Cortex XDR Content Release Notes
May 15 2022 Release:
Removed an old Medium Analytics Alert:
Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) - removed an old Medium alert
Added 3 new Low Analytics BIOCs:
Globally uncommon root domain from a signed process (10febb79-f10d-4765-8c40-92c8c276457f) - added a new Low alert
Conhost.exe spawned a suspicious child process (a3e8022a-979a-5a80-8c5f-a90c80dfe19d) - added a new Low alert
Globally uncommon root-domain port combination from a signed process (557d3fac-1cfd-47dd-8db9-631ae264feac) - added a new Low alert
Improved logic of 2 Low Analytics BIOCs:
Rare security product signed executable executed in the network (f9e9ff14-df6e-4ed4-a15d-326bd444199b) - improved logic of a Low Analytics BIOC
Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - improved logic of a Low Analytics BIOC
Changed metadata of a Low Analytics BIOC:
Execution of dllhost.exe with an empty command line (cc3bf426-10ed-4955-a0ab-302f81e22873) - changed metadata of a Low Analytics BIOC
Added a new Low Analytics Alert:
Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - added a new Low alert
Improved logic of a Low Analytics Alert:
Multiple suspicious user accounts were created (b60687dc-f312-11eb-9f0a-faffc26aac4a) - improved logic of a Low Analytics Alert
Removed an old Low Analytics Alert:
Possible external RDP Brute-Force (f774f787-6763-4f3c-bc24-46d3183d26fe) - removed an old Low alert
Decreased the severity to Informational for 2 Analytics BIOCs:
Windows Event Log was cleared using wevtutil.exe (be2210fb-9884-49e7-8078-6e59c35d925e) - decreased the severity to Informational, and improved detection logic
Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - decreased the severity to Informational
Improved logic of 6 Informational Analytics BIOCs:
VPN access with an abnormal operating system (1adc594f-4a49-4f75-adee-5b72c4dd4e70) - improved logic of an Informational Analytics BIOC
A suspicious process queried AD CS objects via LDAP (69bfcbc2-04a1-400b-9516-14c987fedb05) - improved logic of an Informational Analytics BIOC
SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - improved logic of an Informational Analytics BIOC
SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of an Informational Analytics BIOC
A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOC
VPN access with a new operating system for a user (0973136b-a66a-4ad1-ad9c-068971bfcbb8) - improved logic of an Informational Analytics BIOC
Added 3 new Informational Analytics Alerts:
A user printed an unusual number of files (cbe07552-7163-418f-ad4f-03ae261bdc2d) - added a new Informational alert
Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - added a new Informational alert
Possible brute force on sudo user (a5a4f979-da78-4195-a288-7cc55ae00a43) - added a new Informational alert
Improved logic of 3 Informational Analytics Alerts:
Multiple user accounts were deleted (a334c4fa-569a-11ec-ad30-acde48001122) - improved logic of an Informational Analytics Alert
Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - improved logic of an Informational Analytics Alert
NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - improved logic of an Informational Analytics Alert
May 08 2022 Release:
Changed metadata of 2 High Analytics BIOCs:
Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - changed metadata of a High Analytics BIOC
Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - changed metadata of a High Analytics BIOC
Changed metadata of a High Analytics Alert:
Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - changed metadata of a High Analytics Alert
Improved logic of a Medium Analytics BIOC:
Uncommon msiexec execution of an arbitrary file from the web (8b919310-62f6-4035-b60b-ef61372947d9) - improved logic of a Medium Analytics BIOC
Changed metadata of 4 Medium Analytics BIOCs:
External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - changed metadata of a Medium Analytics BIOC
Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - changed metadata of a Medium Analytics BIOC
Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - changed metadata of a Medium Analytics BIOC
Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - changed metadata of a Medium Analytics BIOC
Changed metadata of 3 Medium Analytics Alerts:
Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - changed metadata of a Medium Analytics Alert
Suspicious allocation of compute resources in multiple regions - possible mining activity (30f4d71c-a3f7-43b0-82ca-f2951995e420) - changed metadata of a Medium Analytics Alert
Suspicious large allocation of compute resources - possible mining activity (896e2a9a-9c4f-4aea-9314-1e3e15050b44) - changed metadata of a Medium Analytics Alert
Decreased the severity to Low for 2 Analytics BIOCs:
Unsigned process injecting into a Windows system binary with no command line (1d8789e7-6629-4549-7064-d384adc339bc) - decreased the severity to Low, and improved detection logic
Execution of dllhost.exe with an empty command line (cc3bf426-10ed-4955-a0ab-302f81e22873) - decreased the severity to Low, and improved detection logic
Improved logic of a Low Analytics BIOC:
Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - improved logic of a Low Analytics BIOC
Changed metadata of 14 Low Analytics BIOCs:
Domain federation settings have been modified (050d189d-714a-46a0-b25d-2b295afd55b6) - changed metadata of a Low Analytics BIOC
AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - changed metadata of a Low Analytics BIOC
Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - changed metadata of a Low Analytics BIOC
Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - changed metadata of a Low Analytics BIOC
An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - changed metadata of a Low Analytics BIOC
AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - changed metadata of a Low Analytics BIOC
Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - changed metadata of a Low Analytics BIOC
Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - changed metadata of a Low Analytics BIOC
Certutil pfx parsing (3719af79-bdde-4c84-9277-cbf41c86cd39) - changed metadata of a Low Analytics BIOC
GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - changed metadata of a Low Analytics BIOC
AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - changed metadata of a Low Analytics BIOC
AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - changed metadata of a Low Analytics BIOC
Unverified domain added to Azure AD (e4672ba4-6ba8-426c-82c1-9858f97a4221) - changed metadata of a Low Analytics BIOC
Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - changed metadata of a Low Analytics BIOC
Changed metadata of 2 Low Analytics Alerts:
IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - changed metadata of a Low Analytics Alert
Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - changed metadata of a Low Analytics Alert
Improved logic of 2 Informational Analytics BIOCs:
Abnormal process connection to default Meterpreter port (9de6cf91-007d-11ea-a77c-8c8590c9ccd1) - improved logic of an Informational Analytics BIOC
Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - improved logic of an Informational Analytics BIOC
Changed metadata of 73 Informational Analytics BIOCs:
Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - changed metadata of an Informational Analytics BIOC
IAM User added to an IAM group (440b6ea7-2f9e-4ad1-8443-2586eb796298) - changed metadata of an Informational Analytics BIOC
Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - changed metadata of an Informational Analytics BIOC
An IAM group was created (af19f0d0-1e67-4327-9528-a1dc496a548f) - changed metadata of an Informational Analytics BIOC
Cloud impersonation by unusual identity type (e3858b4a-79df-4a70-867f-a6bfec0b7762) - changed metadata of an Informational Analytics BIOC
Root user logged in to AWS console (447ef512-2b73-4c8e-b0f4-c85415e7659f) - changed metadata of an Informational Analytics BIOC
Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - changed metadata of an Informational Analytics BIOC
GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - changed metadata of an Informational Analytics BIOC
GCP Service Account creation (f29b6fd5-3da3-4e40-867d-ef8c82d95116) - changed metadata of an Informational Analytics BIOC
A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - changed metadata of an Informational Analytics BIOC
Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - changed metadata of an Informational Analytics BIOC
Azure Automation Webhook creation (c5393a54-b199-4474-a603-75b276903766) - changed metadata of an Informational Analytics BIOC
GCP Pub/Sub Subscription Deletion (12e3bc4a-69f6-4923-932e-0272621aa21a) - changed metadata of an Informational Analytics BIOC
GCP Service Account deletion (bf134ec2-a907-4f4f-a316-0b68625ff236) - changed metadata of an Informational Analytics BIOC
EC2 snapshot attribute has been modification (1c516548-f413-4117-b759-d98d5bec3ed5) - changed metadata of an Informational Analytics BIOC
AWS user creation (242c9abb-1def-4778-ba5e-88817b4dc89f) - changed metadata of an Informational Analytics BIOC
GCP IAM Role Deletion (e0fe91e0-6179-4a3d-9d71-95144f4ebb25) - changed metadata of an Informational Analytics BIOC
Azure Automation Account Creation (878335a8-daf9-4380-a856-9df94a8f9e8d) - changed metadata of an Informational Analytics BIOC
AWS Role Trusted Entity modification (cada381e-8af6-45fa-8c3f-a4e93c4e1885) - changed metadata of an Informational Analytics BIOC
GCP Storage Bucket Configuration Modification (d1ad46ca-4412-445a-a0be-17d9b29880d3) - changed metadata of an Informational Analytics BIOC
Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - changed metadata of an Informational Analytics BIOC
Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - changed metadata of an Informational Analytics BIOC
A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - changed metadata of an Informational Analytics BIOC
AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - changed metadata of an Informational Analytics BIOC
AWS network ACL rule creation (a04d827e-9c62-4e2e-be28-1308c695446e) - changed metadata of an Informational Analytics BIOC
MFA device was removed/deactivated from an IAM user (52d74622-2fa5-4eae-b7d0-8eb52e0caaf3) - changed metadata of an Informational Analytics BIOC
AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - changed metadata of an Informational Analytics BIOC
GCP Virtual Private Network Route Creation (00e3b67d-2ef2-4341-b017-a6183b7dd8c8) - changed metadata of an Informational Analytics BIOC
Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - changed metadata of an Informational Analytics BIOC
Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - changed metadata of an Informational Analytics BIOC
AWS config resource deletion (7c992418-9687-44ea-8b12-1c680bf1c901) - changed metadata of an Informational Analytics BIOC
Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - changed metadata of an Informational Analytics BIOC
GCP Virtual Private Cloud (VPC) Network Deletion (d9158b41-8de9-4f6d-98b0-3155d4deb092) - changed metadata of an Informational Analytics BIOC
GCP Storage Bucket Permissions Modification (5ed09b6c-a603-4c5d-8c63-74245e42faed) - changed metadata of an Informational Analytics BIOC
GCP IAM Service Account Key Deletion (7a30c221-6450-4c5a-bafc-f6633a5b7f7f) - changed metadata of an Informational Analytics BIOC
AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - changed metadata of an Informational Analytics BIOC
S3 configuration deletion (68ebffe9-ce22-4453-bf44-5cd1affd67a0) - changed metadata of an Informational Analytics BIOC
GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - changed metadata of an Informational Analytics BIOC
GCP VPC Firewall Rule Deletion (4c47ea31-a67a-4b2f-b88a-154d8aac420b) - changed metadata of an Informational Analytics BIOC
First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - changed metadata of an Informational Analytics BIOC
Azure Event Hub Authorization rule creation/modification (ba1fb18f-9031-4b7c-9ec3-d029f5e5ee0e) - changed metadata of an Informational Analytics BIOC
Azure virtual machine commands execution (6a069681-c378-4b9c-a2e2-0414a64cc36e) - changed metadata of an Informational Analytics BIOC
Remote usage of an App engine Service Account token (b5b760e8-8747-11ec-b26b-acde48001122) - changed metadata of an Informational Analytics BIOC
Azure Blob Container Access Level Modification (28efc491-b0a3-4edc-96ab-15156dec80e4) - changed metadata of an Informational Analytics BIOC
GCP IAM Custom Role Creation (830eb74a-a6a5-4e5c-9890-0f5857408000) - changed metadata of an Informational Analytics BIOC
Remote usage of VM Service Account token (e65c3658-79d7-11ec-bba6-acde48001122) - changed metadata of an Informational Analytics BIOC
External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - changed metadata of an Informational Analytics BIOC
AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - changed metadata of an Informational Analytics BIOC
An Identity accessed a secret from Secret Manager (050cd586-bc43-4586-850d-162c0123ad6e) - changed metadata of an Informational Analytics BIOC
A browser was opened in private mode (9c499a04-883b-4cfe-9c1f-eb1be965a0cc) - changed metadata of an Informational Analytics BIOC
A user cleared their browser's history (8c76ebbd-13ce-4bb0-9f28-d964ea488670) - changed metadata of an Informational Analytics BIOC
AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - changed metadata of an Informational Analytics BIOC
AWS RDS cluster deletion (818dcc3f-c6e9-4ad5-a7ac-633cb75ebe71) - changed metadata of an Informational Analytics BIOC
Aurora DB cluster stopped (37242e95-a845-4043-87d6-ad07edfd7c99) - changed metadata of an Informational Analytics BIOC
GCP Service Account Disable (ee82516d-e047-4172-a427-17e30e037706) - changed metadata of an Informational Analytics BIOC
Azure Automation Runbook Creation/Modification (abeed5ee-9620-4c31-b751-f090b3a82c37) - changed metadata of an Informational Analytics BIOC
AWS EC2 instance exported into S3 (c6ad16c5-f2be-46de-9d3b-c44613f46d27) - changed metadata of an Informational Analytics BIOC
Azure Key Vault modification (c253e0bb-f704-45c8-9abe-ad0ec9345b54) - changed metadata of an Informational Analytics BIOC
Azure Automation Runbook Deletion (ba481ed7-9957-489f-a29d-b78f92cc0644) - changed metadata of an Informational Analytics BIOC
AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - changed metadata of an Informational Analytics BIOC
Log4J exploitation attempt against cloud hosted resources (bdef5aae-a272-4c70-b1cd-165cac5039c3) - changed metadata of an Informational Analytics BIOC
Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - changed metadata of an Informational Analytics BIOC
GCP Pub/Sub Topic Deletion (2acac71c-6a19-4b2f-a4d3-b95fa4cab768) - changed metadata of an Informational Analytics BIOC
GCP Virtual Private Network Route Deletion (db6e96a7-a47a-4ba3-b92c-623713ba3d67) - changed metadata of an Informational Analytics BIOC
Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - changed metadata of an Informational Analytics BIOC
Azure Storage Account key generated (72443a25-c783-494e-adaa-98cd96a54997) - changed metadata of an Informational Analytics BIOC
Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - changed metadata of an Informational Analytics BIOC
GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - changed metadata of an Informational Analytics BIOC
GCP Storage Bucket deletion (d681c6c5-41e7-4042-bd07-7f666889d59c) - changed metadata of an Informational Analytics BIOC
An AWS RDS Global Cluster Deletion (1b957d24-d4c3-11eb-9122-acde48001122) - changed metadata of an Informational Analytics BIOC
GCP Firewall Rule Modification (780f6209-1829-45e2-9ab9-a22999d6ef6e) - changed metadata of an Informational Analytics BIOC
GCP Firewall Rule creation (a84dbd23-67d0-4851-a73a-7dc7430600cf) - changed metadata of an Informational Analytics BIOC
Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - changed metadata of an Informational Analytics BIOC
Added a new Informational Analytics Alert:
Increase in Job-Related Site Visits (3ccaa62d-7762-11eb-93b0-acde48001122) - added a new Informational alert
Improved logic of an Informational Analytics Alert:
Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - improved logic of an Informational Analytics Alert
Changed metadata of 2 Informational Analytics Alerts:
Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - changed metadata of an Informational Analytics Alert
Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - changed metadata of an Informational Analytics Alert
May 01 2022 Release:
Improved logic of 2 Medium Analytics BIOCs:
Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - improved logic of a Medium Analytics BIOC
MSI accessed a web page running a server-side script (afb57884-36f1-4127-b1ac-43009c32899b) - improved logic of a Medium Analytics BIOC
Added a new Medium Analytics Alert:
An internal Cloud resource performed port scan on external networks (7e7af0ac-0eac-44e2-8d0f-ea94831bb0df) - added a new Medium alert
Increased the severity to Low for an Analytics BIOC:
Certutil pfx parsing (3719af79-bdde-4c84-9277-cbf41c86cd39) - increased the severity to Low
Decreased the severity to Low for an Analytics BIOC:
Suspicious failed HTTP request - potential Spring4Shell exploit (1028c23d-f8f0-4adb-9e12-bffce9104359) - decreased the severity to Low, and improved detection logic
Improved logic of a Low Analytics BIOC:
Interactive login by a service account (603bfd03-d88b-4a3e-844b-5286b6971960) - improved logic of a Low Analytics BIOC
Removed an old Low Analytics BIOC:
A rare disabled user attempted to log in (598e04de-0c13-46de-ad73-27ec4605da3f) - removed an old Low alert
Added a new Low Analytics Alert:
Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - added a new Low alert
Improved logic of 2 Low Analytics Alerts:
Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of a Low Analytics Alert
Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alert
Decreased the severity to Informational for an Analytics BIOC:
Log4J exploitation attempt against cloud hosted resources (bdef5aae-a272-4c70-b1cd-165cac5039c3) - decreased the severity to Informational, and improved detection logic
Improved logic of 5 Informational Analytics BIOCs:
Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOC
A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - improved logic of an Informational Analytics BIOC
A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOC
Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOC
A user successfully authenticated via SSO for the first time (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOC
Added a new Informational Analytics Alert:
A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - added a new Informational alert
Improved logic of an Informational Analytics Alert:
Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alert
April 24 2022 Release:
Added a new Informational Analytics BIOC:
Cloud impersonation by unusual identity type (e3858b4a-79df-4a70-867f-a6bfec0b7762) - added a new Informational alert
Improved logic of 2 Informational Analytics BIOCs:
A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOC
A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - improved logic of an Informational Analytics BIOC
Improved logic of 2 Informational Analytics Alerts:
A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - improved logic of an Informational Analytics Alert
NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - improved logic of an Informational Analytics Alert
April 19 2022 Release:
Improved logic of 6 High Analytics BIOCs:
Uncommon remote scheduled task creation (85516bae-e953-11e9-bbed-8c8590c9ccd1) - improved logic of a High Analytics BIOC
Memory dumping with comsvcs.dll (4c720885-7c14-4e18-94aa-c8e5a03edac8) - improved logic of a High Analytics BIOC
Suspicious usage of File Server Remote VSS Protocol (FSRVP) (9f82d067-25e8-49da-bae3-62e7f9074943) - improved logic of a High Analytics BIOC
Unprivileged process opened a registry hive (9937ddbf-beb9-49b0-ac34-e005d53a127b) - improved logic of a High Analytics BIOC
Editing ld.so.preload for persistence and injection (135b986b-033a-2cc5-8800-4da034c291fc) - improved logic of a High Analytics BIOC
Windows Event Log cleared using wevtutil.exe (be2210fb-9884-49e7-8078-6e59c35d925e) - improved logic of a High Analytics BIOC
Changed metadata of a High Analytics BIOC:
Suspicious HTTP Request to a vulnerable Java class (1028c23d-f8f0-4adb-9e12-bffce9104359) - changed metadata of a High Analytics BIOC
Added 2 new Medium Analytics BIOCs:
A contained executable from a mounted share initiated a suspicious outbound network connection (423a9cc9-735f-48cd-8fb5-6e4aeecd5d6d) - added a new Medium alert
Execution of dllhost.exe with an empty command line (cc3bf426-10ed-4955-a0ab-302f81e22873) - added a new Medium alert
Improved logic of 39 Medium Analytics BIOCs:
Unsigned process injecting into a Windows system binary with no command line (1d8789e7-6629-4549-7064-d384adc339bc) - improved logic of a Medium Analytics BIOC
Fodhelper.exe UAC bypass (780d896e-19db-4c9d-ee3b-e496f745ee64) - improved logic of a Medium Analytics BIOC
LSASS dump file written to disk (dd78e167-1c96-de84-d476-d48cba3370cd) - improved logic of a Medium Analytics BIOC
Possible RDP session hijacking using tscon.exe (015570a8-ffce-492b-99a9-e7b83dc8e216) - improved logic of a Medium Analytics BIOC
Rundll32.exe spawns conhost.exe (c91811ac-2fa7-af90-1d55-bc786fee62a6) - improved logic of a Medium Analytics BIOC
PowerShell suspicious flags (4ce1b559-45b8-11ea-81bb-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
Executable created to disk by lsass.exe (b2f18102-e247-4986-8681-029741ebbfd5) - improved logic of a Medium Analytics BIOC
Office process creates an unusual .LNK file (15b39f42-b51e-7dec-576f-d1cef54a5baf) - improved logic of a Medium Analytics BIOC
Possible Microsoft process masquerading (e0a99ea0-977d-4646-b9d9-26e9e7a4341c) - improved logic of a Medium Analytics BIOC
Tampering with Internet Explorer Protected Mode configuration (670fd2a0-8523-85f1-49c9-28a1f2ccb69a) - improved logic of a Medium Analytics BIOC
Interactive at.exe privilege escalation method (86c25db2-acaa-6673-a7d4-20aef374f0d1) - improved logic of a Medium Analytics BIOC
Microsoft Office Process Spawning a Suspicious One-Liner (aca7aaa1-4361-11ea-8fed-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
Indirect command execution using the Program Compatibility Assistant (324416dd-01a2-1fa3-f3f7-5757895e9926) - improved logic of a Medium Analytics BIOC
Uncommon net group execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
Procdump executed from an atypical directory (7b947703-063a-7f35-0980-b57cfb0eada1) - improved logic of a Medium Analytics BIOC
Autorun.inf created in root C drive (cee2bedd-66d1-84d6-fd43-652725459a71) - improved logic of a Medium Analytics BIOC
Possible new DHCP server (e5afa116-5041-4ed9-9d0c-18eaac133173) - improved logic of a Medium Analytics BIOC
Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - improved logic of a Medium Analytics BIOC
Rundll32.exe running with no command-line arguments (1fec6f01-b5de-935b-58e0-c124f2de6101) - improved logic of a Medium Analytics BIOC
Executable moved to Windows system folder (bab3ed69-9e51-2000-c383-34103b1fb8fd) - improved logic of a Medium Analytics BIOC
Possible Persistence via group policy Registry keys (3b3741b6-1993-0e75-6c33-51152991fa0a) - improved logic of a Medium Analytics BIOC
Office process spawned with suspicious command-line arguments (b6d85e95-f65e-dbcc-9c9b-eb2f47593f8e) - improved logic of a Medium Analytics BIOC
Suspicious certutil command line (eb9c9e41-072d-9975-fba3-d17a1cb39b49) - improved logic of a Medium Analytics BIOC
Suspicious PowerSploit's recon module (PowerView) net function was executed (bd95656f-6ba3-4c9d-ac06-8b0a957cf67f) - improved logic of a Medium Analytics BIOC
Phantom DLL Loading (69ba5103-2954-4175-87b7-3a622ec07255) - improved logic of a Medium Analytics BIOC
Possible Microsoft module side-loading into Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - improved logic of a Medium Analytics BIOC
Suspicious disablement of the Windows Firewall (7c28b163-4d2f-463c-97ba-5b3e7f13249b) - improved logic of a Medium Analytics BIOC
Possible code downloading from a remote host by Regsvr32 (1f358bb5-aede-3ff6-40e4-50edd570d9e3) - improved logic of a Medium Analytics BIOC
Remote WMI process execution (65c55916-23c3-4d1e-9e3d-e839c9c4b70f) - improved logic of a Medium Analytics BIOC
Office process creates a scheduled task via file access (f55359ad-1258-7ffe-1d97-ae01077dd8e1) - improved logic of a Medium Analytics BIOC
Possible malicious .NET compilation started by a commonly abused process (63627c16-7c3e-9538-f662-8f25568995f5) - improved logic of a Medium Analytics BIOC
Encoded information using Windows certificate management tool (33d390e1-2091-4a70-0dde-99fe29540b38) - improved logic of a Medium Analytics BIOC
Possible network connection to a TOR relay server (a3e0fd91-11e5-34b8-92b3-a2bed507878a) - improved logic of a Medium Analytics BIOC
Suspicious .NET process loads an MSBuild DLL (bb0e8ceb-94e4-888c-92a1-bc9c1b8c481c) - improved logic of a Medium Analytics BIOC
Uncommon SetWindowsHookEx API invocation of a possible keylogger (09cf18c8-e607-44f4-bb06-1dfde6163839) - improved logic of a Medium Analytics BIOC
Suspicious PowerSploit's recon module (PowerView) used to search for exposed hosts (dd806bdc-9025-47ff-816a-72ee47c322a3) - improved logic of a Medium Analytics BIOC
PowerShell runs suspicious base64-encoded commands (867fc0b0-4f9f-4d3b-b538-0b32266e2ab2) - improved logic of a Medium Analytics BIOC
Modification of NTLM restrictions in the Registry (bba1f627-d154-4980-f752-b17096cd73a2) - improved logic of a Medium Analytics BIOC
Suspicious execution of ODBCConf (4bebfd54-6c21-b4bd-f30e-070f48ae8949) - improved logic of a Medium Analytics BIOC
Changed metadata of a Medium Analytics BIOC:
Suspicious print processor registered (cf14910d-0c56-48c7-97f2-903f3387ad6b) - changed metadata of a Medium Analytics BIOC
Removed an old Medium Analytics BIOC:
Compiled HTML (help file) writes a script file to disk (19cb36a3-3d9b-9453-125c-f0b456d4cef4) - removed an old Medium alert
Changed metadata of a Medium Analytics Alert:
DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - changed metadata of a Medium Analytics Alert
Added a new Low Analytics BIOC:
A compiled HTML help file wrote a script file to the disk (6f2817a6-f6b4-4ff5-b03e-ed488e60cd8a) - added a new Low alert
Improved logic of 24 Low Analytics BIOCs:
Wsmprovhost.exe Rare Child Process (f5b580fd-e952-11e9-91de-8c8590c9ccd1) - improved logic of a Low Analytics BIOC
LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - improved logic of a Low Analytics BIOC
Microsoft Office adds a value to autostart Registry key (32e4eb1d-659c-317b-42a7-910db9f2f3b7) - improved logic of a Low Analytics BIOC
WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - improved logic of a Low Analytics BIOC
Reading bash command history file (e5dcfbcd-7c34-69a7-be3b-3ff9893435d7) - improved logic of a Low Analytics BIOC
SUID/GUID permission discovery (3f90bf2c-05bb-4916-8e70-3fe7a81ea23d) - improved logic of a Low Analytics BIOC
Setuid and Setgid file bit manipulation (86c8f625-febe-42d3-8682-9ef405985379) - improved logic of a Low Analytics BIOC
Elevation to SYSTEM via services (a1962f05-c1da-4765-8e4a-59729c70dde0) - improved logic of a Low Analytics BIOC
Suspicious Certutil AD CS contact (06545c74-04c2-4964-9af5-eb99080c274e) - improved logic of a Low Analytics BIOC
Possible network sniffing attempt via tcpdump or tshark (10d3d8d1-1edd-4992-beb3-53d4f5afcde8) - improved logic of a Low Analytics BIOC
Microsoft Office process spawns a commonly abused process (e15a97e1-466c-11ea-90c6-88e9fe502c1f) - improved logic of a Low Analytics BIOC
Remote DCOM command execution (e5e3c27a-a0c5-49b7-8143-5012d1180d2c) - improved logic of a Low Analytics BIOC
Suspicious process executed with a high integrity level (81e70ab2-b1f1-4a1c-bf94-3929f6d7e1b2) - improved logic of a Low Analytics BIOC
A rare disabled user attempted to log in (598e04de-0c13-46de-ad73-27ec4605da3f) - improved logic of a Low Analytics BIOC
Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - improved logic of a Low Analytics BIOC
Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet (c640fd86-9c58-4fe2-82ed-c3975866393a) - improved logic of a Low Analytics BIOC
Masquerading as Linux crond process (5823c47a-35fc-49c6-a602-a0b81ec342bc) - improved logic of a Low Analytics BIOC
Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - improved logic of a Low Analytics BIOC
Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - improved logic of a Low Analytics BIOC
Unusual AWS credentials creation (e13d7877-3308-4f35-9fb8-6ee466b69080) - improved logic of a Low Analytics BIOC
Suspicious AMSI decode attempt (f3885db4-6be6-40b9-82c1-9858f97a4229) - improved logic of a Low Analytics BIOC
Remote service start from an uncommon source (972072a7-9f23-4354-824d-7295de90e804) - improved logic of a Low Analytics BIOC
Screensaver process executed from Users or temporary folder (463d34d4-d448-40f2-8093-6ce58cf2bdbb) - improved logic of a Low Analytics BIOC
Suspicious process modified RC script file (711175b0-03ac-469b-ae5a-2ffb727816b2) - improved logic of a Low Analytics BIOC
Changed metadata of a Low Analytics BIOC:
Extracting credentials from Unix files (3eac1dcb-2aec-45e4-b44a-3f982d8979e1) - changed metadata of a Low Analytics BIOC
Improved logic of 3 Low Analytics Alerts:
Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alert
Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - improved logic of a Low Analytics Alert
Outlook files accessed by an unsigned process (ef33bda6-d0c5-48ef-95a6-e80c0f19df79) - improved logic of a Low Analytics Alert
Changed metadata of 2 Informational BIOCs:
Tampering with Windows Security Support Provider DLLs (1396a3ad-1b0a-4ad7-861b-a6a50104952e) - changed metadata of an Informational BIOC
Cleartext password harvesting using find tools (7ac5c888-838d-489c-a6a9-2bab9cec7e9d) - changed metadata of an Informational BIOC
Improved logic of 24 Informational Analytics BIOCs:
A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - improved logic of an Informational Analytics BIOC
A user created a pfx file for the first time (5ddac38b-51e2-48c4-9fb7-43144bc3a148) - improved logic of an Informational Analytics BIOC
Possible Email collection using Outlook RPC (d79e5210-e386-4bb6-aff9-c33afb3ba9d6) - improved logic of an Informational Analytics BIOC
A LOLBIN was copied to a different location (55c8b498-1f5e-4abf-9dfc-ca8bf0bcb3b9) - improved logic of an Informational Analytics BIOC
Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOC
A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - improved logic of an Informational Analytics BIOC
Command execution via wmiexec (797eba35-3ac8-4e84-8dc4-dbe804b9dee3) - improved logic of an Informational Analytics BIOC
Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - improved logic of an Informational Analytics BIOC
Login by a dormant user (0d700470-a3fa-4a78-b1fa-5c1e47db9a60) - improved logic of an Informational Analytics BIOC
Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOC
Modification of PAM (9aa924bd-64e8-4077-af6e-2dd5ef8e8b0d) - improved logic of an Informational Analytics BIOC
Service execution via sc.exe (d25d07fa-015c-47a6-a6a0-15ff46020cc5) - improved logic of an Informational Analytics BIOC
Suspicious curl user agent (14166076-1ee3-4d9b-954d-eaad065ca0c0) - improved logic of an Informational Analytics BIOC
Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - improved logic of an Informational Analytics BIOC
A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - improved logic of an Informational Analytics BIOC
Microsoft Office injects code into a process (da155b88-6973-a1b8-9ccd-5fad9a1e3455) - improved logic of an Informational Analytics BIOC
Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - improved logic of an Informational Analytics BIOC
Suspicious active setup registered (8c293cef-3d98-492d-be14-7bff66877bc7) - improved logic of an Informational Analytics BIOC
Local account discovery (99206b5b-f52d-4850-95ab-0135cf3db645) - improved logic of an Informational Analytics BIOC
A user cleared their browser's history (8c76ebbd-13ce-4bb0-9f28-d964ea488670) - improved logic of an Informational Analytics BIOC
Copy a process memory file (12785e19-c4ec-499d-a0f6-c6ccad857d35) - improved logic of an Informational Analytics BIOC
LOLBAS executable injects into another process (76190f98-9582-9c60-cca0-3ee2e8f0bf15) - improved logic of an Informational Analytics BIOC
Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol (72931f2e-a43f-4e77-ad81-48c29164017f) - improved logic of an Informational Analytics BIOC
Indicator blocking (fad21a46-1b2c-4308-9b3b-46153e86cf07) - improved logic of an Informational Analytics BIOC
Added a new Informational Analytics Alert:
Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - added a new Informational alert
Improved logic of 3 Informational Analytics Alerts:
Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - improved logic of an Informational Analytics Alert
Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alert
Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - improved logic of an Informational Analytics Alert
April 11 2022 Release:
Increased the severity to High for an Analytics BIOC:
Process execution with a suspicious command line indicative of the Spring4Shell exploit (0fc034a9-36ce-432f-bddb-1cfda20be004) - increased the severity to High
Added a new High Analytics BIOC:
Suspicious HTTP Request to a vulnerable Java class (1028c23d-f8f0-4adb-9e12-bffce9104359) - added a new High alert
Added a new Medium Analytics BIOC:
Machine account was added to a domain admins group (3c3c9d51-56c1-11ec-8706-acde48001122) - added a new Medium alert
Improved logic of a Medium Analytics BIOC:
Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
Changed metadata of a Low BIOC:
Accessing bash history file (cb05480f-17d8-4138-9902-f0f9fb50b671) - changed metadata of a Low BIOC
Improved logic of 2 Low Analytics BIOCs:
A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - improved logic of a Low Analytics BIOC
Interactive login by a service account (603bfd03-d88b-4a3e-844b-5286b6971960) - improved logic of a Low Analytics BIOC
Changed metadata of 2 Low Analytics BIOCs:
Rare communication over email ports to external email server by unsigned process (7b424216-fe61-4589-bcee-67e9e7b267be) - changed metadata of a Low Analytics BIOC
Setuid and Setgid file bit manipulation (86c8f625-febe-42d3-8682-9ef405985379) - changed metadata of a Low Analytics BIOC
Increased the severity to Low for 3 Analytics Alerts:
Interactive local account enumeration (d4608074-aafc-49cc-aa04-292c0a87332e) - increased the severity to Low
User collected remote shared files in an archive (de85c5aa-21e8-43d7-af13-3862f787549f) - increased the severity to Low, and improved detection logic
Multiple suspicious user accounts were created (b60687dc-f312-11eb-9f0a-faffc26aac4a) - increased the severity to Low
Improved logic of a Low Analytics Alert:
Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of a Low Analytics Alert
Changed metadata of a Low Analytics Alert:
Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alert
Added 4 new Informational Analytics BIOCs:
Suspicious User Login to Domain Controller (90c356a6-460a-11eb-a2b0-faffc26aac4a) - added a new Informational alert
A user account was modified to password never expires (a38d281e-4ad2-11ec-abe6-acde48001122) - added a new Informational alert
Suspicious External RDP Login (1d94db42-4371-4b62-8218-c5b338fe6e02) - added a new Informational alert
A user changed the Windows system time (12131d90-51dd-45cc-9c9f-ad84985b6cc6) - added a new Informational alert
Improved logic of 3 Informational Analytics BIOCs:
Interactive login by a machine account (1114b340-fc05-4ad0-925d-6c2867d2b5d9) - improved logic of an Informational Analytics BIOC
A user connected a new USB storage device to a host (43c2c43d-3c3c-4a16-b06c-3ad5de1fb3be) - improved logic of an Informational Analytics BIOC
A user connected a USB storage device for the first time (e3bc7997-3aec-4a0c-abc9-bdf744a34f39) - improved logic of an Informational Analytics BIOC
Changed metadata of 3 Informational Analytics BIOCs:
A user added a Windows firewall rule (4d52f94d-2344-439b-a7a8-5adb7d37be90) - changed metadata of an Informational Analytics BIOC
A browser was opened in private mode (9c499a04-883b-4cfe-9c1f-eb1be965a0cc) - changed metadata of an Informational Analytics BIOC
Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - changed metadata of an Informational Analytics BIOC
Added a new Informational Analytics Alert:
A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - added a new Informational alert
Improved logic of 3 Informational Analytics Alerts:
Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - improved logic of an Informational Analytics Alert
Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - improved logic of an Informational Analytics Alert
Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - improved logic of an Informational Analytics Alert
April 05 2022 Release:
Added a new High Analytics BIOC:
Suspicious usage of File Server Remote VSS Protocol (FSRVP) (9f82d067-25e8-49da-bae3-62e7f9074943) - added a new High alert
Removed 3 old Medium BIOCs:
Fodhelper.exe UAC bypass (448f8a2e-eaf9-4ff7-ab84-5a582e837dfc) - removed an old Medium alert
Scripting engine injects code to a process (1f985402-f4a4-4132-b74b-18a04a3620cd) - removed an old Medium alert
Rundll32.exe running with no command-line arguments (0c0a801a-06ff-4a10-b555-67e56ecbd410) - removed an old Medium alert
Added 4 new Medium Analytics BIOCs:
Rundll32.exe running with no command-line arguments (1fec6f01-b5de-935b-58e0-c124f2de6101) - added a new Medium alert
Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - added a new Medium alert
Fodhelper.exe UAC bypass (780d896e-19db-4c9d-ee3b-e496f745ee64) - added a new Medium alert
Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - added a new Medium alert
Removed 3 old Medium Analytics BIOCs:
Script Connecting to Rare External Host (86889630-e953-11e9-b74e-8c8590c9ccd1) - removed an old Medium alert
LOLBIN spawned by an Office executable connected to a rare external host (0aad6094-99a3-11ea-8544-88e9fe502c1f) - removed an old Medium alert
LOLBIN connecting to a rare host (4bcc13de-20b7-11ea-a54a-8c8590c9ccd1) - removed an old Medium alert
Increased the severity to Low for an Analytics BIOC:
Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - increased the severity to Low, and improved detection logic
Added a new Low Analytics BIOC:
A computer account was promoted to DC (87de9d8c-7d52-11ec-b568-acde48001122) - added a new Low alert
Improved logic of 9 Low Analytics BIOCs:
Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - improved logic of a Low Analytics BIOC
A disabled user successfully authenticated via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - improved logic of a Low Analytics BIOC
Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - improved logic of a Low Analytics BIOC
First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of a Low Analytics BIOC
A disabled user attempted to log in to a VPN (2a092ebe-ed9a-4eaa-bdcc-4b378c4ce4d7) - improved logic of a Low Analytics BIOC
VPN login by a service account (5430df85-d0ff-4b41-8683-6ad6bed1b657) - improved logic of a Low Analytics BIOC
VPN login with a machine account (9818431a-c039-49eb-a93c-8731c7f48fec) - improved logic of a Low Analytics BIOC
SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - improved logic of a Low Analytics BIOC
SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - improved logic of a Low Analytics BIOC
Removed 2 old Low Analytics BIOCs:
UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - removed an old Low alert
MSBuild Makes a Rare Network Connection (633a8e38-c616-11ea-abb3-acde48001122) - removed an old Low alert
Added 3 new Low Analytics Alerts:
New Shared User Account (0d29cc9c-cdc3-11eb-afcb-acde48001122) - added a new Low alert
Impossible traveler - VPN (6acd5f71-0f52-41b7-b996-67f3c800a2b9) - added a new Low alert
SSH authentication brute force attempts (be5524ca-60ab-49eb-9045-9aa65d1d89fd) - added a new Low alert
Improved logic of a Low Analytics Alert:
VPN login Brute-Force attempt (7a69443f-48af-4c3b-8c18-b448e403561c) - improved logic of a Low Analytics Alert
Added 6 new Informational Analytics BIOCs:
A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - added a new Informational alert
VPN login by a dormant user (9f9d7576-b3c0-4c11-983e-71e250b03a6d) - added a new Informational alert
Iptables configuration command was executed (bbb7b421-2de6-438d-a270-e28ed2a95b35) - added a new Informational alert
A user added a Windows firewall rule (4d52f94d-2344-439b-a7a8-5adb7d37be90) - added a new Informational alert
A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - added a new Informational alert
A user accessed an uncommon AppID (d9f7bb18-bf8b-4902-85cf-18a3e4ebad67) - added a new Informational alert
Improved logic of 11 Informational Analytics BIOCs:
Login by a dormant user (0d700470-a3fa-4a78-b1fa-5c1e47db9a60) - improved logic of an Informational Analytics BIOC
Administrator groups enumerated via LDAP (ab78c189-98f0-4646-b67b-0ce05576ddbf) - improved logic of an Informational Analytics BIOC
SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of an Informational Analytics BIOC
VPN access with a new operating system for a user (0973136b-a66a-4ad1-ad9c-068971bfcbb8) - improved logic of an Informational Analytics BIOC
First VPN access attempt from a country in organization (e143bc60-67d0-45e8-b0cb-682ecf82a04d) - improved logic of an Informational Analytics BIOC
First VPN access from ASN in organization (4f94ffc0-6f8c-411b-a0ca-e0fb65ee8a5b) - improved logic of an Informational Analytics BIOC
First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOC
SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - improved logic of an Informational Analytics BIOC
LOLBAS executable injects into another process (76190f98-9582-9c60-cca0-3ee2e8f0bf15) - improved logic of an Informational Analytics BIOC
VPN access with an abnormal operating system (1adc594f-4a49-4f75-adee-5b72c4dd4e70) - improved logic of an Informational Analytics BIOC
A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) - improved logic of an Informational Analytics BIOC
Improved logic of an Informational Analytics Alert:
Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - improved logic of an Informational Analytics Alert
March 27 2022 Release:
Changed metadata of a Medium Analytics BIOC:
Autorun.inf created in root C drive (cee2bedd-66d1-84d6-fd43-652725459a71) - changed metadata of a Medium Analytics BIOC
Added a new Medium Analytics Alert:
Suspicious large allocation of compute resources - possible mining activity (896e2a9a-9c4f-4aea-9314-1e3e15050b44) - added a new Medium alert
Improved logic of a Medium Analytics Alert:
Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alert
Added 7 new Low Analytics BIOCs:
Unusual AWS credentials creation (e13d7877-3308-4f35-9fb8-6ee466b69080) - added a new Low alert
Contained process execution with a rare GitHub URL (eadd0b5c-94bb-4582-8115-765e48e19353) - added a new Low alert
Masquerading as Linux crond process (5823c47a-35fc-49c6-a602-a0b81ec342bc) - added a new Low alert
Suspicious process modified RC script file (711175b0-03ac-469b-ae5a-2ffb727816b2) - added a new Low alert
Suspicious data encryption (30df8779-1e1e-4c5a-a9de-40cb94d837e7) - added a new Low alert
Extracting credentials from Unix files (3eac1dcb-2aec-45e4-b44a-3f982d8979e1) - added a new Low alert
Setuid and Setgid file bit manipulation (86c8f625-febe-42d3-8682-9ef405985379) - added a new Low alert
Improved logic of a Low Analytics BIOC:
Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOC
Improved logic of a Low Analytics Alert:
Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - improved logic of a Low Analytics Alert
Decreased the severity to Informational for an Analytics BIOC:
Microsoft Office injects code into a process (da155b88-6973-a1b8-9ccd-5fad9a1e3455) - decreased the severity to Informational, and improved detection logic
Added a new Informational Analytics BIOC:
Interactive login from a shared user account (caf8236b-b276-11eb-b927-acde48001122) - added a new Informational alert
Improved logic of 2 Informational Analytics Alerts:
Multiple user accounts were deleted (a334c4fa-569a-11ec-ad30-acde48001122) - improved logic of an Informational Analytics Alert
Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - improved logic of an Informational Analytics Alert
March 20, 2022 Release:
Changed metadata of 18 High Analytics BIOCs:
Possible DCShadow attempt (a320aa30-20c3-11ea-b525-8c8590c9ccd1) - changed metadata of a High Analytics BIOC
PowerShell used to remove mailbox export request logs (2daec22b-6339-4217-afdc-ffaf60faa4c2) - changed metadata of a High Analytics BIOC
A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - changed metadata of a High Analytics BIOC
Netcat makes or gets connections (15d32561-c499-4772-8934-883fcd1cd75f) - changed metadata of a High Analytics BIOC
A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - changed metadata of a High Analytics BIOC
Uncommon remote scheduled task creation (85516bae-e953-11e9-bbed-8c8590c9ccd1) - changed metadata of a High Analytics BIOC
Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin (e7deceda-807e-4e2e-993b-e577804c5d8f) - changed metadata of a High Analytics BIOC
Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - changed metadata of a High Analytics BIOC
Editing ld.so.preload for persistence and injection (135b986b-033a-2cc5-8800-4da034c291fc) - changed metadata of a High Analytics BIOC
Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - changed metadata of a High Analytics BIOC
Memory dumping with comsvcs.dll (4c720885-7c14-4e18-94aa-c8e5a03edac8) - changed metadata of a High Analytics BIOC
Unprivileged process opened a registry hive (9937ddbf-beb9-49b0-ac34-e005d53a127b) - changed metadata of a High Analytics BIOC
Bronze-Bit exploit (115c6f43-ebb2-48d8-9044-9b52c0102e2f) - changed metadata of a High Analytics BIOC
Windows Event Log cleared using wevtutil.exe (be2210fb-9884-49e7-8078-6e59c35d925e) - changed metadata of a High Analytics BIOC
Log4J exploitation attempt against cloud hosted resources (bdef5aae-a272-4c70-b1cd-165cac5039c3) - changed metadata of a High Analytics BIOC
Wbadmin deleted files in quiet mode (293c8cc3-d9c3-4293-bddc-5dbf65d979fc) - changed metadata of a High Analytics BIOC
Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) - changed metadata of a High Analytics BIOC
A Successful login from TOR (ec9124e2-f2c3-4141-bdfa-4c707dfae296) - changed metadata of a High Analytics BIOC
Changed metadata of 2 High Analytics Alerts:
Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - changed metadata of a High Analytics Alert
Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - changed metadata of a High Analytics Alert
Improved logic of a Medium Analytics BIOC:
Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - improved logic of a Medium Analytics BIOC
Changed metadata of 87 Medium Analytics BIOCs:
Suspicious authentication package registered (8beb68b4-a866-494d-a768-c4c391086c66) - changed metadata of a Medium Analytics BIOC
LOLBIN spawned by an Office executable connected to a rare external host (0aad6094-99a3-11ea-8544-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
Unsigned process injecting into a Windows system binary with no command line (1d8789e7-6629-4549-7064-d384adc339bc) - changed metadata of a Medium Analytics BIOC
TGT request with a spoofed sAMAccountName - Network (92c20cd9-60e8-11ec-80b1-acde48001122) - changed metadata of a Medium Analytics BIOC
Suspicious Udev driver rule execution manipulation (74805905-0d62-454d-90dc-2deeeb51e549) - changed metadata of a Medium Analytics BIOC
Office process creates an unusual .LNK file (15b39f42-b51e-7dec-576f-d1cef54a5baf) - changed metadata of a Medium Analytics BIOC
Scrcons.exe Rare Child Process (f62553d1-e952-11e9-81c4-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOC
Suspicious hidden user created (eeb7b678-3c9b-11ec-879d-acde48001122) - changed metadata of a Medium Analytics BIOC
Suspicious Process Spawned by wininit.exe (9e4ba29f-8771-4f7b-acc4-562c91740934) - changed metadata of a Medium Analytics BIOC
Vulnerable driver loaded (1cc145f5-f667-4ca3-a722-79a29ed23caf) - changed metadata of a Medium Analytics BIOC
Office process creates a scheduled task via file access (f55359ad-1258-7ffe-1d97-ae01077dd8e1) - changed metadata of a Medium Analytics BIOC
Discovery of misconfigured certificate templates using LDAP (7dbb9366-8b94-4a9f-bc18-f02fbe7b1433) - changed metadata of a Medium Analytics BIOC
Unicode RTL Override Character (525e3dd7-4ca6-11ea-8161-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
Mailbox Client Access Setting (CAS) changed (d44c2188-9769-497d-a509-b980e9420f33) - changed metadata of a Medium Analytics BIOC
Execution of the Hydra Linux password brute-force tool (90010a1e-59b9-42a2-b768-2778a666f7a3) - changed metadata of a Medium Analytics BIOC
Suspicious SearchProtocolHost.exe parent process (86d04512-5c96-4f87-be1e-dc600e9d60f8) - changed metadata of a Medium Analytics BIOC
Suspicious PowerSploit's recon module (PowerView) net function was executed (bd95656f-6ba3-4c9d-ac06-8b0a957cf67f) - changed metadata of a Medium Analytics BIOC
Suspicious print processor registered (cf14910d-0c56-48c7-97f2-903f3387ad6b) - changed metadata of a Medium Analytics BIOC
Possible Persistence via group policy Registry keys (3b3741b6-1993-0e75-6c33-51152991fa0a) - changed metadata of a Medium Analytics BIOC
Manipulation of netsh helper DLLs Registry keys (02bf3838-23d9-4a6b-a4c9-7b6691663249) - changed metadata of a Medium Analytics BIOC
Remote command execution via wmic.exe (f42fdaa8-4685-11ea-94be-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
LOLBIN connecting to a rare host (4bcc13de-20b7-11ea-a54a-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOC
Suspicious certutil command line (eb9c9e41-072d-9975-fba3-d17a1cb39b49) - changed metadata of a Medium Analytics BIOC
Script Connecting to Rare External Host (86889630-e953-11e9-b74e-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOC
Windows Installer exploitation for local privilege escalation (d6aeb50b-c3f9-4eb3-9504-636eb17f3a42) - changed metadata of a Medium Analytics BIOC
Possible code downloading from a remote host by Regsvr32 (1f358bb5-aede-3ff6-40e4-50edd570d9e3) - changed metadata of a Medium Analytics BIOC
Uncommon SetWindowsHookEx API invocation of a possible keylogger (09cf18c8-e607-44f4-bb06-1dfde6163839) - changed metadata of a Medium Analytics BIOC
Executable moved to Windows system folder (bab3ed69-9e51-2000-c383-34103b1fb8fd) - changed metadata of a Medium Analytics BIOC
Uncommon net group execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOC
Uncommon PowerShell commands used to create or alter scheduled task parameters (a31e1c5b-f931-412b-b7ae-1932df342614) - changed metadata of a Medium Analytics BIOC
External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - changed metadata of a Medium Analytics BIOC
Autorun.inf created in root C:\ drive (cee2bedd-66d1-84d6-fd43-652725459a71) - changed metadata of a Medium Analytics BIOC
Interactive at.exe privilege escalation method (86c25db2-acaa-6673-a7d4-20aef374f0d1) - changed metadata of a Medium Analytics BIOC
Microsoft Office injects code into a process (da155b88-6973-a1b8-9ccd-5fad9a1e3455) - changed metadata of a Medium Analytics BIOC
Encoded information using Windows certificate management tool (33d390e1-2091-4a70-0dde-99fe29540b38) - changed metadata of a Medium Analytics BIOC
Possible Microsoft process masquerading (e0a99ea0-977d-4646-b9d9-26e9e7a4341c) - changed metadata of a Medium Analytics BIOC
RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOC
Suspicious PowerSploit's recon module (PowerView) used to search for exposed hosts (dd806bdc-9025-47ff-816a-72ee47c322a3) - changed metadata of a Medium Analytics BIOC
MSI accessed a web page running a server-side script (afb57884-36f1-4127-b1ac-43009c32899b) - changed metadata of a Medium Analytics BIOC
Modification of NTLM restrictions in the Registry (bba1f627-d154-4980-f752-b17096cd73a2) - changed metadata of a Medium Analytics BIOC
Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - changed metadata of a Medium Analytics BIOC
Service ticket request with a spoofed sAMAccountName (633ca673-5d09-11ec-b013-faffc26aac4a) - changed metadata of a Medium Analytics BIOC
Suspicious time provider registered (2055b591-73b7-4a69-8c88-a6d8649d1e7b) - changed metadata of a Medium Analytics BIOC
A remote service was created via RPC over SMB (f33c6ecc-cb20-4f2a-8bf8-869d21f18b0e) - changed metadata of a Medium Analytics BIOC
PowerShell suspicious flags (4ce1b559-45b8-11ea-81bb-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
Tampering with Internet Explorer Protected Mode configuration (670fd2a0-8523-85f1-49c9-28a1f2ccb69a) - changed metadata of a Medium Analytics BIOC
Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - changed metadata of a Medium Analytics BIOC
Suspicious execution of ODBCConf (4bebfd54-6c21-b4bd-f30e-070f48ae8949) - changed metadata of a Medium Analytics BIOC
PowerShell used to export mailbox contents (70b08c1e-ccfd-4ab9-bb92-66acaa83aa3a) - changed metadata of a Medium Analytics BIOC
Compiled HTML (help file) writes a script file to disk (19cb36a3-3d9b-9453-125c-f0b456d4cef4) - changed metadata of a Medium Analytics BIOC
Script file added to startup-related Registry keys (9dee6c7b-1df0-4eb2-9db2-035f70e7c9d7) - changed metadata of a Medium Analytics BIOC
Possible malicious .NET compilation started by a commonly abused process (63627c16-7c3e-9538-f662-8f25568995f5) - changed metadata of a Medium Analytics BIOC
The CA policy EditFlags was queried (3c01fdf3-0cf3-49b6-b08f-b40df3c2e498) - changed metadata of a Medium Analytics BIOC
Phantom DLL Loading (69ba5103-2954-4175-87b7-3a622ec07255) - changed metadata of a Medium Analytics BIOC
Bitsadmin.exe persistence using command-line callback (96e5bf6b-3ed4-42f2-b824-6cdb16a31608) - changed metadata of a Medium Analytics BIOC
Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
Execution of renamed lolbin (d2600df6-4489-4ad6-b92b-0b560f958d57) - changed metadata of a Medium Analytics BIOC
Procdump executed from an atypical directory (7b947703-063a-7f35-0980-b57cfb0eada1) - changed metadata of a Medium Analytics BIOC
Office process spawned with suspicious command-line arguments (b6d85e95-f65e-dbcc-9c9b-eb2f47593f8e) - changed metadata of a Medium Analytics BIOC
Reverse SSH tunnel to external domain/ip (0098b910-5056-4ce9-988a-983dd0071c5a) - changed metadata of a Medium Analytics BIOC
Uncommon Service Create/Config (4814ee91-468d-11ea-a78c-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
Rundll32.exe spawns conhost.exe (c91811ac-2fa7-af90-1d55-bc786fee62a6) - changed metadata of a Medium Analytics BIOC
Commonly abused AutoIT script connects to an external domain (5ce79fc6-a5d3-43d1-a9ff-d8c779958cc9) - changed metadata of a Medium Analytics BIOC
Possible AWS Instance Metadata Service (IMDS) Abuse (39ea8f0c-d0d7-4470-b373-aa144394e579) - changed metadata of a Medium Analytics BIOC
Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - changed metadata of a Medium Analytics BIOC
Suspicious disablement of the Windows Firewall using PowerShell commands (cb8b6ba0-12cc-4c64-81f5-75da949bea0b) - changed metadata of a Medium Analytics BIOC
Suspicious .NET process loads an MSBuild DLL (bb0e8ceb-94e4-888c-92a1-bc9c1b8c481c) - changed metadata of a Medium Analytics BIOC
Indirect command execution using the Program Compatibility Assistant (324416dd-01a2-1fa3-f3f7-5757895e9926) - changed metadata of a Medium Analytics BIOC
PowerShell runs suspicious base64-encoded commands (867fc0b0-4f9f-4d3b-b538-0b32266e2ab2) - changed metadata of a Medium Analytics BIOC
Non-browser failed access to a pastebin-like site (be47eb8c-3407-46d6-ad35-2961f3f669b0) - changed metadata of a Medium Analytics BIOC
Possible Microsoft module side-loading into Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - changed metadata of a Medium Analytics BIOC
SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
Remote WMI process execution (65c55916-23c3-4d1e-9e3d-e839c9c4b70f) - changed metadata of a Medium Analytics BIOC
Uncommon msiexec execution of an arbitrary file from the web (8b919310-62f6-4035-b60b-ef61372947d9) - changed metadata of a Medium Analytics BIOC
Microsoft Office Process Spawning a Suspicious One-Liner (aca7aaa1-4361-11ea-8fed-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
LSASS dump file written to disk (dd78e167-1c96-de84-d476-d48cba3370cd) - changed metadata of a Medium Analytics BIOC
LDAP search query from an unpopular and unsigned process (64472a41-9670-4626-8926-98b713328ddf) - changed metadata of a Medium Analytics BIOC
Possible network connection to a TOR relay server (a3e0fd91-11e5-34b8-92b3-a2bed507878a) - changed metadata of a Medium Analytics BIOC
Possible Search For Password Files (388d1fcc-4d9c-11ea-9daa-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
Suspicious disablement of the Windows Firewall (7c28b163-4d2f-463c-97ba-5b3e7f13249b) - changed metadata of a Medium Analytics BIOC
Possible new DHCP server (e5afa116-5041-4ed9-9d0c-18eaac133173) - changed metadata of a Medium Analytics BIOC
Mshta.exe launched with suspicious arguments (0b174006-3946-43b6-af3c-ab400e6c7a87) - changed metadata of a Medium Analytics BIOC
TGT request with a spoofed sAMAccountName - Event log (aa13b505-66e8-11ec-b385-faffc26aac4a) - changed metadata of a Medium Analytics BIOC
Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - changed metadata of a Medium Analytics BIOC
Executable created to disk by lsass.exe (b2f18102-e247-4986-8681-029741ebbfd5) - changed metadata of a Medium Analytics BIOC
Possible RDP session hijacking using tscon.exe (015570a8-ffce-492b-99a9-e7b83dc8e216) - changed metadata of a Medium Analytics BIOC
Suspicious Encrypting File System Remote call (EFSRPC) to domain controller (82a37634-c112-4dd9-8c16-332855d96c30) - changed metadata of a Medium Analytics BIOC
Improved logic of 3 Medium Analytics Alerts:
Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alert
DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - improved logic of a Medium Analytics Alert
New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Medium Analytics Alert
Changed metadata of 8 Medium Analytics Alerts:
Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - changed metadata of a Medium Analytics Alert
Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) - changed metadata of a Medium Analytics Alert
Kerberos User Enumeration (a371b533-c9f4-11eb-879e-acde48001122) - changed metadata of a Medium Analytics Alert
Suspicious allocation of compute resources in multiple regions - possible mining activity (30f4d71c-a3f7-43b0-82ca-f2951995e420) - changed metadata of a Medium Analytics Alert
Remote account enumeration (7ee73b65-466e-4d4d-b2a6-0058f11b442d) - changed metadata of a Medium Analytics Alert
Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - changed metadata of a Medium Analytics Alert
Sudoedit Brute force attempt (e1d6cdd8-845f-440b-b89e-a430eafea941) - changed metadata of a Medium Analytics Alert
NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) - changed metadata of a Medium Analytics Alert
Improved logic of 3 Low Analytics BIOCs:
Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of a Low Analytics BIOC
A suspicious process enrolled for a certificate (4cbef8f8-ec99-40d1-9b8b-bfbd3cda5f4b) - improved logic of a Low Analytics BIOC
A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - improved logic of a Low Analytics BIOC
Changed metadata of 93 Low Analytics BIOCs:
Suspicious Certutil AD CS contact (06545c74-04c2-4964-9af5-eb99080c274e) - changed metadata of a Low Analytics BIOC
Suspicious PowerShell Enumeration of Running Processes (9ed9d8ee-6dbb-11ea-a5d9-88e9fe502c1f) - changed metadata of a Low Analytics BIOC
Suspicious access to shadow file (e4b279f9-3e47-4906-a9d3-4b2a7550da04) - changed metadata of a Low Analytics BIOC
VPN login with a machine account (9818431a-c039-49eb-a93c-8731c7f48fec) - changed metadata of a Low Analytics BIOC
Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - changed metadata of a Low Analytics BIOC
User successfully connected from a suspicious country (2f0796a2-c33c-4437-b592-ac13f0929e7d) - changed metadata of a Low Analytics BIOC
Remote service start from an uncommon source (972072a7-9f23-4354-824d-7295de90e804) - changed metadata of a Low Analytics BIOC
Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - changed metadata of a Low Analytics BIOC
Uncommon user management via net.exe (f78dfe5e-e952-11e9-b300-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - changed metadata of a Low Analytics BIOC
Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - changed metadata of a Low Analytics BIOC
Uncommon GetClipboardData API function invocation of a possible information stealer (086617b1-eaea-4b50-9712-318faeb71c10) - changed metadata of a Low Analytics BIOC
Unsigned and unpopular process performed a DLL injection (5396ebed-c7ef-4462-a02b-9cf7232b27b8) - changed metadata of a Low Analytics BIOC
Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - changed metadata of a Low Analytics BIOC
Uncommon routing table listing via route.exe (758e8ed7-e953-11e9-b4ee-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
Domain federation settings have been modified (050d189d-714a-46a0-b25d-2b295afd55b6) - changed metadata of a Low Analytics BIOC
MSBuild Makes a Rare Network Connection (633a8e38-c616-11ea-abb3-acde48001122) - changed metadata of a Low Analytics BIOC
MpCmdRun.exe was used to download files into the system (bae10b1e-5850-452a-9623-d86e959d34d4) - changed metadata of a Low Analytics BIOC
Suspicious AMSI decode attempt (f3885db4-6be6-40b9-82c1-9858f97a4229) - changed metadata of a Low Analytics BIOC
Remote DCOM command execution (e5e3c27a-a0c5-49b7-8143-5012d1180d2c) - changed metadata of a Low Analytics BIOC
Suspicious process loads a known PowerShell module (23ac9a23-8a43-4900-95e1-6cdb422dd854) - changed metadata of a Low Analytics BIOC
AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - changed metadata of a Low Analytics BIOC
Unusual process accessed the PowerShell history file (c5e0c7e3-5e55-11eb-9453-acde48001122) - changed metadata of a Low Analytics BIOC
A rare disabled user attempted to log in (598e04de-0c13-46de-ad73-27ec4605da3f) - changed metadata of a Low Analytics BIOC
Failed Login For a Long Username With Special Characters (de8eb00f-2016-11ea-8f2b-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - changed metadata of a Low Analytics BIOC
Unverified domain added to Azure AD (e4672ba4-6ba8-426c-82c1-9858f97a4221) - changed metadata of a Low Analytics BIOC
Uncommon local scheduled task creation via schtasks.exe (8581c273-e953-11e9-b670-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - changed metadata of a Low Analytics BIOC
Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - changed metadata of a Low Analytics BIOC
Wsmprovhost.exe Rare Child Process (f5b580fd-e952-11e9-91de-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
Uncommon ARP cache listing via arp.exe (85a9b5a1-e953-11e9-939b-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
Rare SSH Session (85f62ab8-e953-11e9-beca-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
Interactive login by a service account (603bfd03-d88b-4a3e-844b-5286b6971960) - changed metadata of a Low Analytics BIOC
Wscript/Cscript loads .NET DLLs (5844326f-d597-410f-aea0-7d369029b218) - changed metadata of a Low Analytics BIOC
Suspicious LDAP search query executed (95ffd373-d208-4fae-8d1e-adfeca7b9fb5) - changed metadata of a Low Analytics BIOC
Uncommon remote service start via sc.exe (85cdb57d-e953-11e9-859b-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
SPNs cleared from a machine account (973d9ec2-5dce-11ec-8dbf-acde48001122) - changed metadata of a Low Analytics BIOC
Unsigned and unpopular process performed an injection (6bcd74bb-6301-4f52-9a9f-1b38e6a54342) - changed metadata of a Low Analytics BIOC
WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - changed metadata of a Low Analytics BIOC
LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - changed metadata of a Low Analytics BIOC
Screensaver process executed from Users or temporary folder (463d34d4-d448-40f2-8093-6ce58cf2bdbb) - changed metadata of a Low Analytics BIOC
Rare communication over email ports to external email server by unsigned process (7b424216-fe61-4589-bcee-67e9e7b267be) - changed metadata of a Low Analytics BIOC
Uncommon Security Support Provider (SSP) registered via a registry key (3d1283d0-409c-4d95-8995-dcc7b1ab23e1) - changed metadata of a Low Analytics BIOC
PowerShell Initiates a Network Connection to GitHub (8b34f70a-b84d-4d98-aa19-7ee88037e467) - changed metadata of a Low Analytics BIOC
Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - changed metadata of a Low Analytics BIOC
Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
New addition to Windows Defender exclusion list (97bd1ad3-df0f-459c-be72-88193ce7b667) - changed metadata of a Low Analytics BIOC
VPN login by a service account (5430df85-d0ff-4b41-8683-6ad6bed1b657) - changed metadata of a Low Analytics BIOC
Suspicious process accessed certificate files (21df20db-09cb-4bc4-b7ea-c6b1cb2e9667) - changed metadata of a Low Analytics BIOC
Microsoft Office process spawns a commonly abused process (e15a97e1-466c-11ea-90c6-88e9fe502c1f) - changed metadata of a Low Analytics BIOC
Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - changed metadata of a Low Analytics BIOC
Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - changed metadata of a Low Analytics BIOC
First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - changed metadata of a Low Analytics BIOC
Discovery of host users via WMIC (6593c57d-14fe-11ea-9297-88e9fe502c1f) - changed metadata of a Low Analytics BIOC
Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - changed metadata of a Low Analytics BIOC
Command running with COMSPEC in the command line argument (2feeb01f-0a81-476a-8ec0-d49fd2bf807b) - changed metadata of a Low Analytics BIOC
GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - changed metadata of a Low Analytics BIOC
Rare security product signed executable executed in the network (f9e9ff14-df6e-4ed4-a15d-326bd444199b) - changed metadata of a Low Analytics BIOC
A disabled user attempted to log in to a VPN (2a092ebe-ed9a-4eaa-bdcc-4b378c4ce4d7) - changed metadata of a Low Analytics BIOC
Suspicious runonce.exe parent process (b72692c3-9579-4547-b657-43dc4e6be816) - changed metadata of a Low Analytics BIOC
Possible network service discovery via command-line tool (e2e77dfb-d869-405e-ab1f-2a2477c931cc) - changed metadata of a Low Analytics BIOC
Possible network sniffing attempt via tcpdump or tshark (10d3d8d1-1edd-4992-beb3-53d4f5afcde8) - changed metadata of a Low Analytics BIOC
Elevation to SYSTEM via services (a1962f05-c1da-4765-8e4a-59729c70dde0) - changed metadata of a Low Analytics BIOC
Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet (c640fd86-9c58-4fe2-82ed-c3975866393a) - changed metadata of a Low Analytics BIOC
Suspicious process execution by scheduled task (56bc5f4c-e481-41de-81e4-ec618fb1f004) - changed metadata of a Low Analytics BIOC
AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - changed metadata of a Low Analytics BIOC
Delayed Deletion of Files (9801a8bd-4695-11ea-bb20-88e9fe502c1f) - changed metadata of a Low Analytics BIOC
Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - changed metadata of a Low Analytics BIOC
Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - changed metadata of a Low Analytics BIOC
Reading bash command history file (e5dcfbcd-7c34-69a7-be3b-3ff9893435d7) - changed metadata of a Low Analytics BIOC
Suspicious RunOnce Parent Process (565f0500-ad74-11ea-abe7-acde48001122) - changed metadata of a Low Analytics BIOC
AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - changed metadata of a Low Analytics BIOC
Rare Unsigned Process Spawned by Office Process Under Suspicious Directory (dff03970-bf7a-11ea-86c7-acde48001122) - changed metadata of a Low Analytics BIOC
Uncommon IP Configuration Listing via ipconfig.exe (02501f5c-e953-11e9-954d-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
Image File Execution Options Registry key injection by unsigned process (4588be44-8912-41c5-9a7d-6921691140db) - changed metadata of a Low Analytics BIOC
SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - changed metadata of a Low Analytics BIOC
UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - changed metadata of a Low Analytics BIOC
Suspicious sAMAccountName change (3a44e454-61ab-11ec-a8b5-acde48001122) - changed metadata of a Low Analytics BIOC
An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - changed metadata of a Low Analytics BIOC
A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - changed metadata of a Low Analytics BIOC
SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - changed metadata of a Low Analytics BIOC
System information discovery via psinfo.exe (5347ae54-08ba-4cee-81a7-a26016928e27) - changed metadata of a Low Analytics BIOC
Suspicious PowerShell Command Line (d2aa3dde-4d73-11ea-923a-88e9fe502c1f) - changed metadata of a Low Analytics BIOC
Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - changed metadata of a Low Analytics BIOC
A WMI subscriber was created (5a1964f8-87a0-49d6-bbf2-2c1a5a5eb3e1) - changed metadata of a Low Analytics BIOC
Microsoft Office adds a value to autostart Registry key (32e4eb1d-659c-317b-42a7-910db9f2f3b7) - changed metadata of a Low Analytics BIOC
Unsigned process creates a scheduled task via file access (f07fd364-9b51-48ec-8225-32ae98a8ffe5) - changed metadata of a Low Analytics BIOC
SUID/GUID permission discovery (3f90bf2c-05bb-4916-8e70-3fe7a81ea23d) - changed metadata of a Low Analytics BIOC
SecureBoot was disabled (e8a6caaf-89c1-4e19-8e27-1ced582293e0) - changed metadata of a Low Analytics BIOC
Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - changed metadata of a Low Analytics BIOC
Suspicious process executed with a high integrity level (81e70ab2-b1f1-4a1c-bf94-3929f6d7e1b2) - changed metadata of a Low Analytics BIOC
Increased the severity to Low for an Analytics Alert:
TGT reuse from different hosts (pass the ticket) (a3ae81d9-6d4a-45a8-a720-df7380d2afc8) - increased the severity to Low, and improved detection logic
Added a new Low Analytics Alert:
VPN login Brute-Force attempt (7a69443f-48af-4c3b-8c18-b448e403561c) - added a new Low alert
Improved logic of a Low Analytics Alert:
Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - improved logic of a Low Analytics Alert
Changed metadata of 22 Low Analytics Alerts:
Possible external RDP Brute-Force (f774f787-6763-4f3c-bc24-46d3183d26fe) - changed metadata of a Low Analytics Alert
Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - changed metadata of a Low Analytics Alert
Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - changed metadata of a Low Analytics Alert
Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - changed metadata of a Low Analytics Alert
Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - changed metadata of a Low Analytics Alert
Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - changed metadata of a Low Analytics Alert
Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - changed metadata of a Low Analytics Alert
Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alert
Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - changed metadata of a Low Analytics Alert
Suspicious reconnaissance using LDAP (72a78521-6907-40c0-90da-5c1a733a8ed6) - changed metadata of a Low Analytics Alert
NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - changed metadata of a Low Analytics Alert
Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - changed metadata of a Low Analytics Alert
Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - changed metadata of a Low Analytics Alert
Outlook files accessed by an unsigned process (ef33bda6-d0c5-48ef-95a6-e80c0f19df79) - changed metadata of a Low Analytics Alert
NTLM Brute Force on an Administrator Account (aed1e32e-8df0-48d7-8e78-4ebcb6e09a94) - changed metadata of a Low Analytics Alert
NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - changed metadata of a Low Analytics Alert
Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - changed metadata of a Low Analytics Alert
Excessive user account lockouts (ed56d140-47ce-11ec-a9b1-faffc26aac4a) - changed metadata of a Low Analytics Alert
Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - changed metadata of a Low Analytics Alert
IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - changed metadata of a Low Analytics Alert
A user connected a new USB storage device to multiple hosts (09214199-d414-486e-bcf5-dc5034b2c424) - changed metadata of a Low Analytics Alert
Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - changed metadata of a Low Analytics Alert
Decreased the severity to Informational for an Analytics BIOC:
Certutil pfx parsing (3719af79-bdde-4c84-9277-cbf41c86cd39) - decreased the severity to Informational, and improved detection logic
Added a new Informational Analytics BIOC:
First VPN access from ASN for user (a8a4d03b-d016-4e67-a497-c0388e08adc7) - added a new Informational alert
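Every entry in these notes has the same shape, `<detector name> (<rule id>) - <note>`, listed under a header that states the action ("Added", "Removed", "Improved logic of", "Changed metadata of", "Increased/Decreased the severity to") and the severity and kind (Analytics BIOC or Analytics Alert). Teams that keep per-rule exclusions or tuning keyed on the rule id usually want to know, per release, which of their ids were added, removed, re-logicked or re-severitied. The Python below is an added example written for this page, not Palo Alto Networks' code, that parses that line shape and answers those questions. The excerpt it runs on is constructed from entries that appear in these notes (the header count is adjusted to the excerpt), and the normalized action labels are this example's own.

```python
import re
from collections import defaultdict

# Severities used in Cortex XDR content release notes, most to least severe.
SEVERITIES = ("Critical", "High", "Medium", "Low", "Informational")

# Section-header prefix -> normalized action label (labels are this example's own).
ACTIONS = {
    "Added": "added",
    "Removed": "removed",
    "Improved logic": "improved_logic",
    "Changed metadata": "changed_metadata",
    "Increased the severity": "increased_severity",
    "Decreased the severity": "decreased_severity",
}

UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# One entry line: "<name> (<uuid>) - <note>". Names may contain their own
# parentheses ("Large Upload (FTP)"), so the UUID group, not "(", anchors the split.
ENTRY = re.compile(rf"^(?P<name>.+?) \((?P<id>{UUID})\) - (?P<note>.+)$")

# Constructed excerpt: entries copied from this release note, header count adjusted.
SAMPLE = """\
Increased the severity to Low for an Analytics Alert:
TGT reuse from different hosts (pass the ticket) (a3ae81d9-6d4a-45a8-a720-df7380d2afc8) - increased the severity to Low, and improved detection logic
Added a new Low Analytics Alert:
VPN login Brute-Force attempt (7a69443f-48af-4c3b-8c18-b448e403561c) - added a new Low alert
Improved logic of a Low Analytics Alert:
Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - improved logic of a Low Analytics Alert
Changed metadata of 2 Low Analytics Alerts:
Possible external RDP Brute-Force (f774f787-6763-4f3c-bc24-46d3183d26fe) - changed metadata of a Low Analytics Alert
Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - changed metadata of a Low Analytics Alert
Decreased the severity to Informational for an Analytics BIOC:
Certutil pfx parsing (3719af79-bdde-4c84-9277-cbf41c86cd39) - decreased the severity to Informational, and improved detection logic
"""


def parse_header(line):
    """Return {'action', 'severity', 'kind'} for a section header, or None."""
    if not line.endswith(":"):
        return None
    text = line[:-1]
    action = next((a for p, a in ACTIONS.items() if text.startswith(p)), None)
    if action is None:
        return None
    # For severity-change headers this is the *new* severity ("...to Low for an...").
    severity = next((s for s in SEVERITIES if re.search(rf"\b{s}\b", text)), None)
    kind = "BIOC" if "BIOC" in text else "Alert"
    return {"action": action, "severity": severity, "kind": kind}


def parse_release_notes(text):
    """Parse release-note text into one dict per detector entry."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = parse_header(line)
        if header:
            section = header
            continue
        m = ENTRY.match(line)
        if m and section:  # entry lines before any header are ignored
            entries.append({**m.groupdict(), **section})
    return entries


def ids_by_action(entries):
    """Rule ids grouped by normalized action, in page order."""
    out = defaultdict(list)
    for e in entries:
        out[e["action"]].append(e["id"])
    return dict(out)


def severity_changes(entries):
    """Rule id -> new severity, for every severity increase or decrease."""
    return {e["id"]: e["severity"] for e in entries if e["action"].endswith("_severity")}


def touched(entries, watched_ids):
    """Entries whose id is in watched_ids (e.g. rules you hold exclusions on)."""
    watched = set(watched_ids)
    return [e for e in entries if e["id"] in watched]


if __name__ == "__main__":
    parsed = parse_release_notes(SAMPLE)
    for action, ids in ids_by_action(parsed).items():
        print(f"{action}: {len(ids)} rule(s)")
    for rule_id, sev in severity_changes(parsed).items():
        print(f"severity now {sev}: {rule_id}")
```

Severity changes and removals are the two actions worth alerting on: a rule whose severity drops to Informational may silently stop feeding an incident-scoring threshold, and a removed id leaves any exclusion keyed on it orphaned. Feeding the full notes text to `parse_release_notes` and diffing `ids_by_action` against the previous release gives both lists directly.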
Changed metadata of 139 Informational Analytics BIOCs:
An Identity accessed a secret from Secret Manager (050cd586-bc43-4586-850d-162c0123ad6e) - changed metadata of an Informational Analytics BIOC
Security tools detection attempt (502d0305-4670-49e3-b62b-2fab82bdda6e) - changed metadata of an Informational Analytics BIOC
Interactive login by a machine account (1114b340-fc05-4ad0-925d-6c2867d2b5d9) - changed metadata of an Informational Analytics BIOC
A suspicious process queried AD CS objects via LDAP (69bfcbc2-04a1-400b-9516-14c987fedb05) - changed metadata of an Informational Analytics BIOC
Process connecting to default Meterpreter port (9de6cf91-007d-11ea-a77c-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOC
Rare AppID usage for port to rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - changed metadata of an Informational Analytics BIOC
Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - changed metadata of an Informational Analytics BIOC
Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOC
A LOLBIN was copied to a different location (55c8b498-1f5e-4abf-9dfc-ca8bf0bcb3b9) - changed metadata of an Informational Analytics BIOC
Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - changed metadata of an Informational Analytics BIOC
A user connected a new USB storage device to a host (43c2c43d-3c3c-4a16-b06c-3ad5de1fb3be) - changed metadata of an Informational Analytics BIOC
LDAP Traffic from Non-Standard Process (5e72a7b4-39ed-4669-98ca-b2495088f653) - changed metadata of an Informational Analytics BIOC
Azure Event Hub Authorization rule creation/modification (ba1fb18f-9031-4b7c-9ec3-d029f5e5ee0e) - changed metadata of an Informational Analytics BIOC
GCP Service Account deletion (bf134ec2-a907-4f4f-a316-0b68625ff236) - changed metadata of an Informational Analytics BIOC
User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - changed metadata of an Informational Analytics BIOC
Commonly abused process launched as a system service (3cbd172e-6e2f-11ea-8d8e-88e9fe502c1f) - changed metadata of an Informational Analytics BIOC
Signed process performed an unpopular DLL injection (9e699960-30e7-4b6e-bb71-30cdbf635307) - changed metadata of an Informational Analytics BIOC
New process created via a WMI call (6d726469-71ac-4741-9b41-abd75259ff74) - changed metadata of an Informational Analytics BIOC
Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - changed metadata of an Informational Analytics BIOC
Azure Key Vault modification (c253e0bb-f704-45c8-9abe-ad0ec9345b54) - changed metadata of an Informational Analytics BIOC
First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - changed metadata of an Informational Analytics BIOC
Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - changed metadata of an Informational Analytics BIOC
Rare NTLM Usage by User (41374948-45f3-448a-bec2-2efe049aa69f) - changed metadata of an Informational Analytics BIOC
GCP IAM Custom Role Creation (830eb74a-a6a5-4e5c-9890-0f5857408000) - changed metadata of an Informational Analytics BIOC
VM Detection attempt (579c1479-a14e-4366-ab09-6bfefe0dc7f7) - changed metadata of an Informational Analytics BIOC
Commonly abused AutoIT script drops an executable file to disk (267a6168-f45b-4274-9c78-7519395f47d4) - changed metadata of an Informational Analytics BIOC
Azure Blob Container Access Level Modification (28efc491-b0a3-4edc-96ab-15156dec80e4) - changed metadata of an Informational Analytics BIOC
Suspicious domain user account creation (49c01587-efa8-11eb-ab9a-acde48001122) - changed metadata of an Informational Analytics BIOC
Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - changed metadata of an Informational Analytics BIOC
GCP Service Account creation (f29b6fd5-3da3-4e40-867d-ef8c82d95116) - changed metadata of an Informational Analytics BIOC
AWS Role Trusted Entity modification (cada381e-8af6-45fa-8c3f-a4e93c4e1885) - changed metadata of an Informational Analytics BIOC
Possible use of a networking driver for network sniffing (335fb03a-3c85-4029-8033-ec575b3479ae) - changed metadata of an Informational Analytics BIOC
Modification of PAM (9aa924bd-64e8-4077-af6e-2dd5ef8e8b0d) - changed metadata of an Informational Analytics BIOC
Remote usage of VM Service Account token (e65c3658-79d7-11ec-bba6-acde48001122) - changed metadata of an Informational Analytics BIOC
An IAM group was created (af19f0d0-1e67-4327-9528-a1dc496a548f) - changed metadata of an Informational Analytics BIOC
Suspicious curl user agent (14166076-1ee3-4d9b-954d-eaad065ca0c0) - changed metadata of an Informational Analytics BIOC
Local account discovery (99206b5b-f52d-4850-95ab-0135cf3db645) - changed metadata of an Informational Analytics BIOC
Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - changed metadata of an Informational Analytics BIOC
First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - changed metadata of an Informational Analytics BIOC
AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - changed metadata of an Informational Analytics BIOC
GCP IAM Role Deletion (e0fe91e0-6179-4a3d-9d71-95144f4ebb25) - changed metadata of an Informational Analytics BIOC
Rare NTLM Access By User To Host (05413bad-3d79-4e9a-9611-3471e3b25da5) - changed metadata of an Informational Analytics BIOC
Azure virtual machine commands execution (6a069681-c378-4b9c-a2e2-0414a64cc36e) - changed metadata of an Informational Analytics BIOC
Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - changed metadata of an Informational Analytics BIOC
GCP IAM Service Account Key Deletion (7a30c221-6450-4c5a-bafc-f6633a5b7f7f) - changed metadata of an Informational Analytics BIOC
User connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - changed metadata of an Informational Analytics BIOC
Rare signature signed executable executed in the network (c3ce1512-5a5b-4dca-8bd7-0d06845311ee) - changed metadata of an Informational Analytics BIOC
Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - changed metadata of an Informational Analytics BIOC
A user cleared their browser's history (8c76ebbd-13ce-4bb0-9f28-d964ea488670) - changed metadata of an Informational Analytics BIOC
Azure Automation Webhook creation (c5393a54-b199-4474-a603-75b276903766) - changed metadata of an Informational Analytics BIOC
GCP Storage Bucket Configuration Modification (d1ad46ca-4412-445a-a0be-17d9b29880d3) - changed metadata of an Informational Analytics BIOC
GCP Service Account Disable (ee82516d-e047-4172-a427-17e30e037706) - changed metadata of an Informational Analytics BIOC
GCP Firewall Rule Modification (780f6209-1829-45e2-9ab9-a22999d6ef6e) - changed metadata of an Informational Analytics BIOC
Suspicious active setup registered (8c293cef-3d98-492d-be14-7bff66877bc7) - changed metadata of an Informational Analytics BIOC
External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - changed metadata of an Informational Analytics BIOC
Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - changed metadata of an Informational Analytics BIOC
MFA device was removed/deactivated from an IAM user (52d74622-2fa5-4eae-b7d0-8eb52e0caaf3) - changed metadata of an Informational Analytics BIOC
VPN access with an abnormal operating system (1adc594f-4a49-4f75-adee-5b72c4dd4e70) - changed metadata of an Informational Analytics BIOC
An AWS RDS Global Cluster Deletion (1b957d24-d4c3-11eb-9122-acde48001122) - changed metadata of an Informational Analytics BIOC
S3 configuration deletion (68ebffe9-ce22-4453-bf44-5cd1affd67a0) - changed metadata of an Informational Analytics BIOC
AWS network ACL rule creation (a04d827e-9c62-4e2e-be28-1308c695446e) - changed metadata of an Informational Analytics BIOC
GCP Pub/Sub Subscription Deletion (12e3bc4a-69f6-4923-932e-0272621aa21a) - changed metadata of an Informational Analytics BIOC
EC2 snapshot attribute has been modification (1c516548-f413-4117-b759-d98d5bec3ed5) - changed metadata of an Informational Analytics BIOC
A user connected a USB storage device to a host for the first time (e3bc7997-3aec-4a0c-abc9-bdf744a34f39) - changed metadata of an Informational Analytics BIOC
Uncommon DotNet module load relationship (56f63574-0ba4-4ad3-bb5d-2f4219f80fbe) - changed metadata of an Informational Analytics BIOC
Rare process execution in organization (8d02294c-21bd-11eb-afd9-acde48001122) - changed metadata of an Informational Analytics BIOC
WebDAV drive mounted from net.exe over HTTPS (233491ca-e954-11e9-90bd-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOC
GCP Virtual Private Network Route Deletion (db6e96a7-a47a-4ba3-b92c-623713ba3d67) - changed metadata of an Informational Analytics BIOC
GCP Pub/Sub Topic Deletion (2acac71c-6a19-4b2f-a4d3-b95fa4cab768) - changed metadata of an Informational Analytics BIOC
VPN access with a new operating system for a user (0973136b-a66a-4ad1-ad9c-068971bfcbb8) - changed metadata of an Informational Analytics BIOC
GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - changed metadata of an Informational Analytics BIOC
AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - changed metadata of an Informational Analytics BIOC
AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - changed metadata of an Informational Analytics BIOC
GCP Virtual Private Network Route Creation (00e3b67d-2ef2-4341-b017-a6183b7dd8c8) - changed metadata of an Informational Analytics BIOC
Ping to localhost from an uncommon, unsigned parent process (91d8831e-18ed-48b3-a316-f5091d647738) - changed metadata of an Informational Analytics BIOC
Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - changed metadata of an Informational Analytics BIOC
Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - changed metadata of an Informational Analytics BIOC
Rare machine account creation (45d670c2-61d9-11ec-9f91-acde48001122) - changed metadata of an Informational Analytics BIOC
Rare SMTP/S Session (4a634ad4-e954-11e9-b86b-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOC
First VPN access from ASN in organization (4f94ffc0-6f8c-411b-a0ca-e0fb65ee8a5b) - changed metadata of an Informational Analytics BIOC
Azure Automation Account Creation (878335a8-daf9-4380-a856-9df94a8f9e8d) - changed metadata of an Informational Analytics BIOC
Hidden Attribute was added to a file using attrib.exe (5414fab8-c803-40c5-914a-a601b23acb5a) - changed metadata of an Informational Analytics BIOC
SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - changed metadata of an Informational Analytics BIOC
Service execution via sc.exe (d25d07fa-015c-47a6-a6a0-15ff46020cc5) - changed metadata of an Informational Analytics BIOC
Azure Storage Account key generated (72443a25-c783-494e-adaa-98cd96a54997) - changed metadata of an Informational Analytics BIOC
LOLBAS executable injects into another process (76190f98-9582-9c60-cca0-3ee2e8f0bf15) - changed metadata of an Informational Analytics BIOC
AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - changed metadata of an Informational Analytics BIOC
Copy a process memory file (12785e19-c4ec-499d-a0f6-c6ccad857d35) - changed metadata of an Informational Analytics BIOC
A user created a pfx file for the first time (5ddac38b-51e2-48c4-9fb7-43144bc3a148) - changed metadata of an Informational Analytics BIOC
Azure Automation Runbook Deletion (ba481ed7-9957-489f-a29d-b78f92cc0644) - changed metadata of an Informational Analytics BIOC
First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - changed metadata of an Informational Analytics BIOC
Command execution via wmiexec (797eba35-3ac8-4e84-8dc4-dbe804b9dee3) - changed metadata of an Informational Analytics BIOC
Aurora DB cluster stopped (37242e95-a845-4043-87d6-ad07edfd7c99) - changed metadata of an Informational Analytics BIOC
SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - changed metadata of an Informational Analytics BIOC
Login by a dormant user (0d700470-a3fa-4a78-b1fa-5c1e47db9a60) - changed metadata of an Informational Analytics BIOC
A browser was opened in private mode (9c499a04-883b-4cfe-9c1f-eb1be965a0cc) - changed metadata of an Informational Analytics BIOC
AWS RDS cluster deletion (818dcc3f-c6e9-4ad5-a7ac-633cb75ebe71) - changed metadata of an Informational Analytics BIOC
Uncommon net localgroup execution (4adaa6ba-e954-11e9-b566-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOC
System profiling WMI query execution (cf32631b-369a-451d-91ca-d2bc5b903363) - changed metadata of an Informational Analytics BIOC
Possible Email collection using Outlook RPC (d79e5210-e386-4bb6-aff9-c33afb3ba9d6) - changed metadata of an Informational Analytics BIOC
User account delegation change (b6c63bd1-8506-11ec-b228-acde48001122) - changed metadata of an Informational Analytics BIOC
IAM User added to an IAM group (440b6ea7-2f9e-4ad1-8443-2586eb796298) - changed metadata of an Informational Analytics BIOC
GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - changed metadata of an Informational Analytics BIOC
AWS config resource deletion (7c992418-9687-44ea-8b12-1c680bf1c901) - changed metadata of an Informational Analytics BIOC
Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol (72931f2e-a43f-4e77-ad81-48c29164017f) - changed metadata of an Informational Analytics BIOC
Uncommon Managed Object Format (MOF) compiler usage (d8069d23-e953-11e9-bb13-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOC
GCP Storage Bucket Permissions Modification (5ed09b6c-a603-4c5d-8c63-74245e42faed) - changed metadata of an Informational Analytics BIOC
A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) - changed metadata of an Informational Analytics BIOC
Sensitive account password reset attempt (d53de368-576a-11ec-9556-acde48001122) - changed metadata of an Informational Analytics BIOC
Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - changed metadata of an Informational Analytics BIOC
Rare process execution by user (4cf96b80-2278-11eb-9f9a-acde48001122) - changed metadata of an Informational Analytics BIOC
GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - changed metadata of an Informational Analytics BIOC
AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - changed metadata of an Informational Analytics BIOC
Registration of Uncommon .NET Services and/or Assemblies (df0fcd8c-637b-11ea-b635-88e9fe502c1f) - changed metadata of an Informational Analytics BIOC
A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - changed metadata of an Informational Analytics BIOC
PowerShell pfx certificate extraction (1195bbe0-884c-4f4c-b1cf-4c8288cbeffc) - changed metadata of an Informational Analytics BIOC
AWS EC2 instance exported into S3 (c6ad16c5-f2be-46de-9d3b-c44613f46d27) - changed metadata of an Informational Analytics BIOC
Azure Automation Runbook Creation/Modification (abeed5ee-9620-4c31-b751-f090b3a82c37) - changed metadata of an Informational Analytics BIOC
Rare process spawned by srvany.exe (95b2dea2-4531-4eb4-892e-bb6422293ac9) - changed metadata of an Informational Analytics BIOC
Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - changed metadata of an Informational Analytics BIOC
Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - changed metadata of an Informational Analytics BIOC
A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - changed metadata of an Informational Analytics BIOC
Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - changed metadata of an Informational Analytics BIOC
Remote usage of an App engine Service Account token (b5b760e8-8747-11ec-b26b-acde48001122) - changed metadata of an Informational Analytics BIOC
Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - changed metadata of an Informational Analytics BIOC
Unusual weak authentication by user (438a1ba6-98e1-4b02-9c94-76c437fd682d) - changed metadata of an Informational Analytics BIOC
GCP VPC Firewall Rule Deletion (4c47ea31-a67a-4b2f-b88a-154d8aac420b) - changed metadata of an Informational Analytics BIOC
Administrator groups enumerated via LDAP (ab78c189-98f0-4646-b67b-0ce05576ddbf) - changed metadata of an Informational Analytics BIOC
GCP Firewall Rule creation (a84dbd23-67d0-4851-a73a-7dc7430600cf) - changed metadata of an Informational Analytics BIOC
First VPN access attempt from a country in organization (e143bc60-67d0-45e8-b0cb-682ecf82a04d) - changed metadata of an Informational Analytics BIOC
GCP Storage Bucket deletion (d681c6c5-41e7-4042-bd07-7f666889d59c) - changed metadata of an Informational Analytics BIOCs
Indicator blocking (fad21a46-1b2c-4308-9b3b-46153e86cf07) - changed metadata of an Informational Analytics BIOCs
AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - changed metadata of an Informational Analytics BIOCs
GCP Virtual Private Cloud (VPC) Network Deletion (d9158b41-8de9-4f6d-98b0-3155d4deb092) - changed metadata of an Informational Analytics BIOCs
Root user logged in to AWS console (447ef512-2b73-4c8e-b0f4-c85415e7659f) - changed metadata of an Informational Analytics BIOCs
AWS user creation (242c9abb-1def-4778-ba5e-88817b4dc89f) - changed metadata of an Informational Analytics BIOCs
Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - changed metadata of an Informational Analytics BIOCs
Uncommon RDP connection (239ae240-e954-11e9-9f0a-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
Signed process performed an unpopular injection (365bfca2-a3e1-4a44-9487-1353903a6c61) - changed metadata of an Informational Analytics BIOCs
Added a new Informational Analytics Alert:
Multiple user accounts were deleted (a334c4fa-569a-11ec-ad30-acde48001122) - added a new Informational alert
Changed metadata of 13 Informational Analytics Alerts:
Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - changed metadata of an Informational Analytics Alerts
Multiple suspicious user accounts were created (b60687dc-f312-11eb-9f0a-faffc26aac4a) - changed metadata of an Informational Analytics Alerts
Uncommon multiple service stop commands (09db6c8f-189e-4e07-b94a-3fe5a188e4b0) - changed metadata of an Informational Analytics Alerts
Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - changed metadata of an Informational Analytics Alerts
Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - changed metadata of an Informational Analytics Alerts
Interactive local account enumeration (d4608074-aafc-49cc-aa04-292c0a87332e) - changed metadata of an Informational Analytics Alerts
Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - changed metadata of an Informational Analytics Alerts
Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - changed metadata of an Informational Analytics Alerts
Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - changed metadata of an Informational Analytics Alerts
NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - changed metadata of an Informational Analytics Alerts
Possible LDAP enumeration by unsigned process (85c187ec-80d1-464e-ab1e-a9aa5af7f191) - changed metadata of an Informational Analytics Alerts
Multiple Rare Process Executions in Organization (3d78f74c-a8f0-11eb-923e-acde48001122) - changed metadata of an Informational Analytics Alerts
User collected remote shared files in an archive (de85c5aa-21e8-43d7-af13-3862f787549f) - changed metadata of an Informational Analytics Alerts
March 13, 2022 Release:
Improved logic of 3 High Analytics BIOCs:
Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOCs
Editing ld.so.preload for persistence and injection (135b986b-033a-2cc5-8800-4da034c291fc) - improved logic of a High Analytics BIOCs
Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a High Analytics BIOCs
Changed metadata of 15 High Analytics BIOCs
Improved logic of a High Analytics Alert:
Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - improved logic of a High Analytics Alert
Changed metadata of a High Analytics Alert:
Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - changed metadata of a High Analytics Alert
Improved logic of 3 Medium Analytics BIOCs:
Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOCs
Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - improved logic of a Medium Analytics BIOCs
Changed metadata of 85 Medium Analytics BIOCs
Added a new Medium Analytics Alert:
Suspicious allocation of compute resources in multiple regions - possible mining activity (30f4d71c-a3f7-43b0-82ca-f2951995e420) - added a new Medium alert
Improved logic of a Medium Analytics Alert:
Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of a Medium Analytics Alert
Changed metadata of 9 Medium Analytics Alerts
Removed an old Low BIOC:
Office process loads a known PowerShell DLL (a088c900-5a69-4230-81c2-eb583abaa54a) - removed an old Low alert
Increased the severity to Low for 2 Analytics BIOCs:
Suspicious process loads a known PowerShell module (23ac9a23-8a43-4900-95e1-6cdb422dd854) - increased the severity to Low, and improved detection logic
Suspicious process accessed certificate files (21df20db-09cb-4bc4-b7ea-c6b1cb2e9667) - increased the severity to Low, and improved detection logic
Decreased the severity to Low for an Analytics BIOC:
Failed Login For a Long Username With Special Characters (de8eb00f-2016-11ea-8f2b-8c8590c9ccd1) - decreased the severity to Low
Improved logic of 12 Low Analytics BIOCs:
AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - improved logic of a Low Analytics BIOCs
Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - improved logic of a Low Analytics BIOCs
An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - improved logic of a Low Analytics BIOCs
Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - improved logic of a Low Analytics BIOCs
Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - improved logic of a Low Analytics BIOCs
GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - improved logic of a Low Analytics BIOCs
AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - improved logic of a Low Analytics BIOCs
AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - improved logic of a Low Analytics BIOCs
AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - improved logic of a Low Analytics BIOCs
Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - improved logic of a Low Analytics BIOCs
Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - improved logic of a Low Analytics BIOCs
Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - improved logic of a Low Analytics BIOCs
Changed metadata of 82 Low Analytics BIOCs
Removed an old Low Analytics BIOC:
A cloud identity executed an API call from an unusual country (19c743b0-99ca-400c-b386-bcc99d846582) - removed an old Low alert
Improved logic of a Low Analytics Alert:
IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alert
Changed metadata of 22 Low Analytics Alerts
Added a new Informational BIOC:
WSL Feature Installation (73ef4c5f-41da-4e46-8a72-ccb54088f106) - added a new Informational alert
Removed an old Informational BIOC:
Non-PowerShell process loading a known PowerShell DLL (d2d23fdd-5fcb-4483-a14e-a187e87a58c7) - removed an old Informational alert
Decreased the severity to Informational for 2 Analytics BIOCs:
User account delegation change (b6c63bd1-8506-11ec-b228-acde48001122) - decreased the severity to Informational, and improved detection logic
First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - decreased the severity to Informational, and improved detection logic
Improved logic of 68 Informational Analytics BIOCs
Changed metadata of 69 Informational Analytics BIOCs
Removed an old Informational Analytics BIOC:
First cloud API call from a country in organization (575fd23b-30b1-48eb-b94c-c6ef4261e7c1) - removed an old Informational alert
Decreased the severity to Informational for an Analytics Alert:
TGT reuse from different hosts (pass the ticket) (a3ae81d9-6d4a-45a8-a720-df7380d2afc8) - decreased the severity to Informational
Improved logic of 2 Informational Analytics Alerts:
Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of an Informational Analytics Alerts
Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alerts
Changed metadata of 11 Informational Analytics Alerts
Removed an old Informational Analytics Alert:
Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - removed an old Informational alert
March 7, 2022 Release:
Removed an old High BIOC:
Editing ld.so.preload for persistence and injection (9cb193d8-4f01-4c57-b21d-c3211e32fe5e) - removed an old High alert
Increased the severity to High for an Analytics BIOC:
Editing ld.so.preload for persistence and injection (135b986b-033a-2cc5-8800-4da034c291fc) - increased the severity to High, and improved detection logic
Improved logic of 2 High Analytics BIOCs:
Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOCs
Unprivileged process opened a registry hive (9937ddbf-beb9-49b0-ac34-e005d53a127b) - improved logic of a High Analytics BIOCs
Removed 5 old Medium BIOCs:
Suspicious certutil command line (bcf4cd6b-1e7f-4b2c-b538-24dacd1a0421) - removed an old Medium alert
Possible Persistence via group policy Registry keys (21ff020b-270f-4579-90ca-9d14638d4c46) - removed an old Medium alert
LOLBAS executable injects into another process (c8ad0223-2018-11ea-a080-8c8590c9ccd1) - removed an old Medium alert
Encoded information using Windows certificate management tool (ed18908a-2d6a-4d7d-a754-0a8ce32051a1) - removed an old Medium alert
Suspicious .NET process loads an MSBuild DLL (5ed99c87-daf2-11ea-93df-faffc26aac4a) - removed an old Medium alert
Increased the severity to Medium for 4 Analytics BIOCs:
Suspicious certutil command line (eb9c9e41-072d-9975-fba3-d17a1cb39b49) - increased the severity to Medium
Suspicious .NET process loads an MSBuild DLL (bb0e8ceb-94e4-888c-92a1-bc9c1b8c481c) - increased the severity to Medium, and improved detection logic
Possible Persistence via group policy Registry keys (3b3741b6-1993-0e75-6c33-51152991fa0a) - increased the severity to Medium, and improved detection logic
Encoded information using Windows certificate management tool (33d390e1-2091-4a70-0dde-99fe29540b38) - increased the severity to Medium
Improved logic of 7 Medium Analytics BIOCs:
External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - improved logic of a Medium Analytics BIOCs
RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs
Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOCs
Non-browser failed access to a pastebin-like site (be47eb8c-3407-46d6-ad35-2961f3f669b0) - improved logic of a Medium Analytics BIOCs
Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - improved logic of a Medium Analytics BIOCs
SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - improved logic of a Medium Analytics BIOCs
Changed metadata of a Medium Analytics BIOC:
Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - changed metadata of a Medium Analytics BIOC
Improved logic of a Medium Analytics Alert:
Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of a Medium Analytics Alert
Improved logic of 3 Low Analytics BIOCs:
Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of a Low Analytics BIOCs
Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOCs
Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - improved logic of a Low Analytics BIOCs
Added a new Informational BIOC:
Execution of WSL Distro (ff4f73d0-8adf-4861-b743-25bd071e6a5a) - added a new Informational alert
Decreased the severity to Informational for an Analytics BIOC:
Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - decreased the severity to Informational
Added a new Informational BIOC:
A browser was opened in private mode (9c499a04-883b-4cfe-9c1f-eb1be965a0cc) - added a new Informational alert
Improved logic of 8 Informational Analytics BIOCs:
External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - improved logic of an Informational Analytics BIOCs
First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - improved logic of an Informational Analytics BIOCs
Uncommon DotNet module load relationship (56f63574-0ba4-4ad3-bb5d-2f4219f80fbe) - improved logic of an Informational Analytics BIOCs
Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - improved logic of an Informational Analytics BIOCs
Rare AppID usage for port to rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs
A user cleared their browser's history (8c76ebbd-13ce-4bb0-9f28-d964ea488670) - improved logic of an Informational Analytics BIOCs
Possible Email collection using Outlook RPC (d79e5210-e386-4bb6-aff9-c33afb3ba9d6) - improved logic of an Informational Analytics BIOCs
Process connecting to default Meterpreter port (9de6cf91-007d-11ea-a77c-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs
Changed metadata of an Informational Analytics BIOC:
Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - changed metadata of an Informational Analytics BIOC
Removed an old Informational Analytics BIOC:
Rare LOLBAS executable injects into another process (48374128-3426-47f1-8bbd-08780ab08c60) - removed an old Informational alert
February 28, 2022 Release:
Improved logic of a High Analytics BIOC:
Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOC
Removed 19 old Medium BIOCs:
Office process creates an unusual .LNK file (fc55f1f8-f1e7-11ea-84f5-faffc26aac4a) - removed an old Medium alert
Suspicious execution of ODBCConf (f35fb52f-f2a8-4568-b2f4-660910109efb) - removed an old Medium alert
Compiled HTML (help file) writes a script file to disk (122e2d05-593a-4739-b498-6c5252c0dc00) - removed an old Medium alert
Office process creates a scheduled task via file access (b97e91dc-7ca9-4e77-a595-e214eb462f27) - removed an old Medium alert
Executable moved to Windows system folder (045190df-f5ab-491a-b214-199dc17f9e3b) - removed an old Medium alert
Interactive at.exe privilege escalation method (0b41de4f-7d6e-4969-8636-56a98e2b6533) - removed an old Medium alert
Possible malicious .NET compilation started by a commonly abused process (9eb14342-4742-11ea-8105-88e9fe502c1f) - removed an old Medium alert
Microsoft Office injects code into a process (17b8c759-512d-4c13-9fe4-71dcdeb97c29) - removed an old Medium alert
Regsvr32 possibly downloading code from a remote host (a5ee0040-949c-4a4f-a5b8-dd5c079f9ba0) - removed an old Medium alert
Indirect command execution using the Program Compatibility Assistant (18447eac-7ad6-44a8-aaf5-7e75b0151166) - removed an old Medium alert
Rundll32.exe spawns conhost.exe (9606ea78-dbef-11ea-b978-faffc26aac4a) - removed an old Medium alert
Procdump executed from an atypical directory (e8338494-20af-11ea-bbde-8c8590c9ccd1) - removed an old Medium alert
Office process spawned with suspicious command-line arguments (29f7499b-2464-479d-9e49-10911bc02945) - removed an old Medium alert
Autorun.inf created in root C:\ drive (43fea42c-fbca-4e68-8f4b-7956f4397671) - removed an old Medium alert
LSASS dump file written to disk (90226942-3721-4df4-9b26-577ed1e9c34d) - removed an old Medium alert
Tampering with Internet Explorer Protected Mode configuration (2875c302-c815-468d-ac43-a56bba89bfe2) - removed an old Medium alert
Modification of NTLM restrictions in the Registry (207bde33-2c02-4aa7-ae4f-e22146b79ba6) - removed an old Medium alert
Unsigned process injecting into a Windows system binary with no command line (0c0a801f-06ff-4a10-b555-67e5aecbd410) - removed an old Medium alert
Possible network connection to a TOR relay server (996c74f1-f154-466a-8f93-154a43c6fb90) - removed an old Medium alert
Increased the severity to Medium for 19 Analytics BIOCs:
Suspicious execution of ODBCConf (4bebfd54-6c21-b4bd-f30e-070f48ae8949) - increased the severity to Medium
Modification of NTLM restrictions in the Registry (bba1f627-d154-4980-f752-b17096cd73a2) - increased the severity to Medium
Interactive at.exe privilege escalation method (86c25db2-acaa-6673-a7d4-20aef374f0d1) - increased the severity to Medium
Possible malicious .NET compilation started by a commonly abused process (63627c16-7c3e-9538-f662-8f25568995f5) - increased the severity to Medium
LSASS dump file written to disk (dd78e167-1c96-de84-d476-d48cba3370cd) - increased the severity to Medium
Compiled HTML (help file) writes a script file to disk (19cb36a3-3d9b-9453-125c-f0b456d4cef4) - increased the severity to Medium
Microsoft Office injects code into a process (da155b88-6973-a1b8-9ccd-5fad9a1e3455) - increased the severity to Medium
Autorun.inf created in root C:\ drive (cee2bedd-66d1-84d6-fd43-652725459a71) - increased the severity to Medium
Unsigned process injecting into a Windows system binary with no command line (1d8789e7-6629-4549-7064-d384adc339bc) - increased the severity to Medium
Office process spawned with suspicious command-line arguments (b6d85e95-f65e-dbcc-9c9b-eb2f47593f8e) - increased the severity to Medium
Procdump executed from an atypical directory (7b947703-063a-7f35-0980-b57cfb0eada1) - increased the severity to Medium
Rundll32.exe spawns conhost.exe (c91811ac-2fa7-af90-1d55-bc786fee62a6) - increased the severity to Medium
Tampering with Internet Explorer Protected Mode configuration (670fd2a0-8523-85f1-49c9-28a1f2ccb69a) - increased the severity to Medium
Office process creates a scheduled task via file access (f55359ad-1258-7ffe-1d97-ae01077dd8e1) - increased the severity to Medium
Possible code downloading from a remote host by Regsvr32 (1f358bb5-aede-3ff6-40e4-50edd570d9e3) - increased the severity to Medium
Office process creates an unusual .LNK file (15b39f42-b51e-7dec-576f-d1cef54a5baf) - increased the severity to Medium
Executable moved to Windows system folder (bab3ed69-9e51-2000-c383-34103b1fb8fd) - increased the severity to Medium
Indirect command execution using the Program Compatibility Assistant (324416dd-01a2-1fa3-f3f7-5757895e9926) - increased the severity to Medium
Possible network connection to a TOR relay server (a3e0fd91-11e5-34b8-92b3-a2bed507878a) - increased the severity to Medium
Improved logic of 3 Medium Analytics BIOCs:
Remote WMI process execution (65c55916-23c3-4d1e-9e3d-e839c9c4b70f) - improved logic of a Medium Analytics BIOCs
External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - improved logic of a Medium Analytics BIOCs
A remote service was created via RPC over SMB (f33c6ecc-cb20-4f2a-8bf8-869d21f18b0e) - improved logic of a Medium Analytics BIOCs
Removed an old Medium Analytics BIOC:
Remote WMI process execution v2 (96478c6f-eb33-4361-9f72-ca4a581c3518) - removed an old Medium alert
Improved logic of 2 Medium Analytics Alerts:
Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of a Medium Analytics Alerts
Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - improved logic of a Medium Analytics Alerts
Removed 2 old Low BIOCs:
Reading bash command history file (cb05480f-17d8-4138-9902-f0f9fb50b672) - removed an old Low alert
Microsoft Office adds a value to autostart Registry key (db0da9c7-b7b6-43ab-a53b-5854b6da9ce5) - removed an old Low alert
Increased the severity to Low for 3 Analytics BIOCs:
Suspicious DotNet log file created (064eebce-02fb-08e7-df1f-66ee933eefab) - increased the severity to Low, and improved detection logic
Reading bash command history file (e5dcfbcd-7c34-69a7-be3b-3ff9893435d7) - increased the severity to Low
Microsoft Office adds a value to autostart Registry key (32e4eb1d-659c-317b-42a7-910db9f2f3b7) - increased the severity to Low
Improved logic of 3 Low Analytics BIOCs:
Unsigned and unpopular process performed an injection (6bcd74bb-6301-4f52-9a9f-1b38e6a54342) - improved logic of a Low Analytics BIOCs
Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - improved logic of a Low Analytics BIOCs
Unsigned and unpopular process performed a DLL injection (5396ebed-c7ef-4462-a02b-9cf7232b27b8) - improved logic of a Low Analytics BIOCs
Decreased the severity to Informational for an Analytics BIOC:
Interactive login by a machine account (1114b340-fc05-4ad0-925d-6c2867d2b5d9) - decreased the severity to Informational, and improved detection logic
Added 2 new Informational Analytics BIOCs:
Globally uncommon action from a signed process (252d8435-ce11-4807-a8ee-3f0db51e7e5d) - added a new Informational alert
A user cleared their browser's history (8c76ebbd-13ce-4bb0-9f28-d964ea488670) - added a new Informational alert
Improved logic of 6 Informational Analytics BIOCs:
Globally uncommon root domain from a signed process (665fafa8-3b35-4c23-abbc-aa0183580835) - improved logic of an Informational Analytics BIOCs
First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - improved logic of an Informational Analytics BIOCs
Remote usage of an App engine Service Account token (b5b760e8-8747-11ec-b26b-acde48001122) - improved logic of an Informational Analytics BIOCs
Signed process performed an unpopular DLL injection (9e699960-30e7-4b6e-bb71-30cdbf635307) - improved logic of an Informational Analytics BIOCs
External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - improved logic of an Informational Analytics BIOCs
Signed process performed an unpopular injection (365bfca2-a3e1-4a44-9487-1353903a6c61) - improved logic of an Informational Analytics BIOCs
Changed metadata of an Informational Analytics BIOC:
Uncommon DotNet module load relationship (56f63574-0ba4-4ad3-bb5d-2f4219f80fbe) - changed metadata of an Informational Analytics BIOC
February 20, 2022 Release:
Improved logic of 2 High Analytics BIOCs:
Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOCs
Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a High Analytics BIOCs
Changed metadata of 5 High Analytics BIOCs:
A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - changed metadata of a High Analytics BIOCs
A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - changed metadata of a High Analytics BIOCs
Bronze-Bit exploit (115c6f43-ebb2-48d8-9044-9b52c0102e2f) - changed metadata of a High Analytics BIOCs
A Successful login from TOR (ec9124e2-f2c3-4141-bdfa-4c707dfae296) - changed metadata of a High Analytics BIOCs
Netcat makes or gets connections (15d32561-c499-4772-8934-883fcd1cd75f) - changed metadata of a High Analytics BIOCs
Improved logic of a High Analytics Alert:
Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - improved logic of a High Analytics Alert
Changed metadata of a High Analytics Alert:
Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - changed metadata of a High Analytics Alert
Improved logic of 5 Medium Analytics BIOCs:
Script Connecting to Rare External Host (86889630-e953-11e9-b74e-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs
Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
PowerShell runs suspicious base64-encoded commands (867fc0b0-4f9f-4d3b-b538-0b32266e2ab2) - improved logic of a Medium Analytics BIOCs
SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOCs
Changed metadata of 2 Medium Analytics BIOCs:
TGT request with a spoofed sAMAccountName Network (92c20cd9-60e8-11ec-80b1-acde48001122) - changed metadata of a Medium Analytics BIOCs
Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - changed metadata of a Medium Analytics BIOCs
Improved logic of a Medium Analytics Alert:
New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Medium Analytics Alert
Changed metadata of 4 Medium Analytics Alerts:
Kerberos User Enumeration (a371b533-c9f4-11eb-879e-acde48001122) - changed metadata of a Medium Analytics Alerts
NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) - changed metadata of a Medium Analytics Alerts
Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - changed metadata of a Medium Analytics Alerts
Remote account enumeration (7ee73b65-466e-4d4d-b2a6-0058f11b442d) - changed metadata of a Medium Analytics Alerts
Decreased the severity to Low for a BIOC:
64-bit PowerShell spawning a 32-bit PowerShell (824a3186-b262-4e01-a45c-35cca8efa233) - decreased the severity to Low, and improved detection logic
Improved logic of 20 Low Analytics BIOCs:
AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - improved logic of a Low Analytics BIOCs
A cloud identity executed an API call from an unusual country (19c743b0-99ca-400c-b386-bcc99d846582) - improved logic of a Low Analytics BIOCs
GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - improved logic of a Low Analytics BIOCs
Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of a Low Analytics BIOCs
PowerShell Initiates a Network Connection to GitHub (8b34f70a-b84d-4d98-aa19-7ee88037e467) - improved logic of a Low Analytics BIOCs
AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - improved logic of a Low Analytics BIOCs
Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - improved logic of a Low Analytics BIOCs
A rare disabled user attempted to log in (598e04de-0c13-46de-ad73-27ec4605da3f) - improved logic of a Low Analytics BIOCs
Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - improved logic of a Low Analytics BIOCs
Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - improved logic of a Low Analytics BIOCs
Interactive login by a service account (603bfd03-d88b-4a3e-844b-5286b6971960) - improved logic of a Low Analytics BIOCs
Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - improved logic of a Low Analytics BIOCs
Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - improved logic of a Low Analytics BIOCs
AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - improved logic of a Low Analytics BIOCs
Suspicious process execution by scheduled task (56bc5f4c-e481-41de-81e4-ec618fb1f004) - improved logic of a Low Analytics BIOCs
Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - improved logic of a Low Analytics BIOCs
An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - improved logic of a Low Analytics BIOCs
AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - improved logic of a Low Analytics BIOCs
Unsigned process creates a scheduled task via file access (f07fd364-9b51-48ec-8225-32ae98a8ffe5) - improved logic of a Low Analytics BIOCs
Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - improved logic of a Low Analytics BIOCs
Changed metadata of 21 Low Analytics BIOCs
Improved logic of 2 Low Analytics Alerts:
IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alerts
Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - improved logic of a Low Analytics Alerts
Changed metadata of 14 Low Analytics Alerts:
NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - changed metadata of a Low Analytics Alerts
TGT reuse from different hosts (pass the ticket) (a3ae81d9-6d4a-45a8-a720-df7380d2afc8) - changed metadata of a Low Analytics Alerts
Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - changed metadata of a Low Analytics Alerts
A user connected a new USB storage device to multiple hosts (09214199-d414-486e-bcf5-dc5034b2c424) - changed metadata of a Low Analytics Alerts
Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - changed metadata of a Low Analytics Alerts
NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - changed metadata of a Low Analytics Alerts
Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alerts
NTLM Brute Force on an Administrator Account (aed1e32e-8df0-48d7-8e78-4ebcb6e09a94) - changed metadata of a Low Analytics Alerts
Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - changed metadata of a Low Analytics Alerts
Possible external RDP Brute-Force (f774f787-6763-4f3c-bc24-46d3183d26fe) - changed metadata of a Low Analytics Alerts
Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - changed metadata of a Low Analytics Alerts
Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - changed metadata of a Low Analytics Alerts
Impossible traveler SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - changed metadata of a Low Analytics Alerts
Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - changed metadata of a Low Analytics Alerts
Decreased the severity to Informational for an Analytics BIOC:
Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - decreased the severity to Informational, and improved detection logic
Added a new Informational Analytics BIOC:
Remote usage of VM Service Account token (e65c3658-79d7-11ec-bba6-acde48001122) - added a new Informational alert
Improved logic of 71 Informational Analytics BIOCs
Changed metadata of 13 Informational Analytics BIOCs:
User connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - changed metadata of an Informational Analytics BIOCs
SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - changed metadata of an Informational Analytics BIOCs
A user connected a new USB storage device to a host (43c2c43d-3c3c-4a16-b06c-3ad5de1fb3be) - changed metadata of an Informational Analytics BIOCs
First VPN access from ASN in organization (4f94ffc0-6f8c-411b-a0ca-e0fb65ee8a5b) - changed metadata of an Informational Analytics BIOCs
User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - changed metadata of an Informational Analytics BIOCs
Rare process execution by user (4cf96b80-2278-11eb-9f9a-acde48001122) - changed metadata of an Informational Analytics BIOCs
A user connected a USB storage device to a host for the first time (e3bc7997-3aec-4a0c-abc9-bdf744a34f39) - changed metadata of an Informational Analytics BIOCs
Rare NTLM Usage by User (41374948-45f3-448a-bec2-2efe049aa69f) - changed metadata of an Informational Analytics BIOCs
Rare process execution in organization (8d02294c-21bd-11eb-afd9-acde48001122) - changed metadata of an Informational Analytics BIOCs
Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - changed metadata of an Informational Analytics BIOCs
First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - changed metadata of an Informational Analytics BIOCs
First VPN access attempt from a country in organization (e143bc60-67d0-45e8-b0cb-682ecf82a04d) - changed metadata of an Informational Analytics BIOCs
Unusual weak authentication by user (438a1ba6-98e1-4b02-9c94-76c437fd682d) - changed metadata of an Informational Analytics BIOCs
Added a new Informational Analytics Alert:
Multiple suspicious user accounts were created (b60687dc-f312-11eb-9f0a-faffc26aac4a) - added a new Informational alert
Improved logic of 2 Informational Analytics Alerts:
Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of an Informational Analytics Alerts
Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alerts
Changed metadata of 7 Informational Analytics Alerts:
NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - changed metadata of an Informational Analytics Alerts
Multiple Rare Process Executions in Organization (3d78f74c-a8f0-11eb-923e-acde48001122) - changed metadata of an Informational Analytics Alerts
User collected remote shared files in an archive (de85c5aa-21e8-43d7-af13-3862f787549f) - changed metadata of an Informational Analytics Alerts
Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - changed metadata of an Informational Analytics Alerts
Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - changed metadata of an Informational Analytics Alerts
Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - changed metadata of an Informational Analytics Alerts
Interactive local account enumeration (d4608074-aafc-49cc-aa04-292c0a87332e) - changed metadata of an Informational Analytics Alerts
February 10, 2022 Release:
Added a new High Analytics BIOC:
User account delegation to KRBTGT (b6c63bd1-8506-11ec-b228-acde48001122) - added a new High alert
Improved logic of 2 High Analytics BIOCs:
Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOCs
Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a High Analytics BIOCs
Improved logic of a High Analytics Alert:
Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - improved logic of a High Analytics Alert
Improved logic of a Medium Analytics BIOC:
Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOC
Added a new Low Analytics BIOC:
VPN access with a new operating system for a user (0973136b-a66a-4ad1-ad9c-068971bfcbb8) - added a new Low alert
Improved logic of 13 Low Analytics BIOCs:
AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - improved logic of a Low Analytics BIOCs
Suspicious AMSI decode attempt (f3885db4-6be6-40b9-82c1-9858f97a4229) - improved logic of a Low Analytics BIOCs
Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - improved logic of a Low Analytics BIOCs
Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - improved logic of a Low Analytics BIOCs
Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - improved logic of a Low Analytics BIOCs
An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - improved logic of a Low Analytics BIOCs
A cloud identity executed an API call from an unusual country (19c743b0-99ca-400c-b386-bcc99d846582) - improved logic of a Low Analytics BIOCs
Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - improved logic of a Low Analytics BIOCs
AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - improved logic of a Low Analytics BIOCs
AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - improved logic of a Low Analytics BIOCs
AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - improved logic of a Low Analytics BIOCs
Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - improved logic of a Low Analytics BIOCs
GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - improved logic of a Low Analytics BIOCs
Improved logic of a Low Analytics Alert:
IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alert
February 06, 2022 Release:
Changed metadata of 15 High Analytics BIOCs:
PowerShell used to remove mailbox export request logs (2daec22b-6339-4217-afdc-ffaf60faa4c2) - changed metadata of a High Analytics BIOCs
Netcat makes or gets connections (15d32561-c499-4772-8934-883fcd1cd75f) - changed metadata of a High Analytics BIOCs
Unprivileged process opened a registry hive (9937ddbf-beb9-49b0-ac34-e005d53a127b) - changed metadata of a High Analytics BIOCs
Possible DCShadow attempt (a320aa30-20c3-11ea-b525-8c8590c9ccd1) - changed metadata of a High Analytics BIOCs
Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin (e7deceda-807e-4e2e-993b-e577804c5d8f) - changed metadata of a High Analytics BIOCs
Wbadmin deleted files in quiet mode (293c8cc3-d9c3-4293-bddc-5dbf65d979fc) - changed metadata of a High Analytics BIOCs
Memory dumping with comsvcs.dll (4c720885-7c14-4e18-94aa-c8e5a03edac8) - changed metadata of a High Analytics BIOCs
Bronze-Bit exploit (115c6f43-ebb2-48d8-9044-9b52c0102e2f) - changed metadata of a High Analytics BIOCs
A Successful login from TOR (ec9124e2-f2c3-4141-bdfa-4c707dfae296) - changed metadata of a High Analytics BIOCs
A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - changed metadata of a High Analytics BIOCs
Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - changed metadata of a High Analytics BIOCs
Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - changed metadata of a High Analytics BIOCs
Windows Event Log cleared using wevtutil.exe (be2210fb-9884-49e7-8078-6e59c35d925e) - changed metadata of a High Analytics BIOCs
Uncommon remote scheduled task creation (85516bae-e953-11e9-bbed-8c8590c9ccd1) - changed metadata of a High Analytics BIOCs
Log4J exploitation attempt against cloud hosted resources (bdef5aae-a272-4c70-b1cd-165cac5039c3) - changed metadata of a High Analytics BIOCs
Changed metadata of a High Analytics Alert:
Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - changed metadata of a High Analytics Alert
Improved logic of a Medium Analytics BIOC:
LOLBIN connecting to a rare host (4bcc13de-20b7-11ea-a54a-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
Changed metadata of 61 Medium Analytics BIOCs
Improved logic of a Medium Analytics Alert:
Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alert
Changed metadata of 6 Medium Analytics Alerts:
Sudoedit Brute force attempt (e1d6cdd8-845f-440b-b89e-a430eafea941) - changed metadata of a Medium Analytics Alerts
Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - changed metadata of a Medium Analytics Alerts
DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - changed metadata of a Medium Analytics Alerts
NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) - changed metadata of a Medium Analytics Alerts
Kerberos User Enumeration (a371b533-c9f4-11eb-879e-acde48001122) - changed metadata of a Medium Analytics Alerts
New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - changed metadata of a Medium Analytics Alerts
Removed an old Medium Analytics Alert:
An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - removed an old Medium alert
Added 4 new Low Analytics BIOCs:
VPN login by a service account (5430df85-d0ff-4b41-8683-6ad6bed1b657) - added a new Low alert
VPN access with an abnormal operating system (1adc594f-4a49-4f75-adee-5b72c4dd4e70) - added a new Low alert
VPN login with a machine account (9818431a-c039-49eb-a93c-8731c7f48fec) - added a new Low alert
A disabled user attempted to log in to a VPN (2a092ebe-ed9a-4eaa-bdcc-4b378c4ce4d7) - added a new Low alert
Improved logic of 2 Low Analytics BIOCs:
Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet (c640fd86-9c58-4fe2-82ed-c3975866393a) - improved logic of a Low Analytics BIOCs
Remote service start from an uncommon source (972072a7-9f23-4354-824d-7295de90e804) - improved logic of a Low Analytics BIOCs
Changed metadata of 90 Low Analytics BIOCs
Changed metadata of 21 Low Analytics Alerts
Added a new Informational BIOC:
Microsoft Office spawns curl/wget on a macOS device (3cbf66af-49c6-485c-b5fd-eacce8cc07ba) - added a new Informational alert
Improved logic of 5 Informational BIOCs:
Security services stopped (e126fe04-a77a-46d7-9b49-f032b20b828e) - improved logic of an Informational BIOCs
Shell binary copied to another location (cd582eaf-1497-4bbd-9361-79c7a18050fa) - improved logic of an Informational BIOCs
Curl connects to an external network (5e1b87b5-e0db-4ff9-9901-ed73a5190323) - improved logic of an Informational BIOCs
System network configuration discovery (7d9524ea-a458-46e5-a954-2442a294e583) - improved logic of an Informational BIOCs
Grepping for passwords (4ab8f6a2-9aea-4e6f-a2e5-1e8530a3ed7d) - improved logic of an Informational BIOCs
Decreased the severity to Informational for an Analytics BIOC:
Suspicious process loads a known PowerShell module (23ac9a23-8a43-4900-95e1-6cdb422dd854) - decreased the severity to Informational, and improved detection logic
Added 8 new Informational Analytics BIOCs:
Copy a process memory file (12785e19-c4ec-499d-a0f6-c6ccad857d35) - added a new Informational alert
Suspicious curl user agent (14166076-1ee3-4d9b-954d-eaad065ca0c0) - added a new Informational alert
First VPN access from ASN in organization (4f94ffc0-6f8c-411b-a0ca-e0fb65ee8a5b) - added a new Informational alert
Indicator blocking (fad21a46-1b2c-4308-9b3b-46153e86cf07) - added a new Informational alert
A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) - added a new Informational alert
Modification of PAM (9aa924bd-64e8-4077-af6e-2dd5ef8e8b0d) - added a new Informational alert
Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol (72931f2e-a43f-4e77-ad81-48c29164017f) - added a new Informational alert
Local account discovery (99206b5b-f52d-4850-95ab-0135cf3db645) - added a new Informational alert
Improved logic of 2 Informational Analytics BIOCs:
Service execution via sc.exe (d25d07fa-015c-47a6-a6a0-15ff46020cc5) - improved logic of an Informational Analytics BIOCs
LDAP Traffic from Non-Standard Process (5e72a7b4-39ed-4669-98ca-b2495088f653) - improved logic of an Informational Analytics BIOCs
Changed metadata of 112 Informational Analytics BIOCs
Changed metadata of 11 Informational Analytics Alerts:
Possible LDAP enumeration by unsigned process (85c187ec-80d1-464e-ab1e-a9aa5af7f191) - changed metadata of an Informational Analytics Alerts
Uncommon multiple service stop commands (09db6c8f-189e-4e07-b94a-3fe5a188e4b0) - changed metadata of an Informational Analytics Alerts
Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - changed metadata of an Informational Analytics Alerts
Multiple Rare Process Executions in Organization (3d78f74c-a8f0-11eb-923e-acde48001122) - changed metadata of an Informational Analytics Alerts
Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - changed metadata of an Informational Analytics Alerts
Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - changed metadata of an Informational Analytics Alerts
User collected remote shared files in an archive (de85c5aa-21e8-43d7-af13-3862f787549f) - changed metadata of an Informational Analytics Alerts
Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - changed metadata of an Informational Analytics Alerts
Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - changed metadata of an Informational Analytics Alerts
NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - changed metadata of an Informational Analytics Alerts
Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - changed metadata of an Informational Analytics Alerts
January 30, 2022 Release:
Removed an old High BIOC:
Memory dumping with comsvcs.dll (9873cd8b-2220-4384-a99f-712ad0ccfb45) - removed an old High alert
Added a new High Analytics BIOC:
Memory dumping with comsvcs.dll (4c720885-7c14-4e18-94aa-c8e5a03edac8) - added a new High alert
Increased the severity to Medium for a BIOC:
SharpHound LDAP query (5f50bb22-588c-4d48-8600-446df59d8a51) - increased the severity to Medium
Improved logic of 2 Medium Analytics BIOCs:
PowerShell runs suspicious base64-encoded commands (867fc0b0-4f9f-4d3b-b538-0b32266e2ab2) - improved logic of a Medium Analytics BIOCs
Failed Login For a Long Username With Special Characters (de8eb00f-2016-11ea-8f2b-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs
Changed metadata of a Medium Analytics BIOC:
Suspicious hidden user created (eeb7b678-3c9b-11ec-879d-acde48001122) - changed metadata of a Medium Analytics BIOC
Removed an old Medium Analytics BIOC:
Possible DCSync Attempt (a420aa30-20c3-11ea-b525-8c8591c0ccb0) - removed an old Medium alert
Improved logic of 3 Medium Analytics Alerts:
Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - improved logic of a Medium Analytics Alerts
Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) - improved logic of a Medium Analytics Alerts
Kerberos User Enumeration (a371b533-c9f4-11eb-879e-acde48001122) - improved logic of a Medium Analytics Alerts
Added a new Low Analytics BIOC:
Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - added a new Low alert
Improved logic of a Low Analytics BIOC:
Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) - improved logic of a Low Analytics BIOC
Added a new Low Analytics Alert:
Excessive user account lockouts (ed56d140-47ce-11ec-a9b1-faffc26aac4a) - added a new Low alert
Improved logic of a Low Analytics Alert:
Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - improved logic of a Low Analytics Alert
Added 2 new Informational Analytics BIOCs:
Suspicious domain user account creation (49c01587-efa8-11eb-ab9a-acde48001122) - added a new Informational alert
First VPN access attempt from a country in organization (e143bc60-67d0-45e8-b0cb-682ecf82a04d) - added a new Informational alert
Improved logic of an Informational Analytics BIOC:
System profiling WMI query execution (cf32631b-369a-451d-91ca-d2bc5b903363) - improved logic of an Informational Analytics BIOC
Changed metadata of an Informational Analytics BIOC:
Rare machine account creation (45d670c2-61d9-11ec-9f91-acde48001122) - changed metadata of an Informational Analytics BIOC
Added a new Informational Analytics Alert:
Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - added a new Informational alert
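Several releases above retire a rule under one ID and add a rule with the same name under a new ID in the same release (Memory dumping with comsvcs.dll in the January 30 release, Command running with COMSPEC in the command line argument in the January 23 release). If anything in your own tuning is keyed on the rule ID rather than the name (an assumption about your workflow, not a statement about the product), it stops matching after such a release. The following is an added example, not part of the release notes and not Palo Alto Networks code: a small parser for the line format used on this page that extracts (release, name, ID, action) per rule line and reports rules re-issued under a new ID. The line grammar is inferred from the notes themselves, the separator after the ID is treated as optional because some releases lost it in extraction, and the sample input is constructed from lines that appear above.

```python
"""Parse Cortex XDR content release notes in the line format used on this page and
flag rules removed under one ID and re-added under another.
Added example, not Palo Alto Networks code; the grammar is inferred from the notes."""
from __future__ import annotations

import re
from collections import defaultdict

UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# "January 30, 2022 Release:" (the comma is optional; one header on the page omits it)
RELEASE_RE = re.compile(r"^(?P<date>[A-Z][a-z]+ \d{1,2},? \d{4}) Release:$")
# "Name (uuid) - action". Names may contain their own parentheses, so the non-greedy
# name is anchored by the strict UUID group; " - " is optional (lost in some releases).
ENTRY_RE = re.compile(rf"^(?P<name>.+?) \((?P<id>{UUID})\)\s*(?:- )?(?P<action>.+)$")

# Prefixes of the action phrase, mapped to a small fixed vocabulary.
ACTION_KINDS = (
    ("added", "added"),
    ("removed", "removed"),
    ("improved logic", "improved"),
    ("changed metadata", "metadata"),
    ("increased the severity", "severity"),
    ("decreased the severity", "severity"),
)


def classify_action(action: str) -> str:
    """Map the free-text action phrase ("added a new High alert", ...) to a kind."""
    lowered = action.lower()
    for prefix, kind in ACTION_KINDS:
        if lowered.startswith(prefix):
            return kind
    return "other"


def parse_release_notes(text: str) -> list[dict]:
    """Return one dict per rule line: release, name, id, action, kind.
    Category headers ("Added a new ...:") and count-only summary lines carry no
    UUID and are skipped; the release date is carried forward to each entry."""
    entries, release = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RELEASE_RE.match(line)
        if m:
            release = m.group("date")
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        action = m.group("action").strip()
        entries.append({
            "release": release,
            "name": m.group("name").strip(),
            "id": m.group("id"),
            "action": action,
            "kind": classify_action(action),
        })
    return entries


def find_reissued_rules(entries: list[dict]) -> dict[str, tuple[str, str]]:
    """Rule names that appear as 'removed' under one ID and 'added' under a
    different ID anywhere in the parsed notes. Returns name -> (old_id, new_id);
    if a name was re-issued more than once, the lexically smallest IDs are reported."""
    removed, added = defaultdict(set), defaultdict(set)
    for e in entries:
        if e["kind"] == "removed":
            removed[e["name"]].add(e["id"])
        elif e["kind"] == "added":
            added[e["name"]].add(e["id"])
    reissued = {}
    for name in removed.keys() & added.keys():
        old_ids = removed[name] - added[name]
        new_ids = added[name] - removed[name]
        if old_ids and new_ids:
            reissued[name] = (sorted(old_ids)[0], sorted(new_ids)[0])
    return reissued


# Constructed sample: lines copied from the January 30 and January 23 releases above.
SAMPLE = """\
January 30, 2022 Release:
Removed an old High BIOC:
Memory dumping with comsvcs.dll (9873cd8b-2220-4384-a99f-712ad0ccfb45) - removed an old High alert
Added a new High Analytics BIOC:
Memory dumping with comsvcs.dll (4c720885-7c14-4e18-94aa-c8e5a03edac8) - added a new High alert
Increased the severity to Medium for a BIOC:
SharpHound LDAP query (5f50bb22-588c-4d48-8600-446df59d8a51) - increased the severity to Medium
January 23, 2022 Release:
Removed an old Low BIOC:
Command running with COMSPEC in the command line argument (de1e1f40-6782-4d2e-8046-327373f8a697) - removed an old Low alert
Added a new Low Analytics BIOC:
Command running with COMSPEC in the command line argument (2feeb01f-0a81-476a-8ec0-d49fd2bf807b) - added a new Low alert
Changed metadata of 12 Low Analytics Alerts:
TGT reuse from different hosts (pass the ticket) (a3ae81d9-6d4a-45a8-a720-df7380d2afc8) - changed metadata of a Low Analytics Alerts
"""

if __name__ == "__main__":
    parsed = parse_release_notes(SAMPLE)
    for name, (old, new) in sorted(find_reissued_rules(parsed).items()):
        print(f"re-issued: {name}: {old} -> {new}")
```

Running the block prints one line for each of the two re-issued rules in the sample; feeding it the full notes instead of SAMPLE reports every such pair across releases. The parser deliberately ignores the category headers and the "Changed metadata of N ..." summaries, since those carry no rule ID.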
January 23, 2022 Release:
Improved logic of a High Analytics BIOC:
Uncommon remote scheduled task creation (85516bae-e953-11e9-bbed-8c8590c9ccd1) - improved logic of a High Analytics BIOC
Changed metadata of 5 High Analytics BIOCs:
Bronze-Bit exploit (115c6f43-ebb2-48d8-9044-9b52c0102e2f) - changed metadata of a High Analytics BIOCs
A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - changed metadata of a High Analytics BIOCs
A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - changed metadata of a High Analytics BIOCs
Netcat makes or gets connections (15d32561-c499-4772-8934-883fcd1cd75f) - changed metadata of a High Analytics BIOCs
A Successful login from TOR (ec9124e2-f2c3-4141-bdfa-4c707dfae296) - changed metadata of a High Analytics BIOCs
Changed metadata of a High Analytics Alert:
Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - changed metadata of a High Analytics Alert
Improved logic of 6 Medium Analytics BIOCs:
LOLBIN spawned by an Office executable connected to a rare external host (0aad6094-99a3-11ea-8544-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
Phantom DLL Loading (69ba5103-2954-4175-87b7-3a622ec07255) - improved logic of a Medium Analytics BIOCs
Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOCs
Script Connecting to Rare External Host (86889630-e953-11e9-b74e-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs
LOLBIN connecting to a rare host (4bcc13de-20b7-11ea-a54a-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs
Possible AWS Instance Metadata Service (IMDS) Abuse (39ea8f0c-d0d7-4470-b373-aa144394e579) - improved logic of a Medium Analytics BIOCs
Changed metadata of 4 Medium Analytics BIOCs:
Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - changed metadata of a Medium Analytics BIOCs
Microsoft Office Process Spawning a Suspicious One-Liner (aca7aaa1-4361-11ea-8fed-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs
TGT request with a spoofed sAMAccountName - Network (92c20cd9-60e8-11ec-80b1-acde48001122) - changed metadata of a Medium Analytics BIOCs
Suspicious Udev driver rule execution manipulation (74805905-0d62-454d-90dc-2deeeb51e549) - changed metadata of a Medium Analytics BIOCs
Removed an old Medium Analytics BIOC:
External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - removed an old Medium alert
Improved logic of a Medium Analytics Alert:
Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) - improved logic of a Medium Analytics Alert
Changed metadata of 4 Medium Analytics Alerts:
NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) - changed metadata of a Medium Analytics Alerts
Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - changed metadata of a Medium Analytics Alerts
Remote account enumeration (7ee73b65-466e-4d4d-b2a6-0058f11b442d) - changed metadata of a Medium Analytics Alerts
Kerberos User Enumeration (a371b533-c9f4-11eb-879e-acde48001122) - changed metadata of a Medium Analytics Alerts
Removed an old Low BIOC:
Command running with COMSPEC in the command line argument (de1e1f40-6782-4d2e-8046-327373f8a697) - removed an old Low alert
Added a new Low Analytics BIOC:
Command running with COMSPEC in the command line argument (2feeb01f-0a81-476a-8ec0-d49fd2bf807b) - added a new Low alert
Improved logic of 4 Low Analytics BIOCs:
Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - improved logic of a Low Analytics BIOCs
MSBuild Makes a Rare Network Connection (633a8e38-c616-11ea-abb3-acde48001122) - improved logic of a Low Analytics BIOCs
Suspicious Certutil AD CS contact (06545c74-04c2-4964-9af5-eb99080c274e) - improved logic of a Low Analytics BIOCs
UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - improved logic of a Low Analytics BIOCs
Changed metadata of 20 Low Analytics BIOCs:
A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - changed metadata of a Low Analytics BIOCs
Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - changed metadata of a Low Analytics BIOCs
First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - changed metadata of a Low Analytics BIOCs
LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - changed metadata of a Low Analytics BIOCs
SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - changed metadata of a Low Analytics BIOCs
User successfully connected from a suspicious country (2f0796a2-c33c-4437-b592-ac13f0929e7d) - changed metadata of a Low Analytics BIOCs
Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - changed metadata of a Low Analytics BIOCs
Interactive login by a service account (603bfd03-d88b-4a3e-844b-5286b6971960) - changed metadata of a Low Analytics BIOCs
A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - changed metadata of a Low Analytics BIOCs
A rare disabled user attempted to log in (598e04de-0c13-46de-ad73-27ec4605da3f) - changed metadata of a Low Analytics BIOCs
SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - changed metadata of a Low Analytics BIOCs
First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - changed metadata of a Low Analytics BIOCs
Possible network sniffing attempt via tcpdump or tshark (10d3d8d1-1edd-4992-beb3-53d4f5afcde8) - changed metadata of a Low Analytics BIOCs
Suspicious process executed with a high integrity level (81e70ab2-b1f1-4a1c-bf94-3929f6d7e1b2) - changed metadata of a Low Analytics BIOCs
Interactive login by a machine account (1114b340-fc05-4ad0-925d-6c2867d2b5d9) - changed metadata of a Low Analytics BIOCs
SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - changed metadata of a Low Analytics BIOCs
Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - changed metadata of a Low Analytics BIOCs
A suspicious process enrolled for a certificate (4cbef8f8-ec99-40d1-9b8b-bfbd3cda5f4b) - changed metadata of a Low Analytics BIOCs
Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - changed metadata of a Low Analytics BIOCs
Improved logic of 5 Low Analytics Alerts:
Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alerts
Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts
Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts
Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - improved logic of a Low Analytics Alerts
Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - improved logic of a Low Analytics Alerts
Changed metadata of 12 Low Analytics Alerts:
Possible external RDP Brute-Force (f774f787-6763-4f3c-bc24-46d3183d26fe) - changed metadata of a Low Analytics Alerts
Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - changed metadata of a Low Analytics Alerts
Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - changed metadata of a Low Analytics Alerts
A user connected a new USB storage device to multiple hosts (09214199-d414-486e-bcf5-dc5034b2c424) - changed metadata of a Low Analytics Alerts
Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - changed metadata of a Low Analytics Alerts
Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - changed metadata of a Low Analytics Alerts
Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - changed metadata of a Low Analytics Alerts
NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - changed metadata of a Low Analytics Alerts
NTLM Brute Force on an Administrator Account (aed1e32e-8df0-48d7-8e78-4ebcb6e09a94) - changed metadata of a Low Analytics Alerts
TGT reuse from different hosts (pass the ticket) (a3ae81d9-6d4a-45a8-a720-df7380d2afc8) - changed metadata of a Low Analytics Alerts
Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - changed metadata of a Low Analytics Alerts
NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - changed metadata of a Low Analytics Alerts
Improved logic of 2 Informational Analytics BIOCs:
Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs
Rare AppID usage for port to rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs
Changed metadata of 16 Informational Analytics BIOCs:
Rare NTLM Access By User To Host (05413bad-3d79-4e9a-9611-3471e3b25da5) - changed metadata of an Informational Analytics BIOCs
Login by a dormant user (0d700470-a3fa-4a78-b1fa-5c1e47db9a60) - changed metadata of an Informational Analytics BIOCs
Rare process execution in organization (8d02294c-21bd-11eb-afd9-acde48001122) - changed metadata of an Informational Analytics BIOCs
User connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - changed metadata of an Informational Analytics BIOCs
User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - changed metadata of an Informational Analytics BIOCs
A user connected a USB storage device to a host for the first time (e3bc7997-3aec-4a0c-abc9-bdf744a34f39) - changed metadata of an Informational Analytics BIOCs
A user created a pfx file for the first time (5ddac38b-51e2-48c4-9fb7-43144bc3a148) - changed metadata of an Informational Analytics BIOCs
Suspicious process accessed certificate files (21df20db-09cb-4bc4-b7ea-c6b1cb2e9667) - changed metadata of an Informational Analytics BIOCs
First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - changed metadata of an Informational Analytics BIOCs
A user connected a new USB storage device to a host (43c2c43d-3c3c-4a16-b06c-3ad5de1fb3be) - changed metadata of an Informational Analytics BIOCs
Rare NTLM Usage by User (41374948-45f3-448a-bec2-2efe049aa69f) - changed metadata of an Informational Analytics BIOCs
Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - changed metadata of an Informational Analytics BIOCs
Unusual weak authentication by user (438a1ba6-98e1-4b02-9c94-76c437fd682d) - changed metadata of an Informational Analytics BIOCs
SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - changed metadata of an Informational Analytics BIOCs
Rare process execution by user (4cf96b80-2278-11eb-9f9a-acde48001122) - changed metadata of an Informational Analytics BIOCs
A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - changed metadata of an Informational Analytics BIOCs
Removed 2 old Informational Analytics BIOCs:
External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - removed an old Informational alert
First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - removed an old Informational alert
Improved logic of an Informational Analytics Alert:
Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of an Informational Analytics Alert
Changed metadata of 7 Informational Analytics Alerts:
Multiple Rare Process Executions in Organization (3d78f74c-a8f0-11eb-923e-acde48001122) - changed metadata of an Informational Analytics Alerts
User collected remote shared files in an archive (de85c5aa-21e8-43d7-af13-3862f787549f) - changed metadata of an Informational Analytics Alerts
NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - changed metadata of an Informational Analytics Alerts
Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - changed metadata of an Informational Analytics Alerts
Interactive local account enumeration (d4608074-aafc-49cc-aa04-292c0a87332e) - changed metadata of an Informational Analytics Alerts
Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - changed metadata of an Informational Analytics Alerts
Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - changed metadata of an Informational Analytics Alerts
Removed an old Informational Analytics Alert:
Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - removed an old Informational alert
January 16, 2022 Release:
Added a new High Analytics BIOC:
Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - added a new High alert
Increased the severity to Medium for an Analytics BIOC:
Suspicious hidden user created (eeb7b678-3c9b-11ec-879d-acde48001122) - increased the severity to Medium, and improved detection logic
Added a new Medium Analytics BIOC:
Suspicious Udev driver rule execution manipulation (74805905-0d62-454d-90dc-2deeeb51e549) - added a new Medium alert
Changed metadata of an Informational BIOC:
Network Packet Capture: tshark/tcpdump (9e72d135-0782-48dd-8b4f-da2dd4d1599f) - changed metadata of an Informational BIOC
Added a new Informational Analytics BIOC:
Sensitive account password reset attempt (d53de368-576a-11ec-9556-acde48001122) - added a new Informational alert
January 9, 2022 Release:
Changed metadata of 5 High Analytics BIOCs:
Bronze-Bit exploit (115c6f43-ebb2-48d8-9044-9b52c0102e2f) - changed metadata of a High Analytics BIOCs
A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - changed metadata of a High Analytics BIOCs
A Successful login from TOR (ec9124e2-f2c3-4141-bdfa-4c707dfae296) - changed metadata of a High Analytics BIOCs
A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - changed metadata of a High Analytics BIOCs
Netcat makes or gets connections (15d32561-c499-4772-8934-883fcd1cd75f) - changed metadata of a High Analytics BIOCs
Changed metadata of a High Analytics Alert:
Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - changed metadata of a High Analytics Alert
Improved logic of 3 Medium Analytics BIOCs:
Suspicious SearchProtocolHost.exe parent process (86d04512-5c96-4f87-be1e-dc600e9d60f8) - improved logic of a Medium Analytics BIOC
TGT request with a spoofed sAMAccountName - Event log (aa13b505-66e8-11ec-b385-faffc26aac4a) - improved logic of a Medium Analytics BIOC
TGT request with a spoofed sAMAccountName - Network (92c20cd9-60e8-11ec-80b1-acde48001122) - improved logic of a Medium Analytics BIOC
Changed metadata of 2 Medium Analytics BIOCs:
Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - changed metadata of a Medium Analytics BIOC
Scrcons.exe Rare Child Process (f62553d1-e952-11e9-81c4-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOC
Improved logic of a Medium Analytics Alert:
Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alert
Changed metadata of 4 Medium Analytics Alerts:
Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - changed metadata of a Medium Analytics Alert
NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) - changed metadata of a Medium Analytics Alert
Kerberos User Enumeration (a371b533-c9f4-11eb-879e-acde48001122) - changed metadata of a Medium Analytics Alert
Remote account enumeration (7ee73b65-466e-4d4d-b2a6-0058f11b442d) - changed metadata of a Medium Analytics Alert
Changed metadata of 23 Low Analytics BIOCs:
First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - changed metadata of a Low Analytics BIOC
Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - changed metadata of a Low Analytics BIOC
User successfully connected from a suspicious country (2f0796a2-c33c-4437-b592-ac13f0929e7d) - changed metadata of a Low Analytics BIOC
Suspicious process executed with a high integrity level (81e70ab2-b1f1-4a1c-bf94-3929f6d7e1b2) - changed metadata of a Low Analytics BIOC
SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - changed metadata of a Low Analytics BIOC
SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - changed metadata of a Low Analytics BIOC
Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - changed metadata of a Low Analytics BIOC
A rare disabled user attempted to log in (598e04de-0c13-46de-ad73-27ec4605da3f) - changed metadata of a Low Analytics BIOC
Interactive login by a service account (603bfd03-d88b-4a3e-844b-5286b6971960) - changed metadata of a Low Analytics BIOC
A suspicious process enrolled for a certificate (4cbef8f8-ec99-40d1-9b8b-bfbd3cda5f4b) - changed metadata of a Low Analytics BIOC
First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - changed metadata of a Low Analytics BIOC
A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - changed metadata of a Low Analytics BIOC
Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - changed metadata of a Low Analytics BIOC
Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - changed metadata of a Low Analytics BIOC
LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - changed metadata of a Low Analytics BIOC
Wsmprovhost.exe Rare Child Process (f5b580fd-e952-11e9-91de-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
Possible network sniffing attempt via tcpdump or tshark (10d3d8d1-1edd-4992-beb3-53d4f5afcde8) - changed metadata of a Low Analytics BIOC
Wscript/Cscript loads .NET DLLs (5844326f-d597-410f-aea0-7d369029b218) - changed metadata of a Low Analytics BIOC
Interactive login by a machine account (1114b340-fc05-4ad0-925d-6c2867d2b5d9) - changed metadata of a Low Analytics BIOC
A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - changed metadata of a Low Analytics BIOC
Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - changed metadata of a Low Analytics BIOC
Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - changed metadata of a Low Analytics BIOC
Improved logic of a Low Analytics Alert:
Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alert
Changed metadata of 13 Low Analytics Alerts:
Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - changed metadata of a Low Analytics Alert
Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - changed metadata of a Low Analytics Alert
NTLM Brute Force on an Administrator Account (aed1e32e-8df0-48d7-8e78-4ebcb6e09a94) - changed metadata of a Low Analytics Alert
Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - changed metadata of a Low Analytics Alert
NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - changed metadata of a Low Analytics Alert
Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - changed metadata of a Low Analytics Alert
TGT reuse from different hosts (pass the ticket) (a3ae81d9-6d4a-45a8-a720-df7380d2afc8) - changed metadata of a Low Analytics Alert
Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - changed metadata of a Low Analytics Alert
Possible external RDP Brute-Force (f774f787-6763-4f3c-bc24-46d3183d26fe) - changed metadata of a Low Analytics Alert
Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - changed metadata of a Low Analytics Alert
Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alert
NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - changed metadata of a Low Analytics Alert
A user connected a new USB storage device to multiple hosts (09214199-d414-486e-bcf5-dc5034b2c424) - changed metadata of a Low Analytics Alert
Changed metadata of 16 Informational Analytics BIOCs:
Rare process execution by user (4cf96b80-2278-11eb-9f9a-acde48001122) - changed metadata of an Informational Analytics BIOC
User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - changed metadata of an Informational Analytics BIOC
A user created a pfx file for the first time (5ddac38b-51e2-48c4-9fb7-43144bc3a148) - changed metadata of an Informational Analytics BIOC
Rare process execution in organization (8d02294c-21bd-11eb-afd9-acde48001122) - changed metadata of an Informational Analytics BIOC
Login by a dormant user (0d700470-a3fa-4a78-b1fa-5c1e47db9a60) - changed metadata of an Informational Analytics BIOC
SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - changed metadata of an Informational Analytics BIOC
Suspicious process accessed certificate files (21df20db-09cb-4bc4-b7ea-c6b1cb2e9667) - changed metadata of an Informational Analytics BIOC
A user connected a USB storage device to a host for the first time (e3bc7997-3aec-4a0c-abc9-bdf744a34f39) - changed metadata of an Informational Analytics BIOC
A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - changed metadata of an Informational Analytics BIOC
Unusual weak authentication by user (438a1ba6-98e1-4b02-9c94-76c437fd682d) - changed metadata of an Informational Analytics BIOC
Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - changed metadata of an Informational Analytics BIOC
A user connected a new USB storage device to a host (43c2c43d-3c3c-4a16-b06c-3ad5de1fb3be) - changed metadata of an Informational Analytics BIOC
Rare NTLM Access By User To Host (05413bad-3d79-4e9a-9611-3471e3b25da5) - changed metadata of an Informational Analytics BIOC
Rare NTLM Usage by User (41374948-45f3-448a-bec2-2efe049aa69f) - changed metadata of an Informational Analytics BIOC
User connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - changed metadata of an Informational Analytics BIOC
First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - changed metadata of an Informational Analytics BIOC
Changed metadata of 7 Informational Analytics Alerts:
NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - changed metadata of an Informational Analytics Alert
Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - changed metadata of an Informational Analytics Alert
User collected remote shared files in an archive (de85c5aa-21e8-43d7-af13-3862f787549f) - changed metadata of an Informational Analytics Alert
Multiple Rare Process Executions in Organization (3d78f74c-a8f0-11eb-923e-acde48001122) - changed metadata of an Informational Analytics Alert
Interactive local account enumeration (d4608074-aafc-49cc-aa04-292c0a87332e) - changed metadata of an Informational Analytics Alert
Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - changed metadata of an Informational Analytics Alert
Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - changed metadata of an Informational Analytics Alert
January 2, 2022 Release:
Removed an old High BIOC:
Wbadmin.exe deletes recovery files in quiet mode (24be0d84-2203-4d60-a1f0-39e4f80eee3a) - removed an old High alert
Increased the severity to High for an Analytics BIOC:
Wbadmin deleted files in quiet mode (293c8cc3-d9c3-4293-bddc-5dbf65d979fc) - increased the severity to High
Changed metadata of a High Analytics Alert:
Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - changed metadata of a High Analytics Alert
Improved logic of a Medium Analytics BIOC:
Suspicious Encrypting File System Remote call (EFSRPC) to domain controller (82a37634-c112-4dd9-8c16-332855d96c30) - improved logic of a Medium Analytics BIOC
Changed metadata of a Medium Analytics BIOC:
Possible new DHCP server (e5afa116-5041-4ed9-9d0c-18eaac133173) - changed metadata of a Medium Analytics BIOC
Improved logic of a Medium Analytics Alert:
New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Medium Analytics Alert
Added a new Low Analytics BIOC:
Suspicious Certutil AD CS contact (06545c74-04c2-4964-9af5-eb99080c274e) - added a new Low alert
Improved logic of a Low Analytics BIOC:
Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - improved logic of a Low Analytics BIOC
Improved logic of 3 Low Analytics Alerts:
Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alert
Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alert
IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alert
Improved logic of 9 Informational Analytics BIOCs:
Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - improved logic of an Informational Analytics BIOC
Suspicious remote execution from a vCenter server (6213c66f-e269-4d16-9db7-86015b5a2f4d) - improved logic of an Informational Analytics BIOC
Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - improved logic of an Informational Analytics BIOC
IAM enumeration activity executed by an IAM user Identity (037eab86-c495-11eb-8c75-acde48001122) - improved logic of an Informational Analytics BIOC
Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOC
Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol (72931f2e-a43f-4e77-ad81-48c29164017f) - improved logic of an Informational Analytics BIOC
Rare AppID usage for port to rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOC
First session from external IP to vCenter (4ad03760-f701-4f40-b01f-d1ddefda4002) - improved logic of an Informational Analytics BIOC
Signed process performed an unpopular injection (365bfca2-a3e1-4a44-9487-1353903a6c61) - improved logic of an Informational Analytics BIOC
Changed metadata of 2 Informational Analytics BIOCs:
A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - changed metadata of an Informational Analytics BIOC
Signed process performed an unpopular DLL injection (9e699960-30e7-4b6e-bb71-30cdbf635307) - changed metadata of an Informational Analytics BIOC
Removed 2 old Informational Analytics BIOCs:
Signed process performed an unpopular DLL injection (5109a2c2-9bd6-4ef0-ad3e-4bd8b1b683aa) - removed an old Informational alert
Signed process performed an unpopular injection (3ee6d300-7fbe-4281-8de8-3d1016663931) - removed an old Informational alert
Decreased the severity to Informational for 2 Analytics Alerts:
Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - decreased the severity to Informational, and improved detection logic
Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - decreased the severity to Informational, and improved detection logic
Changed metadata of an Informational Analytics Alert:
Possible LDAP enumeration by unsigned process (85c187ec-80d1-464e-ab1e-a9aa5af7f191) - changed metadata of an Informational Analytics Alert
Removed an old Informational Analytics Alert:
Possible LDAP enumeration by unsigned process (12540bdc-b34f-4190-880b-40cb1cda0618) - removed an old Informational alert