About vcotton

Cortex XDR Content Release Notes September 14, 2020 Release: Increased the severity to medium for a BIOC rule: Rundll32.exe launches an executable using ordinal numbers argument (421619b8-a26b-476a-b2e4-3c24ee33a4b0) - increased the severity to medium, and improved detection logic Added 5 new informational BIOC rules: Permissive file privileges were granted (1fc409f0-ec4e-11ea-829b-faffc26aac4a) - added a new informational alert Modifying ELF file capabilities via setcap (55ed9751-ec6d-11ea-a1c2-faffc26aac4a) - added a new informational alert Space after filename creation (5a1902e6-ec6b-11ea-843f-faffc26aac4a) - added a new informational alert Collect Linux network configuration via bash (7b65214c-ed03-11ea-bd53-faffc26aac4a) - added a new informational alert Write to /etc/hosts file (7cf74026-ec6a-11ea-9593-faffc26aac4a) - added a new informational alert   August 30, 2020 Release: Improved detection logic for a medium-severity BIOC rule: Windows certificate management tool makes a network connection (0179177f-e5ec-4101-a238-c0372b239afb) - improved detection logic Possible network connection to a TOR relay server (996c74f1-f154-466a-8f93-154a43c6fb90) - improved detection logic Improved detection logic for a low-severity BIOC rule: MSBuild.exe makes a network connection (bb459bb4-e864-4008-a12a-10ed4df3d753) - improved detection logic   August 23, 2020 Release: Improved detection logic for a medium-severity BIOC rule: Script file added to startup-related Registry keys (1db69ccd-b068-40b1-aeec-ce987021cdfc) - changed metadata, and improved detection logic Improved detection logic for a low-severity BIOC rule: Image File Execution Options Registry key injection by unsigned process (98430360-5b37-465e-acd6-bafa9325110c) - changed metadata, and improved detection logic Added 12 new informational BIOC rules: Rundll32.exe spawns conhost.exe (9606ea78-dbef-11ea-b978-faffc26aac4a) - added a new informational alert Certutil execution (ffe4d5cc-e0c2-11ea-84ba-faffc26aac4a) - added a new informational alert Non-PowerShell process accessed the PowerShell history file (5ea6cb9c-dfc3-11ea-94f1-faffc26aac4a) - added a new informational alert Suspicious executable created in .NET directory (5bc9ba00-d590-11ea-ba6f-faffc26aac4a) - added a new informational alert Shim database registration via Registry (746eabe1-e0c3-11ea-88e5-faffc26aac4a) - added a new informational alert MSBuild execution (7f046414-e0c3-11ea-9d8b-faffc26aac4a) - added a new informational alert Wscript.exe execution (5b9151cc-e0c3-11ea-8c4b-faffc26aac4a) - added a new informational alert LOLBIN created a PowerShell script file (5cbee940-dfad-11ea-b820-faffc26aac4a) - added a new informational alert Suspicious .NET process loads an MSBuild DLL (5ed99c87-daf2-11ea-93df-faffc26aac4a) - added a new informational alert Shim database file access (69db2597-e0c3-11ea-b0e2-faffc26aac4a) - added a new informational alert Rundll32.exe with 'main' as EntryPoint (7f5b7042-dca4-11ea-81aa-faffc26aac4a) - added a new informational alert Suspicious lock screen image file written to disk (7b6d6987-2aa8-4b85-a9d4-d7708a7d15da) - added a new informational alert Decreased the severity to informational for 2 BIOC rules: Possible network service discovery via command-line tool (d2f959f3-d463-4d73-92bf-4c3664a5d956) - decreased the severity to informational PsExec execution EulaAccepted flag added to the Registry (076f18f5-7b94-45ec-b880-bf3827ae53de) - changed metadata, decreased the severity to informational, and improved detection logic   August 16, 2020 Release: Improved detection logic for a medium-severity BIOC rule: Tampering with Internet Explorer Protected Mode configuration (2875c302-c815-468d-ac43-a56bba89bfe2) - improved detection logic, and changed metadata Added a new informational BIOC rule: Suspicious .NET process spawns csc.exe (993f8e66-d59d-11ea-a6c7-faffc26aac4a) - added a new informational alert   August 09, 2020 Release: Improved detection logic for a medium-severity BIOC rule: Executable created to disk by lsass.exe (8d61c71e-3224-453f-aa1a-28de92d85b13) - improved detection logic   August 02, 2020 Release: Increased the severity to high for a BIOC rule: Encoded VBScript executed (b38b98bc-e2d4-4719-b863-d9142bf8d647) - changed metadata, and increased the severity to high Increased the severity to medium for 2 BIOC rules:  Office process creates a scheduled task via file access (b97e91dc-7ca9-4e77-a595-e214eb462f27) - increased the severity to medium, and improved detection logic Manipulation of the MonitorProcess Registry key (36a92409-c69e-45fa-a206-5c6058d3d48a) - changed metadata, increased the severity to medium, and improved detection logic Increased the severity to low for 3 BIOC rules: MSBuild.exe makes a network connection (bb459bb4-e864-4008-a12a-10ed4df3d753) - changed metadata, increased the severity to low, and improved detection logic Built-in SoundRecorder tool capturing audio (d9d22a46-efbf-4d97-9e2b-625e1d6fcc91) - increased the severity to low, and improved detection logic Permission groups discovery via ldapsearch (c72123f7-2612-4797-a919-3ab9511fd5e6) - changed metadata, increased the severity to low, and improved detection logic Added 2 new informational BIOC rules: Suspicious printer port creation via Registry (20acf754-7deb-4732-b6f6-56bc88b618db) - added a new informational alert Suspicious printer driver installation (f21127cf-cf34-11ea-b1bd-acde48001122) - added a new informational alert   July 26, 2020 Release: Increased the severity to high for 3 BIOC rules: Memory dumping with comsvcs.dll (9873cd8b-2220-4384-a99f-712ad0ccfb45) - increased the severity to high, and changed metadata  Possible LSASS memory dump (b744a41d-1ee9-4d09-908e-cf3fdc27fa4c) - increased the severity to high, and improved detection logic Regsvr32 may have run code from an untrusted source (41fe171e-5b79-4b15-a3c1-18f015dddd38) - increased the severity to high, changed metadata, and improved detection logic Increased the severity to medium for 6 BIOC rules: Windows event logs cleared using wmic.exe (7316c8d9-07d8-40aa-b074-b452bc3d355c) - increased the severity to medium, and changed metadata Suspicious execution of ODBCConf (f35fb52f-f2a8-4568-b2f4-660910109efb) - increased the severity to medium Suspicious certutil command line (bcf4cd6b-1e7f-4b2c-b538-24dacd1a0421) - increased the severity to medium Suspicious SearchProtocolHost.exe parent process (6e717721-732f-44e3-b826-602ae8bb6b67) - increased the severity to medium, changed metadata, and improved detection logic  UAC bypass using the changepk.exe Registry key (8abd3382-cf28-4906-b379-a3976dc0cd21) - increased the severity to medium, and changed metadata MSI accessed a web page running a server-side script (d24d3083-703e-4216-b248-eb6fa7cefc85) - increased the severity to medium, and improved detection logic Increased the severity to low for 2 BIOC rules: Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - increased the severity to low, and improved detection logic Discovery of host users via WMIC (6593c57d-14fe-11ea-9297-88e9fe502c1f) - increased the severity to low, changed metadata, and improved detection logic Decreased the severity to informational for a BIOC rule: Reading .ssh files (cb05480f-17d8-4138-9905-f0f9fb50b671) - decreased the severity to informational Added 2 new informational BIOC rules: Suspicious process loads AMSI DLL (d0ce0ecf-50f0-4dff-83f0-8bdc6b5d8dbd) - added a new informational alert Suspicious AMSI DLL load location (f332b6ef-ac49-484c-9258-d6396650912a) - added a new informational alert Improved detection logic for an informational BIOC rule: Windows PowerShell Logging being disabled via Registry (a649172a-7c6a-4a14-8022-b8d53f9d9ad6) - changed metadata, and improved detection logic Modification of the Winlogon\Shell Registry key (0d390f7f-d8bb-4803-8b1d-ca41d54ad600) - changed metadata, and improved detection logic Removed a BIOC rule: Manipulation of Winlogon 'Shell' autostart Registry key (f111b9b1-f9f6-464f-91a0-52abd2c5f797) - removed July 19, 2020 Release: Increased the severity to high for a BIOC rule: Microsoft Office process spawns conhost.exe (1dd1585b-632f-48f0-8eea-637a9e5e4fc7) - increased the severity to high Increased the severity to medium for 5 BIOC rules: Suspicious .NET log file created (dd318916-3d0a-4801-aa0b-78f9b94d0323) - changed metadata, increased the severity to medium, and improved detection logic Office process spawned with suspicious command-line arguments (29f7499b-2464-479d-9e49-10911bc02945) - increased the severity to medium, and improved detection logic Microsoft Office injects code into a process (17b8c759-512d-4c13-9fe4-71dcdeb97c29) - changed metadata, increased the severity to medium, and improved detection logic Microsoft Office adds a value to autostart Registry key (db0da9c7-b7b6-43ab-a53b-5854b6da9ce5) - changed metadata, increased the severity to medium, and improved detection logic Conhost.exe spawned a suspicious child process (d9d0dfed-fdc3-4488-9e1b-5ca3eea82bee) - changed metadata, increased the severity to medium, and improved detection logic Increased the severity to low for a BIOC rule: Microsoft Office executes an unsigned process in a suspicious directory (e1befc42-a6f8-403f-94db-2bb4d0e70439) - changed metadata, increased the severity to low, and improved detection logic Added 4 new informational BIOC rules: Connection to a TOR anonymization proxy (a009535f-54b4-4d38-9ee7-5ea0f7431c4e) - added a new informational alert Enumeration of Windows services from public IP addresses (e98b5d62-69cf-4c62-b3de-7636f669fd3d) - added a new informational alert Unsigned process loads a known PowerShell DLL (447fc1fe-4ff7-4668-a6c0-4ff929469234) - added a new informational alert Office process loads a known PowerShell DLL (a088c900-5a69-4230-81c2-eb583abaa54a) - added a new informational alert   July 12, 2020 Release: Increased the severity to medium for a BIOC rule: Suspicious process spawns MSBuild.exe (681dab98-d443-4327-9fd3-5f5bd33a3adb) - changed metadata, and increased the severity to medium Added 5 new informational BIOC rules: LOLBAS access to database service (c115727b-a1c7-4909-88d0-e6ae866a0e7a) - added a new informational alert Suspicious setspn.exe execution (09939895-1ee6-468c-9588-61a3e2d57124) - added a new informational alert WebDAV connection to internet (e29a5545-68c2-4019-b72c-0b54345f0914) - added a new informational alert BitTorrent P2P file sharing (e0879f94-a9c9-42b0-9eb7-0aa038f89dac) - added a new informational alert Autorun.inf created in root C:\ drive (43fea42c-fbca-4e68-8f4b-7956f4397671) - added a new informational alert Improved detection logic for 2 informational BIOC rules: Suspicious runonce.exe parent process (029129fa-20ad-11ea-b86e-8c8590c9ccd1) - improved detection logic Manipulation of 'BootExecute' Registry run key (68136813-901d-411a-b2e8-48bcf22af1ec) - changed metadata, and improved detection logic Changed metadata for 8 BIOC rules: Command-line creation of TCP stream (cb05480f-17d8-4138-9902-f0f9fb50b673) - changed metadata Netcat shell via named pipe (cb05480f-17d8-4138-9902-f0f9fb50b674) - changed metadata Cscript.exe connects to an external network (9410a485-491b-42e4-af6c-de4a76e12f0c) - changed metadata Wscript.exe connects to an external network (deef10e3-42b1-45fa-a957-9713755fa514) - changed metadata Unsigned process executed as a scheduled task (12766be6-50be-4cac-b6a4-6f3b5b8bd8ab) - changed metadata New service created via command line (cd9af829-d0ed-4c7f-b8da-6d6d23824562) - changed metadata Commonly-abused host process tried to kill a running process (393c5b71-2b2f-4290-be33-752015973161) - changed metadata Tampering with the Windows System Restore configuration (710b1aaa-cfdf-42b5-9615-447cedc5e5f0) - changed metadata June 21, 2020 Release: Increased the severity to medium for a BIOC rule: Possible UAC bypass via Event Viewer (55644e90-38b9-4233-aa11-eefe85561184) - increased the severity to medium, improved detection logic, and changed metadata Improved detection logic for a low-severity BIOC rule: Reading .ssh files (cb05480f-17d8-4138-9905-f0f9fb50b671) - improved detection logic, and changed metadata Added 6 new informational BIOC rules: Manipulation of the 'SilentProcessExit' Registry key (36a92409-c69e-45fa-a206-5c6058d3d48a) - added a new informational alert Creation of a new Microsoft Office default template (3272b10a-d3f1-4bef-82c6-4502eab0eaef) - added a new informational alert Office process creates a scheduled task via file access (b97e91dc-7ca9-4e77-a595-e214eb462f27) - added a new informational alert WptsExtensions.dll created to disk (4cde444e-aa7f-4f1a-8c75-855c3c9e50e9) - added a new informational alert Office process spawned with suspicious command-line arguments (29f7499b-2464-479d-9e49-10911bc02945) - added a new informational alert Windows Security audit Log was cleared (afc6329f-ccec-4c56-963d-5da63bb8a27d) - added a new informational alert Improved detection logic for an informational BIOC rule: Encrypted zip archive creation (88836a02-95e6-47d1-a619-90a2de0165ff) - improved detection logic, and changed metadata Unsigned process creates a scheduled task via file access (116a3cfb-2fd3-4d99-800b-e93fe158b211) - improved detection logic, and changed metadata   June 7, 2020 Release: Added 17 new informational BIOC rules: Microsoft Office process spawns conhost.exe (1dd1585b-632f-48f0-8eea-637a9e5e4fc7) - added a new informational alert Possible C2 via dnscat2 (f9127d2b-3bf1-4d30-9258-d4d4aa0ebbb0) - added a new informational alert Possible user enumeration via finger (84b6d1e8-812a-4ac7-a977-b88f26d32342) - added a new informational alert Conhost.exe spawned a suspicious child process (d9d0dfed-fdc3-4488-9e1b-5ca3eea82bee) - added a new informational alert Possible Oracle enumeration via tnscmd10g (2cb88b29-27c2-484b-be99-60158b575cf1) - added a new informational alert Execution of Fsociety tool pack (9a5b28a6-0a67-4386-9707-e7e4f1791c8a) - added a new informational alert Suspicious execution of ODBCConf (f35fb52f-f2a8-4568-b2f4-660910109efb) - added a new informational alert UDP protocol scanner execution (d985da58-a4c5-4063-984b-357c80021aa1) - added a new informational alert SMB enumeration via command-line tool (a8480241-6aa6-43d1-aae2-a53b22220b1d) - added a new informational alert Execution of a password brute-force tool (5271e598-1eca-4abb-8f96-803e7674ff61) - added a new informational alert DNS reconnaissance or enumeration via DNSRecon (58ee2732-5c4e-468c-a878-4a524d8d5f81) - added a new informational alert Credential dumping via LaZagne (928b756c-8328-4dd8-9b41-5461d590589f) - added a new informational alert Rundll32 loads a known abused DLL (340fd5f7-7a5c-4c6e-8b54-9bfce08bd2a3) - added a new informational alert Unusual process spawned by changepk.exe (b81c79bc-3781-4657-af0d-4bc49856332b) - added a new informational alert Permission groups discovery via ldapsearch (c72123f7-2612-4797-a919-3ab9511fd5e6) - added a new informational alert Possible Oracle enumeration via Oscanner (81714e7d-a315-11ea-baaf-acde48001122) - added a new informational alert Possible ARP reconnaissance via netdiscover (304eb4e4-1052-416e-8a13-1222a61bc672) - added a new informational alert Improved detection logic for 2 high-severity BIOC rules: Netcat makes or gets connections (44bf3d02-3081-4222-814f-6d47958c502a) - improved detection logic Wbadmin.exe deletes recovery files in quiet mode (24be0d84-2203-4d60-a1f0-39e4f80eee3a) - improved detection logic, and changed metadata Improved detection logic for 4 medium-severity BIOC rules: Executable created to disk by lsass.exe (8d61c71e-3224-453f-aa1a-28de92d85b13) - improved detection logic, and changed metadata Regsvr32 possibly downloading code from a remote host (a5ee0040-949c-4a4f-a5b8-dd5c079f9ba0) - improved detection logic Windows certificate management tool makes a network connection (0179177f-e5ec-4101-a238-c0372b239afb) - improved detection logic Compiled HTML (help file) writes a script file to disk (122e2d05-593a-4739-b498-6c5252c0dc00) - improved detection logic, and changed metadata Improved detection logic for a low-severity BIOC rule: Notepad process makes a network connection (558de43f-e8ff-4222-bb82-4419868088cd) - improved detection logic, and changed metadata Improved detection logic for 9 informational BIOC rules: Commonly abused process launches as a system service (3a426a71-9c12-4146-a916-c2db387280ed) - improved detection logic, and changed metadata Unsigned process makes connections over DNS ports (99470a0e-c311-42a1-872f-74fde3326794) - improved detection logic, and changed metadata Compiled HTML (help file) makes network connections (858a4ed7-36c4-4c43-9bff-d142f300035d) - improved detection logic, and changed metadata Scripting engine makes connections over DNS ports (b3779123-e79d-43b5-b1f5-2fb41093afef) - improved detection logic, and changed metadata Dllhost.exe makes network connections (d4b8bd1d-f1fb-4fde-9547-33494049c44a) - improved detection logic, and changed metadata Suspicious runonce.exe parent process (029129fa-20ad-11ea-b86e-8c8590c9ccd1) - improved detection logic, and changed metadata Unsigned process executed as a scheduled task (12766be6-50be-4cac-b6a4-6f3b5b8bd8ab) - improved detection logic, and changed metadata Outlook data files accessed by an unsigned process (ea7088cd-90e4-4750-b65c-61743e3c4bb3) - improved detection logic Suspicious DLL load using Control.exe (68db2d19-082e-4703-8008-b5938298a910) - improved detection logic, and changed metadata   May 31, 2020 Release Improved detection logic for a high-severity BIOC rule: Suspicious access to NTDS.dit (eeeee3a5-a22f-4850-8022-17684a8c5227) - improved detection logic May 24, 2020 Release Improved detection logic for 3 medium-severity BIOC rules: Process runs with a double extension (f8890ac0-dc0b-4bd2-915f-932145147d73) - improved detection logic, and changed metadata Rundll32.exe running with no command-line arguments (0c0a801a-06ff-4a10-b555-67e56ecbd410) - improved detection logic, and changed metadata LOLBAS executable injects into another process (c8ad0223-2018-11ea-a080-8c8590c9ccd1) - improved detection logic Added 5 new informational BIOC rules: Fontdrvhost.exe makes network connections (7d43a35a-d5f1-4d00-b755-3e62db2e70db) - added a new informational alert Unusual process spawned by fontdrvhost.exe (3e6054cf-8ba3-4550-ba4f-9308a537342f) - added a new informational alert Rundll32.exe launches an executable using ordinal numbers argument (421619b8-a26b-476a-b2e4-3c24ee33a4b0) - added a new informational alert Suspicious debug file created in a temporary folder (887e00c4-ec12-4490-b9bc-0db49a010fba) - added a new informational alert Bypass UAC using the changepk.exe Registry key (8abd3382-cf28-4906-b379-a3976dc0cd21) - added a new informational alert Changed metadata for a BIOC rule: Psexesvc.exe executes a command from a remote host (ced869bc-88ee-4c67-a6d9-92002800403a) - changed metadata    May 17, 2020 Release Increased the severity to medium for 2 BIOC rules: WSReset.exe UAC bypass (c07d1939-f759-4b5e-905a-fdd777ac3fda) - increased the severity to medium Rundll32.exe used to run JavaScript (b6315a3-e1cd-4bfb-baa7-5609cd7f8756) - increased the severity to medium Improved detection logic for a medium-severity BIOC rule: Image File Execution Options Registry key injection by scripting engine (f8ea70da-4bbd-44a7-9b32-0abc809dd2be) - improved detection logic Scripting engine injects code to a process (1f985402-f4a4-4132-b74b-18a04a3620cd) - improved detection logic Manipulation of Google Chrome extensions via Registry (5adc7a1b-c840-43fc-ac65-c1b6cdb5ca12) - improved detection logic Executable moved to Windows system folder (045190df-f5ab-491a-b214-199dc17f9e3b) - improved detection logic Manipulation of Firefox plugins and extensions via Registry (98a1a1e1-5b03-4aa4-95ce-77ef7a52e600) - improved detection logic Improved detection logic for a low-severity BIOC rule: Image File Execution Options Registry key injection by unsigned process (98430360-5b37-465e-acd6-bafa9325110c) - improved detection logic Added 11 new informational BIOC rules: Microsoft Office injects code into a process (17b8c759-512d-4c13-9fe4-71dcdeb97c29) - added a new informational alert LOLBAS reading a Windows credential manager file (3155db03-35a0-4341-9415-1c3bff40d3e0) - added a new informational alert SmartScreen disabled via Registry (51680cd3-af12-4140-ab98-af8694e36409) - added a new informational alert Suspicious process spawns MSBuild.exe (681dab98-d443-4327-9fd3-5f5bd33a3adb) - added a new informational alert Suspicious SearchProtocolHost.exe parent process (6e717721-732f-44e3-b826-602ae8bb6b67) - added a new informational alert Encoded script running (b38b98bc-e2d4-4719-b863-d9142bf8d647) - added a new informational alert MSBuild.exe makes a network connection (bb459bb4-e864-4008-a12a-10ed4df3d753) - added a new informational alert Suspicious certutil command line (bcf4cd6b-1e7f-4b2c-b538-24dacd1a0421) - added a new informational alert Microsoft Office adds a value to autostart Registry key (db0da9c7-b7b6-43ab-a53b-5854b6da9ce5) - added a new informational alert Suspicious .NET log file created (dd318916-3d0a-4801-aa0b-78f9b94d0323) - added a new informational alert Microsoft Office executes an unsigned process under a suspicious directory (e1befc42-a6f8-403f-94db-2bb4d0e70439) - added a new informational alert Improved detection logic for an informational BIOC rule: Unsigned process reads Chromium credentials file (da3cedf6-9fd3-4e00-b2ca-9cedbd8b098a) - improved detection logic, and changed metadata Outlook creates an executable file on disk (deafab32-3050-467d-a742-92f6453a152e) - improved detection logic Tampering with Windows Security Support Provider DLLs (1396a3ad-1b0a-4ad7-861b-a6a50104952e) - improved detection logic, and changed metadata   May 10, 2020 Release  Increased the severity to medium for 2 BIOC rules:  WSReset.exe UAC bypass (c07d1939-f759-4b5e-905a-fdd777ac3fda) - increased the severity to medium Rundll32.exe used to run JavaScript (b6315a3-e1cd-4bfb-baa7-5609cd7f8756) - increased the severity to medium Added 3 new informational BIOC rules: Microsoft Office injects code into a process (17b8c759-512d-4c13-9fe4-71dcdeb97c29) - added a new informational alert Encoded script running (b38b98bc-e2d4-4719-b863-d9142bf8d647) - added a new informational alert LOLBAS reading a Windows credential manager file (3155db03-35a0-4341-9415-1c3bff40d3e0) - added a new informational alert   May 3, 2020 Release Increased the severity to high for 2 BIOC rules: Rubeus tool execution (be12107d-1056-11ea-874c-8c8590c9ccd1) - changed metadata, and increased the severity to high Pubprn.vbs signed script proxy execution (8d113cec-90be-4b24-856a-6f6c091e7510) - increased the severity to high Increased the severity to medium for 2 BIOC rules: Possible network connection to a TOR relay server (996c74f1-f154-466a-8f93-154a43c6fb90) - improved detection logic, and increased the severity to medium AMSI Bypass (7cdcafb1-cc36-4608-87da-eaed966d3c7e) - increased the severity to medium   April 26, 2020 Release Increased the severity to medium for 2 BIOC rules: Manipulation of Windows Safe Boot configuration (bf8923ca-bfe8-4cdd-89ac-3b2b7938976c) - increased the severity to medium, changed metadata, and improved detection logic Bypass UAC using the control.exe Registry key (263c2cfb-e511-446e-8263-14d0a985b445) - increased the severity to medium, and changed metadata Improved detection logic for a medium-severity BIOC rule: Script file added to startup-related Registry keys (1db69ccd-b068-40b1-aeec-ce987021cdfc) - improved detection logic Added 3 new informational BIOC rules: Access to Opera browser credentials file (01de8317-d3e7-4d4b-871f-e86a775a1c1e) - added a new informational alert Memory dumping with comsvcs (9873cd8b-2220-4384-a99f-712ad0ccfb45) - added a new informational alert SyncAppvPublishingServer used to run PowerShell code (a3d1fa93-c193-44d8-a469-a25dd1db7695) - added a new informational alert   April 19, 2020 Release Added 3 new informational BIOC rules: Modification of default Windows startup path via Registry (fbacd7dc-f835-436b-9e83-9c20d74732e2) - added a new informational alert Possible Persistence via group policy Registry keys (21ff020b-270f-4579-90ca-9d14638d4c46) - added a new informational alert Password-related Mozilla files were read by a non-Mozilla process (4d52183d-193b-4cca-8e17-d4dcfb5a388c) - added a new informational alert Improved detection logic for a medium-severity BIOC rule: Windows certificate management tool makes a network connection (0179177f-e5ec-4101-a238-c0372b239afb) - improved detection logic Changed metadata for 8 BIOC rules: Executable file written to a temporary folder (73adac7b-e1c0-47d0-9767-f491e92008eb) - changed metadata Hidden directory creation (d4049817-ff73-460a-b752-21c86c6efdc8) - changed metadata Unsigned process running from a temporary directory (e9d12cc6-69a2-4cce-b58e-4db58b9176cf) - changed metadata DNS resolution to the Palo Alto Networks sinkhole (03347621-15db-11ea-8454-88e9fe502c1f) - changed metadata Cscript.exe connects to an external network (9410a485-491b-42e4-af6c-de4a76e12f0c) - changed metadata PowerShell possibly attempting to execute as administrator (765c164d-7170-4e1c-a463-a5ecf41617dd) - changed metadata Process calls ActiveX Object with a shell command (82485794-7e5b-48da-aacf-926d031b8f62) - changed metadata Process runs from the recycle bin (98134120-eed2-4252-b6d6-d130743018c6) - changed metadata   April 12, 2020 Release Increased the severity to medium for a BIOC rule: Script file added to startup-related Registry keys (1db69ccd-b068-40b1-aeec-ce987021cdfc) - improved detection logic, increased the severity to medium, and changed metadata Changed metadata for 5 BIOC rules: Manipulation of Windows Safe Boot configuration (bf8923ca-bfe8-4cdd-89ac-3b2b7938976c) - changed metadata Shutdown command issued (6c60836a-382a-460e-9208-4b59f4fc68a9) - changed metadata Manipulation of permissions for the Application Event Log (6a8acb51-2331-4384-a247-a27cc9f12c84) - changed metadata Manipulation of Volume Shadow Copy configuration (ceaedeba-68c1-4c99-87b2-98872b4aeca3) - changed metadata Tampering with the Windows System Restore configuration (710b1aaa-cfdf-42b5-9615-447cedc5e5f0) - changed metadata   April 6, 2020 Release Increased the severity to high for a BIOC rule: Suspicious access to NTDS.dit (eeeee3a5-a22f-4850-8022-17684a8c5227) - improved detection logic, increased the severity to high, and changed metadata Increased the severity to low for a BIOC rule: Manipulation of Windows DNS configuration using WMIC (ff9612ae-22ca-4ac2-bd3b-6bf1244dad8a) - improved detection logic, increased the severity to low, and changed metadata Added 3 new informational BIOC rules: Disabling Windows Defender via Registry (d18483d3-1e7c-48cc-b1d9-6e1ab8592667) - added a new informational alert WMI access to shadow copy interface (b6cd123b-e5a0-4aa3-ac43-3398d6a93ca7) - added a new informational alert Pubprn.vbs signed script proxy execution (8d113cec-90be-4b24-856a-6f6c091e7510) - added a new informational alert Decreased the severity to informational for a BIOC rule: Modification of password filter DLL(s) Registry key (ea98601c-e552-4b9b-8164-f085a38d383d) - decreased the severity to informational Removed 2 BIOC rule: PowerShell enumerates running processes (932681e4-919a-4151-921f-adcb1088bb86) - removed Possible RDP session hijacking using tscon.exe (32c6e7f9-ccd0-48a4-8bc9-3e460653cb75) - removed Changed metadata for 118 BIOC rules   March 30, 2020 Release Increased the severity to high for 2 BIOC rules: Mimikatz command-line arguments (94fed992-c1da-4b69-9caa-292221b8c070) - improved detection logic, changed metadata, and increased the severity to high Netcat makes or gets connections (44bf3d02-3081-4222-814f-6d47958c502a) - improved detection logic, changed metadata, and increased the severity to high Increased the severity to medium for 5 BIOC rules: Windows certificate management tool makes a network connection (0179177f-e5ec-4101-a238-c0372b239afb) - improved detection logic, changed metadata, and increased the severity to medium Non-browser access to a pastebin-like site (6b394799-0a16-4d03-b8b4-e9a062965ad7) - improved detection logic, changed metadata, and increased the severity to medium Fodhelper.exe UAC bypass (448f8a2e-eaf9-4ff7-ab84-5a582e837dfc) - improved detection logic, and increased the severity to medium LSASS dump file written to disk (90226942-3721-4df4-9b26-577ed1e9c34d) - improved detection logic, and increased the severity to medium Network sniffing via command-line tool (4b25dcce-0ac3-4cb2-8c97-939a1077af84) - improved detection logic, and increased the severity to medium Increased the severity to low for 6 BIOC rules: Windows Firewall notifications disabled via Registry (31796d2e-08a9-4047-8f37-3a0c2aa11702) - improved detection logic, changed metadata, and increased the severity to low Base64 encoding used (e8ffb33b-f1a8-4687-9ad7-cd2654d73b4f) - improved detection logic, changed metadata, and increased the severity to low Kernel modules loaded via command-line tool (49dbb669-e1f4-4ca7-a7e4-36478b780e74) - improved detection logic, and increased the severity to low Possible network service discovery via command-line tool (d2f959f3-d463-4d73-92bf-4c3664a5d956) - improved detection logic, and increased the severity to low Executable copied to remote host via admin share (63181adb-96a2-441b-8367-6a1e91ef1e02) - improved detection logic, changed metadata, and increased the severity to low Bash creating network traffic (8bbc8c26-45dd-436c-9d89-98f76164daee) - improved detection logic, and increased the severity to low Added 4 new informational BIOC rules: Direct scheduled task creation via file access (116a3cfb-2fd3-4d99-800b-e93fe158b211) - added a new informational alert Disable outlook security via Registry (a6311886-ab62-4df9-862f-b999a0c3a995) - added a new informational alert Ping to a known external IP address (61079392-db2f-4b7a-b7f8-b87562137f73) - added a new informational alert File renamed to have a script extension (51bd180f-ae84-450d-b0a6-b1a67300ef4d) - added a new informational alert Removed a BIOC rule: Common Google process name missing Google digital signature (417426e1-363c-4dbc-928d-ff7cd5f114d0) - removed Changed the metadata for 115 BIOC rules   March 24, 2020 Release Decreased the severity to informational for a BIOC rule: Injection into rundll32.exe (0c0a80af-06ff-4a10-b555-67e56ecbd410) - improved detection logic, and decreased the severity to informational   March 23, 2020 Release Increased the severity to low for a BIOC rule: Persistence using cron jobs (3a73f6c2-ce9a-4eca-a4b5-a62a8e548319) - increased the severity to low, and improved detection logic Improved detection logic for a high-severity BIOC rule: Windows Event Log cleared using wevtutil.exe (938176d0-d14a-49a0-9159-6081627eba03) - changed metadata, and improved detection logic Improved detection logic for a medium-severity BIOC rule: Injection into rundll32.exe (0c0a80af-06ff-4a10-b555-67e56ecbd410) - changed metadata, and improved detection logic Improved detection logic for an informational BIOC rule: Manipulation of permissions for the Application Event Log (6a8acb51-2331-4384-a247-a27cc9f12c84) - changed metadata, and improved detection logic Added 7 new informational BIOC rules: Interactive at.exe privilege escalation method (0b41de4f-7d6e-4969-8636-56a98e2b6533) - added a new informational alert Suspicious file created in AppData directory (b2ad90f1-11ac-4a98-9c85-0526953f2879) - added a new informational alert Root certificate installed (c7f92662-5a28-48da-845a-34a7876c3eb3) - added a new informational alert Injection into ping.exe (cc960d74-2582-42cd-aaa7-6ef1282e5029) - added a new informational alert MSI accessed a web page running a server-side script (d24d3083-703e-4216-b248-eb6fa7cefc85) - added a new informational alert Persistence via Registry screensaver key change (dac7763e-7a68-43b0-98eb-e79e7f80db76) - added a new informational alert Root certificate installed (e48ab0ac-e71b-40b1-8035-cc5033b7dd87) - added a new informational alert Changed metadata for 43 BIOC rules: New certificate added to the trusted root store (01c10219-918d-4c45-bd0d-daf63ef6903c) - changed metadata Commonly-abused AutoIT script connects to a remote host (429e8b36-070c-44ae-ae6d-50f89d31261e) - changed metadata Executable or script created in the startup folder (5ee4f82d-6d98-4f94-a832-a62957234d69) - changed metadata Commonly-abused process executes as a scheduled task (1fe9ecf8-64e7-4547-8a67-9f188d694550) - changed metadata WMI terminated a process (5c93679e-ea6c-4b88-8ba9-24446f6665dd) - changed metadata Chrome launched in Incognito mode (5119f194-5362-4141-8212-cba47a3530b9) - changed metadata Suspicious DLL load using Control.exe (68db2d19-082e-4703-8008-b5938298a910) - changed metadata Registry change to hide known file extension (6110979a-b0ba-4384-955c-a73438ef38a9) - changed metadata PowerShell process connects to the internet (5e1b87b5-e0db-4ff9-806b-ed73a5190222) - changed metadata Accessibility tool 'Debugger' Registry key created (47b4051d-2e74-46a5-ad41-35302a8fdef7) - changed metadata Unsigned process spawned a browser (3baa64a2-09b6-4af7-9305-0a0dd2297b15) - changed metadata Enumeration of running processes via command line (621fe652-fc63-4eae-9a29-6a436b70e985) - changed metadata Executable copied to remote host via admin share (63181adb-96a2-441b-8367-6a1e91ef1e02) - changed metadata New scheduled task created (00e82bfd-a179-4293-b1e0-976ba382e136) - changed metadata Driver written to a temporary directory (5edceb49-5371-476e-94d5-442337a14cff) - changed metadata Manipulation of LSA 'Authentication Packages' Registry key (4f133949-205d-4abf-bbf6-4fc6e48bc6c4) - changed metadata Modification of the Winlogon\Shell Registry key (0d390f7f-d8bb-4803-8b1d-ca41d54ad600) - changed metadata Windows certificate management tool makes a network connection (0179177f-e5ec-4101-a238-c0372b239afb) - changed metadata Windows hosts file written to (54d01b86-4b6a-4554-81f8-214f2d7d6c32) - changed metadata Unsigned process creates an Alternate Data Stream (ADS) (51be6542-3345-464a-8c0a-11f90fb97331) - changed metadata Ping executed with loopback address (363bfa0b-95f7-43c8-a699-0670f9bbebfe) - changed metadata Wget connecting to an external network (5e1b87b5-e0db-4ff9-9901-ed73a5190322) - changed metadata Tampering with Windows Security Support Provider DLLs  (1396a3ad-1b0a-4ad7-861b-a6a50104952e) - changed metadata PowerShell running with download in the command line (59de217d-211f-468b-a2a8-60324a305513) - changed metadata Excel Web Query file created on disk (5f29933c-46ae-45f4-b5ce-fc59f12240bf) - changed metadata Manipulation of 'BootExecute' Registry run key (68136813-901d-411a-b2e8-48bcf22af1ec) - changed metadata Unsigned process executes as a scheduled task (12766be6-50be-4cac-b6a4-6f3b5b8bd8ab) - changed metadata Enumeration using net.exe or net1.exe (53edfa8f-b0d3-4960-9a16-98d53be6ae44) - changed metadata New environment variable set (0df2d00a-e4eb-4198-8573-962de02885ff) - changed metadata Unsigned process executing whoami (690a8894-5827-4f70-ac30-61f26feb1e34) - changed metadata PsExec attempts to execute a command on a remote host (5863cb1a-598f-49b1-b4a9-a444f70e596e) - changed metadata Windows 10 Developer Mode enabled (4e4a3361-3863-4a98-a08c-4992b43ca7e4) - changed metadata Commonly-abused process spawned by web server (0e2c294f-cd18-44bf-8d93-edf98c4a41c3) - changed metadata Modification of Windows boot configuration using bcdedit.exe (154dbe5f-ba64-4c31-899a-f64bc9983d12) - changed metadata PowerShell runs base64-encoded commands (50e811bd-49bc-47cb-bffc-4daf4c844d26) - changed metadata Changing permissions or ownership of a file or folder (0c6d31b7-78c5-4244-90ac-5fb26952d54f) - changed metadata Execution of commonly-abused AutoIT script (13b17653-c885-4d10-bce2-51a63419cf8f) - changed metadata Mshta.exe launched with suspicious arguments (0b174006-3946-43b6-af3c-ab400e6c7a87) - changed metadata Unsigned process injecting into a Windows system binary with no command line (0c0a801f-06ff-4a10-b555-67e5aecbd410) - changed metadata Scripting engine injects code to a process (1f985402-f4a4-4132-b74b-18a04a3620cd) - changed metadata PsExec execution EulaAccepted flag added to the Registry (076f18f5-7b94-45ec-b880-bf3827ae53de) - changed metadata Manipulation of Google Chrome extensions via Registry (5adc7a1b-c840-43fc-ac65-c1b6cdb5ca12) - changed metadata Indirect command execution using the Program Compatibility Assistant (18447eac-7ad6-44a8-aaf5-7e75b0151166) - changed metadata   March 15, 2020 Release Improved detection logic for a low-severity BIOC rule: Manipulation of MMC Registry configuration (6b29c2d9-4675-426c-b5f2-67f93c5c0ac4) - improved detection logic Added 10 new informational BIOC rules: System information discovery via psinfo.exe (9eafe6a7-b0fa-4f85-867f-8ef01412e124) - added a new informational alert WSReset.exe UAC bypass (c07d1939-f759-4b5e-905a-fdd777ac3fda) - added a new informational alert Usage of tracing tool (4446f8cf-6859-4af0-8da0-17f4503077d5) - added a new informational alert Modification of logon scripts via Registry (c77e2bc0-d77a-4c54-91bc-63f0415c2821) - added a new informational alert Reverse shell one-liner using a scripting engine (59be79be-d4e3-41f8-ba81-08ff8f5830f1) - added a new informational alert Office process writes an executable file to disk (235ffb55-8b93-4ff0-b5b1-f6ed864995e0) - added a new informational alert Bypass UAC using the IsolatedCommand Registry value (888395ea-2630-404e-a30c-c1ae4e352631) - added a new informational alert Suspicious usage of cytool.exe (9e389768-e7ad-428c-9e2b-916a979950ca) - added a new informational alert Bypass UAC using the control.exe Registry key (263c2cfb-e511-446e-8263-14d0a985b445) - added a new informational alert Suspicious access to /etc/shadow (e5fa37b4-939d-434e-9065-9723c06790fb) - added a new informational alert Improved detection logic for an informational BIOC rule: Sudoers discovery (2ed43b35-f9ca-4df4-a796-c5e88da0ed3a) - improved detection logic, and changed metadata   March 8, 2020 Release Increased the severity to medium for 2 BIOC rules: Unsigned process injecting into a Windows system binary with no command line (0c0a801f-06ff-4a10-b555-67e5aecbd410) - improved detection logic, increased the severity to medium, and changed metadata Possible malicious .NET compilation started by a commonly-abused process (9eb14342-4742-11ea-8105-88e9fe502c1f) - increased the severity to medium Increased the severity to low for a BIOC rule: RDP connections enabled via Registry by unsigned process (6d432610-7ee0-4857-a8f5-009dfd4bde14) - improved detection logic, increased the severity to low, and changed metadata Added 13 new informational BIOC rules: WMI execution of cmd.exe with output redirection (af8d1cd7-7e8f-4084-b698-b47ca9e2c8b2) - added a new informational alert Discovery of files with setgid or setuid bits (6e873af1-fa2b-46f2-b641-f64b55db5db2) - added a new informational alert Fodhelper.exe UAC bypass (448f8a2e-eaf9-4ff7-ab84-5a582e837dfc) - added a new informational alert Remote RDP session enumeration via query.exe (ba98e718-1bc4-427d-9ccf-44c80b40f2b7) - added a new informational alert Command-line creation of a RAR archive (0276283f-7696-45d4-82dc-a4195d9b849b) - added a new informational alert NTLM Credential dumping via RpcPing.exe (6bebf7c5-47a2-4c35-8786-6b64a27a35f5) - added a new informational alert Possible UAC bypass using Eventvwr.exe (55644e90-38b9-4233-aa11-eefe85561184) - added a new informational alert Kernel modules loaded via compiled loader and .ko file (371c8d3b-560a-456e-802d-394aea248f1d) - added a new informational alert Potential web shell installation (4cc829d5-6fba-4167-8c4c-25e538bcd993) - added a new informational alert Collecting audio via PowerShell command (b519acb0-9cda-4a5c-8b36-f8b3533f6607) - added a new informational alert Modification of SSH authorized keys (7f5acbc4-8574-4cd6-aeb5-411c21e38a41) - added a new informational alert Credential Vault command-line access (e57fdcf6-5bbf-46b7-a697-83042df49c5a) - added a new informational alert Remote RDP session enumeration via qwinsta.exe (5f017d4f-f526-46f6-9f32-a63d16639637) - added a new informational alert Improved detection logic for a medium-severity BIOC rule: Credential dumping via wce.exe (0c468243-6943-4871-be10-13fb68c0a8ef) - improved detection logic, and changed metadata Improved detection logic for a low-severity BIOC rule: Dumping Registry hives with passwords (824a3186-b262-4e01-b45c-35cca8efa233) - improved detection logic   February 23, 2020 Release Increased the severity to medium for a BIOC rule: Possible ping sweep (362649fe-9028-4166-baf8-b58c8dab8bee) - improved detection logic, and increased the severity to medium Added 2 new informational BIOC rules: PsExec runs with System privileges (b834289d-44f9-4e05-9411-4dd8dfff8959) - added a new informational alert Possible RDP session hijacking using tscon.exe (32c6e7f9-ccd0-48a4-8bc9-3e460653cb75) - added a  new informational alert   February 16, 2020 Release Increased the severity to high for a BIOC rule: Debug.bin file dropped to Temp folder (5b161cc7-20d1-11ea-bf45-8c8590c9ccd1) - increased the severity to high Increased the severity to medium for 9 BIOC rules: Mshta.exe launched with suspicious arguments (0b174006-3946-43b6-af3c-ab400e6c7a87) - improved detection logic, increased the severity to medium, and changed metadata Reading bash command history file (cb05480f-17d8-4138-9902-f0f9fb50b672) - increased the severity to medium, and changed metadata Multiple RDP sessions enabled via Registry (b1ac2867-7f82-4d99-b565-2fb5425c1bb5) - increased the severity to medium, and changed metadata Image File Execution Options Registry key injection by scripting engine (f8ea70da-4bbd-44a7-9b32-0abc809dd2be) - increased the severity to medium, and changed metadata Regsvr32 possibly downloading code from a remote host (a5ee0040-949c-4a4f-a5b8-dd5c079f9ba0) - improved detection logic, increased the severity to medium, and changed metadata Manipulation of Google Chrome extensions via Registry (5adc7a1b-c840-43fc-ac65-c1b6cdb5ca12) - improved detection logic, increased the severity to medium, and changed metadata Unsigned integer Sudo privilege escalation (1974dd9e-20c1-11ea-ab34-8c8590c9ccd1) - increased the severity to medium Indirect command execution using the Program Compatibility Assistant (18447eac-7ad6-44a8-aaf5-7e75b0151166) - improved detection logic, increased the severity to medium, and changed metadata Procdump executed from an atypical directory (e8338494-20af-11ea-bbde-8c8590c9ccd1) - improved detection logic, and increased the severity to medium Increased the severity to low for a BIOC rule: Possible data destruction via dd (c7492f51-dbb6-4973-bdd4-4b482f4c3497) - improved detection logic, and increased the severity to low Added 9 new informational BIOC rules: Execution of regsvcs/regasm with uncommon paths (a1ce5d8b-5ea0-49d2-8d91-8ae4ea752ec0) - added a new informational alert Possible malicious .NET compilation started by a commonly-abused process (9eb14342-4742-11ea-8105-88e9fe502c1f) - added  a new informational alert WerFault ReflectDebugger key set in Registry (e22a0cab-0e71-408c-bbbc-39bf225df5fc) - added a new informational alert LSASS dump file written to disk (90226942-3721-4df4-9b26-577ed1e9c34d) - added a new informational alert Possible LSASS memory dump (b744a41d-1ee9-4d09-908e-cf3fdc27fa4c) - added a new informational alert Suspicious access to NTDS.dit (eeeee3a5-a22f-4850-8022-17684a8c5227) - added a new informational alert Mimikatz command-line arguments (94fed992-c1da-4b69-9caa-292221b8c070) - added a new informational alert AMSI Bypass (7cdcafb1-cc36-4608-87da-eaed966d3c7e) - added a new informational alert VBScript execution from the command line (e71d7a58-f4c9-4582-bdb9-e86beb803d0c) - added a new informational alert   February 9, 2020 Release Increased the severity to medium for a BIOC rule: Windows Firewall disabled via Registry (31796d2e-08a9-4047-8f37-3a0c2aad8f67) - increased the severity to medium, changed metadata, and improved detection logic Added a new informational BIOC rule: Rundll32.exe used to run JavaScript (b6315a3-e1cd-4bfb-baa7-5609cd7f8756) - added a new informational alert   February 2, 2020 Release Increased the severity to medium for 4 BIOC rules: Hash cracking using Hashcat tool (f09765e8-105f-11ea-af82-8c8590c9ccd1) - improved detection logic, increased the severity to medium, and changed metadata Non-browser failed access to a pastebin-like site (c1f7607b-e56c-43ca-b072-5b266bb4133b) - improved detection logic, increased the severity to medium, and changed metadata Manipulation of Firefox plugins and extensions via Registry (98a1a1e1-5b03-4aa4-95ce-77ef7a52e600) - improved detection logic, increased the severity to medium, and changed metadata RDP connections enabled via Registry from a script host or rundll32.exe (0f705be9-8cd2-4263-9735-6d394f08b974) - improved detection logic, increased the severity to medium, and changed metadata Decreased the severity to medium for 4 BIOC rules: Microsoft Office Equation Editor spawns a commonly abused process (68d5ddf7-50b4-49e0-be96-863cf763a2b1) - decreased the severity to medium PHP script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b677) - decreased the severity to medium Perl script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b676) - decreased the severity to medium Python script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b675) - decreased the severity to medium Added 46 new informational BIOC rules: Setgid on file (0826210d-ddd8-44e7-98fb-399083b15e97) - added a new informational alert Impersonation using Rubeus tool (0e6a7a3a-1059-11ea-b96d-8c8590c9ccd1) - added a new informational alert Write to .bash_profile (1119d1ec-cdfb-404b-ae82-475b8fcf8ddc) - added a new informational alert OS information listing via uname (1170aaf5-cac9-452b-bd8d-25712b06007b) - added a new informational alert Setuid on file (17da1f84-5419-4fd6-ade0-ce5bad273c21) - added a new informational alert Kerberos brute-force attack using Rubeus (2823e64c-105b-11ea-b732-8c8590c9ccd1) - added a new informational alert Account creation via command-line tool (28b4bc7c-4c08-43fb-b9e8-8798ef0c8684) - added a new informational alert Possible sudoers enumeration (2ed43b35-f9ca-4df4-a796-c5e88da0ed3a) - added a new informational alert Persistence using cron jobs (3a73f6c2-ce9a-4eca-a4b5-a62a8e548319) - added a new informational alert OS information listing via distro version file (3a85fbc4-a63f-4e0d-8c06-af22383db482) - added a new informational alert Kernel modules loaded via command-line tool (49dbb669-e1f4-4ca7-a7e4-36478b780e74) - added a new informational alert Grepping for passwords (4ab8f6a2-9aea-4e6f-a2e5-1e8530a3ed7d) - added a new informational alert User and/or group enumeration via command-line tools (4ae09e1b-999d-47e1-8aca-aba083b96c90) - added a new informational alert Network sniffing via command-line tool (4b25dcce-0ac3-4cb2-8c97-939a1077af84) - added a new informational alert User creation or modification via /etc file (4d411087-50ed-461e-83fc-17e76cb092f4) - added a new informational alert Password policy discovery via command-line tool (4e9766dd-2530-4fe9-920f-1b8a7ec29b8e) - added a new informational alert Log deletion via command-line tool (55ed9a90-b68b-4e55-a165-eda5d1cab906) - added a new informational alert Linux screen capture via command-line tool (593bc5d9-8bdf-482a-8d84-34b6045cf4d8) - added a new informational alert Possible Firefox browser history and bookmarks collection via command-line tool (59bcaa15-6a26-49a9-b8db-4978b1148f13) - added a new informational alert File timestamp tampering (624b8f91-842c-4f04-87e1-71aa7bdb727c) - added a new informational alert Bash history access (735fd839-4959-4e5d-9207-fdf517b977a1) - added a new informational alert SSH key pair discovery (76d3e2e8-77dc-47a4-902f-f8189da8e883) - added a new informational alert Hardware information gather via command-line tool (7d710f85-8712-4357-9fe3-c26740a5bfd8) - added a new informational alert Encryped zip archive creation (88836a02-95e6-47d1-a619-90a2de0165ff) - added a new informational alert Bash creating network traffic (8bbc8c26-45dd-436c-9d89-98f76164daee) - added a new informational alert Document discovery (90eadd45-60c0-40e0-9df8-c5185ed8496e) - added a new informational alert Editing ld.so.preload for persistence and injection (9cb193d8-4f01-4c57-b21d-c3211e32fe5e) - added a new informational alert Persistence using .bashrc (b6a766b5-29e7-44b2-8e68-7a4f78a5fd46) - added a new informational alert Possible user enumeration via /etc/passwd (b8bdaf34-b94c-45c6-aaba-c7032d32f0b9) - added a new informational alert Rubeus tool execution (be12107d-1056-11ea-874c-8c8590c9ccd1) - added a new informational alert Process discovery via ps (c5ece13d-a2ff-465c-af4c-0424ae00559f) - added a new informational alert Persistence through service registration (c69ed984-a260-4ba9-990f-bc762a4a3223) - added a new informational alert Possible data destruction via dd (c7492f51-dbb6-4973-bdd4-4b482f4c3497) - added a new informational alert Network share discovery via command-line tool (c8a48667-d44e-4ffb-b6f7-2b42a3bf6328) - added a new informational alert Shell binary copied to another location (cd582eaf-1497-4bbd-9361-79c7a18050fa) - added a new informational alert Possible network service discovery via command-line tool (d2f959f3-d463-4d73-92bf-4c3664a5d956) - added a new informational alert Hidden directory creation (d4049817-ff73-460a-b752-21c86c6efdc8) - added a new informational alert Network configuration discovery (d69c1be0-a351-469d-a47c-34e1f0562690) - added a new informational alert Mounted NFS share discovery (de770795-9c63-463f-a7bd-427b21807b28) - added a new informational alert Security services stopped (e126fe04-a77a-46d7-9b49-f032b20b828e) - added a new informational alert Interrupt trap registration (e74fcf13-6b1e-48ca-8b43-a50dacf9ecf2) - added a new informational alert Password complexity enumeration (e86d9dc7-e59d-44d0-a611-5480d390eff0) - added a new informational alert Base64 encoding used (e8ffb33b-f1a8-4687-9ad7-cd2654d73b4f) - added a new informational alert Compressed archive created using tar (e9e007db-a8a7-4ae5-b758-5cacbe0ab46e) - added a new informational alert Logged in user enumeration via command-line (f47ea4fa-0265-4e3d-b65b-213a24493c71) - added a new informational alert Kerberos brute-force attack using Kerbrute (f8836c4f-0a03-11ea-84d4-acde48001122) - added a new informational alert Improved detection logic for a BIOC rule: Process termination by WMI (5c93679e-ea6c-4b88-8ba9-24446f6665dd) - improved detection logic, and changed metadata Changed metadata for a BIOC rule: Commonly-abused process spawns from Scripted Diagnostics Host (f1c690ce-5475-4d44-8d68-5e0ce2882b1a) - changed metadata   January 26, 2020 Release Increased the severity to high for 2 BIOC rules: Command-line arguments match Mimikatz execution (5f426ff8-fefa-4a17-91f2-25bd081c0a7a) - increased the severity to high, and changed metadata Kerberos service ticket request in PowerShell command (90e50124-8bf2-4631-861e-4b3e1766af5f) - increased the severity to high, and changed metadata Increased the severity to medium for 7 BIOC rules: PsExec execution EulaAccepted flag added to the Registry (076f18f5-7b94-45ec-b880-bf3827ae53de) - improved detection logic, increased the severity to medium, and changed metadata LOLBAS executable injects into another process (c8ad0223-2018-11ea-a080-8c8590c9ccd1) - improved detection logic, increased the severity to medium, and changed metadata Modification of password filter DLL(s) Registry key (ea98601c-e552-4b9b-8164-f085a38d383d) - improved detection logic, increased the severity to medium, and changed metadata Kerberos ticket forging using Impacket ticketer (08222430-105d-11ea-8d11-8c8590c9ccd1) - increased the severity to medium, and changed metadata Scripting engine injects code to a process (1f985402-f4a4-4132-b74b-18a04a3620cd) - improved detection logic, increased the severity to medium, and changed metadata Executable moved to Windows system folder (045190df-f5ab-491a-b214-199dc17f9e3b) - improved detection logic, increased the severity to medium, and changed metadata Reverse shell using PowerShell (9d4f3b07-77ea-4d29-904c-c2b485ebc113) - improved detection logic, increased the severity to medium, and changed metadata Increased the severity to low for 3 BIOC rules: Script file added to startup-related Registry keys (1db69ccd-b068-40b1-aeec-ce987021cdfc) - improved detection logic, increased the severity to low, and changed metadata Accessing Linux bash history file (cb05480f-17d8-4138-9902-f0f9fb50b671) - improved detection logic, increased the severity to low, and changed metadata Accessing Linux bash history file using bash commands (cb05480f-17d8-4138-9992-f0f9fb50b671) - increased the severity to low, and changed metadata Improved detection logic for a low-severity BIOC rule: Dumping Registry hives with passwords (824a3186-b262-4e01-b45c-35cca8efa233) - improved detection logic, and changed metadata Improved detection logic for an informational BIOC rule: Regsvr32 may have run code from an untrusted source (41fe171e-5b79-4b15-a3c1-18f015dddd38) - improved detection logic, and changed metadata Added 5 new informational BIOC rules: Fltmc.exe used to unload filter driver (a2dcfb49-57eb-4aa8-8128-d7ec307d4d18) - added a new informational alert Scripting engine creates an Alternate Data Stream (ADS) (76edcbf3-4f54-45e2-abc3-b7b8725d5658) - added a new informational alert PsExec executed with plain-text credentials in command line (a783f9ec-30b3-41be-a8f8-7bba9553dc32) - added a new informational alert Non-PowerShell process loading a known PowerShell DLL (d2d23fdd-5fcb-4483-a14e-a187e87a58c7) - added a new informational alert Bypassing Windows UAC using sysprep (dbefa4ae-3797-11ea-a926-f218983c2a51) - added a new informational alert   January 12, 2020 Release Updated the names and descriptions for multiple BIOCs Where names are concerned - only capitalization changes were made   January 5, 2020 Release Increased the severity to medium for 2 BIOC rules: Encoded information using Windows certificate management tool (ed18908a-2d6a-4d7d-a754-0a8ce32051a1) - increased severity to medium, improved detection logic, and changed metadata Manipulation of netsh helper DLLs Registry keys ( 79d203ef-e417-4c8d-87c8-776c6ec4967f) -  increased severity to medium, improved detection logic, and changed metadata Increased the severity to low for a BIOC rule: Manipulation of MMC Registry configuration ( 6b29c2d9-4675-426c-b5f2-67f93c5c0ac4) -  increased severity to low, and changed metadata Added 4 new informational BIOCs: Scripting engine reads document files from local system ( 80956b85-286b-4b3a-9adf-355a18484ab8) -  added a new informational alert Unsigned process reads document files from local system ( 0b13ab84-47d7-4fae-a764-699a646fffd1) -  added a new informational alert Scripting process reads Outlook data files ( e1ffaea1-c6eb-45ad-83aa-c7b40e3a7cb9) -  added a new informational alert Scripting engine creates a compressed file under a suspicious folder ( e3f936b0-3fc1-4305-a02b-f5af1ae38abf) -  added a new informational alert Deleted a BIOC rule: Bypassing Windows UAC using disk cleanup ( ec03c0fd-03df-4963-b5c7-e665c853a6cd) - removed the alert ... View more

Hunt down and stop stealthy attacks by unifying network, endpoint, and cloud data. ... View more