed metadata of a Medium BIOCs
- Fodhelper.exe UAC bypass (448f8a2e-eaf9-4ff7-ab84-5a582e837dfc) - changed metadata of a Medium BIOCs
- Suspicious process spawns MSBuild.exe (681dab98-d443-4327-9fd3-5f5bd33a3adb) - changed metadata of a Medium BIOCs
- Changed metadata of 6 Low BIOCs:
- Manipulation of MMC Registry configuration (6b29c2d9-4675-426c-b5f2-67f93c5c0ac4) - changed metadata of a Low BIOCs
- Windows Firewall disabled via Registry (31796d2e-08a9-4047-8f37-3a0c2aad8f67) - changed metadata of a Low BIOCs
- Windows Firewall notifications disabled via Registry (31796d2e-08a9-4047-8f37-3a0c2aa11702) - changed metadata of a Low BIOCs
- Persistence using cron jobs (3a73f6c2-ce9a-4eca-a4b5-a62a8e548319) - changed metadata of a Low BIOCs
- Bash creating network traffic (8bbc8c26-45dd-436c-9d89-98f76164daee) - changed metadata of a Low BIOCs
- Remote process execution using WMI (5bab2bb9-882a-4101-ace1-700f84171a52) - changed metadata of a Low BIOCs
- Changed metadata of 26 Informational BIOCs:
- Editing ld.so.preload for persistence and injection (9cb193d8-4f01-4c57-b21d-c3211e32fe5e) - changed metadata of an Informational BIOCs
- Bypass UAC using the IsolatedCommand Registry value (888395ea-2630-404e-a30c-c1ae4e352631) - changed metadata of an Informational BIOCs
- Autorun.inf created in root C:\ drive (43fea42c-fbca-4e68-8f4b-7956f4397671) - changed metadata of an Informational BIOCs
- Enumeration of services via WMIC (3654c173-14e9-11ea-8723-88e9fe502c1f) - changed metadata of an Informational BIOCs
- Modification of SSH authorized keys (7f5acbc4-8574-4cd6-aeb5-411c21e38a41) - changed metadata of an Informational BIOCs
- Manipulation of service imagepath configuration (73001df6-ff14-44d5-a2ed-08804880b46c) - changed metadata of an Informational BIOCs
- Accessibility tool 'Debugger' Registry key created (47b4051d-2e74-46a5-ad41-35302a8fdef7) - changed metadata of an Informational BIOCs
- Unusual process spawned by changepk.exe (b81c79bc-3781-4657-af0d-4bc49856332b) - changed metadata of an Informational BIOCs
- Sudoers discovery (2ed43b35-f9ca-4df4-a796-c5e88da0ed3a) - changed metadata of an Informational BIOCs
- Bypassing Windows UAC using sysprep (dbefa4ae-3797-11ea-a926-f218983c2a51) - changed metadata of an Informational BIOCs
- User added to local administrator group using net.exe command (8cb7771f-5f9e-4450-9a8a-fb5d6083fd05) - changed metadata of an Informational BIOCs
- Tampering with the Windows User Account Controls (UAC) configuration (8efda7b1-30fe-49c7-b2b9-9c17f43bc951) - changed metadata of an Informational BIOCs
- PsExec attempts to execute a command on a remote host (5863cb1a-598f-49b1-b4a9-a444f70e596e) - changed metadata of an Informational BIOCs
- Manipulation of Winlogon 'Notify' autostart Registry key (27dbcdd3-08d3-4859-ae8e-e6caef1f17ab) - changed metadata of an Informational BIOCs
- WMIC enumerates running processes (8b916e98-5122-4a50-a8cc-b0207d5f5c28) - changed metadata of an Informational BIOCs
- Suspicious .NET process loads an MSBuild DLL (5ed99c87-daf2-11ea-93df-faffc26aac4a) - changed metadata of an Informational BIOCs
- Scripting engine called to run in the command line (7e274c6d-e617-4b92-b13f-f27b882932eb) - changed metadata of an Informational BIOCs
- Manipulation of permissions for the Application Event Log (6a8acb51-2331-4384-a247-a27cc9f12c84) - changed metadata of an Informational BIOCs
- MSBuild execution (7f046414-e0c3-11ea-9d8b-faffc26aac4a) - changed metadata of an Informational BIOCs
- Interactive at.exe privilege escalation method (0b41de4f-7d6e-4969-8636-56a98e2b6533) - changed metadata of an Informational BIOCs
- MacOS firewall manipulation (d445a34f-07c3-11eb-82a7-faffc26aac4a) - changed metadata of an Informational BIOCs
- Suspicious DLL load using Control.exe (68db2d19-082e-4703-8008-b5938298a910) - changed metadata of an Informational BIOCs
- PowerShell runs base64-encoded commands (50e811bd-49bc-47cb-bffc-4daf4c844d26) - changed metadata of an Informational BIOCs
- Windows Firewall policy edited via Registry (31796d2e-08a9-4047-8f37-3a0c2aa11703) - changed metadata of an Informational BIOCs
- Tampering with Windows Control Panel configuration (2ba4c53b-03de-4a34-92ec-225cfe1fe0b4) - changed metadata of an Informational BIOCs
- Collect Linux network configuration via bash (7b65214c-ed03-11ea-bd53-faffc26aac4a) - changed metadata of an Informational BIOCs
- Removed an old Low BIOC:
- Discovery of host users via WMIC (6593c57d-14fe-11ea-9297-88e9fe502c1f) - removed an old Low alert
September 14, 2020 Release:
- Increased the severity to medium for a BIOC rule:
- Rundll32.exe launches an executable using ordinal numbers argument (421619b8-a26b-476a-b2e4-3c24ee33a4b0) - increased the severity to medium, and improved detection logic
- Added 5 new informational BIOC rules:
- Permissive file privileges were granted (1fc409f0-ec4e-11ea-829b-faffc26aac4a) - added a new informational alert
- Modifying ELF file capabilities via setcap (55ed9751-ec6d-11ea-a1c2-faffc26aac4a) - added a new informational alert
- Space after filename creation (5a1902e6-ec6b-11ea-843f-faffc26aac4a) - added a new informational alert
- Collect Linux network configuration via bash (7b65214c-ed03-11ea-bd53-faffc26aac4a) - added a new informational alert
- Write to /etc/hosts file (7cf74026-ec6a-11ea-9593-faffc26aac4a) - added a new informational alert
August 30, 2020 Release:
- Improved detection logic for a medium-severity BIOC rule:
- Windows certificate management tool makes a network connection (0179177f-e5ec-4101-a238-c0372b239afb) - improved detection logic
- Possible network connection to a TOR relay server (996c74f1-f154-466a-8f93-154a43c6fb90) - improved detection logic
- Improved detection logic for a low-severity BIOC rule:
- MSBuild.exe makes a network connection (bb459bb4-e864-4008-a12a-10ed4df3d753) - improved detection logic
August 23, 2020 Release:
- Improved detection logic for a medium-severity BIOC rule:
- Script file added to startup-related Registry keys (1db69ccd-b068-40b1-aeec-ce987021cdfc) - changed metadata, and improved detection logic
- Improved detection logic for a low-severity BIOC rule:
- Image File Execution Options Registry key injection by unsigned process (98430360-5b37-465e-acd6-bafa9325110c) - changed metadata, and improved detection logic
- Added 12 new informational BIOC rules:
- Rundll32.exe spawns conhost.exe (9606ea78-dbef-11ea-b978-faffc26aac4a) - added a new informational alert
- Certutil execution (ffe4d5cc-e0c2-11ea-84ba-faffc26aac4a) - added a new informational alert
- Non-PowerShell process accessed the PowerShell history file (5ea6cb9c-dfc3-11ea-94f1-faffc26aac4a) - added a new informational alert
- Suspicious executable created in .NET directory (5bc9ba00-d590-11ea-ba6f-faffc26aac4a) - added a new informational alert
- Shim database registration via Registry (746eabe1-e0c3-11ea-88e5-faffc26aac4a) - added a new informational alert
- MSBuild execution (7f046414-e0c3-11ea-9d8b-faffc26aac4a) - added a new informational alert
- Wscript.exe execution (5b9151cc-e0c3-11ea-8c4b-faffc26aac4a) - added a new informational alert
- LOLBIN created a PowerShell script file (5cbee940-dfad-11ea-b820-faffc26aac4a) - added a new informational alert
- Suspicious .NET process loads an MSBuild DLL (5ed99c87-daf2-11ea-93df-faffc26aac4a) - added a new informational alert
- Shim database file access (69db2597-e0c3-11ea-b0e2-faffc26aac4a) - added a new informational alert
- Rundll32.exe with 'main' as EntryPoint (7f5b7042-dca4-11ea-81aa-faffc26aac4a) - added a new informational alert
- Suspicious lock screen image file written to disk (7b6d6987-2aa8-4b85-a9d4-d7708a7d15da) - added a new informational alert
- Decreased the severity to informational for 2 BIOC rules:
- Possible network service discovery via command-line tool (d2f959f3-d463-4d73-92bf-4c3664a5d956) - decreased the severity to informational
- PsExec execution EulaAccepted flag added to the Registry (076f18f5-7b94-45ec-b880-bf3827ae53de) - changed metadata, decreased the severity to informational, and improved detection logic
August 16, 2020 Release:
- Improved detection logic for a medium-severity BIOC rule:
- Tampering with Internet Explorer Protected Mode configuration (2875c302-c815-468d-ac43-a56bba89bfe2) - improved detection logic, and changed metadata
- Added a new informational BIOC rule:
- Suspicious .NET process spawns csc.exe (993f8e66-d59d-11ea-a6c7-faffc26aac4a) - added a new informational alert
August 09, 2020 Release:
- Improved detection logic for a medium-severity BIOC rule:
- Executable created to disk by lsass.exe (8d61c71e-3224-453f-aa1a-28de92d85b13) - improved detection logic
August 02, 2020 Release:
- Increased the severity to high for a BIOC rule:
- Encoded VBScript executed (b38b98bc-e2d4-4719-b863-d9142bf8d647) - changed metadata, and increased the severity to high
- Increased the severity to medium for 2 BIOC rules:
- Office process creates a scheduled task via file access (b97e91dc-7ca9-4e77-a595-e214eb462f27) - increased the severity to medium, and improved detection logic
- Manipulation of the MonitorProcess Registry key (36a92409-c69e-45fa-a206-5c6058d3d48a) - changed metadata, increased the severity to medium, and improved detection logic
- Increased the severity to low for 3 BIOC rules:
- MSBuild.exe makes a network connection (bb459bb4-e864-4008-a12a-10ed4df3d753) - changed metadata, increased the severity to low, and improved detection logic
- Built-in SoundRecorder tool capturing audio (d9d22a46-efbf-4d97-9e2b-625e1d6fcc91) - increased the severity to low, and improved detection logic
- Permission groups discovery via ldapsearch (c72123f7-2612-4797-a919-3ab9511fd5e6) - changed metadata, increased the severity to low, and improved detection logic
- Added 2 new informational BIOC rules:
- Suspicious printer port creation via Registry (20acf754-7deb-4732-b6f6-56bc88b618db) - added a new informational alert
- Suspicious printer driver installation (f21127cf-cf34-11ea-b1bd-acde48001122) - added a new informational alert
July 26, 2020 Release:
- Increased the severity to high for 3 BIOC rules:
- Memory dumping with comsvcs.dll (9873cd8b-2220-4384-a99f-712ad0ccfb45) - increased the severity to high, and changed metadata
- Possible LSASS memory dump (b744a41d-1ee9-4d09-908e-cf3fdc27fa4c) - increased the severity to high, and improved detection logic
- Regsvr32 may have run code from an untrusted source (41fe171e-5b79-4b15-a3c1-18f015dddd38) - increased the severity to high, changed metadata, and improved detection logic
- Increased the severity to medium for 6 BIOC rules:
- Windows event logs cleared using wmic.exe (7316c8d9-07d8-40aa-b074-b452bc3d355c) - increased the severity to medium, and changed metadata
- Suspicious execution of ODBCConf (f35fb52f-f2a8-4568-b2f4-660910109efb) - increased the severity to medium
- Suspicious certutil command line (bcf4cd6b-1e7f-4b2c-b538-24dacd1a0421) - increased the severity to medium
- Suspicious SearchProtocolHost.exe parent process (6e717721-732f-44e3-b826-602ae8bb6b67) - increased the severity to medium, changed metadata, and improved detection logic
- UAC bypass using the changepk.exe Registry key (8abd3382-cf28-4906-b379-a3976dc0cd21) - increased the severity to medium, and changed metadata
- MSI accessed a web page running a server-side script (d24d3083-703e-4216-b248-eb6fa7cefc85) - increased the severity to medium, and improved detection logic
- Increased the severity to low for 2 BIOC rules:
- Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - increased the severity to low, and improved detection logic
- Discovery of host users via WMIC (6593c57d-14fe-11ea-9297-88e9fe502c1f) - increased the severity to low, changed metadata, and improved detection logic
- Decreased the severity to informational for a BIOC rule:
- Reading .ssh files (cb05480f-17d8-4138-9905-f0f9fb50b671) - decreased the severity to informational
- Added 2 new informational BIOC rules:
- Suspicious process loads AMSI DLL (d0ce0ecf-50f0-4dff-83f0-8bdc6b5d8dbd) - added a new informational alert
- Suspicious AMSI DLL load location (f332b6ef-ac49-484c-9258-d6396650912a) - added a new informational alert
- Improved detection logic for an informational BIOC rule:
- Windows PowerShell Logging being disabled via Registry (a649172a-7c6a-4a14-8022-b8d53f9d9ad6) - changed metadata, and improved detection logic
- Modification of the Winlogon\Shell Registry key (0d390f7f-d8bb-4803-8b1d-ca41d54ad600) - changed metadata, and improved detection logic
- Removed a BIOC rule:
- Manipulation of Winlogon 'Shell' autostart Registry key (f111b9b1-f9f6-464f-91a0-52abd2c5f797) - removed
July 19, 2020 Release:
- Increased the severity to high for a BIOC rule:
- Microsoft Office process spawns conhost.exe (1dd1585b-632f-48f0-8eea-637a9e5e4fc7) - increased the severity to high
- Increased the severity to medium for 5 BIOC rules:
- Suspicious .NET log file created (dd318916-3d0a-4801-aa0b-78f9b94d0323) - changed metadata, increased the severity to medium, and improved detection logic
- Office process spawned with suspicious command-line arguments (29f7499b-2464-479d-9e49-10911bc02945) - increased the severity to medium, and improved detection logic
- Microsoft Office injects code into a process (17b8c759-512d-4c13-9fe4-71dcdeb97c29) - changed metadata, increased the severity to medium, and improved detection logic
- Microsoft Office adds a value to autostart Registry key (db0da9c7-b7b6-43ab-a53b-5854b6da9ce5) - changed metadata, increased the severity to medium, and improved detection logic
- Conhost.exe spawned a suspicious child process (d9d0dfed-fdc3-4488-9e1b-5ca3eea82bee) - changed metadata, increased the severity to medium, and improved detection logic
- Increased the severity to low for a BIOC rule:
- Microsoft Office executes an unsigned process in a suspicious directory (e1befc42-a6f8-403f-94db-2bb4d0e70439) - changed metadata, increased the severity to low, and improved detection logic
- Added 4 new informational BIOC rules:
- Connection to a TOR anonymization proxy (a009535f-54b4-4d38-9ee7-5ea0f7431c4e) - added a new informational alert
- Enumeration of Windows services from public IP addresses (e98b5d62-69cf-4c62-b3de-7636f669fd3d) - added a new informational alert
- Unsigned process loads a known PowerShell DLL (447fc1fe-4ff7-4668-a6c0-4ff929469234) - added a new informational alert
- Office process loads a known PowerShell DLL (a088c900-5a69-4230-81c2-eb583abaa54a) - added a new informational alert
July 12, 2020 Release:
- Increased the severity to medium for a BIOC rule:
- Suspicious process spawns MSBuild.exe (681dab98-d443-4327-9fd3-5f5bd33a3adb) - changed metadata, and increased the severity to medium
- Added 5 new informational BIOC rules:
- LOLBAS access to database service (c115727b-a1c7-4909-88d0-e6ae866a0e7a) - added a new informational alert
- Suspicious setspn.exe execution (09939895-1ee6-468c-9588-61a3e2d57124) - added a new informational alert
- WebDAV connection to internet (e29a5545-68c2-4019-b72c-0b54345f0914) - added a new informational alert
- BitTorrent P2P file sharing (e0879f94-a9c9-42b0-9eb7-0aa038f89dac) - added a new informational alert
- Autorun.inf created in root C:\ drive (43fea42c-fbca-4e68-8f4b-7956f4397671) - added a new informational alert
- Improved detection logic for 2 informational BIOC rules:
- Suspicious runonce.exe parent process (029129fa-20ad-11ea-b86e-8c8590c9ccd1) - improved detection logic
- Manipulation of 'BootExecute' Registry run key (68136813-901d-411a-b2e8-48bcf22af1ec) - changed metadata, and improved detection logic
- Changed metadata for 8 BIOC rules:
- Command-line creation of TCP stream (cb05480f-17d8-4138-9902-f0f9fb50b673) - changed metadata
- Netcat shell via named pipe (cb05480f-17d8-4138-9902-f0f9fb50b674) - changed metadata
- Cscript.exe connects to an external network (9410a485-491b-42e4-af6c-de4a76e12f0c) - changed metadata
- Wscript.exe connects to an external network (deef10e3-42b1-45fa-a957-9713755fa514) - changed metadata
- Unsigned process executed as a scheduled task (12766be6-50be-4cac-b6a4-6f3b5b8bd8ab) - changed metadata
- New service created via command line (cd9af829-d0ed-4c7f-b8da-6d6d23824562) - changed metadata
- Commonly-abused host process tried to kill a running process (393c5b71-2b2f-4290-be33-752015973161) - changed metadata
- Tampering with the Windows System Restore configuration (710b1aaa-cfdf-42b5-9615-447cedc5e5f0) - changed metadata
June 21, 2020 Release:
- Increased the severity to medium for a BIOC rule:
- Possible UAC bypass via Event Viewer (55644e90-38b9-4233-aa11-eefe85561184) - increased the severity to medium, improved detection logic, and changed metadata
- Improved detection logic for a low-severity BIOC rule:
- Reading .ssh files (cb05480f-17d8-4138-9905-f0f9fb50b671) - improved detection logic, and changed metadata
- Added 6 new informational BIOC rules:
- Manipulation of the 'SilentProcessExit' Registry key (36a92409-c69e-45fa-a206-5c6058d3d48a) - added a new informational alert
- Creation of a new Microsoft Office default template (3272b10a-d3f1-4bef-82c6-4502eab0eaef) - added a new informational alert
- Office process creates a scheduled task via file access (b97e91dc-7ca9-4e77-a595-e214eb462f27) - added a new informational alert
- WptsExtensions.dll created to disk (4cde444e-aa7f-4f1a-8c75-855c3c9e50e9) - added a new informational alert
- Office process spawned with suspicious command-line arguments (29f7499b-2464-479d-9e49-10911bc02945) - added a new informational alert
- Windows Security audit Log was cleared (afc6329f-ccec-4c56-963d-5da63bb8a27d) - added a new informational alert
- Improved detection logic for an informational BIOC rule:
- Encrypted zip archive creation (88836a02-95e6-47d1-a619-90a2de0165ff) - improved detection logic, and changed metadata
- Unsigned process creates a scheduled task via file access (116a3cfb-2fd3-4d99-800b-e93fe158b211) - improved detection logic, and changed metadata
June 7, 2020 Release:
- Added 17 new informational BIOC rules:
- Microsoft Office process spawns conhost.exe (1dd1585b-632f-48f0-8eea-637a9e5e4fc7) - added a new informational alert
- Possible C2 via dnscat2 (f9127d2b-3bf1-4d30-9258-d4d4aa0ebbb0) - added a new informational alert
- Possible user enumeration via finger (84b6d1e8-812a-4ac7-a977-b88f26d32342) - added a new informational alert
- Conhost.exe spawned a suspicious child process (d9d0dfed-fdc3-4488-9e1b-5ca3eea82bee) - added a new informational alert
- Possible Oracle enumeration via tnscmd10g (2cb88b29-27c2-484b-be99-60158b575cf1) - added a new informational alert
- Execution of Fsociety tool pack (9a5b28a6-0a67-4386-9707-e7e4f1791c8a) - added a new informational alert
- Suspicious execution of ODBCConf (f35fb52f-f2a8-4568-b2f4-660910109efb) - added a new informational alert
- UDP protocol scanner execution (d985da58-a4c5-4063-984b-357c80021aa1) - added a new informational alert
- SMB enumeration via command-line tool (a8480241-6aa6-43d1-aae2-a53b22220b1d) - added a new informational alert
- Execution of a password brute-force tool (5271e598-1eca-4abb-8f96-803e7674ff61) - added a new informational alert
- DNS reconnaissance or enumeration via DNSRecon (58ee2732-5c4e-468c-a878-4a524d8d5f81) - added a new informational alert
- Credential dumping via LaZagne (928b756c-8328-4dd8-9b41-5461d590589f) - added a new informational alert
- Rundll32 loads a known abused DLL (340fd5f7-7a5c-4c6e-8b54-9bfce08bd2a3) - added a new informational alert
- Unusual process spawned by changepk.exe (b81c79bc-3781-4657-af0d-4bc49856332b) - added a new informational alert
- Permission groups discovery via ldapsearch (c72123f7-2612-4797-a919-3ab9511fd5e6) - added a new informational alert
- Possible Oracle enumeration via Oscanner (81714e7d-a315-11ea-baaf-acde48001122) - added a new informational alert
- Possible ARP reconnaissance via netdiscover (304eb4e4-1052-416e-8a13-1222a61bc672) - added a new informational alert
- Improved detection logic for 2 high-severity BIOC rules:
- Netcat makes or gets connections (44bf3d02-3081-4222-814f-6d47958c502a) - improved detection logic
- Wbadmin.exe deletes recovery files in quiet mode (24be0d84-2203-4d60-a1f0-39e4f80eee3a) - improved detection logic, and changed metadata
- Improved detection logic for 4 medium-severity BIOC rules:
- Executable created to disk by lsass.exe (8d61c71e-3224-453f-aa1a-28de92d85b13) - improved detection logic, and changed metadata
- Regsvr32 possibly downloading code from a remote host (a5ee0040-949c-4a4f-a5b8-dd5c079f9ba0) - improved detection logic
- Windows certificate management tool makes a network connection (0179177f-e5ec-4101-a238-c0372b239afb) - improved detection logic
- Compiled HTML (help file) writes a script file to disk (122e2d05-593a-4739-b498-6c5252c0dc00) - improved detection logic, and changed metadata
- Improved detection logic for a low-severity BIOC rule:
- Notepad process makes a network connection (558de43f-e8ff-4222-bb82-4419868088cd) - improved detection logic, and changed metadata
- Improved detection logic for 9 informational BIOC rules:
- Commonly abused process launches as a system service (3a426a71-9c12-4146-a916-c2db387280ed) - improved detection logic, and changed metadata
- Unsigned process makes connections over DNS ports (99470a0e-c311-42a1-872f-74fde3326794) - improved detection logic, and changed metadata
- Compiled HTML (help file) makes network connections (858a4ed7-36c4-4c43-9bff-d142f300035d) - improved detection logic, and changed metadata
- Scripting engine makes connections over DNS ports (b3779123-e79d-43b5-b1f5-2fb41093afef) - improved detection logic, and changed metadata
- Dllhost.exe makes network connections (d4b8bd1d-f1fb-4fde-9547-33494049c44a) - improved detection logic, and changed metadata
- Suspicious runonce.exe parent process (029129fa-20ad-11ea-b86e-8c8590c9ccd1) - improved detection logic, and changed metadata
- Unsigned process executed as a scheduled task (12766be6-50be-4cac-b6a4-6f3b5b8bd8ab) - improved detection logic, and changed metadata
- Outlook data files accessed by an unsigned process (ea7088cd-90e4-4750-b65c-61743e3c4bb3) - improved detection logic
- Suspicious DLL load using Control.exe (68db2d19-082e-4703-8008-b5938298a910) - improved detection logic, and changed metadata
May 31, 2020 Release
- Improved detection logic for a high-severity BIOC rule:
- Suspicious access to NTDS.dit (eeeee3a5-a22f-4850-8022-17684a8c5227) - improved detection logic
May 24, 2020 Release
- Improved detection logic for 3 medium-severity BIOC rules:
- Process runs with a double extension (f8890ac0-dc0b-4bd2-915f-932145147d73) - improved detection logic, and changed metadata
- Rundll32.exe running with no command-line arguments (0c0a801a-06ff-4a10-b555-67e56ecbd410) - improved detection logic, and changed metadata
- LOLBAS executable injects into another process (c8ad0223-2018-11ea-a080-8c8590c9ccd1) - improved detection logic
- Added 5 new informational BIOC rules:
- Fontdrvhost.exe makes network connections (7d43a35a-d5f1-4d00-b755-3e62db2e70db) - added a new informational alert
- Unusual process spawned by fontdrvhost.exe (3e6054cf-8ba3-4550-ba4f-9308a537342f) - added a new informational alert
- Rundll32.exe launches an executable using ordinal numbers argument (421619b8-a26b-476a-b2e4-3c24ee33a4b0) - added a new informational alert
- Suspicious debug file created in a temporary folder (887e00c4-ec12-4490-b9bc-0db49a010fba) - added a new informational alert
- Bypass UAC using the changepk.exe Registry key (8abd3382-cf28-4906-b379-a3976dc0cd21) - added a new informational alert
- Changed metadata for a BIOC rule:
- Psexesvc.exe executes a command from a remote host (ced869bc-88ee-4c67-a6d9-92002800403a) - changed metadata
May 17, 2020 Release
- Increased the severity to medium for 2 BIOC rules:
- WSReset.exe UAC bypass (c07d1939-f759-4b5e-905a-fdd777ac3fda) - increased the severity to medium
- Rundll32.exe used to run JavaScript (b6315a3-e1cd-4bfb-baa7-5609cd7f8756) - increased the severity to medium
- Improved detection logic for a medium-severity BIOC rule:
- Image File Execution Options Registry key injection by scripting engine (f8ea70da-4bbd-44a7-9b32-0abc809dd2be) - improved detection logic
- Scripting engine injects code to a process (1f985402-f4a4-4132-b74b-18a04a3620cd) - improved detection logic
- Manipulation of Google Chrome extensions via Registry (5adc7a1b-c840-43fc-ac65-c1b6cdb5ca12) - improved detection logic
- Executable moved to Windows system folder (045190df-f5ab-491a-b214-199dc17f9e3b) - improved detection logic
- Manipulation of Firefox plugins and extensions via Registry (98a1a1e1-5b03-4aa4-95ce-77ef7a52e600) - improved detection logic
- Improved detection logic for a low-severity BIOC rule:
- Image File Execution Options Registry key injection by unsigned process (98430360-5b37-465e-acd6-bafa9325110c) - improved detection logic
- Added 11 new informational BIOC rules:
- Microsoft Office injects code into a process (17b8c759-512d-4c13-9fe4-71dcdeb97c29) - added a new informational alert
- LOLBAS reading a Windows credential manager file (3155db03-35a0-4341-9415-1c3bff40d3e0) - added a new informational alert
- SmartScreen disabled via Registry (51680cd3-af12-4140-ab98-af8694e36409) - added a new informational alert
- Suspicious process spawns MSBuild.exe (681dab98-d443-4327-9fd3-5f5bd33a3adb) - added a new informational alert
- Suspicious SearchProtocolHost.exe parent process (6e717721-732f-44e3-b826-602ae8bb6b67) - added a new informational alert
- Encoded script running (b38b98bc-e2d4-4719-b863-d9142bf8d647) - added a new informational alert
- MSBuild.exe makes a network connection (bb459bb4-e864-4008-a12a-10ed4df3d753) - added a new informational alert
- Suspicious certutil command line (bcf4cd6b-1e7f-4b2c-b538-24dacd1a0421) - added a new informational alert
- Microsoft Office adds a value to autostart Registry key (db0da9c7-b7b6-43ab-a53b-5854b6da9ce5) - added a new informational alert
- Suspicious .NET log file created (dd318916-3d0a-4801-aa0b-78f9b94d0323) - added a new informational alert
- Microsoft Office executes an unsigned process under a suspicious directory (e1befc42-a6f8-403f-94db-2bb4d0e70439) - added a new informational alert
- Improved detection logic for an informational BIOC rule:
- Unsigned process reads Chromium credentials file (da3cedf6-9fd3-4e00-b2ca-9cedbd8b098a) - improved detection logic, and changed metadata
- Outlook creates an executable file on disk (deafab32-3050-467d-a742-92f6453a152e) - improved detection logic
- Tampering with Windows Security Support Provider DLLs (1396a3ad-1b0a-4ad7-861b-a6a50104952e) - improved detection logic, and changed metadata
May 10, 2020 Release
- Increased the severity to medium for 2 BIOC rules:
- WSReset.exe UAC bypass (c07d1939-f759-4b5e-905a-fdd777ac3fda) - increased the severity to medium
- Rundll32.exe used to run JavaScript (b6315a3-e1cd-4bfb-baa7-5609cd7f8756) - increased the severity to medium
- Added 3 new informational BIOC rules:
- Microsoft Office injects code into a process (17b8c759-512d-4c13-9fe4-71dcdeb97c29) - added a new informational alert
- Encoded script running (b38b98bc-e2d4-4719-b863-d9142bf8d647) - added a new informational alert
- LOLBAS reading a Windows credential manager file (3155db03-35a0-4341-9415-1c3bff40d3e0) - added a new informational alert
May 3, 2020 Release
-
Increased the severity to high for 2 BIOC rules:
-
Rubeus tool execution (be12107d-1056-11ea-874c-8c8590c9ccd1) - changed metadata, and increased the severity to high
-
Pubprn.vbs signed script proxy execution (8d113cec-90be-4b24-856a-6f6c091e7510) - increased the severity to high
-
-
Increased the severity to medium for 2 BIOC rules:
-
Possible network connection to a TOR relay server (996c74f1-f154-466a-8f93-154a43c6fb90) - improved detection logic, and increased the severity to medium
-
AMSI Bypass (7cdcafb1-cc36-4608-87da-eaed966d3c7e) - increased the severity to medium
-
April 26, 2020 Release
-
Increased the severity to medium for 2 BIOC rules:
-
Manipulation of Windows Safe Boot configuration (bf8923ca-bfe8-4cdd-89ac-3b2b7938976c) - increased the severity to medium, changed metadata, and improved detection logic
-
Bypass UAC using the control.exe Registry key (263c2cfb-e511-446e-8263-14d0a985b445) - increased the severity to medium, and changed metadata
-
-
Improved detection logic for a medium-severity BIOC rule:
-
Script file added to startup-related Registry keys (1db69ccd-b068-40b1-aeec-ce987021cdfc) - improved detection logic
-
-
Added 3 new informational BIOC rules:
-
Access to Opera browser credentials file (01de8317-d3e7-4d4b-871f-e86a775a1c1e) - added a new informational alert
-
Memory dumping with comsvcs (9873cd8b-2220-4384-a99f-712ad0ccfb45) - added a new informational alert
-
SyncAppvPublishingServer used to run PowerShell code (a3d1fa93-c193-44d8-a469-a25dd1db7695) - added a new informational alert
-
April 19, 2020 Release
-
Added 3 new informational BIOC rules:
-
Modification of default Windows startup path via Registry (fbacd7dc-f835-436b-9e83-9c20d74732e2) - added a new informational alert
-
Possible Persistence via group policy Registry keys (21ff020b-270f-4579-90ca-9d14638d4c46) - added a new informational alert
-
Password-related Mozilla files were read by a non-Mozilla process (4d52183d-193b-4cca-8e17-d4dcfb5a388c) - added a new informational alert
-
-
Improved detection logic for a medium-severity BIOC rule:
-
Windows certificate management tool makes a network connection (0179177f-e5ec-4101-a238-c0372b239afb) - improved detection logic
-
-
Changed metadata for 8 BIOC rules:
-
Executable file written to a temporary folder (73adac7b-e1c0-47d0-9767-f491e92008eb) - changed metadata
-
Hidden directory creation (d4049817-ff73-460a-b752-21c86c6efdc8) - changed metadata
-
Unsigned process running from a temporary directory (e9d12cc6-69a2-4cce-b58e-4db58b9176cf) - changed metadata
-
DNS resolution to the Palo Alto Networks sinkhole (03347621-15db-11ea-8454-88e9fe502c1f) - changed metadata
-
Cscript.exe connects to an external network (9410a485-491b-42e4-af6c-de4a76e12f0c) - changed metadata
-
PowerShell possibly attempting to execute as administrator (765c164d-7170-4e1c-a463-a5ecf41617dd) - changed metadata
-
Process calls ActiveX Object with a shell command (82485794-7e5b-48da-aacf-926d031b8f62) - changed metadata
-
Process runs from the recycle bin (98134120-eed2-4252-b6d6-d130743018c6) - changed metadata
-
April 12, 2020 Release
-
Increased the severity to medium for a BIOC rule:
-
Script file added to startup-related Registry keys (1db69ccd-b068-40b1-aeec-ce987021cdfc) - improved detection logic, increased the severity to medium, and changed metadata
-
-
Changed metadata for 5 BIOC rules:
-
Manipulation of Windows Safe Boot configuration (bf8923ca-bfe8-4cdd-89ac-3b2b7938976c) - changed metadata
-
Shutdown command issued (6c60836a-382a-460e-9208-4b59f4fc68a9) - changed metadata
-
Manipulation of permissions for the Application Event Log (6a8acb51-2331-4384-a247-a27cc9f12c84) - changed metadata
-
Manipulation of Volume Shadow Copy configuration (ceaedeba-68c1-4c99-87b2-98872b4aeca3) - changed metadata
-
Tampering with the Windows System Restore configuration (710b1aaa-cfdf-42b5-9615-447cedc5e5f0) - changed metadata
-
April 6, 2020 Release
-
Increased the severity to high for a BIOC rule:
-
Suspicious access to NTDS.dit (eeeee3a5-a22f-4850-8022-17684a8c5227) - improved detection logic, increased the severity to high, and changed metadata
-
-
Increased the severity to low for a BIOC rule:
-
Manipulation of Windows DNS configuration using WMIC (ff9612ae-22ca-4ac2-bd3b-6bf1244dad8a) - improved detection logic, increased the severity to low, and changed metadata
-
-
Added 3 new informational BIOC rules:
-
Disabling Windows Defender via Registry (d18483d3-1e7c-48cc-b1d9-6e1ab8592667) - added a new informational alert
-
WMI access to shadow copy interface (b6cd123b-e5a0-4aa3-ac43-3398d6a93ca7) - added a new informational alert
-
Pubprn.vbs signed script proxy execution (8d113cec-90be-4b24-856a-6f6c091e7510) - added a new informational alert
-
-
Decreased the severity to informational for a BIOC rule:
-
Modification of password filter DLL(s) Registry key (ea98601c-e552-4b9b-8164-f085a38d383d) - decreased the severity to informational
-
-
Removed 2 BIOC rule:
-
PowerShell enumerates running processes (932681e4-919a-4151-921f-adcb1088bb86) - removed
-
Possible RDP session hijacking using tscon.exe (32c6e7f9-ccd0-48a4-8bc9-3e460653cb75) - removed
-
-
Changed metadata for 118 BIOC rules
March 30, 2020 Release
-
Increased the severity to high for 2 BIOC rules:
-
Mimikatz command-line arguments (94fed992-c1da-4b69-9caa-292221b8c070) - improved detection logic, changed metadata, and increased the severity to high
-
Netcat makes or gets connections (44bf3d02-3081-4222-814f-6d47958c502a) - improved detection logic, changed metadata, and increased the severity to high
-
-
Increased the severity to medium for 5 BIOC rules:
-
Windows certificate management tool makes a network connection (0179177f-e5ec-4101-a238-c0372b239afb) - improved detection logic, changed metadata, and increased the severity to medium
-
Non-browser access to a pastebin-like site (6b394799-0a16-4d03-b8b4-e9a062965ad7) - improved detection logic, changed metadata, and increased the severity to medium
-
Fodhelper.exe UAC bypass (448f8a2e-eaf9-4ff7-ab84-5a582e837dfc) - improved detection logic, and increased the severity to medium
-
LSASS dump file written to disk (90226942-3721-4df4-9b26-577ed1e9c34d) - improved detection logic, and increased the severity to medium
-
Network sniffing via command-line tool (4b25dcce-0ac3-4cb2-8c97-939a1077af84) - improved detection logic, and increased the severity to medium
-
-
Increased the severity to low for 6 BIOC rules:
-
Windows Firewall notifications disabled via Registry (31796d2e-08a9-4047-8f37-3a0c2aa11702) - improved detection logic, changed metadata, and increased the severity to low
-
Base64 encoding used (e8ffb33b-f1a8-4687-9ad7-cd2654d73b4f) - improved detection logic, changed metadata, and increased the severity to low
-
Kernel modules loaded via command-line tool (49dbb669-e1f4-4ca7-a7e4-36478b780e74) - improved detection logic, and increased the severity to low
-
Possible network service discovery via command-line tool (d2f959f3-d463-4d73-92bf-4c3664a5d956) - improved detection logic, and increased the severity to low
-
Executable copied to remote host via admin share (63181adb-96a2-441b-8367-6a1e91ef1e02) - improved detection logic, changed metadata, and increased the severity to low
- Bash creating network traffic (8bbc8c26-45dd-436c-9d89-98f76164daee) - improved detection logic, and increased the severity to low
-
- Added 4 new informational BIOC rules:
-
Direct scheduled task creation via file access (116a3cfb-2fd3-4d99-800b-e93fe158b211) - added a new informational alert
-
Disable outlook security via Registry (a6311886-ab62-4df9-862f-b999a0c3a995) - added a new informational alert
-
Ping to a known external IP address (61079392-db2f-4b7a-b7f8-b87562137f73) - added a new informational alert
- File renamed to have a script extension (51bd180f-ae84-450d-b0a6-b1a67300ef4d) - added a new informational alert
-
- Removed a BIOC rule:
- Common Google process name missing Google digital signature (417426e1-363c-4dbc-928d-ff7cd5f114d0) - removed
- Changed the metadata for 115 BIOC rules
March 24, 2020 Release
-
Decreased the severity to informational for a BIOC rule:
-
Injection into rundll32.exe (0c0a80af-06ff-4a10-b555-67e56ecbd410) - improved detection logic, and decreased the severity to informational
-
Showing articles with label Cortex XDR.
Show all articles
100% helpful
(1/1)
Rate this article:
|
Labels:
5 Comments
215380
Views
|
5 Comments
|
215380
Views
| ||
|
0 Comments
|
384
Views
| |||
|
|
0 Comments
|
635
Views
| |||
|
|
0 Comments
|
560
Views
| |||
|
0 Comments
|
3897
Views
| |||
|
|
0 Comments
|
2034
Views
| |||
|
|
Labels:
1 Comment
6143
Views
|
1 Comment
|
6143
Views
|
Latest Comments
- MateoSosa on: Content Release Notes
- adminx on: Cortex XDR Datasheet
Top Contributors
-
dagronL0 Member
-
ydadonL0 Member
-
nrimerL0 Member
-
yuvzanL0 Member
-
yshivekL2 Linker
-
garaziL0 Member
-
gfriedL0 Member
-
ssettyL0 Member
-
nhussainiL4 Transporter
-
sroitmanL0 Member
-
cevgi1L0 Member
-
vcottonL3 Networker
-
jforsytheCommunity Team Member
-
Retired MemberNot applicable -
tvilasL1 Bithead
-
eluisL3 Networker
-
mhojbergL0 Member
- Previous
- Next
Top Liked Posts in LIVEcommunity Article
| Subject | Likes |
|---|---|
| 1 Like |
LEGAL NOTICES
Copyright 2007 - 2022 - Palo Alto Networks
