Cortex XDR Articles
cancel
Showing results for 
Search instead for 
Did you mean: 
Featured Article
Cortex XDR Content Release Notes November 28, 2021 Release: Changed metadata of 2 High Analytics BIOCs: A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - changed metadata of a High Analytics BIOCs Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) - changed metadata of a High Analytics BIOCs Changed metadata of a High Analytics Alert: Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - changed metadata of a High Analytics Alert Increased the severity to Medium for an Analytics BIOC: Execution of renamed lolbin (d2600df6-4489-4ad6-b92b-0b560f958d57) - increased the severity to Medium, and improved detection logic Improved logic of 4 Medium Analytics BIOCs: Script file added to startup-related Registry keys (9dee6c7b-1df0-4eb2-9db2-035f70e7c9d7) - improved logic of a Medium Analytics BIOCs Possible AWS Instance Metadata Service (IMDS) Abuse (39ea8f0c-d0d7-4470-b373-aa144394e579) - improved logic of a Medium Analytics BIOCs Remote WMI process execution (65c55916-23c3-4d1e-9e3d-e839c9c4b70f) - improved logic of a Medium Analytics BIOCs Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOCs Changed metadata of 2 Medium Analytics BIOCs: Reverse SSH tunnel to external domain/ip (0098b910-5056-4ce9-988a-983dd0071c5a) - changed metadata of a Medium Analytics BIOCs Execution of the Hydra Linux password brute-force tool (90010a1e-59b9-42a2-b768-2778a666f7a3) - changed metadata of a Medium Analytics BIOCs Removed an old Medium Analytics BIOC: Execution of renamed lolbin (fdb82a70-8f9a-11ea-9918-88e9fe502c1f) - removed an old Medium alert Improved logic of a Medium Analytics Alert: Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) - improved logic of a Medium Analytics Alert Changed metadata of a Medium Analytics Alert: Remote account enumeration (7ee73b65-466e-4d4d-b2a6-0058f11b442d) - changed metadata of a Medium Analytics Alert Increased the severity to Low for an Analytics BIOC: A cloud identity executed an API call from an unusual country (19c743b0-99ca-400c-b386-bcc99d846582) - increased the severity to Low, and improved detection logic Decreased the severity to Low for an Analytics BIOC: WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - decreased the severity to Low, and improved detection logic Added 3 new Low Analytics BIOCs: WmiPrvSe.exe Rare Child Command Line - Test (940d6895-b1e1-4bcc-9325-ccd1169574a9) - added a new Low alert Unsigned and unpopular process performed a DLL injection - Multi Severity (5396ebed-c7ef-4462-a02b-9cf7232b27b8) - added a new Low alert Unsigned and unpopular process performed an injection - Multi Severity (6bcd74bb-6301-4f52-9a9f-1b38e6a54342) - added a new Low alert Improved logic of 5 Low Analytics BIOCs: Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - improved logic of a Low Analytics BIOCs Rare security product signed executable executed in the network (f9e9ff14-df6e-4ed4-a15d-326bd444199b) - improved logic of a Low Analytics BIOCs Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - improved logic of a Low Analytics BIOCs Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - improved logic of a Low Analytics BIOCs UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - improved logic of a Low Analytics BIOCs Changed metadata of 2 Low Analytics BIOCs: SUID/GUID permission discovery (3f90bf2c-05bb-4916-8e70-3fe7a81ea23d) - changed metadata of a Low Analytics BIOCs Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs Improved logic of 5 Low Analytics Alerts: Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alerts Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alerts Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - improved logic of a Low Analytics Alerts Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts Changed metadata of 2 Low Analytics Alerts: Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - changed metadata of a Low Analytics Alerts Possible external RDP Brute-Force (f774f787-6763-4f3c-bc24-46d3183d26fe) - changed metadata of a Low Analytics Alerts Decreased the severity to Informational for a BIOC: Permission groups discovery via ldapsearch (c72123f7-2612-4797-a919-3ab9511fd5e6) - decreased the severity to Informational Added 4 new Informational Analytics BIOCs: VPN login by a service account (5430df85-d0ff-4b41-8683-6ad6bed1b657) - added a new Informational alert Signed process performed an unpopular DLL injection - Multi Severity (9e699960-30e7-4b6e-bb71-30cdbf635307) - added a new Informational alert Signed process performed an unpopular injection - Multi Severity (365bfca2-a3e1-4a44-9487-1353903a6c61) - added a new Informational alert VPN login with a machine account (9818431a-c039-49eb-a93c-8731c7f48fec) - added a new Informational alert Improved logic of 5 Informational Analytics BIOCs: Rare AppID usage for port to rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs Uncommon GetClipboardData API function invocation of a possible information stealer (086617b1-eaea-4b50-9712-318faeb71c10) - improved logic of an Informational Analytics BIOCs Recurring access to rare domain categorized as malicious (8c2e83de-5071-4b38-8153-f130e6eee885) - improved logic of an Informational Analytics BIOCs Possible use of a networking driver for network sniffing (335fb03a-3c85-4029-8033-ec575b3479ae) - improved logic of an Informational Analytics BIOCs A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - improved logic of an Informational Analytics BIOCs Changed metadata of 8 Informational Analytics BIOCs: C2 from contextual causality signal (f53f53ae-4ccc-11ea-9102-88e9fe502c1f) - changed metadata of an Informational Analytics BIOCs WebDAV drive mounted from net.exe over HTTPS (233491ca-e954-11e9-90bd-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs Suspicious External RDP Login (1d94db42-4371-4b62-8218-c5b338fe6e02) - changed metadata of an Informational Analytics BIOCs First session from external IP to vCenter (4ad03760-f701-4f40-b01f-d1ddefda4002) - changed metadata of an Informational Analytics BIOCs Commonly abused AutoIT script drops an executable file to disk (267a6168-f45b-4274-9c78-7519395f47d4) - changed metadata of an Informational Analytics BIOCs Rare SMTP/S Session (4a634ad4-e954-11e9-b86b-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs A remote service was created via RPC over SMB (f33c6ecc-cb20-4f2a-8bf8-869d21f18b0e) - changed metadata of an Informational Analytics BIOCs Suspicious remote execution from a vCenter server (6213c66f-e269-4d16-9db7-86015b5a2f4d) - changed metadata of an Informational Analytics BIOCs Added a new Informational Analytics Alert: Port Scan with partial connections (ab93cb66-1d50-4f1f-a840-15d9d7d232b8) - added a new Informational alert Changed metadata of 6 Informational Analytics Alerts: Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - changed metadata of an Informational Analytics Alerts Interactive local account enumeration (d4608074-aafc-49cc-aa04-292c0a87332e) - changed metadata of an Informational Analytics Alerts Random-Looking Domain Names v2 (3db83477-0c4d-44ac-bc64-dbfe50c845c4) - changed metadata of an Informational Analytics Alerts Weakly-Encrypted Kerberos Ticket Requested v2 (4afa8fa6-281e-4c81-a10e-b61d7de11cc6) - changed metadata of an Informational Analytics Alerts Brute-force attempt on a local account (417dab31-55ab-4311-8ed7-29373fed752d) - changed metadata of an Informational Analytics Alerts A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - changed metadata of an Informational Analytics Alerts   November 21, 2021 Release: Improved logic of 2 High Analytics BIOCs: Cloud compute remote command execution (8874d560-5469-413b-bb9c-07a870f478db) improved logic of a High Analytics BIOCs Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) improved logic of a High Analytics BIOCs Improved logic of 6 Medium Analytics BIOCs: Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) improved logic of a Medium Analytics BIOCs Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) improved logic of a Medium Analytics BIOCs External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) improved logic of a Medium Analytics BIOCs Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) improved logic of a Medium Analytics BIOCs LDAP search query from an unpopular and unsigned process (64472a41-9670-4626-8926-98b713328ddf)  improved logic of a Medium Analytics BIOCs Non-browser failed access to a pastebin-like site (be47eb8c-3407-46d6-ad35-2961f3f669b0) improved logic of a Medium Analytics BIOCs improved logic of 2 Medium Analytics Alerts: An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) improved logic of a Medium Analytics Alerts Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) improved logic of a Medium Analytics Alerts Increased the severity to Low for an Analytics BIOC: Suspicious LDAP search query executed (95ffd373-d208-4fae-8d1e-adfeca7b9fb5) increased the severity to Low, and improved detection logic Improved logic of 13 Low Analytics BIOCs: Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) improved logic of a Low Analytics BIOCs GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) improved logic of a Low Analytics BIOCs AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) improved logic of a Low Analytics BIOCs Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) improved logic of a Low Analytics BIOCs Remote DCOM command execution (e5e3c27a-a0c5-49b7-8143-5012d1180d2c) improved logic of a Low Analytics BIOCs An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) improved logic of a Low Analytics BIOCs Suspicious access to shadow file (e4b279f9-3e47-4906-a9d3-4b2a7550da04) improved logic of a Low Analytics BIOCs Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) improved logic of a Low Analytics BIOCs Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) improved logic of a Low Analytics BIOCs AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) improved logic of a Low Analytics BIOCs AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) improved logic of a Low Analytics BIOCs AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) improved logic of a Low Analytics BIOCs Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) improved logic of a Low Analytics BIOCs Increased the severity to Low for an Analytics Alert: Suspicious reconnaissance using LDAP (72a78521-6907-40c0-90da-5c1a733a8ed6) increased the severity to Low, and improved detection logic Improved logic of 2 Low Analytics Alerts: IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) improved logic of a Low Analytics Alerts Cloud identity performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) improved logic of a Low Analytics Alerts Added 3 new Informational Analytics BIOCs: First VPN access from ASN in organization (4f94ffc0-6f8c-411b-a0ca-e0fb65ee8a5b) added a new Informational alert VPN access with a new operating system for a user (0973136b-a66a-4ad1-ad9c-068971bfcbb8) added a new Informational alert First VPN access from a country in organization (e143bc60-67d0-45e8-b0cb-682ecf82a04d) added a new Informational alert Improved logic of 70 Informational Analytics BIOCs Changed metadata of 2 Informational Analytics BIOCs: DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) changed metadata of an Informational Analytics BIOCs Screensaver process executed from Users or temporary folder (463d34d4-d448-40f2-8093-6ce58cf2bdbb) changed metadata of an Informational Analytics BIOCs Added a new Informational Analytics Alert: Possible LDAP enumeration by unsigned process-multi severity (85c187ec-80d1-464e-ab1e-a9aa5af7f191) added a new Informational alert Improved logic of 2 Informational Analytics Alerts: Multiple suspicious user accounts were created (b60687dc-f312-11eb-9f0a-faffc26aac4a) improved logic of an Informational Analytics Alerts Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) improved logic of an Informational Analytics Alerts   November 15, 2021 Release: Improved logic of 2 High Analytics BIOCs: Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOCs Cloud compute remote command execution (8874d560-5469-413b-bb9c-07a870f478db) - improved logic of a High Analytics BIOCs Improved logic of a Medium BIOC: Office process spawned with suspicious command-line arguments (29f7499b-2464-479d-9e49-10911bc02945) improved logic of a Medium BIOC Improved logic of 3 Medium Analytics BIOCs: External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) improved logic of a Medium Analytics BIOCs Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) improved logic of a Medium Analytics BIOCs Suspicious Encrypting File System Remote call (EFSRPC) to domain controller (82a37634-c112-4dd9-8c16-332855d96c30) improved logic of a Medium Analytics BIOCs Improved logic of 4 Medium Analytics Alerts: Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) improved logic of a Medium Analytics Alerts An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) improved logic of a Medium Analytics Alerts Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) improved logic of a Medium Analytics Alerts Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) improved logic of a Medium Analytics Alerts increased the severity to Low for an Analytics BIOC: Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) increased the severity to Low, and improved detection logic Improved logic of 12 Low Analytics BIOCs: UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) improved logic of a Low Analytics BIOCs Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) improved logic of a Low Analytics BIOCs AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) improved logic of a Low Analytics BIOCs Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) improved logic of a Low Analytics BIOCs AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) improved logic of a Low Analytics BIOCs Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) improved logic of a Low Analytics BIOCs AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) improved logic of a Low Analytics BIOCs Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) improved logic of a Low Analytics BIOCs AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) improved logic of a Low Analytics BIOCs Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) improved logic of a Low Analytics BIOCs An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) improved logic of a Low Analytics BIOCs GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) improved logic of a Low Analytics BIOCs Improved logic of 5 Low Analytics Alerts: IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) improved logic of a Low Analytics Alerts Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) improved logic of a Low Analytics Alerts Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) improved logic of a Low Analytics Alerts Cloud identity performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) improved logic of a Low Analytics Alerts Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) improved logic of a Low Analytics Alerts Decreased the severity to Informational for an Analytics BIOC: Possible use of a networking driver for network sniffing (335fb03a-3c85-4029-8033-ec575b3479ae) decreased the severity to Informational, and improved detection logic Added 6 new Informational Analytics BIOCs: A disabled user attempted to log in to a VPN (2a092ebe-ed9a-4eaa-bdcc-4b378c4ce4d7) added a new Informational alert MSI accessed a web page running a server-side script (afb57884-36f1-4127-b1ac-43009c32899b) added a new Informational alert DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) added a new Informational alert First VPN access from ASN for user (a8a4d03b-d016-4e67-a497-c0388e08adc7) added a new Informational alert A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) added a new Informational alert Executable created to disk by lsass.exe (b2f18102-e247-4986-8681-029741ebbfd5) added a new Informational alert Improved logic of 68 Informational Analytics BIOCs Added a new Informational Analytics Alert: Brute-force attempt on a local account (417dab31-55ab-4311-8ed7-29373fed752d) added a new Informational alert Improved logic of 2 Informational Analytics Alerts: Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) improved logic of an Informational Analytics Alerts Random-Looking Domain Names v2 (3db83477-0c4d-44ac-bc64-dbfe50c845c4) improved logic of an Informational Analytics Alerts   November 07, 2021 Release: Increased the severity to Medium for an Analytics BIOC: Uncommon SetWindowsHookEx API invocation of a possible keylogger (09cf18c8-e607-44f4-bb06-1dfde6163839) - increased the severity to Medium, and improved detection logic Improved logic of a Medium Analytics BIOC: Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOC Improved logic of 2 Medium Analytics Alerts: New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Medium Analytics Alerts Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) - improved logic of a Medium Analytics Alerts Added a new Low Analytics BIOC: Suspicious access to shadow file (e4b279f9-3e47-4906-a9d3-4b2a7550da04) - added a new Low alert Improved logic of 2 Low Analytics BIOCs: Uncommon Security Support Provider (SSP) registered via a registry key (3d1283d0-409c-4d95-8995-dcc7b1ab23e1) - improved logic of a Low Analytics BIOCs Rare SSH Session (85f62ab8-e953-11e9-beca-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs Improved logic of a Low Analytics Alert: Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alert Added 2 new Informational Analytics BIOCs: Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - added a new Informational alert Hiding a user as a computer account (eeb7b678-3c9b-11ec-879d-acde48001122) - added a new Informational alert Improved logic of 3 Informational Analytics BIOCs: Rare AppID usage for port to rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs Rare SMTP/S Session (4a634ad4-e954-11e9-b86b-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs   October 31, 2021 Release: Improved logic of 2 High Analytics BIOCs: A Successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - improved logic of a High Analytics BIOCs A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - improved logic of a High Analytics BIOCs Added a new Medium Analytics BIOC: Possible Microsoft process masquerading (e0a99ea0-977d-4646-b9d9-26e9e7a4341c) - added a new Medium alert Changed metadata of 2 Medium Analytics BIOCs: Possible new DHCP server (e5afa116-5041-4ed9-9d0c-18eaac133173) - changed metadata of a Medium Analytics BIOCs Execution of the Hydra Linux password brute-force tool (90010a1e-59b9-42a2-b768-2778a666f7a3) - changed metadata of a Medium Analytics BIOCs Improved logic of 9 Low Analytics BIOCs: SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - improved logic of a Low Analytics BIOCs SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of a Low Analytics BIOCs First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of a Low Analytics BIOCs Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - improved logic of a Low Analytics BIOCs Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - improved logic of a Low Analytics BIOCs SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - improved logic of a Low Analytics BIOCs Elevation to SYSTEM via services (a1962f05-c1da-4765-8e4a-59729c70dde0) - improved logic of a Low Analytics BIOCs A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - improved logic of a Low Analytics BIOCs Rare Unsigned Process Spawned by Office Process Under Suspicious Directory (dff03970-bf7a-11ea-86c7-acde48001122) - improved logic of a Low Analytics BIOCs Improved logic of 2 Low Analytics Alerts: Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alerts Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts Changed metadata of a Low Analytics Alert: NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - changed metadata of a Low Analytics Alert Decreased the severity to Informational for a BIOC: Kernel modules loaded via command-line tool (49dbb669-e1f4-4ca7-a7e4-36478b780e74) - decreased the severity to Informational Added a new Informational BIOC: An executable compiled with a py2exe-like program was executed (5a1516d6-9082-4c19-8c03-8c70ddc5ce7f) - added a new Informational alert Improved logic of an Informational BIOC: WinPmem Forensics Tool (b66e6a72-09fd-42ad-98fe-a866907c593f) - improved logic of an Informational BIOC Removed an old Informational BIOC: Execution of a password brute-force tool (5271e598-1eca-4abb-8f96-803e7674ff61) - removed an old Informational alert Decreased the severity to Informational for an Analytics BIOC: Administrator groups enumerated via LDAP (ab78c189-98f0-4646-b67b-0ce05576ddbf) - decreased the severity to Informational Added 5 new Informational Analytics BIOCs: New process created via a WMI call (6d726469-71ac-4741-9b41-abd75259ff74) - added a new Informational alert Suspicious process accessed certificate files (21df20db-09cb-4bc4-b7ea-c6b1cb2e9667) - added a new Informational alert Rare signature signed executable executed in the network (c3ce1512-5a5b-4dca-8bd7-0d06845311ee) - added a new Informational alert PowerShell pfx certificate extraction (1195bbe0-884c-4f4c-b1cf-4c8288cbeffc) - added a new Informational alert Rare AppID usage for port to rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - added a new Informational alert Improved logic of 3 Informational Analytics BIOCs: First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOCs Ping to localhost from an uncommon, unsigned parent process (91d8831e-18ed-48b3-a316-f5091d647738) - improved logic of an Informational Analytics BIOCs SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - improved logic of an Informational Analytics BIOCs Decreased the severity to Informational for an Analytics Alert: Possible LDAP enumeration by unsigned process (12540bdc-b34f-4190-880b-40cb1cda0618) - decreased the severity to Informational Added a new Informational Analytics Alert: Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - added a new Informational alert October 24, 2021 Release: Improved logic of 2 High Analytics BIOCs: Cloud compute remote command execution (8874d560-5469-413b-bb9c-07a870f478db) - improved logic of a High Analytics BIOCs Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOCs Improved logic of 2 Medium Analytics BIOCs: Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOCs External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - improved logic of a Medium Analytics BIOCs Increased the severity to Medium for an Analytics Alert: Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - increased the severity to Medium, and improved detection logic Improved logic of a Medium Analytics Alert: An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - improved logic of a Medium Analytics Alert Added 4 new Low Analytics BIOCs: Certutil pfx parsing (3719af79-bdde-4c84-9277-cbf41c86cd39) - added a new Low alert Possible use of a networking driver for network sniffing (335fb03a-3c85-4029-8033-ec575b3479ae) - added a new Low alert Elevation to SYSTEM via services (a1962f05-c1da-4765-8e4a-59729c70dde0) - added a new Low alert A suspicious process enrolled for a certificate (4cbef8f8-ec99-40d1-9b8b-bfbd3cda5f4b) - added a new Low alert Improved logic of 12 Low Analytics BIOCs: AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - improved logic of a Low Analytics BIOCs AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - improved logic of a Low Analytics BIOCs GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - improved logic of a Low Analytics BIOCs AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - improved logic of a Low Analytics BIOCs Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - improved logic of a Low Analytics BIOCs Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - improved logic of a Low Analytics BIOCs Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - improved logic of a Low Analytics BIOCs AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - improved logic of a Low Analytics BIOCs Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - improved logic of a Low Analytics BIOCs Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - improved logic of a Low Analytics BIOCs An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - improved logic of a Low Analytics BIOCs Interactive login by a machine account (1114b340-fc05-4ad0-925d-6c2867d2b5d9) - improved logic of a Low Analytics BIOCs Added 2 new Low Analytics Alerts: A user connected a new USB storage device to multiple hosts (09214199-d414-486e-bcf5-dc5034b2c424) - added a new Low alert NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - added a new Low alert Improved logic of 6 Low Analytics Alerts: Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts Cloud identity performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of a Low Analytics Alerts Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of a Low Analytics Alerts Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alerts Possible LDAP enumeration by unsigned process (12540bdc-b34f-4190-880b-40cb1cda0618) - improved logic of a Low Analytics Alerts IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alerts Changed metadata of a Low Analytics Alert: Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - changed metadata of a Low Analytics Alert Added a new Informational BIOC: Credential dumping via LaZagne (8e9e0996-eb08-48b2-a234-730c8227bbdd) - added a new Informational alert Added 4 new Informational Analytics BIOCs: Uncommon GetClipboardData API function invocation of a possible information stealer (086617b1-eaea-4b50-9712-318faeb71c10) - added a new Informational alert A user created a pfx file for the first time (5ddac38b-51e2-48c4-9fb7-43144bc3a148) - added a new Informational alert Possible Email collection using Outlook RPC (d79e5210-e386-4bb6-aff9-c33afb3ba9d6) - added a new Informational alert Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - added a new Informational alert Improved logic of 69 Informational Analytics BIOCs: Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs A user connected a new USB storage device to a host (43c2c43d-3c3c-4a16-b06c-3ad5de1fb3be) - improved logic of an Informational Analytics BIOCs Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOCs A cloud identity connected from a new country (19c743b0-99ca-400c-b386-bcc99d846582) - improved logic of an Informational Analytics BIOCs External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - improved logic of an Informational Analytics BIOCs GCP Firewall Rule creation (a84dbd23-67d0-4851-a73a-7dc7430600cf) - improved logic of an Informational Analytics BIOCs GCP Pub/Sub Topic Deletion (2acac71c-6a19-4b2f-a4d3-b95fa4cab768) - improved logic of an Informational Analytics BIOCs An IAM group was created (af19f0d0-1e67-4327-9528-a1dc496a548f) - improved logic of an Informational Analytics BIOCs Azure Event Hub Authorization rule creation/modification (ba1fb18f-9031-4b7c-9ec3-d029f5e5ee0e) - improved logic of an Informational Analytics BIOCs An AWS RDS Global Cluster Deletion (1b957d24-d4c3-11eb-9122-acde48001122) - improved logic of an Informational Analytics BIOCs Azure Automation Webhook creation (c5393a54-b199-4474-a603-75b276903766) - improved logic of an Informational Analytics BIOCs An Identity accessed a secret from Secret Manager (050cd586-bc43-4586-850d-162c0123ad6e) - improved logic of an Informational Analytics BIOCs AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - improved logic of an Informational Analytics BIOCs IAM enumeration activity executed by an IAM user Identity (037eab86-c495-11eb-8c75-acde48001122) - improved logic of an Informational Analytics BIOCs GCP Storage Bucket Permissions Modification (5ed09b6c-a603-4c5d-8c63-74245e42faed) - improved logic of an Informational Analytics BIOCs AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - improved logic of an Informational Analytics BIOCs GCP IAM Role Deletion (e0fe91e0-6179-4a3d-9d71-95144f4ebb25) - improved logic of an Informational Analytics BIOCs Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - improved logic of an Informational Analytics BIOCs GCP VPC Firewall Rule Deletion (4c47ea31-a67a-4b2f-b88a-154d8aac420b) - improved logic of an Informational Analytics BIOCs GCP IAM Service Account Key Deletion (7a30c221-6450-4c5a-bafc-f6633a5b7f7f) - improved logic of an Informational Analytics BIOCs AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - improved logic of an Informational Analytics BIOCs Azure Automation Runbook Deletion (ba481ed7-9957-489f-a29d-b78f92cc0644) - improved logic of an Informational Analytics BIOCs Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - improved logic of an Informational Analytics BIOCs GCP Service Account deletion (bf134ec2-a907-4f4f-a316-0b68625ff236) - improved logic of an Informational Analytics BIOCs Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - improved logic of an Informational Analytics BIOCs Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - improved logic of an Informational Analytics BIOCs GCP Storage Bucket deletion (d681c6c5-41e7-4042-bd07-7f666889d59c) - improved logic of an Informational Analytics BIOCs GCP Service Account Disable (ee82516d-e047-4172-a427-17e30e037706) - improved logic of an Informational Analytics BIOCs Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - improved logic of an Informational Analytics BIOCs GCP Storage Bucket Configuration Modification (d1ad46ca-4412-445a-a0be-17d9b29880d3) - improved logic of an Informational Analytics BIOCs AWS network ACL rule creation (a04d827e-9c62-4e2e-be28-1308c695446e) - improved logic of an Informational Analytics BIOCs AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - improved logic of an Informational Analytics BIOCs GCP IAM Custom Role Creation (830eb74a-a6a5-4e5c-9890-0f5857408000) - improved logic of an Informational Analytics BIOCs A user connected a USB storage device to a host for the first time (e3bc7997-3aec-4a0c-abc9-bdf744a34f39) - improved logic of an Informational Analytics BIOCs AWS Role Trusted Entity modification (cada381e-8af6-45fa-8c3f-a4e93c4e1885) - improved logic of an Informational Analytics BIOCs GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - improved logic of an Informational Analytics BIOCs GCP Virtual Private Network Route Deletion (db6e96a7-a47a-4ba3-b92c-623713ba3d67) - improved logic of an Informational Analytics BIOCs AWS config resource deletion (7c992418-9687-44ea-8b12-1c680bf1c901) - improved logic of an Informational Analytics BIOCs GCP Service Account creation (f29b6fd5-3da3-4e40-867d-ef8c82d95116) - improved logic of an Informational Analytics BIOCs First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - improved logic of an Informational Analytics BIOCs Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - improved logic of an Informational Analytics BIOCs AWS RDS cluster deletion (818dcc3f-c6e9-4ad5-a7ac-633cb75ebe71) - improved logic of an Informational Analytics BIOCs Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - improved logic of an Informational Analytics BIOCs AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - improved logic of an Informational Analytics BIOCs Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - improved logic of an Informational Analytics BIOCs Azure Storage Account key generated (72443a25-c783-494e-adaa-98cd96a54997) - improved logic of an Informational Analytics BIOCs First cloud API call from a country in organization (575fd23b-30b1-48eb-b94c-c6ef4261e7c1) - improved logic of an Informational Analytics BIOCs GCP Pub/Sub Subscription Deletion (12e3bc4a-69f6-4923-932e-0272621aa21a) - improved logic of an Informational Analytics BIOCs Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - improved logic of an Informational Analytics BIOCs Azure Automation Account Creation (878335a8-daf9-4380-a856-9df94a8f9e8d) - improved logic of an Informational Analytics BIOCs Azure Key Vault modification (c253e0bb-f704-45c8-9abe-ad0ec9345b54) - improved logic of an Informational Analytics BIOCs Azure Automation Runbook Creation/Modification (abeed5ee-9620-4c31-b751-f090b3a82c37) - improved logic of an Informational Analytics BIOCs Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - improved logic of an Informational Analytics BIOCs AWS user creation (242c9abb-1def-4778-ba5e-88817b4dc89f) - improved logic of an Informational Analytics BIOCs MFA device was removed/deactivated from an IAM user (52d74622-2fa5-4eae-b7d0-8eb52e0caaf3) - improved logic of an Informational Analytics BIOCs Azure Blob Container Access Level Modification (28efc491-b0a3-4edc-96ab-15156dec80e4) - improved logic of an Informational Analytics BIOCs IAM User added to an IAM group (440b6ea7-2f9e-4ad1-8443-2586eb796298) - improved logic of an Informational Analytics BIOCs Root user logged in to AWS console (447ef512-2b73-4c8e-b0f4-c85415e7659f) - improved logic of an Informational Analytics BIOCs Aurora DB cluster stopped (37242e95-a845-4043-87d6-ad07edfd7c99) - improved logic of an Informational Analytics BIOCs Azure virtual machine commands execution (6a069681-c378-4b9c-a2e2-0414a64cc36e) - improved logic of an Informational Analytics BIOCs EC2 snapshot attribute has been modification (1c516548-f413-4117-b759-d98d5bec3ed5) - improved logic of an Informational Analytics BIOCs S3 configuration deletion (68ebffe9-ce22-4453-bf44-5cd1affd67a0) - improved logic of an Informational Analytics BIOCs GCP Virtual Private Cloud (VPC) Network Deletion (d9158b41-8de9-4f6d-98b0-3155d4deb092) - improved logic of an Informational Analytics BIOCs AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - improved logic of an Informational Analytics BIOCs GCP Firewall Rule Modification (780f6209-1829-45e2-9ab9-a22999d6ef6e) - improved logic of an Informational Analytics BIOCs GCP Virtual Private Network Route Creation (00e3b67d-2ef2-4341-b017-a6183b7dd8c8) - improved logic of an Informational Analytics BIOCs AWS EC2 instance exported into S3 (c6ad16c5-f2be-46de-9d3b-c44613f46d27) - improved logic of an Informational Analytics BIOCs GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - improved logic of an Informational Analytics BIOCs Improved logic of 3 Informational Analytics Alerts: Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of an Informational Analytics Alerts User collected remote shared files in an archive (de85c5aa-21e8-43d7-af13-3862f787549f) - improved logic of an Informational Analytics Alerts Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - improved logic of an Informational Analytics Alerts October 17, 2021 Release: Removed an old High BIOC: Netcat makes or gets connections (44bf3d02-3081-4222-814f-6d47958c502a) - removed an old High alert Added a new High Analytics BIOC: Netcat makes or gets connections (15d32561-c499-4772-8934-883fcd1cd75f) - added a new High alert Improved logic of 2 Medium Analytics BIOCs: Possible Microsoft module side-loading into Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - improved logic of a Medium Analytics BIOCs LDAP search query from an unpopular and unsigned process (64472a41-9670-4626-8926-98b713328ddf) - improved logic of a Medium Analytics BIOCs Added a new Low Analytics BIOC: Uncommon SetWindowsHookEx API invocation of a possible keylogger (09cf18c8-e607-44f4-bb06-1dfde6163839) - added a new Low alert Improved logic of a Low Analytics BIOC: Administrator groups enumerated via LDAP (ab78c189-98f0-4646-b67b-0ce05576ddbf) - improved logic of a Low Analytics BIOC Removed an old Low Analytics BIOC: Suspicious LDAP search query executed (95ffd373-d208-4fae-8d1e-adfeca7b9fb5) - removed an old Low alert Improved logic of a Low Analytics Alert: Possible LDAP enumeration by unsigned process (12540bdc-b34f-4190-880b-40cb1cda0618) - improved logic of a Low Analytics Alert Removed 59 old Informational BIOCs Added a new Informational Analytics BIOC: A LOLBIN was copied to a different location (55c8b498-1f5e-4abf-9dfc-ca8bf0bcb3b9) - added a new Informational alert October 11, 2021 Release: Added 2 new Medium Analytics BIOCs: The CA policy EditFlags was queried (3c01fdf3-0cf3-49b6-b08f-b40df3c2e498) - added a new Medium alert Discovery of misconfigured certificate templates using LDAP (7dbb9366-8b94-4a9f-bc18-f02fbe7b1433) - added a new Medium alert Improved logic of a Medium Analytics BIOC: LDAP search query from an unpopular and unsigned process (64472a41-9670-4626-8926-98b713328ddf) - improved logic of a Medium Analytics BIOC Decreased the severity to Low for an Analytics BIOC: Uncommon Security Support Provider (SSP) registered via a registry key (3d1283d0-409c-4d95-8995-dcc7b1ab23e1) - decreased the severity to Low, and improved detection logic Improved logic of a Low Analytics BIOC: Suspicious LDAP search query executed (95ffd373-d208-4fae-8d1e-adfeca7b9fb5) - improved logic of a Low Analytics BIOC Improved logic of a Low Analytics Alert: Possible LDAP enumeration by unsigned process (12540bdc-b34f-4190-880b-40cb1cda0618) - improved logic of a Low Analytics Alert Removed an old Low Analytics Alert: Suspicious reconnaissance using LDAP (72a78521-6907-40c0-90da-5c1a733a8ed6) - removed an old Low alert Added a new Informational Analytics BIOC: A suspicious process queried AD CS objects via LDAP (69bfcbc2-04a1-400b-9516-14c987fedb05) - added a new Informational alert Improved logic of an Informational Analytics BIOC: System profiling WMI query execution (cf32631b-369a-451d-91ca-d2bc5b903363) - improved logic of an Informational Analytics BIOC     October 03, 2021 Release: Added 3 new High Analytics BIOCs: A Successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - added a new High alert A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - added a new High alert A Successful login from TOR (ec9124e2-f2c3-4141-bdfa-4c707dfae296) - added a new High alert Added a new High Analytics Alert: Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - added a new High alert Added 4 new Medium Analytics BIOCs: LDAP search query from an unpopular and unsigned process (64472a41-9670-4626-8926-98b713328ddf) - added a new Medium alert Possible Microsoft module side-loading into Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - added a new Medium alert Uncommon Security Support Provider (SSP) registered via a registry key (3d1283d0-409c-4d95-8995-dcc7b1ab23e1) - added a new Medium alert Phantom DLL Loading (69ba5103-2954-4175-87b7-3a622ec07255) - added a new Medium alert Improved logic of 5 Medium Analytics BIOCs: Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - improved logic of a Medium Analytics BIOCs Possible new DHCP server (e5afa116-5041-4ed9-9d0c-18eaac133173) - improved logic of a Medium Analytics BIOCs Non-browser failed access to a pastebin-like site (be47eb8c-3407-46d6-ad35-2961f3f669b0) - improved logic of a Medium Analytics BIOCs Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - improved logic of a Medium Analytics BIOCs Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOCs Removed an old Medium Analytics BIOC: Recurring access to rare domain categorized as malicious (8c2e83de-5071-4b38-8153-f130e6eee885) - removed an old Medium alert Added a new Medium Analytics Alert: New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - added a new Medium alert Changed metadata of a Medium Analytics Alert: An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - changed metadata of a Medium Analytics Alert Added 3 new Low Analytics BIOCs: Suspicious LDAP search query executed (95ffd373-d208-4fae-8d1e-adfeca7b9fb5) - added a new Low alert Unsigned and unpopular process performed a DLL injection (6cbd636f-6f55-480c-872d-7611840a7f0a) - added a new Low alert Unsigned and unpopular process performed an injection (30f78c0f-4f8b-4969-bb00-809cf72a3eed) - added a new Low alert Improved logic of 3 Low Analytics BIOCs: Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - improved logic of a Low Analytics BIOCs First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of a Low Analytics BIOCs Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOCs Added 2 new Low Analytics Alerts: Possible LDAP enumeration by unsigned process (12540bdc-b34f-4190-880b-40cb1cda0618) - added a new Low alert Suspicious reconnaissance using LDAP (72a78521-6907-40c0-90da-5c1a733a8ed6) - added a new Low alert Improved logic of a Low Analytics Alert: Outlook files accessed by an unsigned process (ef33bda6-d0c5-48ef-95a6-e80c0f19df79) - improved logic of a Low Analytics Alert Changed metadata of a Low Analytics Alert: Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alert Decreased the severity to Informational for an Analytics BIOC: A user connected a new USB storage device to a host (43c2c43d-3c3c-4a16-b06c-3ad5de1fb3be) - decreased the severity to Informational, and improved detection logic Added a new Informational Analytics BIOC: Suspicious active setup registered (8c293cef-3d98-492d-be14-7bff66877bc7) - added a new Informational alert   September 19, 2021 Release: Improved logic of 2 High Analytics BIOCs: Cloud compute remote command execution (8874d560-5469-413b-bb9c-07a870f478db) - improved logic of a High Analytics BIOCs Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOCs Removed an old Medium BIOC: Script file added to startup-related Registry keys (1db69ccd-b068-40b1-aeec-ce987021cdfc) - removed an old Medium alert Added a new Medium Analytics BIOC: Script file added to startup-related Registry keys (9dee6c7b-1df0-4eb2-9db2-035f70e7c9d7) - added a new Medium alert Improved logic of 2 Medium Analytics BIOCs: External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - improved logic of a Medium Analytics BIOCs Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOCs Improved logic of a Medium Analytics Alert: An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - improved logic of a Medium Analytics Alert Improved logic of 11 Low Analytics BIOCs: GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - improved logic of a Low Analytics BIOCs AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - improved logic of a Low Analytics BIOCs An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - improved logic of a Low Analytics BIOCs Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - improved logic of a Low Analytics BIOCs AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - improved logic of a Low Analytics BIOCs Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - improved logic of a Low Analytics BIOCs Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - improved logic of a Low Analytics BIOCs Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - improved logic of a Low Analytics BIOCs AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - improved logic of a Low Analytics BIOCs Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - improved logic of a Low Analytics BIOCs AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - improved logic of a Low Analytics BIOCs Improved logic of 3 Low Analytics Alerts: IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alerts Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of a Low Analytics Alerts Cloud identity performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of a Low Analytics Alerts Added 2 new Informational BIOCs: Unsigned process accessed a credential locker file (4f7818dc-5c6b-49db-a716-a2dd0094a424) - added a new Informational alert Unsigned process accessed a Thunderbird Mail profiles folder (c9f80771-a56a-4a13-99c9-cbd4a52187ac) - added a new Informational alert Improved logic of 2 Informational BIOCs: Enumeration using net.exe or net1.exe (53edfa8f-b0d3-4960-9a16-98d53be6ae44) - improved logic of an Informational BIOCs Unsigned process reads Chromium credentials file (da3cedf6-9fd3-4e00-b2ca-9cedbd8b098a) - improved logic of an Informational BIOCs Decreased the severity to Informational for an Analytics BIOC: Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - decreased the severity to Informational, and improved detection logic Improved logic of 66 Informational Analytics BIOCs Improved logic of an Informational Analytics Alert: Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of an Informational Analytics Alert August 29, 2021 Release: Removed an old High BIOC: Windows Event Log cleared using wevtutil.exe (938176d0-d14a-49a0-9159-6081627eba03) - removed an old High alert Added 2 new High Analytics BIOCs: Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - added a new High alert Windows Event Log cleared using wevtutil.exe (be2210fb-9884-49e7-8078-6e59c35d925e) - added a new High alert Improved logic of a High Analytics BIOC: Cloud compute remote command execution (8874d560-5469-413b-bb9c-07a870f478db) - improved logic of a High Analytics BIOC Added 4 new Medium Analytics BIOCs: External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - added a new Medium alert Possible DHCP poisoning (e5afa116-5041-4ed9-9d0c-18eaac133173) - added a new Medium alert Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - added a new Medium alert Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - added a new Medium alert Added 2 new Medium Analytics Alerts: Kerberos User Enumeration (a371b533-c9f4-11eb-879e-acde48001122) - added a new Medium alert An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - added a new Medium alert Removed an old Medium Analytics Alert: Kerberos User Enumeration (97b4a03a-24f4-11eb-97dd-acde48001122) - removed an old Medium alert Added 16 new Low Analytics BIOCs: AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - added a new Low alert A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - added a new Low alert Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - added a new Low alert Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - added a new Low alert Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - added a new Low alert Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - added a new Low alert AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - added a new Low alert Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - added a new Low alert Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - added a new Low alert AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - added a new Low alert Administrator groups enumerated via LDAP (ab78c189-98f0-4646-b67b-0ce05576ddbf) - added a new Low alert GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - added a new Low alert An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - added a new Low alert Wscript/Cscript loads .NET DLLs (5844326f-d597-410f-aea0-7d369029b218) - added a new Low alert Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - added a new Low alert AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - added a new Low alert Improved logic of a Low Analytics BIOC: UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - improved logic of a Low Analytics BIOC Added 3 new Low Analytics Alerts: Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - added a new Low alert Cloud identity performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - added a new Low alert IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - added a new Low alert Improved logic of 4 Low Analytics Alerts: Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alerts Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - improved logic of a Low Analytics Alerts Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts Added 2 new Informational BIOCs: Forensics Driver Loaded (a9da7ef7-9708-4a39-b4f1-b17ebbd8b399) - added a new Informational alert WinPmem Forensics Tool (b66e6a72-09fd-42ad-98fe-a866907c593f) - added a new Informational alert Added 66 new Informational Analytics BIOCs: AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - added a new Informational alert GCP Service Account creation (f29b6fd5-3da3-4e40-867d-ef8c82d95116) - added a new Informational alert GCP Virtual Private Cloud (VPC) Network Deletion (d9158b41-8de9-4f6d-98b0-3155d4deb092) - added a new Informational alert AWS user creation (242c9abb-1def-4778-ba5e-88817b4dc89f) - added a new Informational alert S3 configuration was deletion (68ebffe9-ce22-4453-bf44-5cd1affd67a0) - added a new Informational alert An IAM group was created (af19f0d0-1e67-4327-9528-a1dc496a548f) - added a new Informational alert First cloud API call from a country in organization (575fd23b-30b1-48eb-b94c-c6ef4261e7c1) - added a new Informational alert GCP Storage Bucket Configuration Modification (d1ad46ca-4412-445a-a0be-17d9b29880d3) - added a new Informational alert Aurora DB cluster stopped (37242e95-a845-4043-87d6-ad07edfd7c99) - added a new Informational alert IAM enumeration activity executed by an IAM user Identity (037eab86-c495-11eb-8c75-acde48001122) - added a new Informational alert Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - added a new Informational alert An AWS RDS Global Cluster Deletion (1b957d24-d4c3-11eb-9122-acde48001122) - added a new Informational alert Azure Automation Account Creation (878335a8-daf9-4380-a856-9df94a8f9e8d) - added a new Informational alert GCP IAM Custom Role Creation (830eb74a-a6a5-4e5c-9890-0f5857408000) - added a new Informational alert GCP Pub/Sub Topic Deletion (2acac71c-6a19-4b2f-a4d3-b95fa4cab768) - added a new Informational alert AWS CloudWatch log group was deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - added a new Informational alert Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - added a new Informational alert Azure Automation Runbook Deletion (ba481ed7-9957-489f-a29d-b78f92cc0644) - added a new Informational alert AWS CloudWatch log stream was deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - added a new Informational alert Azure Event Hub Authorization rule creation/modification (ba1fb18f-9031-4b7c-9ec3-d029f5e5ee0e) - added a new Informational alert GCP Service Account deletion (bf134ec2-a907-4f4f-a316-0b68625ff236) - added a new Informational alert AWS RDS cluster deletion (818dcc3f-c6e9-4ad5-a7ac-633cb75ebe71) - added a new Informational alert Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - added a new Informational alert First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - added a new Informational alert Azure Automation Webhook creation (c5393a54-b199-4474-a603-75b276903766) - added a new Informational alert GCP VPC Firewall Rule Deletion (4c47ea31-a67a-4b2f-b88a-154d8aac420b) - added a new Informational alert GCP Virtual Private Network Route Deletion (db6e96a7-a47a-4ba3-b92c-623713ba3d67) - added a new Informational alert Root user logged in to AWS console (447ef512-2b73-4c8e-b0f4-c85415e7659f) - added a new Informational alert AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - added a new Informational alert GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - added a new Informational alert GCP Firewall Rule creation (a84dbd23-67d0-4851-a73a-7dc7430600cf) - added a new Informational alert GCP Service Account Disable (ee82516d-e047-4172-a427-17e30e037706) - added a new Informational alert EC2 snapshot attribute has been modification (1c516548-f413-4117-b759-d98d5bec3ed5) - added a new Informational alert Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - added a new Informational alert Azure Automation Runbook Creation/Modification (abeed5ee-9620-4c31-b751-f090b3a82c37) - added a new Informational alert Azure virtual machine commands execution (6a069681-c378-4b9c-a2e2-0414a64cc36e) - added a new Informational alert GCP Storage Bucket Permissions Modification (5ed09b6c-a603-4c5d-8c63-74245e42faed) - added a new Informational alert GCP Firewall Rule Modification (780f6209-1829-45e2-9ab9-a22999d6ef6e) - added a new Informational alert Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - added a new Informational alert Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - added a new Informational alert Azure Blob Container Access Level Modification (28efc491-b0a3-4edc-96ab-15156dec80e4) - added a new Informational alert Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - added a new Informational alert AWS EC2 instance exported into S3 (c6ad16c5-f2be-46de-9d3b-c44613f46d27) - added a new Informational alert GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - added a new Informational alert AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - added a new Informational alert AWS network ACL rule creation (a04d827e-9c62-4e2e-be28-1308c695446e) - added a new Informational alert GCP Virtual Private Network Route Creation (00e3b67d-2ef2-4341-b017-a6183b7dd8c8) - added a new Informational alert AWS config resource deletion (7c992418-9687-44ea-8b12-1c680bf1c901) - added a new Informational alert MFA device was removed/deactivated from an IAM user (52d74622-2fa5-4eae-b7d0-8eb52e0caaf3) - added a new Informational alert External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - added a new Informational alert Azure Storage Account key generated (72443a25-c783-494e-adaa-98cd96a54997) - added a new Informational alert An Identity accessed a secret from Secret Manager (050cd586-bc43-4586-850d-162c0123ad6e) - added a new Informational alert Rare NTLM Usage by User (41374948-45f3-448a-bec2-2efe049aa69f) - added a new Informational alert Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - added a new Informational alert Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - added a new Informational alert GCP Pub/Sub Subscription Deletion (12e3bc4a-69f6-4923-932e-0272621aa21a) - added a new Informational alert AWS Role Trusted Entity modification (cada381e-8af6-45fa-8c3f-a4e93c4e1885) - added a new Informational alert IAM User added to an IAM group (440b6ea7-2f9e-4ad1-8443-2586eb796298) - added a new Informational alert Azure Key Vault modification (c253e0bb-f704-45c8-9abe-ad0ec9345b54) - added a new Informational alert System profiling WMI query execution (cf32631b-369a-451d-91ca-d2bc5b903363) - added a new Informational alert AWS IAM resource group was deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - added a new Informational alert GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - added a new Informational alert GCP IAM Service Account Key Deletion (7a30c221-6450-4c5a-bafc-f6633a5b7f7f) - added a new Informational alert GCP IAM Role Deletion (e0fe91e0-6179-4a3d-9d71-95144f4ebb25) - added a new Informational alert A cloud identity connected from a new country (19c743b0-99ca-400c-b386-bcc99d846582) - added a new Informational alert GCP Storage Bucket deletion (d681c6c5-41e7-4042-bd07-7f666889d59c) - added a new Informational alert Added a new Informational Analytics Alert: Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - added a new Informational alert   August 23, 2021 Release: Added a new High Analytics BIOC: Cloud compute remote command execution (8874d560-5469-413b-bb9c-07a870f478db) - added a new High alert Improved logic of 6 High Analytics BIOCs Increased the severity to Medium for a BIOC: Modification of logon scripts via Registry (c77e2bc0-d77a-4c54-91bc-63f0415c2821) - increased the severity to Medium Removed 2 old Medium BIOCs: Privilege escalation using local named pipe impersonation through DLL (d915cff3-5ce9-493f-9973-808a93ed50ad) - removed an old Medium alert Privilege escalation using local named pipe impersonation (dd0ac223-8aaa-4630-988d-de39eba83d29) - removed an old Medium alert Added 2 new Medium Analytics BIOCs: Suspicious authentication package registered (8beb68b4-a866-494d-a768-c4c391086c66) - added a new Medium alert Suspicious Encrypting File System Remote call (EFSRPC) to domain controller (82a37634-c112-4dd9-8c16-332855d96c30) - added a new Medium alert Improved logic of 44 Medium Analytics BIOCs Improved logic of 9 Medium Analytics Alerts Decreased the severity to Low for a BIOC: Microsoft Office adds a value to autostart Registry key (db0da9c7-b7b6-43ab-a53b-5854b6da9ce5) - decreased the severity to Low Improved logic of 58 Low Analytics BIOCs Removed an old Low Analytics BIOC: External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - removed an old Low alert Improved logic of 16 Low Analytics Alerts Added 2 new Informational Analytics BIOCs: Security tools detection attempt (502d0305-4670-49e3-b62b-2fab82bdda6e) - added a new Informational alert VM Detection attempt (579c1479-a14e-4366-ab09-6bfefe0dc7f7) - added a new Informational alert Improved logic of 24 Informational Analytics BIOCs Improved logic of 3 Informational Analytics Alerts   August 15, 2021 Release: Increased the severity to Medium for an Analytics BIOC: Possible RDP session hijacking using tscon.exe (015570a8-ffce-492b-99a9-e7b83dc8e216) - increased the severity to Medium Added 2 new Medium Analytics BIOCs: Suspicious time provider registered (2055b591-73b7-4a69-8c88-a6d8649d1e7b) - added a new Medium alert Suspicious print processor registered (cf14910d-0c56-48c7-97f2-903f3387ad6b) - added a new Medium alert Improved logic of 3 Medium Analytics BIOCs: Manipulation of netsh helper DLLs Registry keys (02bf3838-23d9-4a6b-a4c9-7b6691663249) - improved logic of a Medium Analytics BIOCs Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - improved logic of a Medium Analytics BIOCs Suspicious unsigned process loads a known PowerShell module (23ac9a23-8a43-4900-95e1-6cdb422dd854) - improved logic of a Medium Analytics BIOCs Increased the severity to Medium for an Analytics Alert: New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - increased the severity to Medium Removed an old Low BIOC: Image File Execution Options Registry key injection by unsigned process (98430360-5b37-465e-acd6-bafa9325110c) - removed an old Low alert Added 2 new Low Analytics BIOCs: PowerShell Initiates a Network Connection to GitHub (8b34f70a-b84d-4d98-aa19-7ee88037e467) - added a new Low alert Image File Execution Options Registry key injection by unsigned process (4588be44-8912-41c5-9a7d-6921691140db) - added a new Low alert Improved logic of 5 Low Analytics BIOCs: External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - improved logic of a Low Analytics BIOCs Unusual process accessed the PowerShell history file (c5e0c7e3-5e55-11eb-9453-acde48001122) - improved logic of a Low Analytics BIOCs Unsigned process creates a scheduled task via file access (f07fd364-9b51-48ec-8225-32ae98a8ffe5) - improved logic of a Low Analytics BIOCs Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - improved logic of a Low Analytics BIOCs UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - improved logic of a Low Analytics BIOCs Decreased the severity to Informational for a BIOC: Possible data destruction via dd (c7492f51-dbb6-4973-bdd4-4b482f4c3497) - decreased the severity to Informational August 08, 2021 Release: Changed metadata of a High BIOC: Kerberos service ticket request in PowerShell command (90e501248bf24631861e4b3e1766af5f) changed metadata of a High BIOC Improved logic of a High Analytics BIOC: Unprivileged process opened a registry hive (9937ddbfbeb949b0ac34e005d53a127b) improved logic of a High Analytics BIOC Removed an old Medium BIOC: Windows certificate management tool makes a network connection (0179177fe5ec4101a238c0372b239afb) removed an old Medium alert Increased the severity to Medium for 3 Analytics BIOCs: WmiPrvSe.exe Rare Child Command Line (f4c5d502e95211e980aa8c8590c9ccd1) increased the severity to Medium, and improved detection logic Scrcons.exe Rare Child Process (f62553d1e95211e981c48c8590c9ccd1) increased the severity to Medium, and improved detection logic PowerShell suspicious flags (4ce1b55945b811ea81bb88e9fe502c1f) increased the severity to Medium, and improved detection logic Improved logic of 5 Medium Analytics BIOCs: Microsoft Office Process Spawning a Suspicious OneLiner (aca7aaa1436111ea8fed88e9fe502c1f) improved logic of a Medium Analytics BIOCs Execution of renamed lolbin (fdb82a708f9a11ea991888e9fe502c1f) improved logic of a Medium Analytics BIOCs LOLBIN connecting to a rare host (4bcc13de20b711eaa54a8c8590c9ccd1) improved logic of a Medium Analytics BIOCs LOLBIN spawned by an Office executable connected to a rare external host (0aad609499a311ea854488e9fe502c1f) improved logic of a Medium Analytics BIOCs RDP Connection to localhost (23679c11e95411e990028c8590c9ccd1) improved logic of a Medium Analytics BIOCs Changed metadata of a Medium Analytics BIOC: Mshta.exe launched with suspicious arguments (0b174006394643b6af3cab400e6c7a87) changed metadata of a Medium Analytics BIOC Improved logic of a Medium Analytics Alert: NTLM Hash Harvesting (3cc30c5c2d7311eba32aacde48001122) improved logic of a Medium Analytics Alert Changed metadata of 2 Low BIOCs: Screensaver process executed from users or temporary folder (e07f68e227bb46fa97b1a7b6b59feb16) changed metadata of a Low BIOCs DLL sideloading attack using Xwizard (2b8385b9ca8346819cab739091ee2da1) changed metadata of a Low BIOCs Removed 2 old Low BIOCs: MSBuild.exe makes a network connection (bb459bb4e8644008a12a10ed4df3d753) removed an old Low alert Visual Basic compiler makes unusual net connection (5ace24876b004582a6316e1ca419c458) removed an old Low alert Added 2 new Low Analytics BIOCs: Rare communication over email ports to external email server by unsigned process (7b424216fe614589bcee67e9e7b267be) added a new Low alert Suspicious process executed with a high integrity level (81e70ab2b1f14a1cbf943929f6d7e1b2) added a new Low alert Improved logic of 5 Low Analytics BIOCs: LOLBIN process executed with a high integrity level (365221fa4c36440f824a43885e9f3a6e) improved logic of a Low Analytics BIOCs Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f9cd04e26891fbe1a01652715) improved logic of a Low Analytics BIOCs Suspicious Process Spawned by Adobe Reader (497d6ba39d4640f4909d05ee574e1f57) improved logic of a Low Analytics BIOCs Suspicious process execution by scheduled task (56bc5f4ce48141de81e4ec618fb1f004) improved logic of a Low Analytics BIOCs Suspicious process accessed a site masquerading as Google (2a868ccfd9cb4efe8dccbcffca46d24b) improved logic of a Low Analytics BIOCs Improved logic of 3 Low Analytics Alerts: Multiple discovery commands (97dd1d4d602a4bc7b39a73fdad3d6053) improved logic of a Low Analytics Alerts NTLM Brute Force on a Service Account (33b7f308fb954d9cafc3a5ca9c7ab50d) improved logic of a Low Analytics Alerts Login Password Spray (3e879bb8641211eb9fa5acde48001122) improved logic of a Low Analytics Alerts Improved logic of an Informational BIOC: Windows Registry Editor being disabled via Registry (7da63563a9bd46b39deb4177d2645851) improved logic of an Informational BIOC Changed metadata of 5 Informational BIOCs: Dllhost.exe makes network connections (d4b8bd1df1fb4fde954733494049c44a) changed metadata of an Informational BIOCs Crash dump file created (e6cb68b97bb34be29b7cd66d560e5a3b) changed metadata of an Informational BIOCs Compiled HTML (help file) makes network connections (858a4ed736c44c439bffd142f300035d) changed metadata of an Informational BIOCs Security Support Provider (SSP) registered via a registry key (2b72b7fd5b134ff1ba5b6b149c76f032) changed metadata of an Informational BIOCs Web server process drops an executable to disk (20a37717dd614fe5a73b80d9fb2a8862) changed metadata of an Informational BIOCs Removed 2 old Informational BIOCs: Service execution via sc.exe (a1c6c171005c403ba60bfb85e6ecb81a) removed an old Informational alert Manipulation of LSA 'Authentication Packages' Registry key (4f133949205d4abfbbf64fc6e48bc6c4) removed an old Informational alert Added 4 new Informational Analytics BIOCs: Commonly abused process launched as a system service (3cbd172e6e2f11ea8d8e88e9fe502c1f) added a new Informational alert Rare SMTP/S Session (4a634ad4e95411e9b86b8c8590c9ccd1) added a new Informational alert WebDAV drive mounted from net.exe over HTTPS (233491cae95411e990bd8c8590c9ccd1) added a new Informational alert Service execution via sc.exe (d25d07fa015c47a6a6a015ff46020cc5) added a new Informational alert Improved logic of an Informational Analytics BIOC: LDAP Traffic from NonStandard Process (5e72a7b439ed466998cab2495088f653) improved logic of an Informational Analytics BIOC   August 01, 2021 Release: Increased the severity to High for 2 BIOCs: Credential dumping via LaZagne (928b756c-8328-4dd8-9b41-5461d590589f) - increased the severity to High Possible C2 via dnscat2 (f9127d2b-3bf1-4d30-9258-d4d4aa0ebbb0) - increased the severity to High Increased the severity to Medium for 15 BIOCs: Possible Firefox browser history and bookmarks collection via command-line tool (59bcaa15-6a26-49a9-b8db-4978b1148f13) - increased the severity to Medium NTLM Credential dumping via RpcPing.exe (6bebf7c5-47a2-4c35-8786-6b64a27a35f5) - increased the severity to Medium WptsExtensions.dll created to disk (4cde444e-aa7f-4f1a-8c75-855c3c9e50e9) - increased the severity to Medium Execution of Fsociety tool pack (9a5b28a6-0a67-4386-9707-e7e4f1791c8a) - increased the severity to Medium WerFault ReflectDebugger key set in Registry (e22a0cab-0e71-408c-bbbc-39bf225df5fc) - increased the severity to Medium Socat/Netcat connects to TOR domain (450e1ab2-22f5-4efd-beb9-ddd81823a5b9) - increased the severity to Medium Clear logs - using dd and /dev/null (d5a156a9-d203-46ca-a53a-6090b173dfe0) - increased the severity to Medium Tampering with the Windows User Account Controls (UAC) configuration (8efda7b1-30fe-49c7-b2b9-9c17f43bc951) - increased the severity to Medium Bypass UAC using the IsolatedCommand Registry value (888395ea-2630-404e-a30c-c1ae4e352631) - increased the severity to Medium Manipulation of Winlogon 'UserInit' autostart Registry key (d6af8739-01f2-4f29-80a0-c1b05d70b874) - increased the severity to Medium PowerShell dumps users and roles from Exchange server (01ac823a-d1fc-4621-8bce-cb78d1dc83a0) - increased the severity to Medium Impersonation using Rubeus tool (0e6a7a3a-1059-11ea-b96d-8c8590c9ccd1) - increased the severity to Medium Manipulation of the sticky keys file (7a201c2e-5b4e-478d-a504-773762bd3c90) - increased the severity to Medium Suspicious printer port creation via Registry (20acf754-7deb-4732-b6f6-56bc88b618db) - increased the severity to Medium DNS reconnaissance or enumeration via DNSRecon (58ee2732-5c4e-468c-a878-4a524d8d5f81) - increased the severity to Medium Removed 2 old Medium BIOCs: Manipulation of netsh helper DLLs Registry keys (79d203ef-e417-4c8d-87c8-776c6ec4967f) - removed an old Medium alert Suspicious SearchProtocolHost.exe parent process (6e717721-732f-44e3-b826-602ae8bb6b67) - removed an old Medium alert Added 2 new Medium Analytics BIOCs: Suspicious SearchProtocolHost.exe parent process (86d04512-5c96-4f87-be1e-dc600e9d60f8) - added a new Medium alert Manipulation of netsh helper DLLs Registry keys (02bf3838-23d9-4a6b-a4c9-7b6691663249) - added a new Medium alert Improved logic of 4 Medium Analytics BIOCs: Windows Installer exploitation for local privilege escalation (d6aeb50b-c3f9-4eb3-9504-636eb17f3a42) - improved logic of a Medium Analytics BIOCs Microsoft Office Process Spawning a Suspicious One-Liner (aca7aaa1-4361-11ea-8fed-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - improved logic of a Medium Analytics BIOCs Commonly abused AutoIT script connects to an external domain (5ce79fc6-a5d3-43d1-a9ff-d8c779958cc9) - improved logic of a Medium Analytics BIOCs Changed metadata of 2 Medium Analytics BIOCs: Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs Changed metadata of a Medium Analytics Alert: DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - changed metadata of a Medium Analytics Alert Increased the severity to Low for 6 BIOCs: Possible Oracle enumeration via tnscmd10g (2cb88b29-27c2-484b-be99-60158b575cf1) - increased the severity to Low Possible Oracle enumeration via Oscanner (81714e7d-a315-11ea-baaf-acde48001122) - increased the severity to Low UDP protocol scanner execution (d985da58-a4c5-4063-984b-357c80021aa1) - increased the severity to Low Collecting audio via PowerShell command (b519acb0-9cda-4a5c-8b36-f8b3533f6607) - increased the severity to Low Nagios enumeration (2f6f3ade-073e-11eb-9c0f-faffc26aac4a) - increased the severity to Low Internet Explorer home page modification (e4cf6b6e-70cc-4b02-a82d-148e10c36f76) - increased the severity to Low Removed an old Low BIOC: System information discovery via psinfo.exe (9eafe6a7-b0fa-4f85-867f-8ef01412e124) - removed an old Low alert Added 7 new Low Analytics BIOCs: LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - added a new Low alert Unsigned process creates a scheduled task via file access (f07fd364-9b51-48ec-8225-32ae98a8ffe5) - added a new Low alert A WMI subscriber was created (5a1964f8-87a0-49d6-bbf2-2c1a5a5eb3e1) - added a new Low alert Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - added a new Low alert Suspicious runonce.exe parent process (b72692c3-9579-4547-b657-43dc4e6be816) - added a new Low alert System information discovery via psinfo.exe (5347ae54-08ba-4cee-81a7-a26016928e27) - added a new Low alert Possible network service discovery via command-line tool (e2e77dfb-d869-405e-ab1f-2a2477c931cc) - added a new Low alert Improved logic of 4 Low Analytics BIOCs: Microsoft Office process spawns a commonly abused process (e15a97e1-466c-11ea-90c6-88e9fe502c1f) - improved logic of a Low Analytics BIOCs Unusual process accessed the PowerShell history file (c5e0c7e3-5e55-11eb-9453-acde48001122) - improved logic of a Low Analytics BIOCs External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - improved logic of a Low Analytics BIOCs UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - improved logic of a Low Analytics BIOCs Removed an old Low Analytics BIOC: PowerShell Initiates a Network Connection to GitHub (8b34f70a-b84d-4d98-aa19-7ee88037e467) - removed an old Low alert Improved logic of a Low Analytics Alert: Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alert Changed metadata of a Low Analytics Alert: Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alert July 25, 2021 Release: Added a new High Analytics BIOC: Unprivileged process opened a registry hive (9937ddbf-beb9-49b0-ac34-e005d53a127b) - added a new High alert Removed 2 old Medium BIOCs: Non-browser access to a pastebin-like site (6b394799-0a16-4d03-b8b4-e9a062965ad7) - removed an old Medium alert Non-browser failed access to a pastebin-like site (c1f7607b-e56c-43ca-b072-5b266bb4133b) - removed an old Medium alert Added 3 new Medium Analytics BIOCs: Non-browser failed access to a pastebin-like site (be47eb8c-3407-46d6-ad35-2961f3f669b0) - added a new Medium alert Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - added a new Medium alert Uncommon msiexec execution of an arbitrary file from the web (8b919310-62f6-4035-b60b-ef61372947d9) - added a new Medium alert Improved logic of a Medium Analytics BIOC: Script Connecting to Rare External Host (86889630-e953-11e9-b74e-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC Added a new Low Analytics BIOC: Rare security product signed executable executed in the network (f9e9ff14-df6e-4ed4-a15d-326bd444199b) - added a new Low alert Improved logic of 4 Low Analytics BIOCs: External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - improved logic of a Low Analytics BIOCs Unverified domain added to Azure AD (e4672ba4-6ba8-426c-82c1-9858f97a4221) - improved logic of a Low Analytics BIOCs Domain federation settings have been modified (050d189d-714a-46a0-b25d-2b295afd55b6) - improved logic of a Low Analytics BIOCs Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of a Low Analytics BIOCs Improved logic of 5 Low Analytics Alerts: Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alerts Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - improved logic of a Low Analytics Alerts Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alerts Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts Removed an old Low Analytics Alert: High Connection Rate (bce7d695-69c6-4a03-a728-0254fd22c116) - removed an old Low alert   July 19, 2021 Release: Added 4 new Medium Analytics BIOCs: Suspicious unsigned process loads a known PowerShell module (23ac9a23-8a43-4900-95e1-6cdb422dd854) - added a new Medium alert Remote WMI process execution (65c55916-23c3-4d1e-9e3d-e839c9c4b70f) - added a new Medium alert Suspicious PowerSploit's recon module (PowerView) used to search for exposed hosts (dd806bdc-9025-47ff-816a-72ee47c322a3) - added a new Medium alert Suspicious PowerSploit's recon module (PowerView) net function was executed (bd95656f-6ba3-4c9d-ac06-8b0a957cf67f) - added a new Medium alert Improved logic of 5 Medium Analytics BIOCs: Suspicious disablement of the Windows Firewall using PowerShell commands (cb8b6ba0-12cc-4c64-81f5-75da949bea0b) - improved logic of a Medium Analytics BIOCs Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - improved logic of a Medium Analytics BIOCs Recurring access to rare domain categorized as malicious (8c2e83de-5071-4b38-8153-f130e6eee885) - improved logic of a Medium Analytics BIOCs Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOCs SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Removed an old Low BIOC: Bash creating network traffic (8bbc8c26-45dd-436c-9d89-98f76164daee) - removed an old Low alert Increased the severity to Low for an Analytics BIOC: UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - increased the severity to Low Decreased the severity to Low for 2 Analytics BIOCs: Network sniffing via command-line tool (4b25dcce-0ac3-4cb2-8c97-939a1077af84) - decreased the severity to Low WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - decreased the severity to Low Added 3 new Low Analytics BIOCs: Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - added a new Low alert Suspicious AMSI decode attempt (f3885db4-6be6-40b9-82c1-9858f97a4229) - added a new Low alert Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet (c640fd86-9c58-4fe2-82ed-c3975866393a) - added a new Low alert Improved logic of 3 Low Analytics BIOCs: External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - improved logic of a Low Analytics BIOCs Domain federation settings have been modified (050d189d-714a-46a0-b25d-2b295afd55b6) - improved logic of a Low Analytics BIOCs Unverified domain added to Azure AD (e4672ba4-6ba8-426c-82c1-9858f97a4221) - improved logic of a Low Analytics BIOCs Added a new Low Analytics Alert: Possible external RDP Brute-Force (f774f787-6763-4f3c-bc24-46d3183d26fe) - added a new Low alert Improved logic of 3 Low Analytics Alerts: Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of a Low Analytics Alerts NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - improved logic of a Low Analytics Alerts Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - improved logic of a Low Analytics Alerts Decreased the severity to Informational for a BIOC: Executable copied to remote host via admin share (63181adb-96a2-441b-8367-6a1e91ef1e02) - decreased the severity to Informational Added 6 new Informational BIOCs: Execution privileges added to a temporary file (8d888902-486c-49a5-b675-8ba9280533b6) - added a new Informational alert SELinux was set to permissive mode (e1912c54-c1a4-4091-8b1d-019c3ceac2d6) - added a new Informational alert Hidden file and directory creation (84de44f2-8d06-452e-8322-e36e90cf3292) - added a new Informational alert Execution from inside the /tmp directory (a4e680e8-f9e8-4c58-bd29-7616a6445505) - added a new Informational alert Possible log destruction using dd command (7620b496-3804-4b00-83eb-85378033b6bd) - added a new Informational alert Possible XDG autostart persistency (41eac860-a716-420e-b48a-492b3142ecb6) - added a new Informational alert Improved logic of 3 Informational BIOCs: Persistence using bashrc files (b6a766b5-29e7-44b2-8e68-7a4f78a5fd46) - improved logic of an Informational BIOCs Shell history access (735fd839-4959-4e5d-9207-fdf517b977a1) - improved logic of an Informational BIOCs Persistence through service registration (c69ed984-a260-4ba9-990f-bc762a4a3223) - improved logic of an Informational BIOCs Removed an old Informational BIOC: Unsigned process loads a known PowerShell DLL (447fc1fe-4ff7-4668-a6c0-4ff929469234) - removed an old Informational alert Added 9 new Informational Analytics BIOCs: Hidden Attribute was added to a file using attrib.exe (5414fab8-c803-40c5-914a-a601b23acb5a) - added a new Informational alert Registration of Uncommon .NET Services and/or Assemblies (df0fcd8c-637b-11ea-b635-88e9fe502c1f) - added a new Informational alert Possible RDP session hijacking using tscon.exe (015570a8-ffce-492b-99a9-e7b83dc8e216) - added a new Informational alert Ping to localhost from an uncommon, unsigned parent process (91d8831e-18ed-48b3-a316-f5091d647738) - added a new Informational alert Uncommon RDP connection (239ae240-e954-11e9-9f0a-8c8590c9ccd1) - added a new Informational alert Uncommon net localgroup execution (4adaa6ba-e954-11e9-b566-8c8590c9ccd1) - added a new Informational alert Rare process spawned by srvany.exe (95b2dea2-4531-4eb4-892e-bb6422293ac9) - added a new Informational alert Uncommon Managed Object Format (MOF) compiler usage (d8069d23-e953-11e9-bb13-8c8590c9ccd1) - added a new Informational alert Process connecting to default Meterpreter port (9de6cf91-007d-11ea-a77c-8c8590c9ccd1) - added a new Informational alert Added a new Informational Analytics Alert: Uncommon multiple service stop commands (09db6c8f-189e-4e07-b94a-3fe5a188e4b0) - added a new Informational alert Improved logic of an Informational Analytics Alert: Multiple Rare Process Executions in Organization (3d78f74c-a8f0-11eb-923e-acde48001122) - improved logic of an Informational Analytics Alert July 11, 2021 Release: Added a new Medium Analytics BIOC: Suspicious disablement of the Windows Firewall using PowerShell commands (cb8b6ba0-12cc-4c64-81f5-75da949bea0b) - added a new Medium alert Increased the severity to Low for an Analytics BIOC: PowerShell suspicious flags signal (4ce1b559-45b8-11ea-81bb-88e9fe502c1f) - increased the severity to Low Improved logic of 3 Low Analytics BIOCs: Unusual process accessed the PowerShell history file (c5e0c7e3-5e55-11eb-9453-acde48001122) - improved logic of a Low Analytics BIOCs First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - improved logic of a Low Analytics BIOCs User successfully connected from a suspicious country (2f0796a2-c33c-4437-b592-ac13f0929e7d) - improved logic of a Low Analytics BIOCs Improved logic of a Low Analytics Alert: Impossible traveler (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alert Removed an old Informational BIOC: Outlook data files accessed by an unsigned process (ea7088cd-90e4-4750-b65c-61743e3c4bb3) - removed an old Informational alert Improved logic of 2 Informational Analytics BIOCs: User connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - improved logic of an Informational Analytics BIOCs User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - improved logic of an Informational Analytics BIOCs   July 4, 2021 Release: Improved logic of a Medium Analytics BIOC: Execution of renamed lolbin (fdb82a70-8f9a-11ea-9918-88e9fe502c1f) - improved logic of a Medium Analytics BIOC Improved logic of a Medium Analytics Alert: Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alert Decreased the severity to Low for a BIOC: Reading bash command history file (cb05480f-17d8-4138-9902-f0f9fb50b672) - decreased the severity to Low Improved logic of 2 Low Analytics Alerts: Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts June 28, 2021 Release: Changed metadata of 4 High BIOCs Changed metadata of 3 High Analytics BIOCs Changed metadata of 5 Medium BIOCs Improved logic of a Medium Analytics BIOC: Recurring access to rare domain categorized as malicious (8c2e83de-5071-4b38-8153-f130e6eee885) - improved logic of a Medium Analytics BIOC Changed metadata of 10 Medium Analytics BIOCs Decreased the severity to Medium for an Analytics Alert: Kerberos User Enumeration (97b4a03a-24f4-11eb-97dd-acde48001122) - decreased the severity to Medium, and improved detection logic Changed metadata of 5 Medium Analytics Alerts Changed metadata of 3 Low BIOCs Added a new Low Analytics BIOC: External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - added a new Low alert Changed metadata of 12 Low Analytics BIOCs Changed metadata of 8 Low Analytics Alerts Added 7 new Informational BIOCs: Log deletion using the truncate command (1afe4c22-2163-45ad-a90a-f130eaed6ff2) - added a new Informational alert Log deletion in known log file directories (4c91da94-296f-49c3-9e3d-4f040269391e) - added a new Informational alert Clear logs - using dd and /dev/null (d5a156a9-d203-46ca-a53a-6090b173dfe0) - added a new Informational alert Clearing logs by executing cat /dev/null (787aa313-7ef6-40a9-a68c-bdcc9610c35f) - added a new Informational alert Clearing logs by copying /dev/null to a log file (62affbe1-1c47-4dc1-88d2-bd701e9be6d7) - added a new Informational alert Installation of networking security tools (45818abb-9462-4074-ae83-fd56f715ef11) - added a new Informational alert Network Packet Capture - tshark\tcpdump (9e72d135-0782-48dd-8b4f-da2dd4d1599f) - added a new Informational alert Changed metadata of 20 Informational BIOCs Changed metadata of 4 Informational Analytics BIOCs Changed metadata of an Informational Analytics Alert   June 20, 2021 Release: Changed metadata of a High Analytics BIOC: Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) - changed metadata of a High Analytics BIOC Changed metadata of a Medium BIOC: Executable created to disk by lsass.exe (8d61c71e-3224-453f-aa1a-28de92d85b13) - changed metadata of a Medium BIOC Added a new Medium Analytics BIOC: Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - added a new Medium alert Improved logic of 2 Medium Analytics BIOCs: SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Changed metadata of a Medium Analytics BIOC: Windows Installer exploitation for local privilege escalation (d6aeb50b-c3f9-4eb3-9504-636eb17f3a42) - changed metadata of a Medium Analytics BIOC Changed metadata of a Medium Analytics Alert: Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - changed metadata of a Medium Analytics Alert Improved logic of a Low BIOC: Executable copied to remote host via admin share (63181adb-96a2-441b-8367-6a1e91ef1e02) - improved logic of a Low BIOC Changed metadata of a Low BIOC: Tampering with the Windows System Restore configuration (710b1aaa-cfdf-42b5-9615-447cedc5e5f0) - changed metadata of a Low BIOC Improved logic of a Low Analytics BIOC: Unusual process accessed the PowerShell history file (c5e0c7e3-5e55-11eb-9453-acde48001122) - improved logic of a Low Analytics BIOC Changed metadata of a Low Analytics BIOC: Remote service start from an uncommon source (972072a7-9f23-4354-824d-7295de90e804) - changed metadata of a Low Analytics BIOC Changed metadata of 3 Informational BIOCs: Manipulation of default file association configuration (9ac339af-aa0c-4fac-8117-33d4b4123ee3) - changed metadata of an Informational BIOCs Commonly-abused host process tried to kill a running process (393c5b71-2b2f-4290-be33-752015973161) - changed metadata of an Informational BIOCs Windows process masquerading by an unsigned process (a39a60db-05a6-4b77-ab09-6bd8852e1b1d) - changed metadata of an Informational BIOCs Added a new Informational Analytics BIOC: UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - added a new Informational alert Removed an old Informational Analytics BIOC: Uncommon msiexec execution of an arbitrary file from the web (8b919310-62f6-4035-b60b-ef61372947d9) - removed an old Informational alert   June 13, 2021 Release: Improved logic of a Medium BIOC: Non-browser access to a pastebin-like site (6b394799-0a16-4d03-b8b4-e9a062965ad7) - improved logic of a Medium BIOC Changed metadata of a Medium BIOC: User added to local administrator group using a PowerShell command (7135da01-046f-452b-99d3-974795aca8c6) - changed metadata of a Medium BIOC Improved logic of 2 Medium Analytics BIOCs: Recurring access to rare domain categorized as malicious (8c2e83de-5071-4b38-8153-f130e6eee885) - improved logic of a Medium Analytics BIOCs Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOCs Changed metadata of a Medium Analytics Alert: DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - changed metadata of a Medium Analytics Alert Changed metadata of a Low BIOC: Remote command executed from a Linux host (e311896f-8299-4041-abd9-05db740f0ecd) - changed metadata of a Low BIOC Improved logic of 2 Low Analytics BIOCs: Suspicious process execution by scheduled task (56bc5f4c-e481-41de-81e4-ec618fb1f004) - improved logic of a Low Analytics BIOCs Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOCs Improved logic of a Low Analytics Alert: High Connection Rate (bce7d695-69c6-4a03-a728-0254fd22c116) - improved logic of a Low Analytics Alert Changed metadata of 3 Informational BIOCs: Unsigned process executed as a scheduled task (12766be6-50be-4cac-b6a4-6f3b5b8bd8ab) - changed metadata of an Informational BIOCs WMIC enumerates running processes (8b916e98-5122-4a50-a8cc-b0207d5f5c28) - changed metadata of an Informational BIOCs User added to local administrator group using net.exe command (8cb7771f-5f9e-4450-9a8a-fb5d6083fd05) - changed metadata of an Informational BIOCs   June 06, 2021 Release: Changed metadata of a High BIOC: Wbadmin.exe deletes recovery files in quiet mode (24be0d84-2203-4d60-a1f0-39e4f80eee3a) - changed metadata of a High BIOC Removed an old High BIOC: Suspicious access to NTDS.dit (eeeee3a5-a22f-4850-8022-17684a8c5227) - removed an old High alert Added a new High Analytics BIOC: Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin (e7deceda-807e-4e2e-993b-e577804c5d8f) - added a new High alert Changed metadata of a High Analytics Alert: Kerberos User Enumeration (97b4a03a-24f4-11eb-97dd-acde48001122) - changed metadata of a High Analytics Alert Changed metadata of 2 Medium BIOCs: Rundll32.exe was used to run JavaScript (c9207f63-0b78-4488-9668-e24bc1b2f9d6) - changed metadata of a Medium BIOCs Office process spawned with suspicious command-line arguments (29f7499b-2464-479d-9e49-10911bc02945) - changed metadata of a Medium BIOCs Added 2 new Medium Analytics BIOCs: Reverse SSH tunnel to external domain/ip (0098b910-5056-4ce9-988a-983dd0071c5a) - added a new Medium alert Vulnerable driver loaded (1cc145f5-f667-4ca3-a722-79a29ed23caf) - added a new Medium alert Improved logic of 2 Medium Analytics BIOCs: Windows Installer exploitation for local privilege escalation (d6aeb50b-c3f9-4eb3-9504-636eb17f3a42) - improved logic of a Medium Analytics BIOCs SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Removed an old Medium Analytics BIOC: Reverse SSH tunnel to external domain/ip (1511885b-1fb5-4118-b8a9-fedd43a285c1) - removed an old Medium alert Changed metadata of a Medium Analytics Alert: DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - changed metadata of a Medium Analytics Alert Added a new Low Analytics BIOC: User successfully connected from a suspicious country (2f0796a2-c33c-4437-b592-ac13f0929e7d) - added a new Low alert Improved logic of a Low Analytics BIOC: Rare SSH Session (85f62ab8-e953-11e9-beca-8c8590c9ccd1) - improved logic of a Low Analytics BIOC Changed metadata of a Low Analytics BIOC: Wsmprovhost.exe Rare Child Process (f5b580fd-e952-11e9-91de-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC Improved logic of a Low Analytics Alert: Impossible traveler (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alert Changed metadata of a Low Analytics Alert: Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alert Decreased the severity to Informational for a BIOC: Base64 encoding used (e8ffb33b-f1a8-4687-9ad7-cd2654d73b4f) - decreased the severity to Informational, and improved detection logic Added 5 new Informational BIOCs: Reading the contents of /etc/mtab or /etc/fstab (5745ac31-522d-4d8a-b86f-b78260f6d609) - added a new Informational alert Wzzip.exe execution with password protection parameters (427a5f1d-eec4-4de4-927f-58daf0a0817d) - added a new Informational alert Base64 decoding using the base64 utility (1682c4a4-39ef-49ce-9cbc-cd7d08888553) - added a new Informational alert 7z.exe execution with password protection parameters (edaa5d9d-9c9d-443f-bd60-f4e887d48ac9) - added a new Informational alert Rar.exe execution with password protection parameters (03664565-3629-4267-91e7-a3fe7e91d4cc) - added a new Informational alert Changed metadata of 5 Informational BIOCs: Windows PowerShell Logging being disabled via Registry (a649172a-7c6a-4a14-8022-b8d53f9d9ad6) - changed metadata of an Informational BIOCs Encrypted zip archive creation (88836a02-95e6-47d1-a619-90a2de0165ff) - changed metadata of an Informational BIOCs Service enumeration via sc (f5ad264a-fc27-4cef-9a94-245150ace5b1) - changed metadata of an Informational BIOCs Enumeration of services via PowerShell (6977966b-14e9-11ea-b5d7-88e9fe502c1f) - changed metadata of an Informational BIOCs PowerShell calling Invoke-Expression argument (d9e32419-d8f0-4b2b-b395-6c27be156d56) - changed metadata of an Informational BIOCs Removed 2 old Informational BIOCs: Possible network service discovery via command-line tool (d2f959f3-d463-4d73-92bf-4c3664a5d956) - removed an old Informational alert Unsigned process creates a scheduled task via file access (116a3cfb-2fd3-4d99-800b-e93fe158b211) - removed an old Informational alert Decreased the severity to Informational for an Analytics BIOC: User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - decreased the severity to Informational Improved logic of an Informational Analytics BIOC: Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - improved logic of an Informational Analytics BIOC Changed metadata of an Informational Analytics BIOC: User connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - changed metadata of an Informational Analytics BIOC May 30, 2021 Release: Changed metadata of 11 High BIOCs Improved logic of 2 High Analytics BIOCs: Bronze-Bit exploit (115c6f43-ebb2-48d8-9044-9b52c0102e2f) improved logic of a High Analytics BIOCs Possible DCShadow attempt (a320aa30-20c3-11ea-b525-8c8590c9ccd1) improved logic of a High Analytics BIOCs Changed metadata of a High Analytics BIOC: Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) changed metadata of a High Analytics BIOC Improved logic of a High Analytics Alert: Kerberos User Enumeration (97b4a03a-24f4-11eb-97dd-acde48001122) improved logic of a High Analytics Alert Changed metadata of 45 Medium BIOCs Increased the severity to Medium for an Analytics BIOC: Uncommon net group execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) increased the severity to Medium, and improved detection logic Added 2 new Medium Analytics BIOCs: Suspicious disablement of the Windows Firewall (7c28b163-4d2f-463c-97ba-5b3e7f13249b) added a new Medium alert Recurring access to rare domain categorized as malicious (8c2e83de-5071-4b38-8153-f130e6eee885) added a new Medium alert Improved logic of 12 Medium Analytics BIOCs: Possible DCSync Attempt (a420aa30-20c3-11ea-b525-8c8591c0ccb0) improved logic of a Medium Analytics BIOCs Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) improved logic of a Medium Analytics BIOCs SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) improved logic of a Medium Analytics BIOCs Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) improved logic of a Medium Analytics BIOCs RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) improved logic of a Medium Analytics BIOCs Commonly-abused AutoIT script connects to an external domain (5ce79fc6-a5d3-43d1-a9ff-d8c779958cc9) improved logic of a Medium Analytics BIOCs LOLBIN connecting to a rare host (4bcc13de-20b7-11ea-a54a-8c8590c9ccd1) improved logic of a Medium Analytics BIOCs Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) improved logic of a Medium Analytics BIOCs Script Connecting to Rare External Host (86889630-e953-11e9-b74e-8c8590c9ccd1) improved logic of a Medium Analytics BIOCs LOLBIN spawned by an Office executable connected to a rare external host (0aad6094-99a3-11ea-8544-88e9fe502c1f) improved logic of a Medium Analytics BIOCs Failed Login For a Long Username With Special Characters (de8eb00f-2016-11ea-8f2b-8c8590c9ccd1) improved logic of a Medium Analytics BIOCs Reverse SSH tunnel to external domain/ip (1511885b-1fb5-4118-b8a9-fedd43a285c1) improved logic of a Medium Analytics BIOCs Changed metadata of 7 Medium Analytics BIOCs Improved logic of 5 Medium Analytics Alerts: Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) improved logic of a Medium Analytics Alerts Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) improved logic of a Medium Analytics Alerts Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) improved logic of a Medium Analytics Alerts NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) improved logic of a Medium Analytics Alerts DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) improved logic of a Medium Analytics Alerts Changed metadata of 30 Low BIOCs Removed an old Low BIOC: Windows Firewall being disabled using netsh (23407a88-c820-4b42-8400-46fe6025cfe6) removed an old Low alert Increased the severity to Low for an Analytics BIOC: Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) increased the severity to Low, and improved detection logic Improved logic of 6 Low Analytics BIOCs: Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) improved logic of a Low Analytics BIOCs Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) improved logic of a Low Analytics BIOCs Rare SSH Session (85f62ab8-e953-11e9-beca-8c8590c9ccd1) improved logic of a Low Analytics BIOCs MSBuild Makes a Rare Network Connection (633a8e38-c616-11ea-abb3-acde48001122) improved logic of a Low Analytics BIOCs Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) improved logic of a Low Analytics BIOCs Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) improved logic of a Low Analytics BIOCs Changed metadata of 25 Low Analytics BIOCs Improved logic of 11 Low Analytics Alerts: Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) improved logic of a Low Analytics Alerts Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) improved logic of a Low Analytics Alerts Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) improved logic of a Low Analytics Alerts Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) improved logic of a Low Analytics Alerts Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) improved logic of a Low Analytics Alerts High Connection Rate (bce7d695-69c6-4a03-a728-0254fd22c116) improved logic of a Low Analytics Alerts New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) improved logic of a Low Analytics Alerts Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) improved logic of a Low Analytics Alerts Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) improved logic of a Low Analytics Alerts Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) improved logic of a Low Analytics Alerts Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) improved logic of a Low Analytics Alerts Changed metadata of 3 Low Analytics Alerts Changed metadata of 148 Informational BIOCs Improved logic of an Informational Analytics BIOC: Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) improved logic of an Informational Analytics BIOC Changed metadata of 6 Informational Analytics BIOCs   May 12, 2021 Release: Added a new Medium Analytics BIOC: Windows Installer exploitation for local privilege escalation (d6aeb50b-c3f9-4eb3-9504-636eb17f3a42) - added a new Medium alert Improved logic of a Medium Analytics BIOC: Script Connecting to Rare External Host (86889630-e953-11e9-b74e-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC Improved logic of a Medium Analytics Alert: Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) - improved logic of a Medium Analytics Alert Changed metadata of a Medium Analytics Alert: Sudoedit Brute force attempt (e1d6cdd8-845f-440b-b89e-a430eafea941) - changed metadata of a Medium Analytics Alert Changed metadata of 4 Low Analytics BIOCs: Suspicious RunOnce Parent Process (565f0500-ad74-11ea-abe7-acde48001122) - changed metadata of a Low Analytics BIOCs Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - changed metadata of a Low Analytics BIOCs Suspicious process execution by scheduled task (56bc5f4c-e481-41de-81e4-ec618fb1f004) - changed metadata of a Low Analytics BIOCs Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - changed metadata of a Low Analytics BIOCs May 10, 2021 Release: Improved logic of a High BIOC: Exchange process writing aspx files (c926dbe2-c56a-4d1b-bf7e-d5b759082912) - improved logic of a High BIOC Changed metadata of 3 High BIOCs: Memory dumping with comsvcs.dll (9873cd8b-2220-4384-a99f-712ad0ccfb45) - changed metadata of a High BIOCs Encoded VBScript executed (b38b98bc-e2d4-4719-b863-d9142bf8d647) - changed metadata of a High BIOCs Editing ld.so.preload for persistence and injection (9cb193d8-4f01-4c57-b21d-c3211e32fe5e) - changed metadata of a High BIOCs Removed an old High BIOC: SunBurst domain access (9cd4bdd1-939a-4dce-a466-752843bf5f41) - removed an old High alert Changed metadata of 2 Medium BIOCs: Binary file being created to disk with a double extension (3a461861-7d8b-4a7c-8265-cb05f4fa0dd8) - changed metadata of a Medium BIOCs Dumping lsass.exe memory for credential extraction (cb05480f-17d8-4138-aa38-f0f9fb50b671) - changed metadata of a Medium BIOCs Improved logic of 5 Medium Analytics BIOCs: LOLBIN connecting to a rare host (4bcc13de-20b7-11ea-a54a-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs Script Connecting to Rare External Host (86889630-e953-11e9-b74e-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs Reverse SSH tunnel to external domain/ip (1511885b-1fb5-4118-b8a9-fedd43a285c1) - improved logic of a Medium Analytics BIOCs LOLBIN spawned by an Office executable connected to a rare external host (0aad6094-99a3-11ea-8544-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOCs Improved logic of a Low Analytics BIOC: MSBuild Makes a Rare Network Connection (633a8e38-c616-11ea-abb3-acde48001122) - improved logic of a Low Analytics BIOC Changed metadata of 3 Low Analytics BIOCs: Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - changed metadata of a Low Analytics BIOCs Rare Unsigned Process Spawned by Office Process Under Suspicious Directory (dff03970-bf7a-11ea-86c7-acde48001122) - changed metadata of a Low Analytics BIOCs Uncommon user management via net.exe (f78dfe5e-e952-11e9-b300-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs Improved logic of 5 Low Analytics Alerts: Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alerts Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - improved logic of a Low Analytics Alerts Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - improved logic of a Low Analytics Alerts Changed metadata of 7 Informational BIOCs: Windows PowerShell Logging being disabled via Registry (a649172a-7c6a-4a14-8022-b8d53f9d9ad6) - changed metadata of an Informational BIOCs Sudoers discovery (2ed43b35-f9ca-4df4-a796-c5e88da0ed3a) - changed metadata of an Informational BIOCs Compressed archive created using tar (e9e007db-a8a7-4ae5-b758-5cacbe0ab46e) - changed metadata of an Informational BIOCs Manipulation of Winlogon 'Notify' autostart Registry key (27dbcdd3-08d3-4859-ae8e-e6caef1f17ab) - changed metadata of an Informational BIOCs Wscript.exe connects to an external network (deef10e3-42b1-45fa-a957-9713755fa514) - changed metadata of an Informational BIOCs Persistence using bashrc files (b6a766b5-29e7-44b2-8e68-7a4f78a5fd46) - changed metadata of an Informational BIOCs Write to .bash_profile (1119d1ec-cdfb-404b-ae82-475b8fcf8ddc) - changed metadata of an Informational BIOCs Improved logic of an Informational Analytics BIOC: Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of an Informational Analytics BIOC Changed metadata of an Informational Analytics BIOC: Commonly-abused AutoIT script drops an executable file to disk (267a6168-f45b-4274-9c78-7519395f47d4) - changed metadata of an Informational Analytics BIOC   April 28, 2021 Release: Improved logic of a Medium BIOC: Executable created to disk by lsass.exe (8d61c71e-3224-453f-aa1a-28de92d85b13) - improved logic of a Medium BIOC   Improved logic of a Low Analytics BIOC: Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOC Improved logic of 2 Low Analytics Alerts: Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts Improved logic of an Informational BIOC: Security Support Provider (SSP) registered via a registry key (2b72b7fd-5b13-4ff1-ba5b-6b149c76f032) - improved logic of an Informational BIOC Changed metadata of an Informational BIOC: Manipulation of Windows folder options (7cb8c831-ba6e-4cde-83db-3762d94cd1fa) - changed metadata of an Informational BIOC   April 18, 2021 Release: Improved logic of a Medium BIOC: Manipulation of netsh helper DLLs Registry keys (79d203ef-e417-4c8d-87c8-776c6ec4967f) - improved logic of a Medium BIOC Added a new Medium Analytics BIOC: Execution of a password brute-force tool (90010a1e-59b9-42a2-b768-2778a666f7a3) - added a new Medium alert Improved logic of a Medium Analytics BIOC: Failed Login For a Long Username With Special Characters (de8eb00f-2016-11ea-8f2b-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC April 11, 2021 Release: Improved logic of a High Analytics BIOC: Bronze-Bit exploit (115c6f43-ebb2-48d8-9044-9b52c0102e2f) - improved logic of a High Analytics BIOC Improved logic of 3 Medium Analytics BIOCs: Failed Login For a Long Username With Special Characters (de8eb00f-2016-11ea-8f2b-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - improved logic of a Medium Analytics BIOCs Added a new Medium Analytics Alert: Sudoedit Brute force attempt (e1d6cdd8-845f-440b-b89e-a430eafea941) - added a new Medium alert Improved logic of a Medium Analytics Alert: Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - improved logic of a Medium Analytics Alert Improved logic of 5 Low Analytics BIOCs: Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - improved logic of a Low Analytics BIOCs Rare SSH Session (85f62ab8-e953-11e9-beca-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - improved logic of a Low Analytics BIOCs Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - improved logic of a Low Analytics BIOCs Changed metadata of a Low Analytics BIOC: Suspicious RunOnce Parent Process (565f0500-ad74-11ea-abe7-acde48001122) - changed metadata of a Low Analytics BIOC Improved logic of 4 Low Analytics Alerts: Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - improved logic of a Low Analytics Alerts Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - improved logic of a Low Analytics Alerts Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts Added a new Informational BIOC: SharpHound LDAP query (5f50bb22-588c-4d48-8600-446df59d8a51) - added a new Informational alert Changed metadata of 3 Informational BIOCs: Crash dump file created (e6cb68b9-7bb3-4be2-9b7c-d66d560e5a3b) - changed metadata of an Informational BIOCs Enumeration command executes (6958a24d-f33a-45f2-819c-b47c1e03964d) - changed metadata of an Informational BIOCs Enumeration command called by commonly abused CGO (e7d21bc3-3190-4b25-a2f4-20c6242b1029) - changed metadata of an Informational BIOCs Improved logic of an Informational Analytics BIOC: Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of an Informational Analytics BIOC   April 4, 2021 Release: Improved logic of a Medium Analytics Alert: Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alert Added a new Low Analytics BIOC: Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - added a new Low alert Improved logic of 2 Low Analytics BIOCs: Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOCs Wsmprovhost.exe Rare Child Process (f5b580fd-e952-11e9-91de-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs Improved logic of a Low Analytics Alert: Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - improved logic of a Low Analytics Alert Changed metadata of a Low Analytics Alert: Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - changed metadata of a Low Analytics Alert Improved logic of an Informational Analytics BIOC: Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of an Informational Analytics BIOC   March 29, 2021 Release: Decreased the severity to Medium for an Analytics BIOC: Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - decreased the severity to Medium Improved logic of a Medium Analytics BIOC: SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOC Improved logic of a Low Analytics BIOC: Uncommon net group execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) - improved logic of a Low Analytics BIOC Improved logic of 2 Low Analytics Alerts: Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alerts Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alerts Improved logic of an Informational Analytics BIOC: Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - improved logic of an Informational Analytics BIOC   March 22, 2021 Release: Improved logic of a Medium Analytics BIOC: Execution of renamed lolbin (fdb82a70-8f9a-11ea-9918-88e9fe502c1f) - improved logic of a Medium Analytics BIOC Improved logic of a Medium Analytics Alert: Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) - improved logic of a Medium Analytics Alert Improved logic of 5 Low Analytics Alerts: Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alerts Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - improved logic of a Low Analytics Alerts Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alerts High Connection Rate (bce7d695-69c6-4a03-a728-0254fd22c116) - improved logic of a Low Analytics Alerts Removed an old Informational BIOC: Network configuration discovery (d69c1be0-a351-469d-a47c-34e1f0562690) - removed an old Informational alert March 16, 2021 Release: Changed metadata of a High Analytics BIOC: Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - changed metadata of a High Analytics BIOC Improved logic of a Medium Analytics BIOC: Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - improved logic of a Medium Analytics BIOC   March 14, 2021 Release: Added a new High Analytics BIOC: Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) - added a new High alert Improved logic of a High Analytics BIOC: Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a High Analytics BIOC Removed an old Medium BIOC: Network sniffing via command-line tool (4b25dcce-0ac3-4cb2-8c97-939a1077af84) - removed an old Medium alert Added a new Medium Analytics BIOC: Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - added a new Medium alert Improved logic of 2 Medium Analytics BIOCs: SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Network sniffing via command-line tool (4b25dcce-0ac3-4cb2-8c97-939a1077af84) - improved logic of a Medium Analytics BIOCs Improved logic of a Low Analytics BIOC: Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOC Improved logic of an Informational Analytics BIOC: Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - improved logic of an Informational Analytics BIOC   March 3, 2021 Release: Added a new High BIOC: Exchange process writing aspx files (c926dbe2-c56a-4d1b-bf7e-d5b759082912) - added a new High alert   February 28, 2021 Release: Changed metadata of a High Analytics BIOC: Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - changed metadata of a High Analytics BIOC Improved logic of a Medium BIOC: LOLBAS executable injects into another process (c8ad0223-2018-11ea-a080-8c8590c9ccd1) - improved logic of a Medium BIOC Improved logic of a Medium Analytics BIOC: LOLBIN spawned by an Office executable connected to a rare external host (0aad6094-99a3-11ea-8544-88e9fe502c1f) - improved logic of a Medium Analytics BIOC Changed metadata of 2 Medium Analytics BIOCs: WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOCs Suspicious Process Spawned by wininit.exe (9e4ba29f-8771-4f7b-acc4-562c91740934) - changed metadata of a Medium Analytics BIOCs Improved logic of a Medium Analytics Alert: Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alert Increased the severity to Low for a BIOC: Commonly-abused AutoIT script connects to a remote host (429e8b36-070c-44ae-ae6d-50f89d31261e) - increased the severity to Low Improved logic of 2 Low Analytics BIOCs: Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - improved logic of a Low Analytics BIOCs Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOCs Changed metadata of a Low Analytics BIOC: Suspicious process execution by scheduled task (56bc5f4c-e481-41de-81e4-ec618fb1f004) - changed metadata of a Low Analytics BIOC Added a new Low Analytics Alert: Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - added a new Low alert   February 21, 2021 Release: Added a new High Analytics BIOC: Bronze-Bit exploit (115c6f43-ebb2-48d8-9044-9b52c0102e2f) - added a new High alert Improved logic of a High Analytics BIOC: Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a High Analytics BIOC Improved logic of a Medium Analytics Alert: Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alert Improved logic of a Low Analytics BIOC: Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOC Improved logic of a Low Analytics Alert: Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - improved logic of a Low Analytics Alert Improved logic of an Informational BIOC: Non-browser process downloads content from GitHub (75c22cca-c58a-4319-881b-1f7b917cdad2) - improved logic of an Informational BIOC Improved logic of an Informational Analytics BIOC: Recurring Rare IP Access (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of an Informational Analytics BIOC   February 14, 2021 Release: Added a new Medium Analytics BIOC: Reverse SSH tunnel to external domain/ip (1511885b-1fb5-4118-b8a9-fedd43a285c1) - added a new Medium alert Improved logic of 2 Medium Analytics BIOCs: Script Connecting to Rare External Host (86889630-e953-11e9-b74e-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs Changed metadata of 2 Medium Analytics BIOCs: SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs Decreased the severity to Low for a BIOC: Process runs from the recycle bin (98134120-eed2-4252-b6d6-d130743018c6) - decreased the severity to Low, and improved detection logic Added a new Low Analytics BIOC: Suspicious process execution by scheduled task (56bc5f4c-e481-41de-81e4-ec618fb1f004) - added a new Low alert Improved logic of a Low Analytics BIOC: Rare SSH Session (85f62ab8-e953-11e9-beca-8c8590c9ccd1) - improved logic of a Low Analytics BIOC Decreased the severity to Informational for an Analytics BIOC: Recurring Rare IP Access (85efd97a-e265-4498-9037-f15f6d041991) - decreased the severity to Informational Improved logic of an Informational Analytics BIOC: Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - improved logic of an Informational Analytics BIOC   February 07, 2021 Release: Increased the severity to Medium for a BIOC: Modification of NTLM restrictions in the Registry (207bde33-2c02-4aa7-ae4f-e22146b79ba6) - increased the severity to Medium Removed an old Informational BIOC: Commonly-abused AutoIT script drops an executable file to disk (267a6168-f45b-4274-9c78-7519395f47d4) - removed an old Informational alert Added a new Informational Analytics BIOC: Commonly-abused AutoIT script drops an executable file to disk (267a6168-f45b-4274-9c78-7519395f47d4) - added a new Informational alert   January 24, 2021 Release: Increased the severity to High for 4 BIOCs: LOLBIN created a PowerShell script file (5cbee940-dfad-11ea-b820-faffc26aac4a) - increased the severity to High, and improved detection logic Editing ld.so.preload for persistence and injection (9cb193d8-4f01-4c57-b21d-c3211e32fe5e) - increased the severity to High, and improved detection logic Suspicious debug file created in a temporary folder (887e00c4-ec12-4490-b9bc-0db49a010fba) - increased the severity to High, and improved detection logic Suspicious executable created in .NET directory (5bc9ba00-d590-11ea-ba6f-faffc26aac4a) - increased the severity to High Removed an old High BIOC: Debug.bin file dropped to Temp folder (5b161cc7-20d1-11ea-bf45-8c8590c9ccd1) - removed an old High alert Increased the severity to Medium for 9 BIOCs: Office process creates an unusual .LNK file (fc55f1f8-f1e7-11ea-84f5-faffc26aac4a) - increased the severity to Medium Autorun.inf created in root C:\ drive (43fea42c-fbca-4e68-8f4b-7956f4397671) - increased the severity to Medium Rundll32.exe spawns conhost.exe (9606ea78-dbef-11ea-b978-faffc26aac4a) - increased the severity to Medium, and improved detection logic Virtual Directory configuration access via PowerShell (4920f289-67f2-482a-9320-a4532ca12845) - increased the severity to Medium Suspicious .NET process loads an MSBuild DLL (5ed99c87-daf2-11ea-93df-faffc26aac4a) - increased the severity to Medium, and improved detection logic Possible Persistence via group policy Registry keys (21ff020b-270f-4579-90ca-9d14638d4c46) - increased the severity to Medium, and improved detection logic Suspicious DLL load using Control.exe (68db2d19-082e-4703-8008-b5938298a910) - increased the severity to Medium, and improved detection logic Credential Vault command-line access (e57fdcf6-5bbf-46b7-a697-83042df49c5a) - increased the severity to Medium Rundll32.exe with 'main' as EntryPoint (7f5b7042-dca4-11ea-81aa-faffc26aac4a) - increased the severity to Medium Added 2 new Medium Analytics BIOCs: LOLBIN spawned by an Office executable connected to a rare external host (0aad6094-99a3-11ea-8544-88e9fe502c1f) - added a new Medium alert Remote command execution via wmic.exe (f42fdaa8-4685-11ea-94be-88e9fe502c1f) - added a new Medium alert Improved logic of 2 Medium Analytics BIOCs: Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs - SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Increased the severity to Low for 7 BIOCs: Suspicious .NET process spawns csc.exe (993f8e66-d59d-11ea-a6c7-faffc26aac4a) - increased the severity to Low, and improved detection logic Injection into rundll32.exe (0c0a80af-06ff-4a10-b555-67e56ecbd410) - increased the severity to Low, and improved detection logic System information discovery via psinfo.exe (9eafe6a7-b0fa-4f85-867f-8ef01412e124) - increased the severity to Low, and improved detection logic Suspicious lock screen image file written to disk (7b6d6987-2aa8-4b85-a9d4-d7708a7d15da) - increased the severity to Low, and improved detection logic Suspicious printer driver installation (f21127cf-cf34-11ea-b1bd-acde48001122) - increased the severity to Low, and improved detection logic Plink/SSH reverse tunnel (d793d95c-0236-11eb-9597-faffc26aac4a) - increased the severity to Low, and improved detection logic Suspicious AMSI DLL load location (f332b6ef-ac49-484c-9258-d6396650912a) - increased the severity to Low Added 4 new Low Analytics BIOCs: Suspicious RunOnce Parent Process (565f0500-ad74-11ea-abe7-acde48001122) - added a new Low alert Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - added a new Low alert Rare Unsigned Process Spawned by Office Process Under Suspicious Directory (dff03970-bf7a-11ea-86c7-acde48001122) - added a new Low alert Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - added a new Low alert Added 3 new Informational BIOCs: Remote wmiexec execution (070094f8-87c3-47c4-92c8-82bcad12116f) - added a new Informational alert Service execution via sc.exe (a1c6c171-005c-403b-a60b-fb85e6ecb81a) - added a new Informational alert - Security Support Provider (SSP) registered via a registry key (2b72b7fd-5b13-4ff1-ba5b-6b149c76f032) - added a new Informational alert Improved logic of 4 Informational BIOCs: Modification of NTLM restrictions in the Registry (207bde33-2c02-4aa7-ae4f-e22146b79ba6) - improved logic of an Informational BIOCs Suspicious SDB file written to disk (cb9bd832-3391-4501-8ed3-95c56a7c3d08) - improved logic of an Informational BIOCs Wget connection to an external network (5e1b87b5-e0db-4ff9-9901-ed73a5190322) - improved logic of an Informational BIOCs Print spooler set to load new DLL on boot (87bff3b7-1bdb-4e2d-8bea-36bfb0a5da11) - improved logic of an Informational BIOCs Added a new Informational Analytics BIOC: Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - added a new Informational alert January 18, 2021 Release: Improved logic of a Medium BIOC: Unsigned process injecting into a Windows system binary with no command line (0c0a801f-06ff-4a10-b555-67e5aecbd410) - improved logic of a Medium BIOC Added 2 new Informational BIOCs: Possible reverse SSH tunnel (7314accf-0f4a-4c08-a33c-f894fdd01e44) - added a new Informational alert Gost Tunnel tool in the Command String (e88e4718-9211-4365-8700-103f86a39573) - added a new Informational alert   January 10, 2021 Release: Improved logic of a Medium BIOC: Unsigned process injecting into a Windows system binary with no command line (0c0a801f-06ff-4a10-b555-67e5aecbd410) - improved logic of a Medium BIOC Improved logic of a Medium Analytics BIOC: WmiPrvSe.exe Rare Child Process (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC Changed metadata of 2 Low BIOCs: Accessing bash history file (cb05480f-17d8-4138-9902-f0f9fb50b671) - changed metadata of a Low BIOCs Accessing bash history file using bash commands (cb05480f-17d8-4138-9992-f0f9fb50b671) - changed metadata of a Low BIOCs Changed metadata of 4 Informational BIOCs: System package enumeration (50dd2a0c-114b-11eb-a1fc-faffc26aac4a) - changed metadata of an Informational BIOCs Screen capture via command-line tool (593bc5d9-8bdf-482a-8d84-34b6045cf4d8) - changed metadata of an Informational BIOCs OS information listing via distro version file (3a85fbc4-a63f-4e0d-8c06-af22383db482) - changed metadata of an Informational BIOCs Collect network configuration (7b65214c-ed03-11ea-bd53-faffc26aac4a) - changed metadata of an Informational BIOCs   December 29, 2020 Release: Increased the severity to Medium for an Analytics Alert: Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - increased the severity to Medium Improved logic of a Medium Analytics Alert: Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - improved logic of a Medium Analytics Alert Added 2 new Low Analytics BIOCs: Domain federation settings have been modified (050d189d-714a-46a0-b25d-2b295afd55b6) - added a new Low alert Unverified domain added to Azure AD (e4672ba4-6ba8-426c-82c1-9858f97a4221) - added a new Low alert Improved logic of a Low Analytics Alert: Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - improved logic of a Low Analytics Alert Changed metadata of 3 Low Analytics Alerts: High Connection Rate (bce7d695-69c6-4a03-a728-0254fd22c116) - changed metadata of a Low Analytics Alerts New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - changed metadata of a Low Analytics Alerts Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alerts Added 4 new Informational BIOCs: Virtual Directory configuration access via PowerShell (4920f289-67f2-482a-9320-a4532ca12845) - added a new Informational alert ADFind queries Active Directory for Exchange groups (f623125f-b4e5-4e47-a5be-8fa788e7bb05) - added a new Informational alert PowerShell dumps users and roles from Exchange server (01ac823a-d1fc-4621-8bce-cb78d1dc83a0) - added a new Informational alert Malicious NetSetupSvc.dll loaded into svchost.exe (495195f9-3947-4fc7-913b-6e84fc937730) - added a new Informational alert   December 17, 2020 Release: Added 2 new High BIOCs: SunBurst domain access (9cd4bdd1-939a-4dce-a466-752843bf5f41) - added a new High alert SunBurst Module loaded (89308c56-40e9-43d4-8f0a-1c7f018a15d4) - added a new High alert Improved logic of 2 Informational BIOCs: Disabling Windows Defender via Registry (d18483d3-1e7c-48cc-b1d9-6e1ab8592667) - improved logic of an Informational BIOCs Ping to a known external IP address (61079392-db2f-4b7a-b7f8-b87562137f73) - improved logic of an Informational BIOCs   December 13, 2020 Release: Improved logic of a Medium BIOC: Microsoft Office injects code into a process (17b8c759-512d-4c13-9fe4-71dcdeb97c29) - improved logic of a Medium BIOC Improved logic of 2 Medium Analytics Alerts: Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) - improved logic of a Medium Analytics Alerts DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - improved logic of a Medium Analytics Alerts Improved logic of 2 Low Analytics BIOCs: Uncommon local scheduled task creation via schtasks.exe (8581c273-e953-11e9-b670-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs Recurring Rare IP Access (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of a Low Analytics BIOCs Improved logic of 4 Low Analytics Alerts: Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - improved logic of a Low Analytics Alerts Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alerts Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts Added a new Informational BIOC: EventLog service disabled by a Registry operation (b7c919b6-b653-49c6-bd20-2441160ec75e) - added a new Informational alert Improved logic of an Informational Analytics Alert: Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of an Informational Analytics Alert   December 1, 2020 Release: Improved logic of a Medium BIOC: Rundll32.exe running with no command-line arguments (0c0a801a-06ff-4a10-b555-67e56ecbd410) - improved logic of a Medium BIOC Improved logic of 2 Medium Analytics BIOCs: SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Improved logic of a Low Analytics BIOC: Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - improved logic of a Low Analytics BIOC November 22, 2020 Release: Improved logic of 3 Low Analytics MultiEvents: High Connection Rate (bce7d695-69c6-4a03-a728-0254fd22c116) - improved logic of a Low Analytics MultiEvents Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics MultiEvents Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics MultiEvents   November 8, 2020 Release: Added a new Informational BIOC: Lsmod execution (9e13baeb-f82d-11ea-a61b-faffc26aac4a) - added a new Informational alert Improved logic of a Medium BIOC: Script file added to startup-related Registry keys (1db69ccd-b068-40b1-aeec-ce987021cdfc) - improved logic of a Medium BIOC Changed metadata of 4 High BIOCs: Memory dumping with comsvcs.dll (9873cd8b-2220-4384-a99f-712ad0ccfb45) - changed metadata of a High BIOC Possible LSASS memory dump (b744a41d-1ee9-4d09-908e-cf3fdc27fa4c) - changed metadata of a High BIOCs Pubprn.vbs signed script proxy execution (8d113cec-90be-4b24-856a-6f6c091e7510) - changed metadata of a High BIOCs Bitsadmin.exe used to upload data (6ba957eb-d63e-4cee-99aa-89e21ef3acc8) - changed metadata of a High BIOCs Changed metadata of 10 Medium BIOCs: Bypass UAC using the control.exe Registry key (263c2cfb-e511-446e-8263-14d0a985b445) - changed metadata of a Medium BIOCs WSReset.exe UAC bypass (c07d1939-f759-4b5e-905a-fdd777ac3fda) - changed metadata of a Medium BIOCs Manipulation of the MonitorProcess Registry key (36a92409-c69e-45fa-a206-5c6058d3d48a) - changed metadata of a Medium BIOCs Possible UAC bypass via Event Viewer (55644e90-38b9-4233-aa11-eefe85561184) - changed metadata of a Medium BIOCs Binary file being created to disk with a double extension (3a461861-7d8b-4a7c-8265-cb05f4fa0dd8) - changed metadata of a Medium BIOCs Credential dumping via pwdumpx.exe (8e3f6394-1633-47c9-8ca8-63b5c0187983) - changed metadata of a Medium BIOCs UAC bypass using the changepk.exe Registry key (8abd3382-cf28-4906-b379-a3976dc0cd21) - changed metadata of a Medium BIOCs Procdump executed from an atypical directory (e8338494-20af-11ea-bbde-8c8590c9ccd1) - changed metadata of a Medium BIOCs Fodhelper.exe UAC bypass (448f8a2e-eaf9-4ff7-ab84-5a582e837dfc) - changed metadata of a Medium BIOCs Suspicious process spawns MSBuild.exe (681dab98-d443-4327-9fd3-5f5bd33a3adb) - changed metadata of a Medium BIOCs Changed metadata of 6 Low BIOCs: Manipulation of MMC Registry configuration (6b29c2d9-4675-426c-b5f2-67f93c5c0ac4) - changed metadata of a Low BIOCs Windows Firewall disabled via Registry (31796d2e-08a9-4047-8f37-3a0c2aad8f67) - changed metadata of a Low BIOCs Windows Firewall notifications disabled via Registry (31796d2e-08a9-4047-8f37-3a0c2aa11702) - changed metadata of a Low BIOCs Persistence using cron jobs (3a73f6c2-ce9a-4eca-a4b5-a62a8e548319) - changed metadata of a Low BIOCs Bash creating network traffic (8bbc8c26-45dd-436c-9d89-98f76164daee) - changed metadata of a Low BIOCs Remote process execution using WMI (5bab2bb9-882a-4101-ace1-700f84171a52) - changed metadata of a Low BIOCs Changed metadata of 26 Informational BIOCs: Editing ld.so.preload for persistence and injection (9cb193d8-4f01-4c57-b21d-c3211e32fe5e) - changed metadata of an Informational BIOCs Bypass UAC using the IsolatedCommand Registry value (888395ea-2630-404e-a30c-c1ae4e352631) - changed metadata of an Informational BIOCs Autorun.inf created in root C:\ drive (43fea42c-fbca-4e68-8f4b-7956f4397671) - changed metadata of an Informational BIOCs Enumeration of services via WMIC (3654c173-14e9-11ea-8723-88e9fe502c1f) - changed metadata of an Informational BIOCs Modification of SSH authorized keys (7f5acbc4-8574-4cd6-aeb5-411c21e38a41) - changed metadata of an Informational BIOCs Manipulation of service imagepath configuration (73001df6-ff14-44d5-a2ed-08804880b46c) - changed metadata of an Informational BIOCs Accessibility tool 'Debugger' Registry key created (47b4051d-2e74-46a5-ad41-35302a8fdef7) - changed metadata of an Informational BIOCs Unusual process spawned by changepk.exe (b81c79bc-3781-4657-af0d-4bc49856332b) - changed metadata of an Informational BIOCs Sudoers discovery (2ed43b35-f9ca-4df4-a796-c5e88da0ed3a) - changed metadata of an Informational BIOCs Bypassing Windows UAC using sysprep (dbefa4ae-3797-11ea-a926-f218983c2a51) - changed metadata of an Informational BIOCs User added to local administrator group using net.exe command (8cb7771f-5f9e-4450-9a8a-fb5d6083fd05) - changed metadata of an Informational BIOCs Tampering with the Windows User Account Controls (UAC) configuration (8efda7b1-30fe-49c7-b2b9-9c17f43bc951) - changed metadata of an Informational BIOCs PsExec attempts to execute a command on a remote host (5863cb1a-598f-49b1-b4a9-a444f70e596e) - changed metadata of an Informational BIOCs Manipulation of Winlogon 'Notify' autostart Registry key (27dbcdd3-08d3-4859-ae8e-e6caef1f17ab) - changed metadata of an Informational BIOCs WMIC enumerates running processes (8b916e98-5122-4a50-a8cc-b0207d5f5c28) - changed metadata of an Informational BIOCs Suspicious .NET process loads an MSBuild DLL (5ed99c87-daf2-11ea-93df-faffc26aac4a) - changed metadata of an Informational BIOCs Scripting engine called to run in the command line (7e274c6d-e617-4b92-b13f-f27b882932eb) - changed metadata of an Informational BIOCs Manipulation of permissions for the Application Event Log (6a8acb51-2331-4384-a247-a27cc9f12c84) - changed metadata of an Informational BIOCs MSBuild execution (7f046414-e0c3-11ea-9d8b-faffc26aac4a) - changed metadata of an Informational BIOCs Interactive at.exe privilege escalation method (0b41de4f-7d6e-4969-8636-56a98e2b6533) - changed metadata of an Informational BIOCs MacOS firewall manipulation (d445a34f-07c3-11eb-82a7-faffc26aac4a) - changed metadata of an Informational BIOCs Suspicious DLL load using Control.exe (68db2d19-082e-4703-8008-b5938298a910) - changed metadata of an Informational BIOCs PowerShell runs base64-encoded commands (50e811bd-49bc-47cb-bffc-4daf4c844d26) - changed metadata of an Informational BIOCs Windows Firewall policy edited via Registry (31796d2e-08a9-4047-8f37-3a0c2aa11703) - changed metadata of an Informational BIOCs Tampering with Windows Control Panel configuration (2ba4c53b-03de-4a34-92ec-225cfe1fe0b4) - changed metadata of an Informational BIOCs Collect Linux network configuration via bash (7b65214c-ed03-11ea-bd53-faffc26aac4a) - changed metadata of an Informational BIOCs Removed an old Low BIOC: Discovery of host users via WMIC (6593c57d-14fe-11ea-9297-88e9fe502c1f) - removed an old Low alert September 14, 2020 Release: Increased the severity to medium for a BIOC rule: Rundll32.exe launches an executable using ordinal numbers argument (421619b8-a26b-476a-b2e4-3c24ee33a4b0) - increased the severity to medium, and improved detection logic Added 5 new informational BIOC rules: Permissive file privileges were granted (1fc409f0-ec4e-11ea-829b-faffc26aac4a) - added a new informational alert Modifying ELF file capabilities via setcap (55ed9751-ec6d-11ea-a1c2-faffc26aac4a) - added a new informational alert Space after filename creation (5a1902e6-ec6b-11ea-843f-faffc26aac4a) - added a new informational alert Collect Linux network configuration via bash (7b65214c-ed03-11ea-bd53-faffc26aac4a) - added a new informational alert Write to /etc/hosts file (7cf74026-ec6a-11ea-9593-faffc26aac4a) - added a new informational alert   August 30, 2020 Release: Improved detection logic for a medium-severity BIOC rule: Windows certificate management tool makes a network connection (0179177f-e5ec-4101-a238-c0372b239afb) - improved detection logic Possible network connection to a TOR relay server (996c74f1-f154-466a-8f93-154a43c6fb90) - improved detection logic Improved detection logic for a low-severity BIOC rule: MSBuild.exe makes a network connection (bb459bb4-e864-4008-a12a-10ed4df3d753) - improved detection logic   August 23, 2020 Release: Improved detection logic for a medium-severity BIOC rule: Script file added to startup-related Registry keys (1db69ccd-b068-40b1-aeec-ce987021cdfc) - changed metadata, and improved detection logic Improved detection logic for a low-severity BIOC rule: Image File Execution Options Registry key injection by unsigned process (98430360-5b37-465e-acd6-bafa9325110c) - changed metadata, and improved detection logic Added 12 new informational BIOC rules: Rundll32.exe spawns conhost.exe (9606ea78-dbef-11ea-b978-faffc26aac4a) - added a new informational alert Certutil execution (ffe4d5cc-e0c2-11ea-84ba-faffc26aac4a) - added a new informational alert Non-PowerShell process accessed the PowerShell history file (5ea6cb9c-dfc3-11ea-94f1-faffc26aac4a) - added a new informational alert Suspicious executable created in .NET directory (5bc9ba00-d590-11ea-ba6f-faffc26aac4a) - added a new informational alert Shim database registration via Registry (746eabe1-e0c3-11ea-88e5-faffc26aac4a) - added a new informational alert MSBuild execution (7f046414-e0c3-11ea-9d8b-faffc26aac4a) - added a new informational alert Wscript.exe execution (5b9151cc-e0c3-11ea-8c4b-faffc26aac4a) - added a new informational alert LOLBIN created a PowerShell script file (5cbee940-dfad-11ea-b820-faffc26aac4a) - added a new informational alert Suspicious .NET process loads an MSBuild DLL (5ed99c87-daf2-11ea-93df-faffc26aac4a) - added a new informational alert Shim database file access (69db2597-e0c3-11ea-b0e2-faffc26aac4a) - added a new informational alert Rundll32.exe with 'main' as EntryPoint (7f5b7042-dca4-11ea-81aa-faffc26aac4a) - added a new informational alert Suspicious lock screen image file written to disk (7b6d6987-2aa8-4b85-a9d4-d7708a7d15da) - added a new informational alert Decreased the severity to informational for 2 BIOC rules: Possible network service discovery via command-line tool (d2f959f3-d463-4d73-92bf-4c3664a5d956) - decreased the severity to informational PsExec execution EulaAccepted flag added to the Registry (076f18f5-7b94-45ec-b880-bf3827ae53de) - changed metadata, decreased the severity to informational, and improved detection logic   August 16, 2020 Release: Improved detection logic for a medium-severity BIOC rule: Tampering with Internet Explorer Protected Mode configuration (2875c302-c815-468d-ac43-a56bba89bfe2) - improved detection logic, and changed metadata Added a new informational BIOC rule: Suspicious .NET process spawns csc.exe (993f8e66-d59d-11ea-a6c7-faffc26aac4a) - added a new informational alert   August 09, 2020 Release: Improved detection logic for a medium-severity BIOC rule: Executable created to disk by lsass.exe (8d61c71e-3224-453f-aa1a-28de92d85b13) - improved detection logic   August 02, 2020 Release: Increased the severity to high for a BIOC rule: Encoded VBScript executed (b38b98bc-e2d4-4719-b863-d9142bf8d647) - changed metadata, and increased the severity to high Increased the severity to medium for 2 BIOC rules:  Office process creates a scheduled task via file access (b97e91dc-7ca9-4e77-a595-e214eb462f27) - increased the severity to medium, and improved detection logic Manipulation of the MonitorProcess Registry key (36a92409-c69e-45fa-a206-5c6058d3d48a) - changed metadata, increased the severity to medium, and improved detection logic Increased the severity to low for 3 BIOC rules: MSBuild.exe makes a network connection (bb459bb4-e864-4008-a12a-10ed4df3d753) - changed metadata, increased the severity to low, and improved detection logic Built-in SoundRecorder tool capturing audio (d9d22a46-efbf-4d97-9e2b-625e1d6fcc91) - increased the severity to low, and improved detection logic Permission groups discovery via ldapsearch (c72123f7-2612-4797-a919-3ab9511fd5e6) - changed metadata, increased the severity to low, and improved detection logic Added 2 new informational BIOC rules: Suspicious printer port creation via Registry (20acf754-7deb-4732-b6f6-56bc88b618db) - added a new informational alert Suspicious printer driver installation (f21127cf-cf34-11ea-b1bd-acde48001122) - added a new informational alert   July 26, 2020 Release: Increased the severity to high for 3 BIOC rules: Memory dumping with comsvcs.dll (9873cd8b-2220-4384-a99f-712ad0ccfb45) - increased the severity to high, and changed metadata  Possible LSASS memory dump (b744a41d-1ee9-4d09-908e-cf3fdc27fa4c) - increased the severity to high, and improved detection logic Regsvr32 may have run code from an untrusted source (41fe171e-5b79-4b15-a3c1-18f015dddd38) - increased the severity to high, changed metadata, and improved detection logic Increased the severity to medium for 6 BIOC rules: Windows event logs cleared using wmic.exe (7316c8d9-07d8-40aa-b074-b452bc3d355c) - increased the severity to medium, and changed metadata Suspicious execution of ODBCConf (f35fb52f-f2a8-4568-b2f4-660910109efb) - increased the severity to medium Suspicious certutil command line (bcf4cd6b-1e7f-4b2c-b538-24dacd1a0421) - increased the severity to medium Suspicious SearchProtocolHost.exe parent process (6e717721-732f-44e3-b826-602ae8bb6b67) - increased the severity to medium, changed metadata, and improved detection logic  UAC bypass using the changepk.exe Registry key (8abd3382-cf28-4906-b379-a3976dc0cd21) - increased the severity to medium, and changed metadata MSI accessed a web page running a server-side script (d24d3083-703e-4216-b248-eb6fa7cefc85) - increased the severity to medium, and improved detection logic Increased the severity to low for 2 BIOC rules: Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - increased the severity to low, and improved detection logic Discovery of host users via WMIC (6593c57d-14fe-11ea-9297-88e9fe502c1f) - increased the severity to low, changed metadata, and improved detection logic Decreased the severity to informational for a BIOC rule: Reading .ssh files (cb05480f-17d8-4138-9905-f0f9fb50b671) - decreased the severity to informational Added 2 new informational BIOC rules: Suspicious process loads AMSI DLL (d0ce0ecf-50f0-4dff-83f0-8bdc6b5d8dbd) - added a new informational alert Suspicious AMSI DLL load location (f332b6ef-ac49-484c-9258-d6396650912a) - added a new informational alert Improved detection logic for an informational BIOC rule: Windows PowerShell Logging being disabled via Registry (a649172a-7c6a-4a14-8022-b8d53f9d9ad6) - changed metadata, and improved detection logic Modification of the Winlogon\Shell Registry key (0d390f7f-d8bb-4803-8b1d-ca41d54ad600) - changed metadata, and improved detection logic Removed a BIOC rule: Manipulation of Winlogon 'Shell' autostart Registry key (f111b9b1-f9f6-464f-91a0-52abd2c5f797) - removed July 19, 2020 Release: Increased the severity to high for a BIOC rule: Microsoft Office process spawns conhost.exe (1dd1585b-632f-48f0-8eea-637a9e5e4fc7) - increased the severity to high Increased the severity to medium for 5 BIOC rules: Suspicious .NET log file created (dd318916-3d0a-4801-aa0b-78f9b94d0323) - changed metadata, increased the severity to medium, and improved detection logic Office process spawned with suspicious command-line arguments (29f7499b-2464-479d-9e49-10911bc02945) - increased the severity to medium, and improved detection logic Microsoft Office injects code into a process (17b8c759-512d-4c13-9fe4-71dcdeb97c29) - changed metadata, increased the severity to medium, and improved detection logic Microsoft Office adds a value to autostart Registry key (db0da9c7-b7b6-43ab-a53b-5854b6da9ce5) - changed metadata, increased the severity to medium, and improved detection logic Conhost.exe spawned a suspicious child process (d9d0dfed-fdc3-4488-9e1b-5ca3eea82bee) - changed metadata, increased the severity to medium, and improved detection logic Increased the severity to low for a BIOC rule: Microsoft Office executes an unsigned process in a suspicious directory (e1befc42-a6f8-403f-94db-2bb4d0e70439) - changed metadata, increased the severity to low, and improved detection logic Added 4 new informational BIOC rules: Connection to a TOR anonymization proxy (a009535f-54b4-4d38-9ee7-5ea0f7431c4e) - added a new informational alert Enumeration of Windows services from public IP addresses (e98b5d62-69cf-4c62-b3de-7636f669fd3d) - added a new informational alert Unsigned process loads a known PowerShell DLL (447fc1fe-4ff7-4668-a6c0-4ff929469234) - added a new informational alert Office process loads a known PowerShell DLL (a088c900-5a69-4230-81c2-eb583abaa54a) - added a new informational alert   July 12, 2020 Release: Increased the severity to medium for a BIOC rule: Suspicious process spawns MSBuild.exe (681dab98-d443-4327-9fd3-5f5bd33a3adb) - changed metadata, and increased the severity to medium Added 5 new informational BIOC rules: LOLBAS access to database service (c115727b-a1c7-4909-88d0-e6ae866a0e7a) - added a new informational alert Suspicious setspn.exe execution (09939895-1ee6-468c-9588-61a3e2d57124) - added a new informational alert WebDAV connection to internet (e29a5545-68c2-4019-b72c-0b54345f0914) - added a new informational alert BitTorrent P2P file sharing (e0879f94-a9c9-42b0-9eb7-0aa038f89dac) - added a new informational alert Autorun.inf created in root C:\ drive (43fea42c-fbca-4e68-8f4b-7956f4397671) - added a new informational alert Improved detection logic for 2 informational BIOC rules: Suspicious runonce.exe parent process (029129fa-20ad-11ea-b86e-8c8590c9ccd1) - improved detection logic Manipulation of 'BootExecute' Registry run key (68136813-901d-411a-b2e8-48bcf22af1ec) - changed metadata, and improved detection logic Changed metadata for 8 BIOC rules: Command-line creation of TCP stream (cb05480f-17d8-4138-9902-f0f9fb50b673) - changed metadata Netcat shell via named pipe (cb05480f-17d8-4138-9902-f0f9fb50b674) - changed metadata Cscript.exe connects to an external network (9410a485-491b-42e4-af6c-de4a76e12f0c) - changed metadata Wscript.exe connects to an external network (deef10e3-42b1-45fa-a957-9713755fa514) - changed metadata Unsigned process executed as a scheduled task (12766be6-50be-4cac-b6a4-6f3b5b8bd8ab) - changed metadata New service created via command line (cd9af829-d0ed-4c7f-b8da-6d6d23824562) - changed metadata Commonly-abused host process tried to kill a running process (393c5b71-2b2f-4290-be33-752015973161) - changed metadata Tampering with the Windows System Restore configuration (710b1aaa-cfdf-42b5-9615-447cedc5e5f0) - changed metadata June 21, 2020 Release: Increased the severity to medium for a BIOC rule: Possible UAC bypass via Event Viewer (55644e90-38b9-4233-aa11-eefe85561184) - increased the severity to medium, improved detection logic, and changed metadata Improved detection logic for a low-severity BIOC rule: Reading .ssh files (cb05480f-17d8-4138-9905-f0f9fb50b671) - improved detection logic, and changed metadata Added 6 new informational BIOC rules: Manipulation of the 'SilentProcessExit' Registry key (36a92409-c69e-45fa-a206-5c6058d3d48a) - added a new informational alert Creation of a new Microsoft Office default template (3272b10a-d3f1-4bef-82c6-4502eab0eaef) - added a new informational alert Office process creates a scheduled task via file access (b97e91dc-7ca9-4e77-a595-e214eb462f27) - added a new informational alert WptsExtensions.dll created to disk (4cde444e-aa7f-4f1a-8c75-855c3c9e50e9) - added a new informational alert Office process spawned with suspicious command-line arguments (29f7499b-2464-479d-9e49-10911bc02945) - added a new informational alert Windows Security audit Log was cleared (afc6329f-ccec-4c56-963d-5da63bb8a27d) - added a new informational alert Improved detection logic for an informational BIOC rule: Encrypted zip archive creation (88836a02-95e6-47d1-a619-90a2de0165ff) - improved detection logic, and changed metadata Unsigned process creates a scheduled task via file access (116a3cfb-2fd3-4d99-800b-e93fe158b211) - improved detection logic, and changed metadata   June 7, 2020 Release: Added 17 new informational BIOC rules: Microsoft Office process spawns conhost.exe (1dd1585b-632f-48f0-8eea-637a9e5e4fc7) - added a new informational alert Possible C2 via dnscat2 (f9127d2b-3bf1-4d30-9258-d4d4aa0ebbb0) - added a new informational alert Possible user enumeration via finger (84b6d1e8-812a-4ac7-a977-b88f26d32342) - added a new informational alert Conhost.exe spawned a suspicious child process (d9d0dfed-fdc3-4488-9e1b-5ca3eea82bee) - added a new informational alert Possible Oracle enumeration via tnscmd10g (2cb88b29-27c2-484b-be99-60158b575cf1) - added a new informational alert Execution of Fsociety tool pack (9a5b28a6-0a67-4386-9707-e7e4f1791c8a) - added a new informational alert Suspicious execution of ODBCConf (f35fb52f-f2a8-4568-b2f4-660910109efb) - added a new informational alert UDP protocol scanner execution (d985da58-a4c5-4063-984b-357c80021aa1) - added a new informational alert SMB enumeration via command-line tool (a8480241-6aa6-43d1-aae2-a53b22220b1d) - added a new informational alert Execution of a password brute-force tool (5271e598-1eca-4abb-8f96-803e7674ff61) - added a new informational alert DNS reconnaissance or enumeration via DNSRecon (58ee2732-5c4e-468c-a878-4a524d8d5f81) - added a new informational alert Credential dumping via LaZagne (928b756c-8328-4dd8-9b41-5461d590589f) - added a new informational alert Rundll32 loads a known abused DLL (340fd5f7-7a5c-4c6e-8b54-9bfce08bd2a3) - added a new informational alert Unusual process spawned by changepk.exe (b81c79bc-3781-4657-af0d-4bc49856332b) - added a new informational alert Permission groups discovery via ldapsearch (c72123f7-2612-4797-a919-3ab9511fd5e6) - added a new informational alert Possible Oracle enumeration via Oscanner (81714e7d-a315-11ea-baaf-acde48001122) - added a new informational alert Possible ARP reconnaissance via netdiscover (304eb4e4-1052-416e-8a13-1222a61bc672) - added a new informational alert Improved detection logic for 2 high-severity BIOC rules: Netcat makes or gets connections (44bf3d02-3081-4222-814f-6d47958c502a) - improved detection logic Wbadmin.exe deletes recovery files in quiet mode (24be0d84-2203-4d60-a1f0-39e4f80eee3a) - improved detection logic, and changed metadata Improved detection logic for 4 medium-severity BIOC rules: Executable created to disk by lsass.exe (8d61c71e-3224-453f-aa1a-28de92d85b13) - improved detection logic, and changed metadata Regsvr32 possibly downloading code from a remote host (a5ee0040-949c-4a4f-a5b8-dd5c079f9ba0) - improved detection logic Windows certificate management tool makes a network connection (0179177f-e5ec-4101-a238-c0372b239afb) - improved detection logic Compiled HTML (help file) writes a script file to disk (122e2d05-593a-4739-b498-6c5252c0dc00) - improved detection logic, and changed metadata Improved detection logic for a low-severity BIOC rule: Notepad process makes a network connection (558de43f-e8ff-4222-bb82-4419868088cd) - improved detection logic, and changed metadata Improved detection logic for 9 informational BIOC rules: Commonly abused process launches as a system service (3a426a71-9c12-4146-a916-c2db387280ed) - improved detection logic, and changed metadata Unsigned process makes connections over DNS ports (99470a0e-c311-42a1-872f-74fde3326794) - improved detection logic, and changed metadata Compiled HTML (help file) makes network connections (858a4ed7-36c4-4c43-9bff-d142f300035d) - improved detection logic, and changed metadata Scripting engine makes connections over DNS ports (b3779123-e79d-43b5-b1f5-2fb41093afef) - improved detection logic, and changed metadata Dllhost.exe makes network connections (d4b8bd1d-f1fb-4fde-9547-33494049c44a) - improved detection logic, and changed metadata Suspicious runonce.exe parent process (029129fa-20ad-11ea-b86e-8c8590c9ccd1) - improved detection logic, and changed metadata Unsigned process executed as a scheduled task (12766be6-50be-4cac-b6a4-6f3b5b8bd8ab) - improved detection logic, and changed metadata Outlook data files accessed by an unsigned process (ea7088cd-90e4-4750-b65c-61743e3c4bb3) - improved detection logic Suspicious DLL load using Control.exe (68db2d19-082e-4703-8008-b5938298a910) - improved detection logic, and changed metadata   May 31, 2020 Release Improved detection logic for a high-severity BIOC rule: Suspicious access to NTDS.dit (eeeee3a5-a22f-4850-8022-17684a8c5227) - improved detection logic May 24, 2020 Release Improved detection logic for 3 medium-severity BIOC rules: Process runs with a double extension (f8890ac0-dc0b-4bd2-915f-932145147d73) - improved detection logic, and changed metadata Rundll32.exe running with no command-line arguments (0c0a801a-06ff-4a10-b555-67e56ecbd410) - improved detection logic, and changed metadata LOLBAS executable injects into another process (c8ad0223-2018-11ea-a080-8c8590c9ccd1) - improved detection logic Added 5 new informational BIOC rules: Fontdrvhost.exe makes network connections (7d43a35a-d5f1-4d00-b755-3e62db2e70db) - added a new informational alert Unusual process spawned by fontdrvhost.exe (3e6054cf-8ba3-4550-ba4f-9308a537342f) - added a new informational alert Rundll32.exe launches an executable using ordinal numbers argument (421619b8-a26b-476a-b2e4-3c24ee33a4b0) - added a new informational alert Suspicious debug file created in a temporary folder (887e00c4-ec12-4490-b9bc-0db49a010fba) - added a new informational alert Bypass UAC using the changepk.exe Registry key (8abd3382-cf28-4906-b379-a3976dc0cd21) - added a new informational alert Changed metadata for a BIOC rule: Psexesvc.exe executes a command from a remote host (ced869bc-88ee-4c67-a6d9-92002800403a) - changed metadata    May 17, 2020 Release Increased the severity to medium for 2 BIOC rules: WSReset.exe UAC bypass (c07d1939-f759-4b5e-905a-fdd777ac3fda) - increased the severity to medium Rundll32.exe used to run JavaScript (b6315a3-e1cd-4bfb-baa7-5609cd7f8756) - increased the severity to medium Improved detection logic for a medium-severity BIOC rule: Image File Execution Options Registry key injection by scripting engine (f8ea70da-4bbd-44a7-9b32-0abc809dd2be) - improved detection logic Scripting engine injects code to a process (1f985402-f4a4-4132-b74b-18a04a3620cd) - improved detection logic Manipulation of Google Chrome extensions via Registry (5adc7a1b-c840-43fc-ac65-c1b6cdb5ca12) - improved detection logic Executable moved to Windows system folder (045190df-f5ab-491a-b214-199dc17f9e3b) - improved detection logic Manipulation of Firefox plugins and extensions via Registry (98a1a1e1-5b03-4aa4-95ce-77ef7a52e600) - improved detection logic Improved detection logic for a low-severity BIOC rule: Image File Execution Options Registry key injection by unsigned process (98430360-5b37-465e-acd6-bafa9325110c) - improved detection logic Added 11 new informational BIOC rules: Microsoft Office injects code into a process (17b8c759-512d-4c13-9fe4-71dcdeb97c29) - added a new informational alert LOLBAS reading a Windows credential manager file (3155db03-35a0-4341-9415-1c3bff40d3e0) - added a new informational alert SmartScreen disabled via Registry (51680cd3-af12-4140-ab98-af8694e36409) - added a new informational alert Suspicious process spawns MSBuild.exe (681dab98-d443-4327-9fd3-5f5bd33a3adb) - added a new informational alert Suspicious SearchProtocolHost.exe parent process (6e717721-732f-44e3-b826-602ae8bb6b67) - added a new informational alert Encoded script running (b38b98bc-e2d4-4719-b863-d9142bf8d647) - added a new informational alert MSBuild.exe makes a network connection (bb459bb4-e864-4008-a12a-10ed4df3d753) - added a new informational alert Suspicious certutil command line (bcf4cd6b-1e7f-4b2c-b538-24dacd1a0421) - added a new informational alert Microsoft Office adds a value to autostart Registry key (db0da9c7-b7b6-43ab-a53b-5854b6da9ce5) - added a new informational alert Suspicious .NET log file created (dd318916-3d0a-4801-aa0b-78f9b94d0323) - added a new informational alert Microsoft Office executes an unsigned process under a suspicious directory (e1befc42-a6f8-403f-94db-2bb4d0e70439) - added a new informational alert Improved detection logic for an informational BIOC rule: Unsigned process reads Chromium credentials file (da3cedf6-9fd3-4e00-b2ca-9cedbd8b098a) - improved detection logic, and changed metadata Outlook creates an executable file on disk (deafab32-3050-467d-a742-92f6453a152e) - improved detection logic Tampering with Windows Security Support Provider DLLs (1396a3ad-1b0a-4ad7-861b-a6a50104952e) - improved detection logic, and changed metadata   May 10, 2020 Release  Increased the severity to medium for 2 BIOC rules:  WSReset.exe UAC bypass (c07d1939-f759-4b5e-905a-fdd777ac3fda) - increased the severity to medium Rundll32.exe used to run JavaScript (b6315a3-e1cd-4bfb-baa7-5609cd7f8756) - increased the severity to medium Added 3 new informational BIOC rules: Microsoft Office injects code into a process (17b8c759-512d-4c13-9fe4-71dcdeb97c29) - added a new informational alert Encoded script running (b38b98bc-e2d4-4719-b863-d9142bf8d647) - added a new informational alert LOLBAS reading a Windows credential manager file (3155db03-35a0-4341-9415-1c3bff40d3e0) - added a new informational alert   May 3, 2020 Release Increased the severity to high for 2 BIOC rules: Rubeus tool execution (be12107d-1056-11ea-874c-8c8590c9ccd1) - changed metadata, and increased the severity to high Pubprn.vbs signed script proxy execution (8d113cec-90be-4b24-856a-6f6c091e7510) - increased the severity to high Increased the severity to medium for 2 BIOC rules: Possible network connection to a TOR relay server (996c74f1-f154-466a-8f93-154a43c6fb90) - improved detection logic, and increased the severity to medium AMSI Bypass (7cdcafb1-cc36-4608-87da-eaed966d3c7e) - increased the severity to medium   April 26, 2020 Release Increased the severity to medium for 2 BIOC rules: Manipulation of Windows Safe Boot configuration (bf8923ca-bfe8-4cdd-89ac-3b2b7938976c) - increased the severity to medium, changed metadata, and improved detection logic Bypass UAC using the control.exe Registry key (263c2cfb-e511-446e-8263-14d0a985b445) - increased the severity to medium, and changed metadata Improved detection logic for a medium-severity BIOC rule: Script file added to startup-related Registry keys (1db69ccd-b068-40b1-aeec-ce987021cdfc) - improved detection logic Added 3 new informational BIOC rules: Access to Opera browser credentials file (01de8317-d3e7-4d4b-871f-e86a775a1c1e) - added a new informational alert Memory dumping with comsvcs (9873cd8b-2220-4384-a99f-712ad0ccfb45) - added a new informational alert SyncAppvPublishingServer used to run PowerShell code (a3d1fa93-c193-44d8-a469-a25dd1db7695) - added a new informational alert   April 19, 2020 Release Added 3 new informational BIOC rules: Modification of default Windows startup path via Registry (fbacd7dc-f835-436b-9e83-9c20d74732e2) - added a new informational alert Possible Persistence via group policy Registry keys (21ff020b-270f-4579-90ca-9d14638d4c46) - added a new informational alert Password-related Mozilla files were read by a non-Mozilla process (4d52183d-193b-4cca-8e17-d4dcfb5a388c) - added a new informational alert Improved detection logic for a medium-severity BIOC rule: Windows certificate management tool makes a network connection (0179177f-e5ec-4101-a238-c0372b239afb) - improved detection logic Changed metadata for 8 BIOC rules: Executable file written to a temporary folder (73adac7b-e1c0-47d0-9767-f491e92008eb) - changed metadata Hidden directory creation (d4049817-ff73-460a-b752-21c86c6efdc8) - changed metadata Unsigned process running from a temporary directory (e9d12cc6-69a2-4cce-b58e-4db58b9176cf) - changed metadata DNS resolution to the Palo Alto Networks sinkhole (03347621-15db-11ea-8454-88e9fe502c1f) - changed metadata Cscript.exe connects to an external network (9410a485-491b-42e4-af6c-de4a76e12f0c) - changed metadata PowerShell possibly attempting to execute as administrator (765c164d-7170-4e1c-a463-a5ecf41617dd) - changed metadata Process calls ActiveX Object with a shell command (82485794-7e5b-48da-aacf-926d031b8f62) - changed metadata Process runs from the recycle bin (98134120-eed2-4252-b6d6-d130743018c6) - changed metadata   April 12, 2020 Release Increased the severity to medium for a BIOC rule: Script file added to startup-related Registry keys (1db69ccd-b068-40b1-aeec-ce987021cdfc) - improved detection logic, increased the severity to medium, and changed metadata Changed metadata for 5 BIOC rules: Manipulation of Windows Safe Boot configuration (bf8923ca-bfe8-4cdd-89ac-3b2b7938976c) - changed metadata Shutdown command issued (6c60836a-382a-460e-9208-4b59f4fc68a9) - changed metadata Manipulation of permissions for the Application Event Log (6a8acb51-2331-4384-a247-a27cc9f12c84) - changed metadata Manipulation of Volume Shadow Copy configuration (ceaedeba-68c1-4c99-87b2-98872b4aeca3) - changed metadata Tampering with the Windows System Restore configuration (710b1aaa-cfdf-42b5-9615-447cedc5e5f0) - changed metadata   April 6, 2020 Release Increased the severity to high for a BIOC rule: Suspicious access to NTDS.dit (eeeee3a5-a22f-4850-8022-17684a8c5227) - improved detection logic, increased the severity to high, and changed metadata Increased the severity to low for a BIOC rule: Manipulation of Windows DNS configuration using WMIC (ff9612ae-22ca-4ac2-bd3b-6bf1244dad8a) - improved detection logic, increased the severity to low, and changed metadata Added 3 new informational BIOC rules: Disabling Windows Defender via Registry (d18483d3-1e7c-48cc-b1d9-6e1ab8592667) - added a new informational alert WMI access to shadow copy interface (b6cd123b-e5a0-4aa3-ac43-3398d6a93ca7) - added a new informational alert Pubprn.vbs signed script proxy execution (8d113cec-90be-4b24-856a-6f6c091e7510) - added a new informational alert Decreased the severity to informational for a BIOC rule: Modification of password filter DLL(s) Registry key (ea98601c-e552-4b9b-8164-f085a38d383d) - decreased the severity to informational Removed 2 BIOC rule: PowerShell enumerates running processes (932681e4-919a-4151-921f-adcb1088bb86) - removed Possible RDP session hijacking using tscon.exe (32c6e7f9-ccd0-48a4-8bc9-3e460653cb75) - removed Changed metadata for 118 BIOC rules   March 30, 2020 Release Increased the severity to high for 2 BIOC rules: Mimikatz command-line arguments (94fed992-c1da-4b69-9caa-292221b8c070) - improved detection logic, changed metadata, and increased the severity to high Netcat makes or gets connections (44bf3d02-3081-4222-814f-6d47958c502a) - improved detection logic, changed metadata, and increased the severity to high Increased the severity to medium for 5 BIOC rules: Windows certificate management tool makes a network connection (0179177f-e5ec-4101-a238-c0372b239afb) - improved detection logic, changed metadata, and increased the severity to medium Non-browser access to a pastebin-like site (6b394799-0a16-4d03-b8b4-e9a062965ad7) - improved detection logic, changed metadata, and increased the severity to medium Fodhelper.exe UAC bypass (448f8a2e-eaf9-4ff7-ab84-5a582e837dfc) - improved detection logic, and increased the severity to medium LSASS dump file written to disk (90226942-3721-4df4-9b26-577ed1e9c34d) - improved detection logic, and increased the severity to medium Network sniffing via command-line tool (4b25dcce-0ac3-4cb2-8c97-939a1077af84) - improved detection logic, and increased the severity to medium Increased the severity to low for 6 BIOC rules: Windows Firewall notifications disabled via Registry (31796d2e-08a9-4047-8f37-3a0c2aa11702) - improved detection logic, changed metadata, and increased the severity to low Base64 encoding used (e8ffb33b-f1a8-4687-9ad7-cd2654d73b4f) - improved detection logic, changed metadata, and increased the severity to low Kernel modules loaded via command-line tool (49dbb669-e1f4-4ca7-a7e4-36478b780e74) - improved detection logic, and increased the severity to low Possible network service discovery via command-line tool (d2f959f3-d463-4d73-92bf-4c3664a5d956) - improved detection logic, and increased the severity to low Executable copied to remote host via admin share (63181adb-96a2-441b-8367-6a1e91ef1e02) - improved detection logic, changed metadata, and increased the severity to low Bash creating network traffic (8bbc8c26-45dd-436c-9d89-98f76164daee) - improved detection logic, and increased the severity to low Added 4 new informational BIOC rules: Direct scheduled task creation via file access (116a3cfb-2fd3-4d99-800b-e93fe158b211) - added a new informational alert Disable outlook security via Registry (a6311886-ab62-4df9-862f-b999a0c3a995) - added a new informational alert Ping to a known external IP address (61079392-db2f-4b7a-b7f8-b87562137f73) - added a new informational alert File renamed to have a script extension (51bd180f-ae84-450d-b0a6-b1a67300ef4d) - added a new informational alert Removed a BIOC rule: Common Google process name missing Google digital signature (417426e1-363c-4dbc-928d-ff7cd5f114d0) - removed Changed the metadata for 115 BIOC rules   March 24, 2020 Release Decreased the severity to informational for a BIOC rule: Injection into rundll32.exe (0c0a80af-06ff-4a10-b555-67e56ecbd410) - improved detection logic, and decreased the severity to informational   March 23, 2020 Release Increased the severity to low for a BIOC rule: Persistence using cron jobs (3a73f6c2-ce9a-4eca-a4b5-a62a8e548319) - increased the severity to low, and improved detection logic Improved detection logic for a high-severity BIOC rule: Windows Event Log cleared using wevtutil.exe (938176d0-d14a-49a0-9159-6081627eba03) - changed metadata, and improved detection logic Improved detection logic for a medium-severity BIOC rule: Injection into rundll32.exe (0c0a80af-06ff-4a10-b555-67e56ecbd410) - changed metadata, and improved detection logic Improved detection logic for an informational BIOC rule: Manipulation of permissions for the Application Event Log (6a8acb51-2331-4384-a247-a27cc9f12c84) - changed metadata, and improved detection logic Added 7 new informational BIOC rules: Interactive at.exe privilege escalation method (0b41de4f-7d6e-4969-8636-56a98e2b6533) - added a new informational alert Suspicious file created in AppData directory (b2ad90f1-11ac-4a98-9c85-0526953f2879) - added a new informational alert Root certificate installed (c7f92662-5a28-48da-845a-34a7876c3eb3) - added a new informational alert Injection into ping.exe (cc960d74-2582-42cd-aaa7-6ef1282e5029) - added a new informational alert MSI accessed a web page running a server-side script (d24d3083-703e-4216-b248-eb6fa7cefc85) - added a new informational alert Persistence via Registry screensaver key change (dac7763e-7a68-43b0-98eb-e79e7f80db76) - added a new informational alert Root certificate installed (e48ab0ac-e71b-40b1-8035-cc5033b7dd87) - added a new informational alert Changed metadata for 43 BIOC rules: New certificate added to the trusted root store (01c10219-918d-4c45-bd0d-daf63ef6903c) - changed metadata Commonly-abused AutoIT script connects to a remote host (429e8b36-070c-44ae-ae6d-50f89d31261e) - changed metadata Executable or script created in the startup folder (5ee4f82d-6d98-4f94-a832-a62957234d69) - changed metadata Commonly-abused process executes as a scheduled task (1fe9ecf8-64e7-4547-8a67-9f188d694550) - changed metadata WMI terminated a process (5c93679e-ea6c-4b88-8ba9-24446f6665dd) - changed metadata Chrome launched in Incognito mode (5119f194-5362-4141-8212-cba47a3530b9) - changed metadata Suspicious DLL load using Control.exe (68db2d19-082e-4703-8008-b5938298a910) - changed metadata Registry change to hide known file extension (6110979a-b0ba-4384-955c-a73438ef38a9) - changed metadata PowerShell process connects to the internet (5e1b87b5-e0db-4ff9-806b-ed73a5190222) - changed metadata Accessibility tool 'Debugger' Registry key created (47b4051d-2e74-46a5-ad41-35302a8fdef7) - changed metadata Unsigned process spawned a browser (3baa64a2-09b6-4af7-9305-0a0dd2297b15) - changed metadata Enumeration of running processes via command line (621fe652-fc63-4eae-9a29-6a436b70e985) - changed metadata Executable copied to remote host via admin share (63181adb-96a2-441b-8367-6a1e91ef1e02) - changed metadata New scheduled task created (00e82bfd-a179-4293-b1e0-976ba382e136) - changed metadata Driver written to a temporary directory (5edceb49-5371-476e-94d5-442337a14cff) - changed metadata Manipulation of LSA 'Authentication Packages' Registry key (4f133949-205d-4abf-bbf6-4fc6e48bc6c4) - changed metadata Modification of the Winlogon\Shell Registry key (0d390f7f-d8bb-4803-8b1d-ca41d54ad600) - changed metadata Windows certificate management tool makes a network connection (0179177f-e5ec-4101-a238-c0372b239afb) - changed metadata Windows hosts file written to (54d01b86-4b6a-4554-81f8-214f2d7d6c32) - changed metadata Unsigned process creates an Alternate Data Stream (ADS) (51be6542-3345-464a-8c0a-11f90fb97331) - changed metadata Ping executed with loopback address (363bfa0b-95f7-43c8-a699-0670f9bbebfe) - changed metadata Wget connecting to an external network (5e1b87b5-e0db-4ff9-9901-ed73a5190322) - changed metadata Tampering with Windows Security Support Provider DLLs  (1396a3ad-1b0a-4ad7-861b-a6a50104952e) - changed metadata PowerShell running with download in the command line (59de217d-211f-468b-a2a8-60324a305513) - changed metadata Excel Web Query file created on disk (5f29933c-46ae-45f4-b5ce-fc59f12240bf) - changed metadata Manipulation of 'BootExecute' Registry run key (68136813-901d-411a-b2e8-48bcf22af1ec) - changed metadata Unsigned process executes as a scheduled task (12766be6-50be-4cac-b6a4-6f3b5b8bd8ab) - changed metadata Enumeration using net.exe or net1.exe (53edfa8f-b0d3-4960-9a16-98d53be6ae44) - changed metadata New environment variable set (0df2d00a-e4eb-4198-8573-962de02885ff) - changed metadata Unsigned process executing whoami (690a8894-5827-4f70-ac30-61f26feb1e34) - changed metadata PsExec attempts to execute a command on a remote host (5863cb1a-598f-49b1-b4a9-a444f70e596e) - changed metadata Windows 10 Developer Mode enabled (4e4a3361-3863-4a98-a08c-4992b43ca7e4) - changed metadata Commonly-abused process spawned by web server (0e2c294f-cd18-44bf-8d93-edf98c4a41c3) - changed metadata Modification of Windows boot configuration using bcdedit.exe (154dbe5f-ba64-4c31-899a-f64bc9983d12) - changed metadata PowerShell runs base64-encoded commands (50e811bd-49bc-47cb-bffc-4daf4c844d26) - changed metadata Changing permissions or ownership of a file or folder (0c6d31b7-78c5-4244-90ac-5fb26952d54f) - changed metadata Execution of commonly-abused AutoIT script (13b17653-c885-4d10-bce2-51a63419cf8f) - changed metadata Mshta.exe launched with suspicious arguments (0b174006-3946-43b6-af3c-ab400e6c7a87) - changed metadata Unsigned process injecting into a Windows system binary with no command line (0c0a801f-06ff-4a10-b555-67e5aecbd410) - changed metadata Scripting engine injects code to a process (1f985402-f4a4-4132-b74b-18a04a3620cd) - changed metadata PsExec execution EulaAccepted flag added to the Registry (076f18f5-7b94-45ec-b880-bf3827ae53de) - changed metadata Manipulation of Google Chrome extensions via Registry (5adc7a1b-c840-43fc-ac65-c1b6cdb5ca12) - changed metadata Indirect command execution using the Program Compatibility Assistant (18447eac-7ad6-44a8-aaf5-7e75b0151166) - changed metadata   March 15, 2020 Release Improved detection logic for a low-severity BIOC rule: Manipulation of MMC Registry configuration (6b29c2d9-4675-426c-b5f2-67f93c5c0ac4) - improved detection logic Added 10 new informational BIOC rules: System information discovery via psinfo.exe (9eafe6a7-b0fa-4f85-867f-8ef01412e124) - added a new informational alert WSReset.exe UAC bypass (c07d1939-f759-4b5e-905a-fdd777ac3fda) - added a new informational alert Usage of tracing tool (4446f8cf-6859-4af0-8da0-17f4503077d5) - added a new informational alert Modification of logon scripts via Registry (c77e2bc0-d77a-4c54-91bc-63f0415c2821) - added a new informational alert Reverse shell one-liner using a scripting engine (59be79be-d4e3-41f8-ba81-08ff8f5830f1) - added a new informational alert Office process writes an executable file to disk (235ffb55-8b93-4ff0-b5b1-f6ed864995e0) - added a new informational alert Bypass UAC using the IsolatedCommand Registry value (888395ea-2630-404e-a30c-c1ae4e352631) - added a new informational alert Suspicious usage of cytool.exe (9e389768-e7ad-428c-9e2b-916a979950ca) - added a new informational alert Bypass UAC using the control.exe Registry key (263c2cfb-e511-446e-8263-14d0a985b445) - added a new informational alert Suspicious access to /etc/shadow (e5fa37b4-939d-434e-9065-9723c06790fb) - added a new informational alert Improved detection logic for an informational BIOC rule: Sudoers discovery (2ed43b35-f9ca-4df4-a796-c5e88da0ed3a) - improved detection logic, and changed metadata   March 8, 2020 Release Increased the severity to medium for 2 BIOC rules: Unsigned process injecting into a Windows system binary with no command line (0c0a801f-06ff-4a10-b555-67e5aecbd410) - improved detection logic, increased the severity to medium, and changed metadata Possible malicious .NET compilation started by a commonly-abused process (9eb14342-4742-11ea-8105-88e9fe502c1f) - increased the severity to medium Increased the severity to low for a BIOC rule: RDP connections enabled via Registry by unsigned process (6d432610-7ee0-4857-a8f5-009dfd4bde14) - improved detection logic, increased the severity to low, and changed metadata Added 13 new informational BIOC rules: WMI execution of cmd.exe with output redirection (af8d1cd7-7e8f-4084-b698-b47ca9e2c8b2) - added a new informational alert Discovery of files with setgid or setuid bits (6e873af1-fa2b-46f2-b641-f64b55db5db2) - added a new informational alert Fodhelper.exe UAC bypass (448f8a2e-eaf9-4ff7-ab84-5a582e837dfc) - added a new informational alert Remote RDP session enumeration via query.exe (ba98e718-1bc4-427d-9ccf-44c80b40f2b7) - added a new informational alert Command-line creation of a RAR archive (0276283f-7696-45d4-82dc-a4195d9b849b) - added a new informational alert NTLM Credential dumping via RpcPing.exe (6bebf7c5-47a2-4c35-8786-6b64a27a35f5) - added a new informational alert Possible UAC bypass using Eventvwr.exe (55644e90-38b9-4233-aa11-eefe85561184) - added a new informational alert Kernel modules loaded via compiled loader and .ko file (371c8d3b-560a-456e-802d-394aea248f1d) - added a new informational alert Potential web shell installation (4cc829d5-6fba-4167-8c4c-25e538bcd993) - added a new informational alert Collecting audio via PowerShell command (b519acb0-9cda-4a5c-8b36-f8b3533f6607) - added a new informational alert Modification of SSH authorized keys (7f5acbc4-8574-4cd6-aeb5-411c21e38a41) - added a new informational alert Credential Vault command-line access (e57fdcf6-5bbf-46b7-a697-83042df49c5a) - added a new informational alert Remote RDP session enumeration via qwinsta.exe (5f017d4f-f526-46f6-9f32-a63d16639637) - added a new informational alert Improved detection logic for a medium-severity BIOC rule: Credential dumping via wce.exe (0c468243-6943-4871-be10-13fb68c0a8ef) - improved detection logic, and changed metadata Improved detection logic for a low-severity BIOC rule: Dumping Registry hives with passwords (824a3186-b262-4e01-b45c-35cca8efa233) - improved detection logic   February 23, 2020 Release Increased the severity to medium for a BIOC rule: Possible ping sweep (362649fe-9028-4166-baf8-b58c8dab8bee) - improved detection logic, and increased the severity to medium Added 2 new informational BIOC rules: PsExec runs with System privileges (b834289d-44f9-4e05-9411-4dd8dfff8959) - added a new informational alert Possible RDP session hijacking using tscon.exe (32c6e7f9-ccd0-48a4-8bc9-3e460653cb75) - added a  new informational alert   February 16, 2020 Release Increased the severity to high for a BIOC rule: Debug.bin file dropped to Temp folder (5b161cc7-20d1-11ea-bf45-8c8590c9ccd1) - increased the severity to high Increased the severity to medium for 9 BIOC rules: Mshta.exe launched with suspicious arguments (0b174006-3946-43b6-af3c-ab400e6c7a87) - improved detection logic, increased the severity to medium, and changed metadata Reading bash command history file (cb05480f-17d8-4138-9902-f0f9fb50b672) - increased the severity to medium, and changed metadata Multiple RDP sessions enabled via Registry (b1ac2867-7f82-4d99-b565-2fb5425c1bb5) - increased the severity to medium, and changed metadata Image File Execution Options Registry key injection by scripting engine (f8ea70da-4bbd-44a7-9b32-0abc809dd2be) - increased the severity to medium, and changed metadata Regsvr32 possibly downloading code from a remote host (a5ee0040-949c-4a4f-a5b8-dd5c079f9ba0) - improved detection logic, increased the severity to medium, and changed metadata Manipulation of Google Chrome extensions via Registry (5adc7a1b-c840-43fc-ac65-c1b6cdb5ca12) - improved detection logic, increased the severity to medium, and changed metadata Unsigned integer Sudo privilege escalation (1974dd9e-20c1-11ea-ab34-8c8590c9ccd1) - increased the severity to medium Indirect command execution using the Program Compatibility Assistant (18447eac-7ad6-44a8-aaf5-7e75b0151166) - improved detection logic, increased the severity to medium, and changed metadata Procdump executed from an atypical directory (e8338494-20af-11ea-bbde-8c8590c9ccd1) - improved detection logic, and increased the severity to medium Increased the severity to low for a BIOC rule: Possible data destruction via dd (c7492f51-dbb6-4973-bdd4-4b482f4c3497) - improved detection logic, and increased the severity to low Added 9 new informational BIOC rules: Execution of regsvcs/regasm with uncommon paths (a1ce5d8b-5ea0-49d2-8d91-8ae4ea752ec0) - added a new informational alert Possible malicious .NET compilation started by a commonly-abused process (9eb14342-4742-11ea-8105-88e9fe502c1f) - added  a new informational alert WerFault ReflectDebugger key set in Registry (e22a0cab-0e71-408c-bbbc-39bf225df5fc) - added a new informational alert LSASS dump file written to disk (90226942-3721-4df4-9b26-577ed1e9c34d) - added a new informational alert Possible LSASS memory dump (b744a41d-1ee9-4d09-908e-cf3fdc27fa4c) - added a new informational alert Suspicious access to NTDS.dit (eeeee3a5-a22f-4850-8022-17684a8c5227) - added a new informational alert Mimikatz command-line arguments (94fed992-c1da-4b69-9caa-292221b8c070) - added a new informational alert AMSI Bypass (7cdcafb1-cc36-4608-87da-eaed966d3c7e) - added a new informational alert VBScript execution from the command line (e71d7a58-f4c9-4582-bdb9-e86beb803d0c) - added a new informational alert
View full article
Simplify each step of building an API and streamline collaboration so you can create better APIs faster with Postman.  
View full article
Read this article, written by Cortex XDR experts, to learn how we distinguish ourselves from an SIEM solution.  
View full article
We highly advise Palo Alto Networks customers update to the latest XDR Agent and content version.
View full article
The Cortex XDR August release unifies the Analytics and Investigation and Response apps into a single Cortex XDR app, with a unified and streamlined user interface.
View full article
Here you will find Older Cortex XDR release notes from 2019. Review release notes from April 2019 to December 2019.
View full article
Hunt down and stop stealthy attacks by unifying network, endpoint, and cloud data.
View full article
Top Contributors
Top Liked Authors