Cortex XDR Articles
cancel
Showing results for 
Search instead for 
Did you mean: 
Cortex XDR Content Release Notes June 26 2022 Release: Removed an old High BIOC: Command-line creation of TCP stream (cb05480f-17d8-4138-9902-f0f9fb50b673) - removed an old High alert Improved logic of 18 High Analytics BIOCs: A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - improved logic of a High Analytics BIOCs Netcat makes or gets connections (15d32561-c499-4772-8934-883fcd1cd75f) - improved logic of a High Analytics BIOCs A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - improved logic of a High Analytics BIOCs Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOCs Possible DCShadow attempt (a320aa30-20c3-11ea-b525-8c8590c9ccd1) - improved logic of a High Analytics BIOCs Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) - improved logic of a High Analytics BIOCs Uncommon remote scheduled task creation (85516bae-e953-11e9-bbed-8c8590c9ccd1) - improved logic of a High Analytics BIOCs Unprivileged process opened a registry hive (9937ddbf-beb9-49b0-ac34-e005d53a127b) - improved logic of a High Analytics BIOCs Bronze-Bit exploit (115c6f43-ebb2-48d8-9044-9b52c0102e2f) - improved logic of a High Analytics BIOCs Suspicious usage of File Server Remote VSS Protocol (FSRVP) (9f82d067-25e8-49da-bae3-62e7f9074943) - improved logic of a High Analytics BIOCs Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin (e7deceda-807e-4e2e-993b-e577804c5d8f) - improved logic of a High Analytics BIOCs A Successful login from TOR (ec9124e2-f2c3-4141-bdfa-4c707dfae296) - improved logic of a High Analytics BIOCs Memory dumping with comsvcs.dll (4c720885-7c14-4e18-94aa-c8e5a03edac8) - improved logic of a High Analytics BIOCs PowerShell used to remove mailbox export request logs (2daec22b-6339-4217-afdc-ffaf60faa4c2) - improved logic of a High Analytics BIOCs Wbadmin deleted files in quiet mode (293c8cc3-d9c3-4293-bddc-5dbf65d979fc) - improved logic of a High Analytics BIOCs Editing ld.so.preload for persistence and injection (135b986b-033a-2cc5-8800-4da034c291fc) - improved logic of a High Analytics BIOCs Process execution with a suspicious command line indicative of the Spring4Shell exploit (0fc034a9-36ce-432f-bddb-1cfda20be004) - improved logic of a High Analytics BIOCs Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a High Analytics BIOCs Improved logic of 2 High Analytics Alerts: Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - improved logic of a High Analytics Alerts Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - improved logic of a High Analytics Alerts Added a new Medium Analytics BIOC: A TCP stream was created directly in a shell (8a7a460a-420a-a42c-d8af-af5250f280ff) - added a new Medium alert Improved logic of 85 Medium Analytics BIOCs: Windows Installer exploitation for local privilege escalation (d6aeb50b-c3f9-4eb3-9504-636eb17f3a42) - improved logic of a Medium Analytics BIOCs The CA policy EditFlags was queried (3c01fdf3-0cf3-49b6-b08f-b40df3c2e498) - improved logic of a Medium Analytics BIOCs Uncommon msiexec execution of an arbitrary file from the web (8b919310-62f6-4035-b60b-ef61372947d9) - improved logic of a Medium Analytics BIOCs Indirect command execution using the Program Compatibility Assistant (324416dd-01a2-1fa3-f3f7-5757895e9926) - improved logic of a Medium Analytics BIOCs Office process spawned with suspicious command-line arguments (b6d85e95-f65e-dbcc-9c9b-eb2f47593f8e) - improved logic of a Medium Analytics BIOCs Mailbox Client Access Setting (CAS) changed (d44c2188-9769-497d-a509-b980e9420f33) - improved logic of a Medium Analytics BIOCs Service ticket request with a spoofed sAMAccountName (633ca673-5d09-11ec-b013-faffc26aac4a) - improved logic of a Medium Analytics BIOCs Suspicious time provider registered (2055b591-73b7-4a69-8c88-a6d8649d1e7b) - improved logic of a Medium Analytics BIOCs LSASS dump file written to disk (dd78e167-1c96-de84-d476-d48cba3370cd) - improved logic of a Medium Analytics BIOCs Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - improved logic of a Medium Analytics BIOCs Possible malicious .NET compilation started by a commonly abused process (63627c16-7c3e-9538-f662-8f25568995f5) - improved logic of a Medium Analytics BIOCs Suspicious certutil command line (eb9c9e41-072d-9975-fba3-d17a1cb39b49) - improved logic of a Medium Analytics BIOCs Reverse SSH tunnel to external domain/ip (0098b910-5056-4ce9-988a-983dd0071c5a) - improved logic of a Medium Analytics BIOCs TGT request with a spoofed sAMAccountName - Network (92c20cd9-60e8-11ec-80b1-acde48001122) - improved logic of a Medium Analytics BIOCs Modification of NTLM restrictions in the Registry (bba1f627-d154-4980-f752-b17096cd73a2) - improved logic of a Medium Analytics BIOCs TGT request with a spoofed sAMAccountName - Event log (aa13b505-66e8-11ec-b385-faffc26aac4a) - improved logic of a Medium Analytics BIOCs Script file added to startup-related Registry keys (9dee6c7b-1df0-4eb2-9db2-035f70e7c9d7) - improved logic of a Medium Analytics BIOCs Suspicious hidden user created (eeb7b678-3c9b-11ec-879d-acde48001122) - improved logic of a Medium Analytics BIOCs Suspicious Process Spawned by wininit.exe (9e4ba29f-8771-4f7b-acc4-562c91740934) - improved logic of a Medium Analytics BIOCs Suspicious Encrypting File System Remote call (EFSRPC) to domain controller (82a37634-c112-4dd9-8c16-332855d96c30) - improved logic of a Medium Analytics BIOCs PowerShell runs suspicious base64-encoded commands (867fc0b0-4f9f-4d3b-b538-0b32266e2ab2) - improved logic of a Medium Analytics BIOCs Suspicious Udev driver rule execution manipulation (74805905-0d62-454d-90dc-2deeeb51e549) - improved logic of a Medium Analytics BIOCs Interactive at.exe privilege escalation method (86c25db2-acaa-6673-a7d4-20aef374f0d1) - improved logic of a Medium Analytics BIOCs Suspicious PowerSploit's recon module (PowerView) used to search for exposed hosts (dd806bdc-9025-47ff-816a-72ee47c322a3) - improved logic of a Medium Analytics BIOCs Autorun.inf created in root C drive (cee2bedd-66d1-84d6-fd43-652725459a71) - improved logic of a Medium Analytics BIOCs Bitsadmin.exe persistence using command-line callback (96e5bf6b-3ed4-42f2-b824-6cdb16a31608) - improved logic of a Medium Analytics BIOCs Suspicious disablement of the Windows Firewall (7c28b163-4d2f-463c-97ba-5b3e7f13249b) - improved logic of a Medium Analytics BIOCs Microsoft Office Process Spawning a Suspicious One-Liner (aca7aaa1-4361-11ea-8fed-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Possible Search For Password Files (388d1fcc-4d9c-11ea-9daa-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Non-browser failed access to a pastebin-like site (be47eb8c-3407-46d6-ad35-2961f3f669b0) - improved logic of a Medium Analytics BIOCs MSI accessed a web page running a server-side script (afb57884-36f1-4127-b1ac-43009c32899b) - improved logic of a Medium Analytics BIOCs Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - improved logic of a Medium Analytics BIOCs Suspicious print processor registered (cf14910d-0c56-48c7-97f2-903f3387ad6b) - improved logic of a Medium Analytics BIOCs Possible Persistence via group policy Registry keys (3b3741b6-1993-0e75-6c33-51152991fa0a) - improved logic of a Medium Analytics BIOCs Executable created to disk by lsass.exe (b2f18102-e247-4986-8681-029741ebbfd5) - improved logic of a Medium Analytics BIOCs Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - improved logic of a Medium Analytics BIOCs Suspicious authentication package registered (8beb68b4-a866-494d-a768-c4c391086c66) - improved logic of a Medium Analytics BIOCs Uncommon PowerShell commands used to create or alter scheduled task parameters (a31e1c5b-f931-412b-b7ae-1932df342614) - improved logic of a Medium Analytics BIOCs Commonly abused AutoIT script connects to an external domain (5ce79fc6-a5d3-43d1-a9ff-d8c779958cc9) - improved logic of a Medium Analytics BIOCs Scrcons.exe Rare Child Process (f62553d1-e952-11e9-81c4-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs Manipulation of netsh helper DLLs Registry keys (02bf3838-23d9-4a6b-a4c9-7b6691663249) - improved logic of a Medium Analytics BIOCs Uncommon SetWindowsHookEx API invocation of a possible keylogger (09cf18c8-e607-44f4-bb06-1dfde6163839) - improved logic of a Medium Analytics BIOCs Machine account was added to a domain admins group (3c3c9d51-56c1-11ec-8706-acde48001122) - improved logic of a Medium Analytics BIOCs Possible new DHCP server (e5afa116-5041-4ed9-9d0c-18eaac133173) - improved logic of a Medium Analytics BIOCs Procdump executed from an atypical directory (7b947703-063a-7f35-0980-b57cfb0eada1) - improved logic of a Medium Analytics BIOCs Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOCs Rundll32.exe spawns conhost.exe (c91811ac-2fa7-af90-1d55-bc786fee62a6) - improved logic of a Medium Analytics BIOCs Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - improved logic of a Medium Analytics BIOCs Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - improved logic of a Medium Analytics BIOCs Mshta.exe launched with suspicious arguments (0b174006-3946-43b6-af3c-ab400e6c7a87) - improved logic of a Medium Analytics BIOCs Possible AWS Instance Metadata Service (IMDS) Abuse (39ea8f0c-d0d7-4470-b373-aa144394e579) - improved logic of a Medium Analytics BIOCs External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - improved logic of a Medium Analytics BIOCs Remote WMI process execution (65c55916-23c3-4d1e-9e3d-e839c9c4b70f) - improved logic of a Medium Analytics BIOCs Possible Microsoft process masquerading (e0a99ea0-977d-4646-b9d9-26e9e7a4341c) - improved logic of a Medium Analytics BIOCs Possible Microsoft module side-loading into Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - improved logic of a Medium Analytics BIOCs Possible network connection to a TOR relay server (a3e0fd91-11e5-34b8-92b3-a2bed507878a) - improved logic of a Medium Analytics BIOCs Fodhelper.exe UAC bypass (780d896e-19db-4c9d-ee3b-e496f745ee64) - improved logic of a Medium Analytics BIOCs LDAP search query from an unpopular and unsigned process (64472a41-9670-4626-8926-98b713328ddf) - improved logic of a Medium Analytics BIOCs Executable moved to Windows system folder (bab3ed69-9e51-2000-c383-34103b1fb8fd) - improved logic of a Medium Analytics BIOCs Possible RDP session hijacking using tscon.exe (015570a8-ffce-492b-99a9-e7b83dc8e216) - improved logic of a Medium Analytics BIOCs Phantom DLL Loading (69ba5103-2954-4175-87b7-3a622ec07255) - improved logic of a Medium Analytics BIOCs Suspicious .NET process loads an MSBuild DLL (bb0e8ceb-94e4-888c-92a1-bc9c1b8c481c) - improved logic of a Medium Analytics BIOCs Rundll32.exe running with no command-line arguments (1fec6f01-b5de-935b-58e0-c124f2de6101) - improved logic of a Medium Analytics BIOCs Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOCs Suspicious disablement of the Windows Firewall using PowerShell commands (cb8b6ba0-12cc-4c64-81f5-75da949bea0b) - improved logic of a Medium Analytics BIOCs Suspicious execution of ODBCConf (4bebfd54-6c21-b4bd-f30e-070f48ae8949) - improved logic of a Medium Analytics BIOCs Execution of renamed lolbin (d2600df6-4489-4ad6-b92b-0b560f958d57) - improved logic of a Medium Analytics BIOCs Unicode RTL Override Character (525e3dd7-4ca6-11ea-8161-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Suspicious SearchProtocolHost.exe parent process (86d04512-5c96-4f87-be1e-dc600e9d60f8) - improved logic of a Medium Analytics BIOCs Encoded information using Windows certificate management tool (33d390e1-2091-4a70-0dde-99fe29540b38) - improved logic of a Medium Analytics BIOCs A contained executable from a mounted share initiated a suspicious outbound network connection (423a9cc9-735f-48cd-8fb5-6e4aeecd5d6d) - improved logic of a Medium Analytics BIOCs A contained executable was executed by unusual process (d8c11b55-29b4-44b2-9e47-fd6c4cda4d7b) - improved logic of a Medium Analytics BIOCs PowerShell used to export mailbox contents (70b08c1e-ccfd-4ab9-bb92-66acaa83aa3a) - improved logic of a Medium Analytics BIOCs Uncommon jsp file write by a Java process (acaa34fd-b2b8-4218-aab0-b8d717e9dcc5) - improved logic of a Medium Analytics BIOCs SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Vulnerable driver loaded (1cc145f5-f667-4ca3-a722-79a29ed23caf) - improved logic of a Medium Analytics BIOCs Execution of the Hydra Linux password brute-force tool (90010a1e-59b9-42a2-b768-2778a666f7a3) - improved logic of a Medium Analytics BIOCs PowerShell suspicious flags (4ce1b559-45b8-11ea-81bb-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs A remote service was created via RPC over SMB (f33c6ecc-cb20-4f2a-8bf8-869d21f18b0e) - improved logic of a Medium Analytics BIOCs Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Office process creates a scheduled task via file access (f55359ad-1258-7ffe-1d97-ae01077dd8e1) - improved logic of a Medium Analytics BIOCs Uncommon Service Create/Config (4814ee91-468d-11ea-a78c-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Suspicious PowerSploit's recon module (PowerView) net function was executed (bd95656f-6ba3-4c9d-ac06-8b0a957cf67f) - improved logic of a Medium Analytics BIOCs Discovery of misconfigured certificate templates using LDAP (7dbb9366-8b94-4a9f-bc18-f02fbe7b1433) - improved logic of a Medium Analytics BIOCs RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs Added a new Medium Analytics Alert: A new machine attempted Kerberos delegation (0f9a92bd-916c-40ad-80a9-58c2adaaa946) - added a new Medium alert Improved logic of 13 Medium Analytics Alerts: An internal Cloud resource performed port scan on external networks (7e7af0ac-0eac-44e2-8d0f-ea94831bb0df) - improved logic of a Medium Analytics Alerts Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alerts Remote account enumeration (7ee73b65-466e-4d4d-b2a6-0058f11b442d) - improved logic of a Medium Analytics Alerts Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - improved logic of a Medium Analytics Alerts DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - improved logic of a Medium Analytics Alerts Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of a Medium Analytics Alerts Kerberos User Enumeration (a371b533-c9f4-11eb-879e-acde48001122) - improved logic of a Medium Analytics Alerts Sudoedit Brute force attempt (e1d6cdd8-845f-440b-b89e-a430eafea941) - improved logic of a Medium Analytics Alerts NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) - improved logic of a Medium Analytics Alerts Suspicious allocation of compute resources in multiple regions - possible mining activity (30f4d71c-a3f7-43b0-82ca-f2951995e420) - improved logic of a Medium Analytics Alerts A contained process attempted to escape using notify on release feature (7205a3a5-6c0e-4caf-95f1-c4444ec75b26) - improved logic of a Medium Analytics Alerts New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Medium Analytics Alerts Suspicious large allocation of compute resources - possible mining activity (896e2a9a-9c4f-4aea-9314-1e3e15050b44) - improved logic of a Medium Analytics Alerts Added 2 new Low Analytics BIOCs: Uncommon network tunnel creation (1be56e08-4817-4d49-852b-ec8affabf652) - added a new Low alert Possible Kerberos relay attack (5d950b94-729a-4fd3-bcbe-a9fefa922d30) - added a new Low alert Improved logic of 127 Low Analytics BIOCs: Microsoft Office process spawns a commonly abused process (e15a97e1-466c-11ea-90c6-88e9fe502c1f) - improved logic of a Low Analytics BIOCs Domain federation settings have been modified (050d189d-714a-46a0-b25d-2b295afd55b6) - improved logic of a Low Analytics BIOCs AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - improved logic of a Low Analytics BIOCs Wsmprovhost.exe Rare Child Process (f5b580fd-e952-11e9-91de-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs Suspicious process executed with a high integrity level (81e70ab2-b1f1-4a1c-bf94-3929f6d7e1b2) - improved logic of a Low Analytics BIOCs A disabled user attempted to log in to a VPN (2a092ebe-ed9a-4eaa-bdcc-4b378c4ce4d7) - improved logic of a Low Analytics BIOCs Suspicious DotNet log file created (064eebce-02fb-08e7-df1f-66ee933eefab) - improved logic of a Low Analytics BIOCs VPN login with a machine account (9818431a-c039-49eb-a93c-8731c7f48fec) - improved logic of a Low Analytics BIOCs Windows Event Log was cleared using wevtutil.exe (be2210fb-9884-49e7-8078-6e59c35d925e) - improved logic of a Low Analytics BIOCs Globally uncommon root-domain port combination from a signed process (557d3fac-1cfd-47dd-8db9-631ae264feac) - improved logic of a Low Analytics BIOCs Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs Linux system firewall was disabled (d50eedfa-7888-47aa-b390-929ccab92d80) - improved logic of a Low Analytics BIOCs Windows event logs were cleared with PowerShell (9730c9bb-7107-42e5-8d2c-746b89086856) - improved logic of a Low Analytics BIOCs Conhost.exe spawned a suspicious child process (a3e8022a-979a-5a80-8c5f-a90c80dfe19d) - improved logic of a Low Analytics BIOCs Suspicious PowerShell Command Line (d2aa3dde-4d73-11ea-923a-88e9fe502c1f) - improved logic of a Low Analytics BIOCs Uncommon ARP cache listing via arp.exe (85a9b5a1-e953-11e9-939b-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs Wscript/Cscript loads .NET DLLs (5844326f-d597-410f-aea0-7d369029b218) - improved logic of a Low Analytics BIOCs Unusual compressed file password protection (72b20348-2bee-4c54-bb17-65c0b611747f) - improved logic of a Low Analytics BIOCs Remote service start from an uncommon source (972072a7-9f23-4354-824d-7295de90e804) - improved logic of a Low Analytics BIOCs Uncommon user management via net.exe (f78dfe5e-e952-11e9-b300-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs A computer account was promoted to DC (87de9d8c-7d52-11ec-b568-acde48001122) - improved logic of a Low Analytics BIOCs Suspicious access to shadow file (e4b279f9-3e47-4906-a9d3-4b2a7550da04) - improved logic of a Low Analytics BIOCs Reading bash command history file (e5dcfbcd-7c34-69a7-be3b-3ff9893435d7) - improved logic of a Low Analytics BIOCs Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - improved logic of a Low Analytics BIOCs Suspicious PowerShell Enumeration of Running Processes (9ed9d8ee-6dbb-11ea-a5d9-88e9fe502c1f) - improved logic of a Low Analytics BIOCs Suspicious data encryption (30df8779-1e1e-4c5a-a9de-40cb94d837e7) - improved logic of a Low Analytics BIOCs Uncommon GetClipboardData API function invocation of a possible information stealer (086617b1-eaea-4b50-9712-318faeb71c10) - improved logic of a Low Analytics BIOCs Possible network sniffing attempt via tcpdump or tshark (10d3d8d1-1edd-4992-beb3-53d4f5afcde8) - improved logic of a Low Analytics BIOCs Uncommon IP Configuration Listing via ipconfig.exe (02501f5c-e953-11e9-954d-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs Delayed Deletion of Files (9801a8bd-4695-11ea-bb20-88e9fe502c1f) - improved logic of a Low Analytics BIOCs Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - improved logic of a Low Analytics BIOCs Suspicious sshpass command execution (4b8f54e1-60ef-4e8f-b8a3-d53564b02cd9) - improved logic of a Low Analytics BIOCs Interactive login by a service account (603bfd03-d88b-4a3e-844b-5286b6971960) - improved logic of a Low Analytics BIOCs Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - improved logic of a Low Analytics BIOCs AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - improved logic of a Low Analytics BIOCs Command running with COMSPEC in the command line argument (2feeb01f-0a81-476a-8ec0-d49fd2bf807b) - improved logic of a Low Analytics BIOCs Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - improved logic of a Low Analytics BIOCs Discovery of host users via WMIC (6593c57d-14fe-11ea-9297-88e9fe502c1f) - improved logic of a Low Analytics BIOCs Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - improved logic of a Low Analytics BIOCs Failed Login For a Long Username With Special Characters (de8eb00f-2016-11ea-8f2b-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs Unusual AWS user added to group (dcfca104-1393-4efb-8081-a582925be678) - improved logic of a Low Analytics BIOCs Suspicious process modified RC script file (711175b0-03ac-469b-ae5a-2ffb727816b2) - improved logic of a Low Analytics BIOCs SPNs cleared from a machine account (973d9ec2-5dce-11ec-8dbf-acde48001122) - improved logic of a Low Analytics BIOCs Suspicious systemd timer activity (6aa321b8-0f2e-4182-b36b-aa3ba7944f25) - improved logic of a Low Analytics BIOCs Execution of dllhost.exe with an empty command line (cc3bf426-10ed-4955-a0ab-302f81e22873) - improved logic of a Low Analytics BIOCs Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet (c640fd86-9c58-4fe2-82ed-c3975866393a) - improved logic of a Low Analytics BIOCs Screensaver process executed from Users or temporary folder (463d34d4-d448-40f2-8093-6ce58cf2bdbb) - improved logic of a Low Analytics BIOCs Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of a Low Analytics BIOCs A WMI subscriber was created (5a1964f8-87a0-49d6-bbf2-2c1a5a5eb3e1) - improved logic of a Low Analytics BIOCs PowerShell Initiates a Network Connection to GitHub (8b34f70a-b84d-4d98-aa19-7ee88037e467) - improved logic of a Low Analytics BIOCs Suspicious process accessed certificate files (21df20db-09cb-4bc4-b7ea-c6b1cb2e9667) - improved logic of a Low Analytics BIOCs Masquerading as Linux crond process (5823c47a-35fc-49c6-a602-a0b81ec342bc) - improved logic of a Low Analytics BIOCs Suspicious AMSI decode attempt (f3885db4-6be6-40b9-82c1-9858f97a4229) - improved logic of a Low Analytics BIOCs System information discovery via psinfo.exe (5347ae54-08ba-4cee-81a7-a26016928e27) - improved logic of a Low Analytics BIOCs Rare SSH Session (85f62ab8-e953-11e9-beca-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs Globally uncommon root domain from a signed process (10febb79-f10d-4765-8c40-92c8c276457f) - improved logic of a Low Analytics BIOCs Suspicious failed HTTP request - potential Spring4Shell exploit (1028c23d-f8f0-4adb-9e12-bffce9104359) - improved logic of a Low Analytics BIOCs A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - improved logic of a Low Analytics BIOCs Suspicious process changed or created the ssh_authorized_keys file (98bc28e2-92a2-49c6-8c4e-86188a351b75) - improved logic of a Low Analytics BIOCs Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - improved logic of a Low Analytics BIOCs SUID/GUID permission discovery (3f90bf2c-05bb-4916-8e70-3fe7a81ea23d) - improved logic of a Low Analytics BIOCs Uncommon local scheduled task creation via schtasks.exe (8581c273-e953-11e9-b670-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs A disabled user successfully authenticated via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - improved logic of a Low Analytics BIOCs Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - improved logic of a Low Analytics BIOCs SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - improved logic of a Low Analytics BIOCs Microsoft Office adds a value to autostart Registry key (32e4eb1d-659c-317b-42a7-910db9f2f3b7) - improved logic of a Low Analytics BIOCs Possible code downloading from a remote host by Regsvr32 (1f358bb5-aede-3ff6-40e4-50edd570d9e3) - improved logic of a Low Analytics BIOCs Certutil pfx parsing (3719af79-bdde-4c84-9277-cbf41c86cd39) - improved logic of a Low Analytics BIOCs Suspicious container orchestration job (f358cda9-491e-4be6-af2a-6a5361ae23f9) - improved logic of a Low Analytics BIOCs SecureBoot was disabled (e8a6caaf-89c1-4e19-8e27-1ced582293e0) - improved logic of a Low Analytics BIOCs A suspicious process enrolled for a certificate (4cbef8f8-ec99-40d1-9b8b-bfbd3cda5f4b) - improved logic of a Low Analytics BIOCs First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of a Low Analytics BIOCs Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - improved logic of a Low Analytics BIOCs WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs Kubectl administration command execution (8d013538-6e98-48ed-a018-fcf19866f367) - improved logic of a Low Analytics BIOCs New addition to Windows Defender exclusion list (97bd1ad3-df0f-459c-be72-88193ce7b667) - improved logic of a Low Analytics BIOCs MpCmdRun.exe was used to download files into the system (bae10b1e-5850-452a-9623-d86e959d34d4) - improved logic of a Low Analytics BIOCs Unsigned process creates a scheduled task via file access (f07fd364-9b51-48ec-8225-32ae98a8ffe5) - improved logic of a Low Analytics BIOCs Rare Unsigned Process Spawned by Office Process Under Suspicious Directory (dff03970-bf7a-11ea-86c7-acde48001122) - improved logic of a Low Analytics BIOCs Image File Execution Options Registry key injection by unsigned process (4588be44-8912-41c5-9a7d-6921691140db) - improved logic of a Low Analytics BIOCs Suspicious sAMAccountName change (3a44e454-61ab-11ec-a8b5-acde48001122) - improved logic of a Low Analytics BIOCs Suspicious process loads a known PowerShell module (23ac9a23-8a43-4900-95e1-6cdb422dd854) - improved logic of a Low Analytics BIOCs Suspicious runonce.exe parent process (b72692c3-9579-4547-b657-43dc4e6be816) - improved logic of a Low Analytics BIOCs An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - improved logic of a Low Analytics BIOCs Suspicious RunOnce Parent Process (565f0500-ad74-11ea-abe7-acde48001122) - improved logic of a Low Analytics BIOCs Installation of a new System-V service (b99df31c-bebf-47e6-8f72-1c733751823d) - improved logic of a Low Analytics BIOCs Unsigned and unpopular process performed a DLL injection (5396ebed-c7ef-4462-a02b-9cf7232b27b8) - improved logic of a Low Analytics BIOCs User successfully connected from a suspicious country (2f0796a2-c33c-4437-b592-ac13f0929e7d) - improved logic of a Low Analytics BIOCs A suspicious service was started (4f9dff40-917e-4bde-be77-b42a4e05cac7) - improved logic of a Low Analytics BIOCs A compiled HTML help file wrote a script file to the disk (6f2817a6-f6b4-4ff5-b03e-ed488e60cd8a) - improved logic of a Low Analytics BIOCs AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - improved logic of a Low Analytics BIOCs Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - improved logic of a Low Analytics BIOCs Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - improved logic of a Low Analytics BIOCs Possible network service discovery via command-line tool (e2e77dfb-d869-405e-ab1f-2a2477c931cc) - improved logic of a Low Analytics BIOCs Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - improved logic of a Low Analytics BIOCs Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - improved logic of a Low Analytics BIOCs Keylogging using system commands (5456f17e-c97f-4484-893a-035d728efc81) - improved logic of a Low Analytics BIOCs Elevation to SYSTEM via services (a1962f05-c1da-4765-8e4a-59729c70dde0) - improved logic of a Low Analytics BIOCs Unusual AWS credentials creation (e13d7877-3308-4f35-9fb8-6ee466b69080) - improved logic of a Low Analytics BIOCs GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - improved logic of a Low Analytics BIOCs Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - improved logic of a Low Analytics BIOCs Setuid and Setgid file bit manipulation (86c8f625-febe-42d3-8682-9ef405985379) - improved logic of a Low Analytics BIOCs Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - improved logic of a Low Analytics BIOCs An uncommon kubectl secret enumeration command was executed (d1d4f8ff-68d2-4c04-91ff-2a518ff60319) - improved logic of a Low Analytics BIOCs Unsigned process injecting into a Windows system binary with no command line (1d8789e7-6629-4549-7064-d384adc339bc) - improved logic of a Low Analytics BIOCs AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - improved logic of a Low Analytics BIOCs Suspicious process execution by scheduled task (56bc5f4c-e481-41de-81e4-ec618fb1f004) - improved logic of a Low Analytics BIOCs Remote DCOM command execution (e5e3c27a-a0c5-49b7-8143-5012d1180d2c) - improved logic of a Low Analytics BIOCs Uncommon remote service start via sc.exe (85cdb57d-e953-11e9-859b-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs Suspicious Certutil AD CS contact (06545c74-04c2-4964-9af5-eb99080c274e) - improved logic of a Low Analytics BIOCs Rare security product signed executable executed in the network (f9e9ff14-df6e-4ed4-a15d-326bd444199b) - improved logic of a Low Analytics BIOCs Uncommon Security Support Provider (SSP) registered via a registry key (3d1283d0-409c-4d95-8995-dcc7b1ab23e1) - improved logic of a Low Analytics BIOCs Unsigned and unpopular process performed an injection (6bcd74bb-6301-4f52-9a9f-1b38e6a54342) - improved logic of a Low Analytics BIOCs Linux system firewall was modified (fac86d1c-01ac-4620-bcee-8330df48ad25) - improved logic of a Low Analytics BIOCs Change of sudo caching configuration (8aebc46d-4ec7-4705-b499-324f5821a85e) - improved logic of a Low Analytics BIOCs Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - improved logic of a Low Analytics BIOCs SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - improved logic of a Low Analytics BIOCs Unusual process accessed the PowerShell history file (c5e0c7e3-5e55-11eb-9453-acde48001122) - improved logic of a Low Analytics BIOCs Rare communication over email ports to external email server by unsigned process (7b424216-fe61-4589-bcee-67e9e7b267be) - improved logic of a Low Analytics BIOCs Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - improved logic of a Low Analytics BIOCs LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - improved logic of a Low Analytics BIOCs VPN login by a service account (5430df85-d0ff-4b41-8683-6ad6bed1b657) - improved logic of a Low Analytics BIOCs Extracting credentials from Unix files (3eac1dcb-2aec-45e4-b44a-3f982d8979e1) - improved logic of a Low Analytics BIOCs Uncommon routing table listing via route.exe (758e8ed7-e953-11e9-b4ee-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs Unverified domain added to Azure AD (e4672ba4-6ba8-426c-82c1-9858f97a4221) - improved logic of a Low Analytics BIOCs Suspicious LDAP search query executed (95ffd373-d208-4fae-8d1e-adfeca7b9fb5) - improved logic of a Low Analytics BIOCs Contained process execution with a rare GitHub URL (eadd0b5c-94bb-4582-8115-765e48e19353) - improved logic of a Low Analytics BIOCs Improved logic of 31 Low Analytics Alerts: NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - improved logic of a Low Analytics Alerts NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - improved logic of a Low Analytics Alerts Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - improved logic of a Low Analytics Alerts Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - improved logic of a Low Analytics Alerts Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - improved logic of a Low Analytics Alerts Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alerts Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - improved logic of a Low Analytics Alerts IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alerts Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alerts Outlook files accessed by an unsigned process (ef33bda6-d0c5-48ef-95a6-e80c0f19df79) - improved logic of a Low Analytics Alerts Suspicious reconnaissance using LDAP (72a78521-6907-40c0-90da-5c1a733a8ed6) - improved logic of a Low Analytics Alerts Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alerts New Shared User Account (0d29cc9c-cdc3-11eb-afcb-acde48001122) - improved logic of a Low Analytics Alerts TGT reuse from different hosts (pass the ticket) (a3ae81d9-6d4a-45a8-a720-df7380d2afc8) - improved logic of a Low Analytics Alerts A user connected a new USB storage device to multiple hosts (09214199-d414-486e-bcf5-dc5034b2c424) - improved logic of a Low Analytics Alerts Multiple suspicious user accounts were created (b60687dc-f312-11eb-9f0a-faffc26aac4a) - improved logic of a Low Analytics Alerts Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - improved logic of a Low Analytics Alerts Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - improved logic of a Low Analytics Alerts Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of a Low Analytics Alerts Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - improved logic of a Low Analytics Alerts Interactive local account enumeration (d4608074-aafc-49cc-aa04-292c0a87332e) - improved logic of a Low Analytics Alerts Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - improved logic of a Low Analytics Alerts Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts NTLM Brute Force on an Administrator Account (aed1e32e-8df0-48d7-8e78-4ebcb6e09a94) - improved logic of a Low Analytics Alerts User collected remote shared files in an archive (de85c5aa-21e8-43d7-af13-3862f787549f) - improved logic of a Low Analytics Alerts Excessive user account lockouts (ed56d140-47ce-11ec-a9b1-faffc26aac4a) - improved logic of a Low Analytics Alerts VPN login Brute-Force attempt (7a69443f-48af-4c3b-8c18-b448e403561c) - improved logic of a Low Analytics Alerts Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - improved logic of a Low Analytics Alerts Impossible traveler - VPN (6acd5f71-0f52-41b7-b996-67f3c800a2b9) - improved logic of a Low Analytics Alerts Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alerts Decreased the severity to Informational for an Analytics BIOC: Tampering with Internet Explorer Protected Mode configuration (670fd2a0-8523-85f1-49c9-28a1f2ccb69a) - decreased the severity to Informational, and improved detection logic Improved logic of 178 Informational Analytics BIOCs: GCP Firewall Rule creation (a84dbd23-67d0-4851-a73a-7dc7430600cf) - improved logic of an Informational Analytics BIOCs Suspicious User Login to Domain Controller (90c356a6-460a-11eb-a2b0-faffc26aac4a) - improved logic of an Informational Analytics BIOCs First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - improved logic of an Informational Analytics BIOCs User account delegation change (b6c63bd1-8506-11ec-b228-acde48001122) - improved logic of an Informational Analytics BIOCs S3 configuration deletion (68ebffe9-ce22-4453-bf44-5cd1affd67a0) - improved logic of an Informational Analytics BIOCs Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - improved logic of an Informational Analytics BIOCs A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - improved logic of an Informational Analytics BIOCs Remote command execution via wmic.exe (f42fdaa8-4685-11ea-94be-88e9fe502c1f) - improved logic of an Informational Analytics BIOCs An Identity accessed a secret from Secret Manager (050cd586-bc43-4586-850d-162c0123ad6e) - improved logic of an Informational Analytics BIOCs EC2 snapshot attribute has been modification (1c516548-f413-4117-b759-d98d5bec3ed5) - improved logic of an Informational Analytics BIOCs Microsoft Office injects code into a process (da155b88-6973-a1b8-9ccd-5fad9a1e3455) - improved logic of an Informational Analytics BIOCs A user successfully authenticated via SSO for the first time (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOCs Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - improved logic of an Informational Analytics BIOCs Suspicious cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - improved logic of an Informational Analytics BIOCs SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - improved logic of an Informational Analytics BIOCs Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - improved logic of an Informational Analytics BIOCs Interactive login by a machine account (1114b340-fc05-4ad0-925d-6c2867d2b5d9) - improved logic of an Informational Analytics BIOCs Signed process performed an unpopular injection (365bfca2-a3e1-4a44-9487-1353903a6c61) - improved logic of an Informational Analytics BIOCs Command execution via wmiexec (797eba35-3ac8-4e84-8dc4-dbe804b9dee3) - improved logic of an Informational Analytics BIOCs GCP VPC Firewall Rule Deletion (4c47ea31-a67a-4b2f-b88a-154d8aac420b) - improved logic of an Informational Analytics BIOCs Commonly abused process launched as a system service (3cbd172e-6e2f-11ea-8d8e-88e9fe502c1f) - improved logic of an Informational Analytics BIOCs A user created a pfx file for the first time (5ddac38b-51e2-48c4-9fb7-43144bc3a148) - improved logic of an Informational Analytics BIOCs SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOCs Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - improved logic of an Informational Analytics BIOCs A user added a Windows firewall rule (4d52f94d-2344-439b-a7a8-5adb7d37be90) - improved logic of an Informational Analytics BIOCs Browser bookmark files accessed by a rare non-browser process (7c464967-346f-4017-a765-0ddbfd513cb7) - improved logic of an Informational Analytics BIOCs System profiling WMI query execution (cf32631b-369a-451d-91ca-d2bc5b903363) - improved logic of an Informational Analytics BIOCs GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - improved logic of an Informational Analytics BIOCs Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - improved logic of an Informational Analytics BIOCs An AWS RDS Global Cluster Deletion (1b957d24-d4c3-11eb-9122-acde48001122) - improved logic of an Informational Analytics BIOCs A suspicious process queried AD CS objects via LDAP (69bfcbc2-04a1-400b-9516-14c987fedb05) - improved logic of an Informational Analytics BIOCs An IAM group was created (af19f0d0-1e67-4327-9528-a1dc496a548f) - improved logic of an Informational Analytics BIOCs Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - improved logic of an Informational Analytics BIOCs Interactive login from a shared user account (caf8236b-b276-11eb-b927-acde48001122) - improved logic of an Informational Analytics BIOCs Azure Automation Webhook creation (c5393a54-b199-4474-a603-75b276903766) - improved logic of an Informational Analytics BIOCs Uncommon kernel module load (86fdbf9c-bdc7-4f88-a201-70331bbdd7ff) - improved logic of an Informational Analytics BIOCs Rare process execution by user (4cf96b80-2278-11eb-9f9a-acde48001122) - improved logic of an Informational Analytics BIOCs A user cleared their browser's history (8c76ebbd-13ce-4bb0-9f28-d964ea488670) - improved logic of an Informational Analytics BIOCs A LOLBIN was copied to a different location (55c8b498-1f5e-4abf-9dfc-ca8bf0bcb3b9) - improved logic of an Informational Analytics BIOCs Rare machine account creation (45d670c2-61d9-11ec-9f91-acde48001122) - improved logic of an Informational Analytics BIOCs Possible use of a networking driver for network sniffing (335fb03a-3c85-4029-8033-ec575b3479ae) - improved logic of an Informational Analytics BIOCs Uncommon Managed Object Format (MOF) compiler usage (d8069d23-e953-11e9-bb13-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs GCP Virtual Private Network Route Deletion (db6e96a7-a47a-4ba3-b92c-623713ba3d67) - improved logic of an Informational Analytics BIOCs Uncommon net group or localgroup execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs Hidden Attribute was added to a file using attrib.exe (5414fab8-c803-40c5-914a-a601b23acb5a) - improved logic of an Informational Analytics BIOCs AWS Role Trusted Entity modification (cada381e-8af6-45fa-8c3f-a4e93c4e1885) - improved logic of an Informational Analytics BIOCs VM Detection attempt (579c1479-a14e-4366-ab09-6bfefe0dc7f7) - improved logic of an Informational Analytics BIOCs WebDAV drive mounted from net.exe over HTTPS (233491ca-e954-11e9-90bd-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs AWS RDS cluster deletion (818dcc3f-c6e9-4ad5-a7ac-633cb75ebe71) - improved logic of an Informational Analytics BIOCs Uncommon RDP connection (239ae240-e954-11e9-9f0a-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs Service execution via sc.exe (d25d07fa-015c-47a6-a6a0-15ff46020cc5) - improved logic of an Informational Analytics BIOCs IAM User added to an IAM group (440b6ea7-2f9e-4ad1-8443-2586eb796298) - improved logic of an Informational Analytics BIOCs GCP Pub/Sub Topic Deletion (2acac71c-6a19-4b2f-a4d3-b95fa4cab768) - improved logic of an Informational Analytics BIOCs AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - improved logic of an Informational Analytics BIOCs Azure Event Hub Authorization rule creation/modification (ba1fb18f-9031-4b7c-9ec3-d029f5e5ee0e) - improved logic of an Informational Analytics BIOCs LOLBAS executable injects into another process (76190f98-9582-9c60-cca0-3ee2e8f0bf15) - improved logic of an Informational Analytics BIOCs Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOCs Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - improved logic of an Informational Analytics BIOCs Azure virtual machine commands execution (6a069681-c378-4b9c-a2e2-0414a64cc36e) - improved logic of an Informational Analytics BIOCs Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - improved logic of an Informational Analytics BIOCs GCP IAM Custom Role Creation (830eb74a-a6a5-4e5c-9890-0f5857408000) - improved logic of an Informational Analytics BIOCs Office process accessed an unusual .LNK file (15b39f42-b51e-7dec-576f-d1cef54a5baf) - improved logic of an Informational Analytics BIOCs GCP Virtual Private Network Route Creation (00e3b67d-2ef2-4341-b017-a6183b7dd8c8) - improved logic of an Informational Analytics BIOCs Azure Automation Account Creation (878335a8-daf9-4380-a856-9df94a8f9e8d) - improved logic of an Informational Analytics BIOCs GCP IAM Role Deletion (e0fe91e0-6179-4a3d-9d71-95144f4ebb25) - improved logic of an Informational Analytics BIOCs A user account was modified to password never expires (a38d281e-4ad2-11ec-abe6-acde48001122) - improved logic of an Informational Analytics BIOCs VPN access with a new operating system for a user (0973136b-a66a-4ad1-ad9c-068971bfcbb8) - improved logic of an Informational Analytics BIOCs GCP Storage Bucket Configuration Modification (d1ad46ca-4412-445a-a0be-17d9b29880d3) - improved logic of an Informational Analytics BIOCs Permission Groups discovery commands (f7781c61-821c-4601-b5b2-bb2a8c7f8da5) - improved logic of an Informational Analytics BIOCs Rare Unix process divide files by size (64384c5f-40dd-4d5f-aa31-06907b60176d) - improved logic of an Informational Analytics BIOCs First VPN access attempt from a country in organization (e143bc60-67d0-45e8-b0cb-682ecf82a04d) - improved logic of an Informational Analytics BIOCs Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol (72931f2e-a43f-4e77-ad81-48c29164017f) - improved logic of an Informational Analytics BIOCs Azure Blob Container Access Level Modification (28efc491-b0a3-4edc-96ab-15156dec80e4) - improved logic of an Informational Analytics BIOCs File transfer from unusual IP using known tools (1329a84b-de85-4d33-9e8a-aa2e5e142530) - improved logic of an Informational Analytics BIOCs An unusual archive file creation by a user (eb510c2a-3446-4775-941e-0b0cb8f38526) - improved logic of an Informational Analytics BIOCs A browser was opened in private mode (9c499a04-883b-4cfe-9c1f-eb1be965a0cc) - improved logic of an Informational Analytics BIOCs Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs Suspicious curl user agent (14166076-1ee3-4d9b-954d-eaad065ca0c0) - improved logic of an Informational Analytics BIOCs GCP IAM Service Account Key Deletion (7a30c221-6450-4c5a-bafc-f6633a5b7f7f) - improved logic of an Informational Analytics BIOCs Possible data obfuscation (aec61660-d52d-489a-813e-7cf2610f829e) - improved logic of an Informational Analytics BIOCs SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of an Informational Analytics BIOCs Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - improved logic of an Informational Analytics BIOCs Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - improved logic of an Informational Analytics BIOCs Rare AppID usage for this destination port to rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs Rare process spawned by srvany.exe (95b2dea2-4531-4eb4-892e-bb6422293ac9) - improved logic of an Informational Analytics BIOCs Uncommon net localgroup execution (4adaa6ba-e954-11e9-b566-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - improved logic of an Informational Analytics BIOCs Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - improved logic of an Informational Analytics BIOCs Modification of PAM (9aa924bd-64e8-4077-af6e-2dd5ef8e8b0d) - improved logic of an Informational Analytics BIOCs Administrator groups enumerated via LDAP (ab78c189-98f0-4646-b67b-0ce05576ddbf) - improved logic of an Informational Analytics BIOCs AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - improved logic of an Informational Analytics BIOCs Rare SMTP/S Session (4a634ad4-e954-11e9-b86b-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs A user changed the Windows system time (12131d90-51dd-45cc-9c9f-ad84985b6cc6) - improved logic of an Informational Analytics BIOCs Copy a process memory file (12785e19-c4ec-499d-a0f6-c6ccad857d35) - improved logic of an Informational Analytics BIOCs A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - improved logic of an Informational Analytics BIOCs GCP Pub/Sub Subscription Deletion (12e3bc4a-69f6-4923-932e-0272621aa21a) - improved logic of an Informational Analytics BIOCs Suspicious External RDP Login (1d94db42-4371-4b62-8218-c5b338fe6e02) - improved logic of an Informational Analytics BIOCs GCP Virtual Private Cloud (VPC) Network Deletion (d9158b41-8de9-4f6d-98b0-3155d4deb092) - improved logic of an Informational Analytics BIOCs Local account discovery (99206b5b-f52d-4850-95ab-0135cf3db645) - improved logic of an Informational Analytics BIOCs AWS EC2 instance exported into S3 (c6ad16c5-f2be-46de-9d3b-c44613f46d27) - improved logic of an Informational Analytics BIOCs User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - improved logic of an Informational Analytics BIOCs GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - improved logic of an Informational Analytics BIOCs A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - improved logic of an Informational Analytics BIOCs VPN login by a dormant user (9f9d7576-b3c0-4c11-983e-71e250b03a6d) - improved logic of an Informational Analytics BIOCs MFA device was removed/deactivated from an IAM user (52d74622-2fa5-4eae-b7d0-8eb52e0caaf3) - improved logic of an Informational Analytics BIOCs New process created via a WMI call (6d726469-71ac-4741-9b41-abd75259ff74) - improved logic of an Informational Analytics BIOCs GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - improved logic of an Informational Analytics BIOCs Root user logged in to AWS console (447ef512-2b73-4c8e-b0f4-c85415e7659f) - improved logic of an Informational Analytics BIOCs Azure Storage Account key generated (72443a25-c783-494e-adaa-98cd96a54997) - improved logic of an Informational Analytics BIOCs Abnormal process connection to default Meterpreter port (9de6cf91-007d-11ea-a77c-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs GCP Service Account deletion (bf134ec2-a907-4f4f-a316-0b68625ff236) - improved logic of an Informational Analytics BIOCs AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - improved logic of an Informational Analytics BIOCs Possible Email collection using Outlook RPC (d79e5210-e386-4bb6-aff9-c33afb3ba9d6) - improved logic of an Informational Analytics BIOCs GCP Service Account creation (f29b6fd5-3da3-4e40-867d-ef8c82d95116) - improved logic of an Informational Analytics BIOCs GCP Service Account Disable (ee82516d-e047-4172-a427-17e30e037706) - improved logic of an Informational Analytics BIOCs PowerShell pfx certificate extraction (1195bbe0-884c-4f4c-b1cf-4c8288cbeffc) - improved logic of an Informational Analytics BIOCs Suspicious process execution from tmp folder (79d2fa50-a76e-443e-8e8b-da0bb57fa125) - improved logic of an Informational Analytics BIOCs AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - improved logic of an Informational Analytics BIOCs Python HTTP server started (b43d77ba-696e-48e6-87d1-64e229201c36) - improved logic of an Informational Analytics BIOCs Uncommon DotNet module load relationship (56f63574-0ba4-4ad3-bb5d-2f4219f80fbe) - improved logic of an Informational Analytics BIOCs A service was disabled (9d96de8e-036e-414d-baac-064aef4271bc) - improved logic of an Informational Analytics BIOCs First VPN access from ASN for user (a8a4d03b-d016-4e67-a497-c0388e08adc7) - improved logic of an Informational Analytics BIOCs A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - improved logic of an Informational Analytics BIOCs Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of an Informational Analytics BIOCs Rare process execution in organization (8d02294c-21bd-11eb-afd9-acde48001122) - improved logic of an Informational Analytics BIOCs Run downloaded script using pipe (b4fbd149-ec4d-475a-8704-a8df5d5a6298) - improved logic of an Informational Analytics BIOCs Iptables configuration command was executed (bbb7b421-2de6-438d-a270-e28ed2a95b35) - improved logic of an Informational Analytics BIOCs Ping to localhost from an uncommon, unsigned parent process (91d8831e-18ed-48b3-a316-f5091d647738) - improved logic of an Informational Analytics BIOCs Suspicious active setup registered (8c293cef-3d98-492d-be14-7bff66877bc7) - improved logic of an Informational Analytics BIOCs AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - improved logic of an Informational Analytics BIOCs System shutdown or reboot (3edad9ba-d804-4fd8-b8e6-7f353598d69e) - improved logic of an Informational Analytics BIOCs VPN access with an abnormal operating system (1adc594f-4a49-4f75-adee-5b72c4dd4e70) - improved logic of an Informational Analytics BIOCs A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - improved logic of an Informational Analytics BIOCs First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - improved logic of an Informational Analytics BIOCs External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - improved logic of an Informational Analytics BIOCs Azure Automation Runbook Deletion (ba481ed7-9957-489f-a29d-b78f92cc0644) - improved logic of an Informational Analytics BIOCs A user connected a USB storage device for the first time (e3bc7997-3aec-4a0c-abc9-bdf744a34f39) - improved logic of an Informational Analytics BIOCs Rare signature signed executable executed in the network (c3ce1512-5a5b-4dca-8bd7-0d06845311ee) - improved logic of an Informational Analytics BIOCs Indicator blocking (fad21a46-1b2c-4308-9b3b-46153e86cf07) - improved logic of an Informational Analytics BIOCs Azure Key Vault modification (c253e0bb-f704-45c8-9abe-ad0ec9345b54) - improved logic of an Informational Analytics BIOCs A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) - improved logic of an Informational Analytics BIOCs A suspicious file was written to the startup folder (5c9df403-aecc-4b54-99c5-50a779bae6ae) - improved logic of an Informational Analytics BIOCs Suspicious domain user account creation (49c01587-efa8-11eb-ab9a-acde48001122) - improved logic of an Informational Analytics BIOCs Remote usage of an App engine Service Account token (b5b760e8-8747-11ec-b26b-acde48001122) - improved logic of an Informational Analytics BIOCs First VPN access from ASN in organization (4f94ffc0-6f8c-411b-a0ca-e0fb65ee8a5b) - improved logic of an Informational Analytics BIOCs AWS user creation (242c9abb-1def-4778-ba5e-88817b4dc89f) - improved logic of an Informational Analytics BIOCs Rare NTLM Access By User To Host (05413bad-3d79-4e9a-9611-3471e3b25da5) - improved logic of an Informational Analytics BIOCs Registration of Uncommon .NET Services and/or Assemblies (df0fcd8c-637b-11ea-b635-88e9fe502c1f) - improved logic of an Informational Analytics BIOCs Remote usage of VM Service Account token (e65c3658-79d7-11ec-bba6-acde48001122) - improved logic of an Informational Analytics BIOCs GCP Firewall Rule Modification (780f6209-1829-45e2-9ab9-a22999d6ef6e) - improved logic of an Informational Analytics BIOCs GCP Storage Bucket Permissions Modification (5ed09b6c-a603-4c5d-8c63-74245e42faed) - improved logic of an Informational Analytics BIOCs Aurora DB cluster stopped (37242e95-a845-4043-87d6-ad07edfd7c99) - improved logic of an Informational Analytics BIOCs Signed process performed an unpopular DLL injection (9e699960-30e7-4b6e-bb71-30cdbf635307) - improved logic of an Informational Analytics BIOCs Possible binary padding using dd (1a72139a-c453-4c91-839f-845561474775) - improved logic of an Informational Analytics BIOCs AWS network ACL rule creation (a04d827e-9c62-4e2e-be28-1308c695446e) - improved logic of an Informational Analytics BIOCs Login by a dormant user (0d700470-a3fa-4a78-b1fa-5c1e47db9a60) - improved logic of an Informational Analytics BIOCs A user connected a new USB storage device to a host (43c2c43d-3c3c-4a16-b06c-3ad5de1fb3be) - improved logic of an Informational Analytics BIOCs Adding execution privileges (c37112ff-5c49-45cc-b199-5a8d3b49b48c) - improved logic of an Informational Analytics BIOCs Sensitive account password reset attempt (d53de368-576a-11ec-9556-acde48001122) - improved logic of an Informational Analytics BIOCs AWS config resource deletion (7c992418-9687-44ea-8b12-1c680bf1c901) - improved logic of an Informational Analytics BIOCs Unusual weak authentication by user (438a1ba6-98e1-4b02-9c94-76c437fd682d) - improved logic of an Informational Analytics BIOCs VM Detection attempt on Linux (5280dff5-14cd-4cf6-a70f-91c33bb43ae9) - improved logic of an Informational Analytics BIOCs Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - improved logic of an Informational Analytics BIOCs A compressed file was exfiltrated over SSH (22d00dc1-8df1-4ad5-90ce-07d3dcc41042) - improved logic of an Informational Analytics BIOCs Suspicious proxy environment variable setting (63e4b643-8da3-4552-b693-bc6515d6ea4f) - improved logic of an Informational Analytics BIOCs LDAP Traffic from Non-Standard Process (5e72a7b4-39ed-4669-98ca-b2495088f653) - improved logic of an Informational Analytics BIOCs Rare NTLM Usage by User (41374948-45f3-448a-bec2-2efe049aa69f) - improved logic of an Informational Analytics BIOCs Cloud impersonation by unusual identity type (e3858b4a-79df-4a70-867f-a6bfec0b7762) - improved logic of an Informational Analytics BIOCs A user accessed an uncommon AppID (d9f7bb18-bf8b-4902-85cf-18a3e4ebad67) - improved logic of an Informational Analytics BIOCs Log4J exploitation attempt against cloud hosted resources (bdef5aae-a272-4c70-b1cd-165cac5039c3) - improved logic of an Informational Analytics BIOCs Commonly abused AutoIT script drops an executable file to disk (267a6168-f45b-4274-9c78-7519395f47d4) - improved logic of an Informational Analytics BIOCs GCP Storage Bucket deletion (d681c6c5-41e7-4042-bd07-7f666889d59c) - improved logic of an Informational Analytics BIOCs Space after filename (a9b04a4a-a99b-4bb9-a386-5c72935ac5e5) - improved logic of an Informational Analytics BIOCs Azure Automation Runbook Creation/Modification (abeed5ee-9620-4c31-b751-f090b3a82c37) - improved logic of an Informational Analytics BIOCs Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs Security tools detection attempt (502d0305-4670-49e3-b62b-2fab82bdda6e) - improved logic of an Informational Analytics BIOCs Improved logic of 23 Informational Analytics Alerts: Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - improved logic of an Informational Analytics Alerts Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alerts Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - improved logic of an Informational Analytics Alerts NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - improved logic of an Informational Analytics Alerts Increase in Job-Related Site Visits (3ccaa62d-7762-11eb-93b0-acde48001122) - improved logic of an Informational Analytics Alerts Possible brute force on sudo user (a5a4f979-da78-4195-a288-7cc55ae00a43) - improved logic of an Informational Analytics Alerts Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of an Informational Analytics Alerts Uncommon multiple service stop commands (09db6c8f-189e-4e07-b94a-3fe5a188e4b0) - improved logic of an Informational Analytics Alerts A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - improved logic of an Informational Analytics Alerts NTLM Password Spray (9113b2f2-263e-49b1-b72b-90e385430c44) - improved logic of an Informational Analytics Alerts Multiple Rare Process Executions in Organization (3d78f74c-a8f0-11eb-923e-acde48001122) - improved logic of an Informational Analytics Alerts SSH authentication brute force attempts (be5524ca-60ab-49eb-9045-9aa65d1d89fd) - improved logic of an Informational Analytics Alerts A user authenticated with weak NTLM to multiple hosts (01a04516-a112-4fe6-bacb-6ac1733f8fc2) - improved logic of an Informational Analytics Alerts Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - improved logic of an Informational Analytics Alerts Multiple user accounts were deleted (a334c4fa-569a-11ec-ad30-acde48001122) - improved logic of an Informational Analytics Alerts Possible LDAP enumeration by unsigned process (85c187ec-80d1-464e-ab1e-a9aa5af7f191) - improved logic of an Informational Analytics Alerts A user printed an unusual number of files (cbe07552-7163-418f-ad4f-03ae261bdc2d) - improved logic of an Informational Analytics Alerts A user accessed multiple time-wasting websites (b529b510-ebe8-44ce-a56c-1a276b17217c) - improved logic of an Informational Analytics Alerts A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - improved logic of an Informational Analytics Alerts Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - improved logic of an Informational Analytics Alerts Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - improved logic of an Informational Analytics Alerts Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - improved logic of an Informational Analytics Alerts Multiple users authenticated with weak NTLM to a host (863cf845-00bf-4084-a08a-dd527ca720a4) - improved logic of an Informational Analytics Alerts June 19 2022 Release: Improved logic of a Medium Analytics Alert: NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) - improved logic of a Medium Analytics Alert Improved logic of 2 Low Analytics BIOCs: Possible code downloading from a remote host by Regsvr32 (1f358bb5-aede-3ff6-40e4-50edd570d9e3) - improved logic of a Low Analytics BIOCs A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - improved logic of a Low Analytics BIOCs Improved logic of 4 Low Analytics Alerts: NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - improved logic of a Low Analytics Alerts NTLM Brute Force on an Administrator Account (aed1e32e-8df0-48d7-8e78-4ebcb6e09a94) - improved logic of a Low Analytics Alerts NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - improved logic of a Low Analytics Alerts Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alerts Decreased the severity to Informational for an Analytics BIOC: Uncommon net group or localgroup execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) - decreased the severity to Informational, and improved detection logic Added a new Informational Analytics BIOC: An unusual archive file creation by a user (eb510c2a-3446-4775-941e-0b0cb8f38526) - added a new Informational alert Improved logic of 3 Informational Analytics BIOCs: Rare AppID usage for this destination port to rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs Rare NTLM Usage by User (41374948-45f3-448a-bec2-2efe049aa69f) - improved logic of an Informational Analytics BIOCs Rare NTLM Access By User To Host (05413bad-3d79-4e9a-9611-3471e3b25da5) - improved logic of an Informational Analytics BIOCs Added a new Informational Analytics Alert: NTLM Password Spray (9113b2f2-263e-49b1-b72b-90e385430c44) - added a new Informational alert Improved logic of 2 Informational Analytics Alerts: A user printed an unusual number of files (cbe07552-7163-418f-ad4f-03ae261bdc2d) - improved logic of an Informational Analytics Alerts NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - improved logic of an Informational Analytics Alerts June 12 2022 Release: Changed metadata of 2 High Analytics BIOCs: Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - changed metadata of a High Analytics BIOCs Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - changed metadata of a High Analytics BIOCs Changed metadata of a High Analytics Alert: Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - changed metadata of a High Analytics Alert Improved logic of a Medium Analytics BIOC: Possible AWS Instance Metadata Service (IMDS) Abuse (39ea8f0c-d0d7-4470-b373-aa144394e579) - improved logic of a Medium Analytics BIOC Changed metadata of 4 Medium Analytics BIOCs: Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - changed metadata of a Medium Analytics BIOCs Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - changed metadata of a Medium Analytics BIOCs External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - changed metadata of a Medium Analytics BIOCs Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - changed metadata of a Medium Analytics BIOCs Added a new Medium Analytics Alert: A contained process attempted to escape using notify on release feature (7205a3a5-6c0e-4caf-95f1-c4444ec75b26) - added a new Medium alert Changed metadata of 4 Medium Analytics Alerts: An internal Cloud resource performed port scan on external networks (7e7af0ac-0eac-44e2-8d0f-ea94831bb0df) - changed metadata of a Medium Analytics Alerts Suspicious large allocation of compute resources - possible mining activity (896e2a9a-9c4f-4aea-9314-1e3e15050b44) - changed metadata of a Medium Analytics Alerts Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - changed metadata of a Medium Analytics Alerts Suspicious allocation of compute resources in multiple regions - possible mining activity (30f4d71c-a3f7-43b0-82ca-f2951995e420) - changed metadata of a Medium Analytics Alerts Decreased the severity to Low for an Analytics BIOC: Possible code downloading from a remote host by Regsvr32 (1f358bb5-aede-3ff6-40e4-50edd570d9e3) - decreased the severity to Low Changed metadata of 11 Low Analytics BIOCs: AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - changed metadata of a Low Analytics BIOCs AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - changed metadata of a Low Analytics BIOCs Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - changed metadata of a Low Analytics BIOCs GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - changed metadata of a Low Analytics BIOCs Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - changed metadata of a Low Analytics BIOCs Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - changed metadata of a Low Analytics BIOCs An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - changed metadata of a Low Analytics BIOCs Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - changed metadata of a Low Analytics BIOCs AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - changed metadata of a Low Analytics BIOCs Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - changed metadata of a Low Analytics BIOCs AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - changed metadata of a Low Analytics BIOCs Improved logic of a Low Analytics Alert: Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - improved logic of a Low Analytics Alert Changed metadata of a Low Analytics Alert: IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - changed metadata of a Low Analytics Alert Added 4 new Informational BIOCs: Print Processor Registration (d218018c-3fe1-43c3-816b-331dfb914401) - added a new Informational alert Time provider Registration (76d43800-76bb-459e-ad10-3e8b85e12a2f) - added a new Informational alert Port Monitor added in Registry (bc1df7df-f4a0-4470-bfbd-e042fc8cfe0a) - added a new Informational alert Active Setup Registry Autostart (6dedf6eb-38a0-467b-858c-cacef3ddb3bb) - added a new Informational alert Improved logic of 2 Informational Analytics BIOCs: Abnormal process connection to default Meterpreter port (9de6cf91-007d-11ea-a77c-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs Changed metadata of 71 Informational Analytics BIOCs: GCP IAM Service Account Key Deletion (7a30c221-6450-4c5a-bafc-f6633a5b7f7f) - changed metadata of an Informational Analytics BIOCs GCP Firewall Rule Modification (780f6209-1829-45e2-9ab9-a22999d6ef6e) - changed metadata of an Informational Analytics BIOCs Azure Event Hub Authorization rule creation/modification (ba1fb18f-9031-4b7c-9ec3-d029f5e5ee0e) - changed metadata of an Informational Analytics BIOCs AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - changed metadata of an Informational Analytics BIOCs GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - changed metadata of an Informational Analytics BIOCs Suspicious cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - changed metadata of an Informational Analytics BIOCs Remote usage of an App engine Service Account token (b5b760e8-8747-11ec-b26b-acde48001122) - changed metadata of an Informational Analytics BIOCs GCP VPC Firewall Rule Deletion (4c47ea31-a67a-4b2f-b88a-154d8aac420b) - changed metadata of an Informational Analytics BIOCs IAM User added to an IAM group (440b6ea7-2f9e-4ad1-8443-2586eb796298) - changed metadata of an Informational Analytics BIOCs GCP Storage Bucket deletion (d681c6c5-41e7-4042-bd07-7f666889d59c) - changed metadata of an Informational Analytics BIOCs First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - changed metadata of an Informational Analytics BIOCs Azure Blob Container Access Level Modification (28efc491-b0a3-4edc-96ab-15156dec80e4) - changed metadata of an Informational Analytics BIOCs MFA device was removed/deactivated from an IAM user (52d74622-2fa5-4eae-b7d0-8eb52e0caaf3) - changed metadata of an Informational Analytics BIOCs Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - changed metadata of an Informational Analytics BIOCs AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - changed metadata of an Informational Analytics BIOCs Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - changed metadata of an Informational Analytics BIOCs AWS network ACL rule creation (a04d827e-9c62-4e2e-be28-1308c695446e) - changed metadata of an Informational Analytics BIOCs S3 configuration deletion (68ebffe9-ce22-4453-bf44-5cd1affd67a0) - changed metadata of an Informational Analytics BIOCs External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - changed metadata of an Informational Analytics BIOCs GCP Service Account Disable (ee82516d-e047-4172-a427-17e30e037706) - changed metadata of an Informational Analytics BIOCs GCP Storage Bucket Configuration Modification (d1ad46ca-4412-445a-a0be-17d9b29880d3) - changed metadata of an Informational Analytics BIOCs Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - changed metadata of an Informational Analytics BIOCs Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - changed metadata of an Informational Analytics BIOCs GCP Storage Bucket Permissions Modification (5ed09b6c-a603-4c5d-8c63-74245e42faed) - changed metadata of an Informational Analytics BIOCs EC2 snapshot attribute has been modification (1c516548-f413-4117-b759-d98d5bec3ed5) - changed metadata of an Informational Analytics BIOCs Aurora DB cluster stopped (37242e95-a845-4043-87d6-ad07edfd7c99) - changed metadata of an Informational Analytics BIOCs AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - changed metadata of an Informational Analytics BIOCs An IAM group was created (af19f0d0-1e67-4327-9528-a1dc496a548f) - changed metadata of an Informational Analytics BIOCs Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - changed metadata of an Informational Analytics BIOCs Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - changed metadata of an Informational Analytics BIOCs GCP Virtual Private Cloud (VPC) Network Deletion (d9158b41-8de9-4f6d-98b0-3155d4deb092) - changed metadata of an Informational Analytics BIOCs Azure virtual machine commands execution (6a069681-c378-4b9c-a2e2-0414a64cc36e) - changed metadata of an Informational Analytics BIOCs GCP Firewall Rule creation (a84dbd23-67d0-4851-a73a-7dc7430600cf) - changed metadata of an Informational Analytics BIOCs AWS Role Trusted Entity modification (cada381e-8af6-45fa-8c3f-a4e93c4e1885) - changed metadata of an Informational Analytics BIOCs An AWS RDS Global Cluster Deletion (1b957d24-d4c3-11eb-9122-acde48001122) - changed metadata of an Informational Analytics BIOCs GCP IAM Custom Role Creation (830eb74a-a6a5-4e5c-9890-0f5857408000) - changed metadata of an Informational Analytics BIOCs Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - changed metadata of an Informational Analytics BIOCs GCP Service Account creation (f29b6fd5-3da3-4e40-867d-ef8c82d95116) - changed metadata of an Informational Analytics BIOCs Remote usage of VM Service Account token (e65c3658-79d7-11ec-bba6-acde48001122) - changed metadata of an Informational Analytics BIOCs Azure Automation Runbook Deletion (ba481ed7-9957-489f-a29d-b78f92cc0644) - changed metadata of an Informational Analytics BIOCs Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - changed metadata of an Informational Analytics BIOCs Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - changed metadata of an Informational Analytics BIOCs AWS RDS cluster deletion (818dcc3f-c6e9-4ad5-a7ac-633cb75ebe71) - changed metadata of an Informational Analytics BIOCs GCP Service Account deletion (bf134ec2-a907-4f4f-a316-0b68625ff236) - changed metadata of an Informational Analytics BIOCs Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - changed metadata of an Informational Analytics BIOCs AWS user creation (242c9abb-1def-4778-ba5e-88817b4dc89f) - changed metadata of an Informational Analytics BIOCs Azure Automation Account Creation (878335a8-daf9-4380-a856-9df94a8f9e8d) - changed metadata of an Informational Analytics BIOCs Azure Storage Account key generated (72443a25-c783-494e-adaa-98cd96a54997) - changed metadata of an Informational Analytics BIOCs Root user logged in to AWS console (447ef512-2b73-4c8e-b0f4-c85415e7659f) - changed metadata of an Informational Analytics BIOCs AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - changed metadata of an Informational Analytics BIOCs GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - changed metadata of an Informational Analytics BIOCs A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - changed metadata of an Informational Analytics BIOCs GCP Pub/Sub Topic Deletion (2acac71c-6a19-4b2f-a4d3-b95fa4cab768) - changed metadata of an Informational Analytics BIOCs AWS EC2 instance exported into S3 (c6ad16c5-f2be-46de-9d3b-c44613f46d27) - changed metadata of an Informational Analytics BIOCs Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - changed metadata of an Informational Analytics BIOCs Azure Key Vault modification (c253e0bb-f704-45c8-9abe-ad0ec9345b54) - changed metadata of an Informational Analytics BIOCs GCP Virtual Private Network Route Deletion (db6e96a7-a47a-4ba3-b92c-623713ba3d67) - changed metadata of an Informational Analytics BIOCs AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - changed metadata of an Informational Analytics BIOCs GCP Virtual Private Network Route Creation (00e3b67d-2ef2-4341-b017-a6183b7dd8c8) - changed metadata of an Informational Analytics BIOCs GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - changed metadata of an Informational Analytics BIOCs Log4J exploitation attempt against cloud hosted resources (bdef5aae-a272-4c70-b1cd-165cac5039c3) - changed metadata of an Informational Analytics BIOCs GCP Pub/Sub Subscription Deletion (12e3bc4a-69f6-4923-932e-0272621aa21a) - changed metadata of an Informational Analytics BIOCs An Identity accessed a secret from Secret Manager (050cd586-bc43-4586-850d-162c0123ad6e) - changed metadata of an Informational Analytics BIOCs AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - changed metadata of an Informational Analytics BIOCs Azure Automation Runbook Creation/Modification (abeed5ee-9620-4c31-b751-f090b3a82c37) - changed metadata of an Informational Analytics BIOCs Cloud impersonation by unusual identity type (e3858b4a-79df-4a70-867f-a6bfec0b7762) - changed metadata of an Informational Analytics BIOCs Azure Automation Webhook creation (c5393a54-b199-4474-a603-75b276903766) - changed metadata of an Informational Analytics BIOCs Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - changed metadata of an Informational Analytics BIOCs Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - changed metadata of an Informational Analytics BIOCs AWS config resource deletion (7c992418-9687-44ea-8b12-1c680bf1c901) - changed metadata of an Informational Analytics BIOCs GCP IAM Role Deletion (e0fe91e0-6179-4a3d-9d71-95144f4ebb25) - changed metadata of an Informational Analytics BIOCs Changed metadata of 2 Informational Analytics Alerts: Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - changed metadata of an Informational Analytics Alerts Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - changed metadata of an Informational Analytics Alerts   June 07 2022 Release: Removed an old Medium BIOC: Suspicious .NET log file created (dd318916-3d0a-4801-aa0b-78f9b94d0323) - removed an old Medium alert Improved logic of 5 Medium Analytics BIOCs: Remote WMI process execution (65c55916-23c3-4d1e-9e3d-e839c9c4b70f) - improved logic of a Medium Analytics BIOCs Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Executable created to disk by lsass.exe (b2f18102-e247-4986-8681-029741ebbfd5) - improved logic of a Medium Analytics BIOCs Suspicious disablement of the Windows Firewall using PowerShell commands (cb8b6ba0-12cc-4c64-81f5-75da949bea0b) - improved logic of a Medium Analytics BIOCs Improved logic of a Medium Analytics Alert: NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) - improved logic of a Medium Analytics Alert Added a new Low Analytics BIOC: Suspicious DotNet log file created (064eebce-02fb-08e7-df1f-66ee933eefab) - added a new Low alert Improved logic of 6 Low Analytics BIOCs: Suspicious process changed or created the ssh_authorized_keys file (98bc28e2-92a2-49c6-8c4e-86188a351b75) - improved logic of a Low Analytics BIOCs Unsigned process creates a scheduled task via file access (f07fd364-9b51-48ec-8225-32ae98a8ffe5) - improved logic of a Low Analytics BIOCs Remote DCOM command execution (e5e3c27a-a0c5-49b7-8143-5012d1180d2c) - improved logic of a Low Analytics BIOCs Unsigned and unpopular process performed a DLL injection (5396ebed-c7ef-4462-a02b-9cf7232b27b8) - improved logic of a Low Analytics BIOCs Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - improved logic of a Low Analytics BIOCs Unsigned and unpopular process performed an injection (6bcd74bb-6301-4f52-9a9f-1b38e6a54342) - improved logic of a Low Analytics BIOCs Improved logic of 4 Low Analytics Alerts: User collected remote shared files in an archive (de85c5aa-21e8-43d7-af13-3862f787549f) - improved logic of a Low Analytics Alerts NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - improved logic of a Low Analytics Alerts NTLM Brute Force on an Administrator Account (aed1e32e-8df0-48d7-8e78-4ebcb6e09a94) - improved logic of a Low Analytics Alerts NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - improved logic of a Low Analytics Alerts Added a new Informational BIOC: ISO mounted manually (a4978720-39fc-404f-bb74-c3db07ef4f9d) - added a new Informational alert Decreased the severity to Informational for an Analytics BIOC: Office process accessed an unusual .LNK file (15b39f42-b51e-7dec-576f-d1cef54a5baf) - decreased the severity to Informational, and improved detection logic Added 11 new Informational Analytics BIOCs: Python HTTP server started (b43d77ba-696e-48e6-87d1-64e229201c36) - added a new Informational alert Permission Groups discovery commands (f7781c61-821c-4601-b5b2-bb2a8c7f8da5) - added a new Informational alert A compressed file was exfiltrated over SSH (22d00dc1-8df1-4ad5-90ce-07d3dcc41042) - added a new Informational alert Adding execution privileges (c37112ff-5c49-45cc-b199-5a8d3b49b48c) - added a new Informational alert VM Detection attempt on Linux (5280dff5-14cd-4cf6-a70f-91c33bb43ae9) - added a new Informational alert Run downloaded script using pipe (b4fbd149-ec4d-475a-8704-a8df5d5a6298) - added a new Informational alert System shutdown or reboot (3edad9ba-d804-4fd8-b8e6-7f353598d69e) - added a new Informational alert Browser bookmark files accessed by a rare non-browser process (7c464967-346f-4017-a765-0ddbfd513cb7) - added a new Informational alert File transfer from unusual IP using known tools (1329a84b-de85-4d33-9e8a-aa2e5e142530) - added a new Informational alert Space after filename (a9b04a4a-a99b-4bb9-a386-5c72935ac5e5) - added a new Informational alert Uncommon kernel module load (86fdbf9c-bdc7-4f88-a201-70331bbdd7ff) - added a new Informational alert Improved logic of 6 Informational Analytics BIOCs: A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - improved logic of an Informational Analytics BIOCs A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - improved logic of an Informational Analytics BIOCs Rare NTLM Access By User To Host (05413bad-3d79-4e9a-9611-3471e3b25da5) - improved logic of an Informational Analytics BIOCs Possible use of a networking driver for network sniffing (335fb03a-3c85-4029-8033-ec575b3479ae) - improved logic of an Informational Analytics BIOCs Rare NTLM Usage by User (41374948-45f3-448a-bec2-2efe049aa69f) - improved logic of an Informational Analytics BIOCs A suspicious file was written to the startup folder (5c9df403-aecc-4b54-99c5-50a779bae6ae) - improved logic of an Informational Analytics BIOCs Added 2 new Informational Analytics Alerts: A user authenticated with weak NTLM to multiple hosts (01a04516-a112-4fe6-bacb-6ac1733f8fc2) - added a new Informational alert Multiple users authenticated with weak NTLM to a host (863cf845-00bf-4084-a08a-dd527ca720a4) - added a new Informational alert Improved logic of 5 Informational Analytics Alerts: Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - improved logic of an Informational Analytics Alerts Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - improved logic of an Informational Analytics Alerts NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - improved logic of an Informational Analytics Alerts A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - improved logic of an Informational Analytics Alerts Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - improved logic of an Informational Analytics Alerts   May 29 2022 Release: Improved logic of a High Analytics BIOC: Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOC Changed metadata of 16 High Analytics BIOCs: Editing ld.so.preload for persistence and injection (135b986b-033a-2cc5-8800-4da034c291fc) - changed metadata of a High Analytics BIOCs Process execution with a suspicious command line indicative of the Spring4Shell exploit (0fc034a9-36ce-432f-bddb-1cfda20be004) - changed metadata of a High Analytics BIOCs A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - changed metadata of a High Analytics BIOCs Netcat makes or gets connections (15d32561-c499-4772-8934-883fcd1cd75f) - changed metadata of a High Analytics BIOCs Suspicious usage of File Server Remote VSS Protocol (FSRVP) (9f82d067-25e8-49da-bae3-62e7f9074943) - changed metadata of a High Analytics BIOCs Bronze-Bit exploit (115c6f43-ebb2-48d8-9044-9b52c0102e2f) - changed metadata of a High Analytics BIOCs A Successful login from TOR (ec9124e2-f2c3-4141-bdfa-4c707dfae296) - changed metadata of a High Analytics BIOCs A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - changed metadata of a High Analytics BIOCs Uncommon remote scheduled task creation (85516bae-e953-11e9-bbed-8c8590c9ccd1) - changed metadata of a High Analytics BIOCs Wbadmin deleted files in quiet mode (293c8cc3-d9c3-4293-bddc-5dbf65d979fc) - changed metadata of a High Analytics BIOCs PowerShell used to remove mailbox export request logs (2daec22b-6339-4217-afdc-ffaf60faa4c2) - changed metadata of a High Analytics BIOCs Possible DCShadow attempt (a320aa30-20c3-11ea-b525-8c8590c9ccd1) - changed metadata of a High Analytics BIOCs Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin (e7deceda-807e-4e2e-993b-e577804c5d8f) - changed metadata of a High Analytics BIOCs Memory dumping with comsvcs.dll (4c720885-7c14-4e18-94aa-c8e5a03edac8) - changed metadata of a High Analytics BIOCs Unprivileged process opened a registry hive (9937ddbf-beb9-49b0-ac34-e005d53a127b) - changed metadata of a High Analytics BIOCs Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) - changed metadata of a High Analytics BIOCs Changed metadata of a High Analytics Alert: Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - changed metadata of a High Analytics Alert Added a new Medium Analytics BIOC: A contained executable was executed by unusual process (d8c11b55-29b4-44b2-9e47-fd6c4cda4d7b) - added a new Medium alert Improved logic of 15 Medium Analytics BIOCs: Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs MSI accessed a web page running a server-side script (afb57884-36f1-4127-b1ac-43009c32899b) - improved logic of a Medium Analytics BIOCs Machine account was added to a domain admins group (3c3c9d51-56c1-11ec-8706-acde48001122) - improved logic of a Medium Analytics BIOCs Uncommon msiexec execution of an arbitrary file from the web (8b919310-62f6-4035-b60b-ef61372947d9) - improved logic of a Medium Analytics BIOCs A contained executable from a mounted share initiated a suspicious outbound network connection (423a9cc9-735f-48cd-8fb5-6e4aeecd5d6d) - improved logic of a Medium Analytics BIOCs Remote WMI process execution (65c55916-23c3-4d1e-9e3d-e839c9c4b70f) - improved logic of a Medium Analytics BIOCs TGT request with a spoofed sAMAccountName - Event log (aa13b505-66e8-11ec-b385-faffc26aac4a) - improved logic of a Medium Analytics BIOCs TGT request with a spoofed sAMAccountName - Network (92c20cd9-60e8-11ec-80b1-acde48001122) - improved logic of a Medium Analytics BIOCs Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - improved logic of a Medium Analytics BIOCs Microsoft Office Process Spawning a Suspicious One-Liner (aca7aaa1-4361-11ea-8fed-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - improved logic of a Medium Analytics BIOCs Service ticket request with a spoofed sAMAccountName (633ca673-5d09-11ec-b013-faffc26aac4a) - improved logic of a Medium Analytics BIOCs A remote service was created via RPC over SMB (f33c6ecc-cb20-4f2a-8bf8-869d21f18b0e) - improved logic of a Medium Analytics BIOCs External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - improved logic of a Medium Analytics BIOCs Changed metadata of 72 Medium Analytics BIOCs: Commonly abused AutoIT script connects to an external domain (5ce79fc6-a5d3-43d1-a9ff-d8c779958cc9) - changed metadata of a Medium Analytics BIOCs Executable created to disk by lsass.exe (b2f18102-e247-4986-8681-029741ebbfd5) - changed metadata of a Medium Analytics BIOCs Executable moved to Windows system folder (bab3ed69-9e51-2000-c383-34103b1fb8fd) - changed metadata of a Medium Analytics BIOCs Rundll32.exe spawns conhost.exe (c91811ac-2fa7-af90-1d55-bc786fee62a6) - changed metadata of a Medium Analytics BIOCs Suspicious PowerSploit's recon module (PowerView) net function was executed (bd95656f-6ba3-4c9d-ac06-8b0a957cf67f) - changed metadata of a Medium Analytics BIOCs PowerShell used to export mailbox contents (70b08c1e-ccfd-4ab9-bb92-66acaa83aa3a) - changed metadata of a Medium Analytics BIOCs Mailbox Client Access Setting (CAS) changed (d44c2188-9769-497d-a509-b980e9420f33) - changed metadata of a Medium Analytics BIOCs Suspicious Process Spawned by wininit.exe (9e4ba29f-8771-4f7b-acc4-562c91740934) - changed metadata of a Medium Analytics BIOCs Suspicious time provider registered (2055b591-73b7-4a69-8c88-a6d8649d1e7b) - changed metadata of a Medium Analytics BIOCs Procdump executed from an atypical directory (7b947703-063a-7f35-0980-b57cfb0eada1) - changed metadata of a Medium Analytics BIOCs Uncommon Service Create/Config (4814ee91-468d-11ea-a78c-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs Unicode RTL Override Character (525e3dd7-4ca6-11ea-8161-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs Uncommon net group execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOCs Possible Persistence via group policy Registry keys (3b3741b6-1993-0e75-6c33-51152991fa0a) - changed metadata of a Medium Analytics BIOCs Modification of NTLM restrictions in the Registry (bba1f627-d154-4980-f752-b17096cd73a2) - changed metadata of a Medium Analytics BIOCs Suspicious SearchProtocolHost.exe parent process (86d04512-5c96-4f87-be1e-dc600e9d60f8) - changed metadata of a Medium Analytics BIOCs Bitsadmin.exe persistence using command-line callback (96e5bf6b-3ed4-42f2-b824-6cdb16a31608) - changed metadata of a Medium Analytics BIOCs Autorun.inf created in root C drive (cee2bedd-66d1-84d6-fd43-652725459a71) - changed metadata of a Medium Analytics BIOCs Suspicious disablement of the Windows Firewall using PowerShell commands (cb8b6ba0-12cc-4c64-81f5-75da949bea0b) - changed metadata of a Medium Analytics BIOCs Suspicious Udev driver rule execution manipulation (74805905-0d62-454d-90dc-2deeeb51e549) - changed metadata of a Medium Analytics BIOCs Possible Search For Password Files (388d1fcc-4d9c-11ea-9daa-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs Office process creates an unusual .LNK file (15b39f42-b51e-7dec-576f-d1cef54a5baf) - changed metadata of a Medium Analytics BIOCs Suspicious certutil command line (eb9c9e41-072d-9975-fba3-d17a1cb39b49) - changed metadata of a Medium Analytics BIOCs Suspicious hidden user created (eeb7b678-3c9b-11ec-879d-acde48001122) - changed metadata of a Medium Analytics BIOCs Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - changed metadata of a Medium Analytics BIOCs Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - changed metadata of a Medium Analytics BIOCs Rundll32.exe running with no command-line arguments (1fec6f01-b5de-935b-58e0-c124f2de6101) - changed metadata of a Medium Analytics BIOCs Uncommon jsp file write by a Java process (acaa34fd-b2b8-4218-aab0-b8d717e9dcc5) - changed metadata of a Medium Analytics BIOCs Manipulation of netsh helper DLLs Registry keys (02bf3838-23d9-4a6b-a4c9-7b6691663249) - changed metadata of a Medium Analytics BIOCs Possible Microsoft module side-loading into Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - changed metadata of a Medium Analytics BIOCs Possible RDP session hijacking using tscon.exe (015570a8-ffce-492b-99a9-e7b83dc8e216) - changed metadata of a Medium Analytics BIOCs Possible malicious .NET compilation started by a commonly abused process (63627c16-7c3e-9538-f662-8f25568995f5) - changed metadata of a Medium Analytics BIOCs Execution of the Hydra Linux password brute-force tool (90010a1e-59b9-42a2-b768-2778a666f7a3) - changed metadata of a Medium Analytics BIOCs Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - changed metadata of a Medium Analytics BIOCs Possible Microsoft process masquerading (e0a99ea0-977d-4646-b9d9-26e9e7a4341c) - changed metadata of a Medium Analytics BIOCs The CA policy EditFlags was queried (3c01fdf3-0cf3-49b6-b08f-b40df3c2e498) - changed metadata of a Medium Analytics BIOCs Suspicious Encrypting File System Remote call (EFSRPC) to domain controller (82a37634-c112-4dd9-8c16-332855d96c30) - changed metadata of a Medium Analytics BIOCs Suspicious .NET process loads an MSBuild DLL (bb0e8ceb-94e4-888c-92a1-bc9c1b8c481c) - changed metadata of a Medium Analytics BIOCs Suspicious authentication package registered (8beb68b4-a866-494d-a768-c4c391086c66) - changed metadata of a Medium Analytics BIOCs Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - changed metadata of a Medium Analytics BIOCs Possible new DHCP server (e5afa116-5041-4ed9-9d0c-18eaac133173) - changed metadata of a Medium Analytics BIOCs LSASS dump file written to disk (dd78e167-1c96-de84-d476-d48cba3370cd) - changed metadata of a Medium Analytics BIOCs Possible code downloading from a remote host by Regsvr32 (1f358bb5-aede-3ff6-40e4-50edd570d9e3) - changed metadata of a Medium Analytics BIOCs PowerShell suspicious flags (4ce1b559-45b8-11ea-81bb-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs Non-browser failed access to a pastebin-like site (be47eb8c-3407-46d6-ad35-2961f3f669b0) - changed metadata of a Medium Analytics BIOCs Possible network connection to a TOR relay server (a3e0fd91-11e5-34b8-92b3-a2bed507878a) - changed metadata of a Medium Analytics BIOCs Suspicious print processor registered (cf14910d-0c56-48c7-97f2-903f3387ad6b) - changed metadata of a Medium Analytics BIOCs RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOCs Tampering with Internet Explorer Protected Mode configuration (670fd2a0-8523-85f1-49c9-28a1f2ccb69a) - changed metadata of a Medium Analytics BIOCs Suspicious disablement of the Windows Firewall (7c28b163-4d2f-463c-97ba-5b3e7f13249b) - changed metadata of a Medium Analytics BIOCs Discovery of misconfigured certificate templates using LDAP (7dbb9366-8b94-4a9f-bc18-f02fbe7b1433) - changed metadata of a Medium Analytics BIOCs Fodhelper.exe UAC bypass (780d896e-19db-4c9d-ee3b-e496f745ee64) - changed metadata of a Medium Analytics BIOCs Windows Installer exploitation for local privilege escalation (d6aeb50b-c3f9-4eb3-9504-636eb17f3a42) - changed metadata of a Medium Analytics BIOCs Scrcons.exe Rare Child Process (f62553d1-e952-11e9-81c4-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOCs LDAP search query from an unpopular and unsigned process (64472a41-9670-4626-8926-98b713328ddf) - changed metadata of a Medium Analytics BIOCs Suspicious execution of ODBCConf (4bebfd54-6c21-b4bd-f30e-070f48ae8949) - changed metadata of a Medium Analytics BIOCs Mshta.exe launched with suspicious arguments (0b174006-3946-43b6-af3c-ab400e6c7a87) - changed metadata of a Medium Analytics BIOCs Uncommon PowerShell commands used to create or alter scheduled task parameters (a31e1c5b-f931-412b-b7ae-1932df342614) - changed metadata of a Medium Analytics BIOCs Vulnerable driver loaded (1cc145f5-f667-4ca3-a722-79a29ed23caf) - changed metadata of a Medium Analytics BIOCs Reverse SSH tunnel to external domain/ip (0098b910-5056-4ce9-988a-983dd0071c5a) - changed metadata of a Medium Analytics BIOCs Possible AWS Instance Metadata Service (IMDS) Abuse (39ea8f0c-d0d7-4470-b373-aa144394e579) - changed metadata of a Medium Analytics BIOCs Office process creates a scheduled task via file access (f55359ad-1258-7ffe-1d97-ae01077dd8e1) - changed metadata of a Medium Analytics BIOCs Indirect command execution using the Program Compatibility Assistant (324416dd-01a2-1fa3-f3f7-5757895e9926) - changed metadata of a Medium Analytics BIOCs Phantom DLL Loading (69ba5103-2954-4175-87b7-3a622ec07255) - changed metadata of a Medium Analytics BIOCs Encoded information using Windows certificate management tool (33d390e1-2091-4a70-0dde-99fe29540b38) - changed metadata of a Medium Analytics BIOCs PowerShell runs suspicious base64-encoded commands (867fc0b0-4f9f-4d3b-b538-0b32266e2ab2) - changed metadata of a Medium Analytics BIOCs Script file added to startup-related Registry keys (9dee6c7b-1df0-4eb2-9db2-035f70e7c9d7) - changed metadata of a Medium Analytics BIOCs Execution of renamed lolbin (d2600df6-4489-4ad6-b92b-0b560f958d57) - changed metadata of a Medium Analytics BIOCs Uncommon SetWindowsHookEx API invocation of a possible keylogger (09cf18c8-e607-44f4-bb06-1dfde6163839) - changed metadata of a Medium Analytics BIOCs Interactive at.exe privilege escalation method (86c25db2-acaa-6673-a7d4-20aef374f0d1) - changed metadata of a Medium Analytics BIOCs Suspicious PowerSploit's recon module (PowerView) used to search for exposed hosts (dd806bdc-9025-47ff-816a-72ee47c322a3) - changed metadata of a Medium Analytics BIOCs Office process spawned with suspicious command-line arguments (b6d85e95-f65e-dbcc-9c9b-eb2f47593f8e) - changed metadata of a Medium Analytics BIOCs Improved logic of 5 Medium Analytics Alerts: Suspicious allocation of compute resources in multiple regions - possible mining activity (30f4d71c-a3f7-43b0-82ca-f2951995e420) - improved logic of a Medium Analytics Alerts Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of a Medium Analytics Alerts New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Medium Analytics Alerts Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - improved logic of a Medium Analytics Alerts Suspicious large allocation of compute resources - possible mining activity (896e2a9a-9c4f-4aea-9314-1e3e15050b44) - improved logic of a Medium Analytics Alerts Changed metadata of 7 Medium Analytics Alerts: Remote account enumeration (7ee73b65-466e-4d4d-b2a6-0058f11b442d) - changed metadata of a Medium Analytics Alerts Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - changed metadata of a Medium Analytics Alerts Kerberos User Enumeration (a371b533-c9f4-11eb-879e-acde48001122) - changed metadata of a Medium Analytics Alerts An internal Cloud resource performed port scan on external networks (7e7af0ac-0eac-44e2-8d0f-ea94831bb0df) - changed metadata of a Medium Analytics Alerts NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) - changed metadata of a Medium Analytics Alerts DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - changed metadata of a Medium Analytics Alerts Sudoedit Brute force attempt (e1d6cdd8-845f-440b-b89e-a430eafea941) - changed metadata of a Medium Analytics Alerts Increased the severity to Low for an Analytics BIOC: Windows Event Log was cleared using wevtutil.exe (be2210fb-9884-49e7-8078-6e59c35d925e) - increased the severity to Low, and improved detection logic Improved logic of 34 Low Analytics BIOCs: Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - improved logic of a Low Analytics BIOCs VPN login with a machine account (9818431a-c039-49eb-a93c-8731c7f48fec) - improved logic of a Low Analytics BIOCs Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - improved logic of a Low Analytics BIOCs Remote DCOM command execution (e5e3c27a-a0c5-49b7-8143-5012d1180d2c) - improved logic of a Low Analytics BIOCs WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs SPNs cleared from a machine account (973d9ec2-5dce-11ec-8dbf-acde48001122) - improved logic of a Low Analytics BIOCs PowerShell Initiates a Network Connection to GitHub (8b34f70a-b84d-4d98-aa19-7ee88037e467) - improved logic of a Low Analytics BIOCs Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - improved logic of a Low Analytics BIOCs Globally uncommon root domain from a signed process (10febb79-f10d-4765-8c40-92c8c276457f) - improved logic of a Low Analytics BIOCs Suspicious process executed with a high integrity level (81e70ab2-b1f1-4a1c-bf94-3929f6d7e1b2) - improved logic of a Low Analytics BIOCs Suspicious Certutil AD CS contact (06545c74-04c2-4964-9af5-eb99080c274e) - improved logic of a Low Analytics BIOCs A disabled user attempted to log in to a VPN (2a092ebe-ed9a-4eaa-bdcc-4b378c4ce4d7) - improved logic of a Low Analytics BIOCs Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - improved logic of a Low Analytics BIOCs VPN login by a service account (5430df85-d0ff-4b41-8683-6ad6bed1b657) - improved logic of a Low Analytics BIOCs Suspicious failed HTTP request - potential Spring4Shell exploit (1028c23d-f8f0-4adb-9e12-bffce9104359) - improved logic of a Low Analytics BIOCs Elevation to SYSTEM via services (a1962f05-c1da-4765-8e4a-59729c70dde0) - improved logic of a Low Analytics BIOCs Suspicious process execution by scheduled task (56bc5f4c-e481-41de-81e4-ec618fb1f004) - improved logic of a Low Analytics BIOCs Interactive login by a service account (603bfd03-d88b-4a3e-844b-5286b6971960) - improved logic of a Low Analytics BIOCs A computer account was promoted to DC (87de9d8c-7d52-11ec-b568-acde48001122) - improved logic of a Low Analytics BIOCs Unsigned and unpopular process performed an injection (6bcd74bb-6301-4f52-9a9f-1b38e6a54342) - improved logic of a Low Analytics BIOCs Execution of dllhost.exe with an empty command line (cc3bf426-10ed-4955-a0ab-302f81e22873) - improved logic of a Low Analytics BIOCs New addition to Windows Defender exclusion list (97bd1ad3-df0f-459c-be72-88193ce7b667) - improved logic of a Low Analytics BIOCs Unsigned process creates a scheduled task via file access (f07fd364-9b51-48ec-8225-32ae98a8ffe5) - improved logic of a Low Analytics BIOCs Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of a Low Analytics BIOCs Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - improved logic of a Low Analytics BIOCs A suspicious process enrolled for a certificate (4cbef8f8-ec99-40d1-9b8b-bfbd3cda5f4b) - improved logic of a Low Analytics BIOCs Globally uncommon root-domain port combination from a signed process (557d3fac-1cfd-47dd-8db9-631ae264feac) - improved logic of a Low Analytics BIOCs Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - improved logic of a Low Analytics BIOCs Unsigned and unpopular process performed a DLL injection (5396ebed-c7ef-4462-a02b-9cf7232b27b8) - improved logic of a Low Analytics BIOCs Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - improved logic of a Low Analytics BIOCs Suspicious process loads a known PowerShell module (23ac9a23-8a43-4900-95e1-6cdb422dd854) - improved logic of a Low Analytics BIOCs Suspicious sAMAccountName change (3a44e454-61ab-11ec-a8b5-acde48001122) - improved logic of a Low Analytics BIOCs Windows event logs were cleared with PowerShell (9730c9bb-7107-42e5-8d2c-746b89086856) - improved logic of a Low Analytics BIOCs Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - improved logic of a Low Analytics BIOCs Changed metadata of 78 Low Analytics BIOCs: Setuid and Setgid file bit manipulation (86c8f625-febe-42d3-8682-9ef405985379) - changed metadata of a Low Analytics BIOCs Contained process execution with a rare GitHub URL (eadd0b5c-94bb-4582-8115-765e48e19353) - changed metadata of a Low Analytics BIOCs A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - changed metadata of a Low Analytics BIOCs Linux system firewall was disabled (d50eedfa-7888-47aa-b390-929ccab92d80) - changed metadata of a Low Analytics BIOCs Suspicious PowerShell Enumeration of Running Processes (9ed9d8ee-6dbb-11ea-a5d9-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - changed metadata of a Low Analytics BIOCs Suspicious data encryption (30df8779-1e1e-4c5a-a9de-40cb94d837e7) - changed metadata of a Low Analytics BIOCs SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - changed metadata of a Low Analytics BIOCs Suspicious LDAP search query executed (95ffd373-d208-4fae-8d1e-adfeca7b9fb5) - changed metadata of a Low Analytics BIOCs First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - changed metadata of a Low Analytics BIOCs Command running with COMSPEC in the command line argument (2feeb01f-0a81-476a-8ec0-d49fd2bf807b) - changed metadata of a Low Analytics BIOCs Change of sudo caching configuration (8aebc46d-4ec7-4705-b499-324f5821a85e) - changed metadata of a Low Analytics BIOCs Possible network sniffing attempt via tcpdump or tshark (10d3d8d1-1edd-4992-beb3-53d4f5afcde8) - changed metadata of a Low Analytics BIOCs Microsoft Office adds a value to autostart Registry key (32e4eb1d-659c-317b-42a7-910db9f2f3b7) - changed metadata of a Low Analytics BIOCs Screensaver process executed from Users or temporary folder (463d34d4-d448-40f2-8093-6ce58cf2bdbb) - changed metadata of a Low Analytics BIOCs A compiled HTML help file wrote a script file to the disk (6f2817a6-f6b4-4ff5-b03e-ed488e60cd8a) - changed metadata of a Low Analytics BIOCs Suspicious RunOnce Parent Process (565f0500-ad74-11ea-abe7-acde48001122) - changed metadata of a Low Analytics BIOCs Unsigned process injecting into a Windows system binary with no command line (1d8789e7-6629-4549-7064-d384adc339bc) - changed metadata of a Low Analytics BIOCs Suspicious sshpass command execution (4b8f54e1-60ef-4e8f-b8a3-d53564b02cd9) - changed metadata of a Low Analytics BIOCs Wsmprovhost.exe Rare Child Process (f5b580fd-e952-11e9-91de-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs Rare Unsigned Process Spawned by Office Process Under Suspicious Directory (dff03970-bf7a-11ea-86c7-acde48001122) - changed metadata of a Low Analytics BIOCs Failed Login For a Long Username With Special Characters (de8eb00f-2016-11ea-8f2b-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs Suspicious systemd timer activity (6aa321b8-0f2e-4182-b36b-aa3ba7944f25) - changed metadata of a Low Analytics BIOCs Suspicious process modified RC script file (711175b0-03ac-469b-ae5a-2ffb727816b2) - changed metadata of a Low Analytics BIOCs Rare communication over email ports to external email server by unsigned process (7b424216-fe61-4589-bcee-67e9e7b267be) - changed metadata of a Low Analytics BIOCs Suspicious process changed ssh_authorized_keys file (98bc28e2-92a2-49c6-8c4e-86188a351b75) - changed metadata of a Low Analytics BIOCs Keylogging using system commands (5456f17e-c97f-4484-893a-035d728efc81) - changed metadata of a Low Analytics BIOCs System information discovery via psinfo.exe (5347ae54-08ba-4cee-81a7-a26016928e27) - changed metadata of a Low Analytics BIOCs Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - changed metadata of a Low Analytics BIOCs Suspicious AMSI decode attempt (f3885db4-6be6-40b9-82c1-9858f97a4229) - changed metadata of a Low Analytics BIOCs Suspicious access to shadow file (e4b279f9-3e47-4906-a9d3-4b2a7550da04) - changed metadata of a Low Analytics BIOCs SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - changed metadata of a Low Analytics BIOCs Uncommon remote service start via sc.exe (85cdb57d-e953-11e9-859b-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs Masquerading as Linux crond process (5823c47a-35fc-49c6-a602-a0b81ec342bc) - changed metadata of a Low Analytics BIOCs Certutil pfx parsing (3719af79-bdde-4c84-9277-cbf41c86cd39) - changed metadata of a Low Analytics BIOCs Unusual AWS user added to group (dcfca104-1393-4efb-8081-a582925be678) - changed metadata of a Low Analytics BIOCs Uncommon user management via net.exe (f78dfe5e-e952-11e9-b300-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs User successfully connected from a suspicious country (2f0796a2-c33c-4437-b592-ac13f0929e7d) - changed metadata of a Low Analytics BIOCs Remote service start from an uncommon source (972072a7-9f23-4354-824d-7295de90e804) - changed metadata of a Low Analytics BIOCs Reading bash command history file (e5dcfbcd-7c34-69a7-be3b-3ff9893435d7) - changed metadata of a Low Analytics BIOCs Rare SSH Session (85f62ab8-e953-11e9-beca-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs Possible network service discovery via command-line tool (e2e77dfb-d869-405e-ab1f-2a2477c931cc) - changed metadata of a Low Analytics BIOCs Suspicious runonce.exe parent process (b72692c3-9579-4547-b657-43dc4e6be816) - changed metadata of a Low Analytics BIOCs Suspicious container orchestration job (f358cda9-491e-4be6-af2a-6a5361ae23f9) - changed metadata of a Low Analytics BIOCs Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet (c640fd86-9c58-4fe2-82ed-c3975866393a) - changed metadata of a Low Analytics BIOCs LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - changed metadata of a Low Analytics BIOCs Uncommon local scheduled task creation via schtasks.exe (8581c273-e953-11e9-b670-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs Conhost.exe spawned a suspicious child process (a3e8022a-979a-5a80-8c5f-a90c80dfe19d) - changed metadata of a Low Analytics BIOCs Uncommon routing table listing via route.exe (758e8ed7-e953-11e9-b4ee-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs Unusual process accessed the PowerShell history file (c5e0c7e3-5e55-11eb-9453-acde48001122) - changed metadata of a Low Analytics BIOCs Unusual AWS credentials creation (e13d7877-3308-4f35-9fb8-6ee466b69080) - changed metadata of a Low Analytics BIOCs A suspicious service was started (4f9dff40-917e-4bde-be77-b42a4e05cac7) - changed metadata of a Low Analytics BIOCs Installation of a new System-V service (b99df31c-bebf-47e6-8f72-1c733751823d) - changed metadata of a Low Analytics BIOCs An uncommon kubectl secret enumeration command was executed (d1d4f8ff-68d2-4c04-91ff-2a518ff60319) - changed metadata of a Low Analytics BIOCs Uncommon IP Configuration Listing via ipconfig.exe (02501f5c-e953-11e9-954d-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs Wscript/Cscript loads .NET DLLs (5844326f-d597-410f-aea0-7d369029b218) - changed metadata of a Low Analytics BIOCs Suspicious PowerShell Command Line (d2aa3dde-4d73-11ea-923a-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs Linux system firewall was modified (fac86d1c-01ac-4620-bcee-8330df48ad25) - changed metadata of a Low Analytics BIOCs Image File Execution Options Registry key injection by unsigned process (4588be44-8912-41c5-9a7d-6921691140db) - changed metadata of a Low Analytics BIOCs Suspicious process accessed certificate files (21df20db-09cb-4bc4-b7ea-c6b1cb2e9667) - changed metadata of a Low Analytics BIOCs Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs A disabled user successfully authenticated via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - changed metadata of a Low Analytics BIOCs Uncommon GetClipboardData API function invocation of a possible information stealer (086617b1-eaea-4b50-9712-318faeb71c10) - changed metadata of a Low Analytics BIOCs Rare security product signed executable executed in the network (f9e9ff14-df6e-4ed4-a15d-326bd444199b) - changed metadata of a Low Analytics BIOCs Extracting credentials from Unix files (3eac1dcb-2aec-45e4-b44a-3f982d8979e1) - changed metadata of a Low Analytics BIOCs Discovery of host users via WMIC (6593c57d-14fe-11ea-9297-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs SUID/GUID permission discovery (3f90bf2c-05bb-4916-8e70-3fe7a81ea23d) - changed metadata of a Low Analytics BIOCs Uncommon ARP cache listing via arp.exe (85a9b5a1-e953-11e9-939b-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs Microsoft Office process spawns a commonly abused process (e15a97e1-466c-11ea-90c6-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs Uncommon Security Support Provider (SSP) registered via a registry key (3d1283d0-409c-4d95-8995-dcc7b1ab23e1) - changed metadata of a Low Analytics BIOCs A WMI subscriber was created (5a1964f8-87a0-49d6-bbf2-2c1a5a5eb3e1) - changed metadata of a Low Analytics BIOCs Unusual compressed file password protection (72b20348-2bee-4c54-bb17-65c0b611747f) - changed metadata of a Low Analytics BIOCs Kubectl administration command execution (8d013538-6e98-48ed-a018-fcf19866f367) - changed metadata of a Low Analytics BIOCs MpCmdRun.exe was used to download files into the system (bae10b1e-5850-452a-9623-d86e959d34d4) - changed metadata of a Low Analytics BIOCs Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - changed metadata of a Low Analytics BIOCs Delayed Deletion of Files (9801a8bd-4695-11ea-bb20-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs SecureBoot was disabled (e8a6caaf-89c1-4e19-8e27-1ced582293e0) - changed metadata of a Low Analytics BIOCs Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - changed metadata of a Low Analytics BIOCs Improved logic of 5 Low Analytics Alerts: Excessive user account lockouts (ed56d140-47ce-11ec-a9b1-faffc26aac4a) - improved logic of a Low Analytics Alerts Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - improved logic of a Low Analytics Alerts Impossible traveler - VPN (6acd5f71-0f52-41b7-b996-67f3c800a2b9) - improved logic of a Low Analytics Alerts Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of a Low Analytics Alerts User collected remote shared files in an archive (de85c5aa-21e8-43d7-af13-3862f787549f) - improved logic of a Low Analytics Alerts Changed metadata of 24 Low Analytics Alerts: NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - changed metadata of a Low Analytics Alerts Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - changed metadata of a Low Analytics Alerts Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - changed metadata of a Low Analytics Alerts Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - changed metadata of a Low Analytics Alerts TGT reuse from different hosts (pass the ticket) (a3ae81d9-6d4a-45a8-a720-df7380d2afc8) - changed metadata of a Low Analytics Alerts Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - changed metadata of a Low Analytics Alerts NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - changed metadata of a Low Analytics Alerts Outlook files accessed by an unsigned process (ef33bda6-d0c5-48ef-95a6-e80c0f19df79) - changed metadata of a Low Analytics Alerts Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - changed metadata of a Low Analytics Alerts VPN login Brute-Force attempt (7a69443f-48af-4c3b-8c18-b448e403561c) - changed metadata of a Low Analytics Alerts Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - changed metadata of a Low Analytics Alerts Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - changed metadata of a Low Analytics Alerts Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - changed metadata of a Low Analytics Alerts Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - changed metadata of a Low Analytics Alerts Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - changed metadata of a Low Analytics Alerts Interactive local account enumeration (d4608074-aafc-49cc-aa04-292c0a87332e) - changed metadata of a Low Analytics Alerts Multiple suspicious user accounts were created (b60687dc-f312-11eb-9f0a-faffc26aac4a) - changed metadata of a Low Analytics Alerts Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - changed metadata of a Low Analytics Alerts A user connected a new USB storage device to multiple hosts (09214199-d414-486e-bcf5-dc5034b2c424) - changed metadata of a Low Analytics Alerts New Shared User Account (0d29cc9c-cdc3-11eb-afcb-acde48001122) - changed metadata of a Low Analytics Alerts Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alerts NTLM Brute Force on an Administrator Account (aed1e32e-8df0-48d7-8e78-4ebcb6e09a94) - changed metadata of a Low Analytics Alerts Suspicious reconnaissance using LDAP (72a78521-6907-40c0-90da-5c1a733a8ed6) - changed metadata of a Low Analytics Alerts Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - changed metadata of a Low Analytics Alerts Removed an old Informational BIOC: Executable or script created in the startup folder (5ee4f82d-6d98-4f94-a832-a62957234d69) - removed an old Informational alert Added 2 new Informational Analytics BIOCs: A service was disabled (9d96de8e-036e-414d-baac-064aef4271bc) - added a new Informational alert A suspicious file was written to the startup folder (5c9df403-aecc-4b54-99c5-50a779bae6ae) - added a new Informational alert Improved logic of 54 Informational Analytics BIOCs: A user connected a USB storage device for the first time (e3bc7997-3aec-4a0c-abc9-bdf744a34f39) - improved logic of an Informational Analytics BIOCs SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOCs Suspicious process execution from tmp folder (79d2fa50-a76e-443e-8e8b-da0bb57fa125) - improved logic of an Informational Analytics BIOCs Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - improved logic of an Informational Analytics BIOCs Possible use of a networking driver for network sniffing (335fb03a-3c85-4029-8033-ec575b3479ae) - improved logic of an Informational Analytics BIOCs Sensitive account password reset attempt (d53de368-576a-11ec-9556-acde48001122) - improved logic of an Informational Analytics BIOCs A user changed the Windows system time (12131d90-51dd-45cc-9c9f-ad84985b6cc6) - improved logic of an Informational Analytics BIOCs Microsoft Office injects code into a process (da155b88-6973-a1b8-9ccd-5fad9a1e3455) - improved logic of an Informational Analytics BIOCs Remote command execution via wmic.exe (f42fdaa8-4685-11ea-94be-88e9fe502c1f) - improved logic of an Informational Analytics BIOCs VPN access with a new operating system for a user (0973136b-a66a-4ad1-ad9c-068971bfcbb8) - improved logic of an Informational Analytics BIOCs First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - improved logic of an Informational Analytics BIOCs Log4J exploitation attempt against cloud hosted resources (bdef5aae-a272-4c70-b1cd-165cac5039c3) - improved logic of an Informational Analytics BIOCs First VPN access attempt from a country in organization (e143bc60-67d0-45e8-b0cb-682ecf82a04d) - improved logic of an Informational Analytics BIOCs A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - improved logic of an Informational Analytics BIOCs VPN access with an abnormal operating system (1adc594f-4a49-4f75-adee-5b72c4dd4e70) - improved logic of an Informational Analytics BIOCs Signed process performed an unpopular injection (365bfca2-a3e1-4a44-9487-1353903a6c61) - improved logic of an Informational Analytics BIOCs Signed process performed an unpopular DLL injection (9e699960-30e7-4b6e-bb71-30cdbf635307) - improved logic of an Informational Analytics BIOCs A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - improved logic of an Informational Analytics BIOCs Remote usage of VM Service Account token (e65c3658-79d7-11ec-bba6-acde48001122) - improved logic of an Informational Analytics BIOCs Suspicious User Login to Domain Controller (90c356a6-460a-11eb-a2b0-faffc26aac4a) - improved logic of an Informational Analytics BIOCs Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - improved logic of an Informational Analytics BIOCs Rare AppID usage for this destination port to rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs Service execution via sc.exe (d25d07fa-015c-47a6-a6a0-15ff46020cc5) - improved logic of an Informational Analytics BIOCs Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - improved logic of an Informational Analytics BIOCs First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - improved logic of an Informational Analytics BIOCs Suspicious domain user account creation (49c01587-efa8-11eb-ab9a-acde48001122) - improved logic of an Informational Analytics BIOCs First VPN access from ASN for user (a8a4d03b-d016-4e67-a497-c0388e08adc7) - improved logic of an Informational Analytics BIOCs Login by a dormant user (0d700470-a3fa-4a78-b1fa-5c1e47db9a60) - improved logic of an Informational Analytics BIOCs LOLBAS executable injects into another process (76190f98-9582-9c60-cca0-3ee2e8f0bf15) - improved logic of an Informational Analytics BIOCs Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of an Informational Analytics BIOCs Cloud impersonation by unusual identity type (e3858b4a-79df-4a70-867f-a6bfec0b7762) - improved logic of an Informational Analytics BIOCs Rare process execution by user (4cf96b80-2278-11eb-9f9a-acde48001122) - improved logic of an Informational Analytics BIOCs A user created a pfx file for the first time (5ddac38b-51e2-48c4-9fb7-43144bc3a148) - improved logic of an Informational Analytics BIOCs Interactive login from a shared user account (caf8236b-b276-11eb-b927-acde48001122) - improved logic of an Informational Analytics BIOCs Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - improved logic of an Informational Analytics BIOCs Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOCs A user successfully authenticated via SSO for the first time (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOCs Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol (72931f2e-a43f-4e77-ad81-48c29164017f) - improved logic of an Informational Analytics BIOCs User account delegation change (b6c63bd1-8506-11ec-b228-acde48001122) - improved logic of an Informational Analytics BIOCs A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - improved logic of an Informational Analytics BIOCs A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) - improved logic of an Informational Analytics BIOCs A user account was modified to password never expires (a38d281e-4ad2-11ec-abe6-acde48001122) - improved logic of an Informational Analytics BIOCs Interactive login by a machine account (1114b340-fc05-4ad0-925d-6c2867d2b5d9) - improved logic of an Informational Analytics BIOCs Remote usage of an App engine Service Account token (b5b760e8-8747-11ec-b26b-acde48001122) - improved logic of an Informational Analytics BIOCs Rare NTLM Access By User To Host (05413bad-3d79-4e9a-9611-3471e3b25da5) - improved logic of an Informational Analytics BIOCs Abnormal process connection to default Meterpreter port (9de6cf91-007d-11ea-a77c-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs A user accessed an uncommon AppID (d9f7bb18-bf8b-4902-85cf-18a3e4ebad67) - improved logic of an Informational Analytics BIOCs Suspicious cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - improved logic of an Informational Analytics BIOCs A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - improved logic of an Informational Analytics BIOCs External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - improved logic of an Informational Analytics BIOCs Iptables configuration command was executed (bbb7b421-2de6-438d-a270-e28ed2a95b35) - improved logic of an Informational Analytics BIOCs Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs A LOLBIN was copied to a different location (55c8b498-1f5e-4abf-9dfc-ca8bf0bcb3b9) - improved logic of an Informational Analytics BIOCs Changed metadata of 48 Informational Analytics BIOCs: A user added a Windows firewall rule (4d52f94d-2344-439b-a7a8-5adb7d37be90) - changed metadata of an Informational Analytics BIOCs Uncommon RDP connection (239ae240-e954-11e9-9f0a-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs Uncommon net localgroup execution (4adaa6ba-e954-11e9-b566-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs Rare SMTP/S Session (4a634ad4-e954-11e9-b86b-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs Suspicious proxy environment variable setting (63e4b643-8da3-4552-b693-bc6515d6ea4f) - changed metadata of an Informational Analytics BIOCs Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs Ping to localhost from an uncommon, unsigned parent process (91d8831e-18ed-48b3-a316-f5091d647738) - changed metadata of an Informational Analytics BIOCs PowerShell pfx certificate extraction (1195bbe0-884c-4f4c-b1cf-4c8288cbeffc) - changed metadata of an Informational Analytics BIOCs SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - changed metadata of an Informational Analytics BIOCs Uncommon DotNet module load relationship (56f63574-0ba4-4ad3-bb5d-2f4219f80fbe) - changed metadata of an Informational Analytics BIOCs Modification of PAM (9aa924bd-64e8-4077-af6e-2dd5ef8e8b0d) - changed metadata of an Informational Analytics BIOCs Suspicious active setup registered (8c293cef-3d98-492d-be14-7bff66877bc7) - changed metadata of an Informational Analytics BIOCs Security tools detection attempt (502d0305-4670-49e3-b62b-2fab82bdda6e) - changed metadata of an Informational Analytics BIOCs A user cleared their browser's history (8c76ebbd-13ce-4bb0-9f28-d964ea488670) - changed metadata of an Informational Analytics BIOCs Possible Email collection using Outlook RPC (d79e5210-e386-4bb6-aff9-c33afb3ba9d6) - changed metadata of an Informational Analytics BIOCs Possible binary padding using dd (1a72139a-c453-4c91-839f-845561474775) - changed metadata of an Informational Analytics BIOCs System profiling WMI query execution (cf32631b-369a-451d-91ca-d2bc5b903363) - changed metadata of an Informational Analytics BIOCs User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - changed metadata of an Informational Analytics BIOCs A user connected a new USB storage device to a host (43c2c43d-3c3c-4a16-b06c-3ad5de1fb3be) - changed metadata of an Informational Analytics BIOCs SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - changed metadata of an Informational Analytics BIOCs Registration of Uncommon .NET Services and/or Assemblies (df0fcd8c-637b-11ea-b635-88e9fe502c1f) - changed metadata of an Informational Analytics BIOCs Suspicious External RDP Login (1d94db42-4371-4b62-8218-c5b338fe6e02) - changed metadata of an Informational Analytics BIOCs Rare process execution in organization (8d02294c-21bd-11eb-afd9-acde48001122) - changed metadata of an Informational Analytics BIOCs Uncommon Managed Object Format (MOF) compiler usage (d8069d23-e953-11e9-bb13-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs WebDAV drive mounted from net.exe over HTTPS (233491ca-e954-11e9-90bd-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs Rare signature signed executable executed in the network (c3ce1512-5a5b-4dca-8bd7-0d06845311ee) - changed metadata of an Informational Analytics BIOCs A suspicious process queried AD CS objects via LDAP (69bfcbc2-04a1-400b-9516-14c987fedb05) - changed metadata of an Informational Analytics BIOCs Rare NTLM Usage by User (41374948-45f3-448a-bec2-2efe049aa69f) - changed metadata of an Informational Analytics BIOCs A browser was opened in private mode (9c499a04-883b-4cfe-9c1f-eb1be965a0cc) - changed metadata of an Informational Analytics BIOCs Possible data obfuscation (aec61660-d52d-489a-813e-7cf2610f829e) - changed metadata of an Informational Analytics BIOCs Unusual weak authentication by user (438a1ba6-98e1-4b02-9c94-76c437fd682d) - changed metadata of an Informational Analytics BIOCs Rare Unix process divide files by size (64384c5f-40dd-4d5f-aa31-06907b60176d) - changed metadata of an Informational Analytics BIOCs Rare machine account creation (45d670c2-61d9-11ec-9f91-acde48001122) - changed metadata of an Informational Analytics BIOCs New process created via a WMI call (6d726469-71ac-4741-9b41-abd75259ff74) - changed metadata of an Informational Analytics BIOCs Commonly abused AutoIT script drops an executable file to disk (267a6168-f45b-4274-9c78-7519395f47d4) - changed metadata of an Informational Analytics BIOCs Rare process spawned by srvany.exe (95b2dea2-4531-4eb4-892e-bb6422293ac9) - changed metadata of an Informational Analytics BIOCs Administrator groups enumerated via LDAP (ab78c189-98f0-4646-b67b-0ce05576ddbf) - changed metadata of an Informational Analytics BIOCs Indicator blocking (fad21a46-1b2c-4308-9b3b-46153e86cf07) - changed metadata of an Informational Analytics BIOCs Command execution via wmiexec (797eba35-3ac8-4e84-8dc4-dbe804b9dee3) - changed metadata of an Informational Analytics BIOCs Hidden Attribute was added to a file using attrib.exe (5414fab8-c803-40c5-914a-a601b23acb5a) - changed metadata of an Informational Analytics BIOCs Copy a process memory file (12785e19-c4ec-499d-a0f6-c6ccad857d35) - changed metadata of an Informational Analytics BIOCs LDAP Traffic from Non-Standard Process (5e72a7b4-39ed-4669-98ca-b2495088f653) - changed metadata of an Informational Analytics BIOCs VM Detection attempt (579c1479-a14e-4366-ab09-6bfefe0dc7f7) - changed metadata of an Informational Analytics BIOCs Local account discovery (99206b5b-f52d-4850-95ab-0135cf3db645) - changed metadata of an Informational Analytics BIOCs VPN login by a dormant user (9f9d7576-b3c0-4c11-983e-71e250b03a6d) - changed metadata of an Informational Analytics BIOCs First VPN access from ASN in organization (4f94ffc0-6f8c-411b-a0ca-e0fb65ee8a5b) - changed metadata of an Informational Analytics BIOCs Commonly abused process launched as a system service (3cbd172e-6e2f-11ea-8d8e-88e9fe502c1f) - changed metadata of an Informational Analytics BIOCs Suspicious curl user agent (14166076-1ee3-4d9b-954d-eaad065ca0c0) - changed metadata of an Informational Analytics BIOCs Decreased the severity to Informational for an Analytics Alert: SSH authentication brute force attempts (be5524ca-60ab-49eb-9045-9aa65d1d89fd) - decreased the severity to Informational, and improved detection logic Improved logic of 12 Informational Analytics Alerts: Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of an Informational Analytics Alerts A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - improved logic of an Informational Analytics Alerts Multiple user accounts were deleted (a334c4fa-569a-11ec-ad30-acde48001122) - improved logic of an Informational Analytics Alerts Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - improved logic of an Informational Analytics Alerts A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - improved logic of an Informational Analytics Alerts Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - improved logic of an Informational Analytics Alerts Possible LDAP enumeration by unsigned process (85c187ec-80d1-464e-ab1e-a9aa5af7f191) - improved logic of an Informational Analytics Alerts Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - improved logic of an Informational Analytics Alerts NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - improved logic of an Informational Analytics Alerts Possible brute force on sudo user (a5a4f979-da78-4195-a288-7cc55ae00a43) - improved logic of an Informational Analytics Alerts Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - improved logic of an Informational Analytics Alerts Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - improved logic of an Informational Analytics Alerts Changed metadata of 6 Informational Analytics Alerts: A user accessed multiple time-wasting websites (b529b510-ebe8-44ce-a56c-1a276b17217c) - changed metadata of an Informational Analytics Alerts Uncommon multiple service stop commands (09db6c8f-189e-4e07-b94a-3fe5a188e4b0) - changed metadata of an Informational Analytics Alerts Increase in Job-Related Site Visits (3ccaa62d-7762-11eb-93b0-acde48001122) - changed metadata of an Informational Analytics Alerts A user printed an unusual number of files (cbe07552-7163-418f-ad4f-03ae261bdc2d) - changed metadata of an Informational Analytics Alerts Multiple Rare Process Executions in Organization (3d78f74c-a8f0-11eb-923e-acde48001122) - changed metadata of an Informational Analytics Alerts Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - changed metadata of an Informational Analytics Alerts   May 22 2022 Release: Removed an old Medium BIOC: Clear Windows event logs using PowerShell.exe (d9321f3f-d32e-4aa9-8f88-22b03c36139d) - removed an old Medium alert Improved logic of 6 Medium Analytics BIOCs: Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOCs Non-browser failed access to a pastebin-like site (be47eb8c-3407-46d6-ad35-2961f3f669b0) - improved logic of a Medium Analytics BIOCs Machine account was added to a domain admins group (3c3c9d51-56c1-11ec-8706-acde48001122) - improved logic of a Medium Analytics BIOCs Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - improved logic of a Medium Analytics BIOCs Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - improved logic of a Medium Analytics BIOCs Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Added 15 new Low Analytics BIOCs: Change of sudo caching configuration (8aebc46d-4ec7-4705-b499-324f5821a85e) - added a new Low alert Windows event logs were cleared with PowerShell (9730c9bb-7107-42e5-8d2c-746b89086856) - added a new Low alert Linux system firewall was disabled (d50eedfa-7888-47aa-b390-929ccab92d80) - added a new Low alert A suspicious service was started (4f9dff40-917e-4bde-be77-b42a4e05cac7) - added a new Low alert Keylogging using system commands (5456f17e-c97f-4484-893a-035d728efc81) - added a new Low alert Suspicious sshpass command execution (4b8f54e1-60ef-4e8f-b8a3-d53564b02cd9) - added a new Low alert Unusual AWS user added to group (dcfca104-1393-4efb-8081-a582925be678) - added a new Low alert Suspicious systemd timer activity (6aa321b8-0f2e-4182-b36b-aa3ba7944f25) - added a new Low alert Installation of a new System-V service (b99df31c-bebf-47e6-8f72-1c733751823d) - added a new Low alert An uncommon kubectl secret enumeration command was executed (d1d4f8ff-68d2-4c04-91ff-2a518ff60319) - added a new Low alert Suspicious container orchestration job (f358cda9-491e-4be6-af2a-6a5361ae23f9) - added a new Low alert Linux system firewall was modified (fac86d1c-01ac-4620-bcee-8330df48ad25) - added a new Low alert Suspicious process changed ssh_authorized_keys file (98bc28e2-92a2-49c6-8c4e-86188a351b75) - added a new Low alert Unusual compressed file password protection (72b20348-2bee-4c54-bb17-65c0b611747f) - added a new Low alert Kubectl administration command execution (8d013538-6e98-48ed-a018-fcf19866f367) - added a new Low alert Improved logic of 3 Low Analytics BIOCs: Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - improved logic of a Low Analytics BIOCs Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - improved logic of a Low Analytics BIOCs Suspicious process executed with a high integrity level (81e70ab2-b1f1-4a1c-bf94-3929f6d7e1b2) - improved logic of a Low Analytics BIOCs Improved logic of 2 Low Analytics Alerts: Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alerts Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of a Low Analytics Alerts Changed metadata of an Informational BIOC: Suspicious SDB file written to disk by unsigned process (95f23ec2-ebc5-493a-8884-1062e97a4787) - changed metadata of an Informational BIOC Decreased the severity to Informational for an Analytics BIOC: Remote command execution via wmic.exe (f42fdaa8-4685-11ea-94be-88e9fe502c1f) - decreased the severity to Informational, and improved detection logic Added 7 new Informational Analytics BIOCs: SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - added a new Informational alert Suspicious process execution from tmp folder (79d2fa50-a76e-443e-8e8b-da0bb57fa125) - added a new Informational alert Rare Unix process divide files by size (64384c5f-40dd-4d5f-aa31-06907b60176d) - added a new Informational alert Possible data obfuscation (aec61660-d52d-489a-813e-7cf2610f829e) - added a new Informational alert Suspicious proxy environment variable setting (63e4b643-8da3-4552-b693-bc6515d6ea4f) - added a new Informational alert Suspicious cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - added a new Informational alert Possible binary padding using dd (1a72139a-c453-4c91-839f-845561474775) - added a new Informational alert Improved logic of 10 Informational Analytics BIOCs: External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - improved logic of an Informational Analytics BIOCs A browser was opened in private mode (9c499a04-883b-4cfe-9c1f-eb1be965a0cc) - improved logic of an Informational Analytics BIOCs A user added a Windows firewall rule (4d52f94d-2344-439b-a7a8-5adb7d37be90) - improved logic of an Informational Analytics BIOCs A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - improved logic of an Informational Analytics BIOCs A user cleared their browser's history (8c76ebbd-13ce-4bb0-9f28-d964ea488670) - improved logic of an Informational Analytics BIOCs Login by a dormant user (0d700470-a3fa-4a78-b1fa-5c1e47db9a60) - improved logic of an Informational Analytics BIOCs A user created a pfx file for the first time (5ddac38b-51e2-48c4-9fb7-43144bc3a148) - improved logic of an Informational Analytics BIOCs Rare AppID usage for this destination port to rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs Possible Email collection using Outlook RPC (d79e5210-e386-4bb6-aff9-c33afb3ba9d6) - improved logic of an Informational Analytics BIOCs Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of an Informational Analytics BIOCs Added a new Informational Analytics Alert: A user accessed multiple time-wasting websites (b529b510-ebe8-44ce-a56c-1a276b17217c) - added a new Informational alert Improved logic of an Informational Analytics Alert: Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - improved logic of an Informational Analytics Alert   May 15 2022 Release: Removed an old Medium Analytics Alert: Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) - removed an old Medium alert Added 3 new Low Analytics BIOCs: Globally uncommon root domain from a signed process (10febb79-f10d-4765-8c40-92c8c276457f) - added a new Low alert Conhost.exe spawned a suspicious child process (a3e8022a-979a-5a80-8c5f-a90c80dfe19d) - added a new Low alert Globally uncommon root-domain port combination from a signed process (557d3fac-1cfd-47dd-8db9-631ae264feac) - added a new Low alert Improved logic of 2 Low Analytics BIOCs: Rare security product signed executable executed in the network (f9e9ff14-df6e-4ed4-a15d-326bd444199b) - improved logic of a Low Analytics BIOCs Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - improved logic of a Low Analytics BIOCs Changed metadata of a Low Analytics BIOC: Execution of dllhost.exe with an empty command line (cc3bf426-10ed-4955-a0ab-302f81e22873) - changed metadata of a Low Analytics BIOC Added a new Low Analytics Alert: Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - added a new Low alert Improved logic of a Low Analytics Alert: Multiple suspicious user accounts were created (b60687dc-f312-11eb-9f0a-faffc26aac4a) - improved logic of a Low Analytics Alert Removed an old Low Analytics Alert: Possible external RDP Brute-Force (f774f787-6763-4f3c-bc24-46d3183d26fe) - removed an old Low alert Decreased the severity to Informational for 2 Analytics BIOCs: Windows Event Log was cleared using wevtutil.exe (be2210fb-9884-49e7-8078-6e59c35d925e) - decreased the severity to Informational, and improved detection logic Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - decreased the severity to Informational Improved logic of 6 Informational Analytics BIOCs: VPN access with an abnormal operating system (1adc594f-4a49-4f75-adee-5b72c4dd4e70) - improved logic of an Informational Analytics BIOCs A suspicious process queried AD CS objects via LDAP (69bfcbc2-04a1-400b-9516-14c987fedb05) - improved logic of an Informational Analytics BIOCs SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - improved logic of an Informational Analytics BIOCs SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of an Informational Analytics BIOCs A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs VPN access with a new operating system for a user (0973136b-a66a-4ad1-ad9c-068971bfcbb8) - improved logic of an Informational Analytics BIOCs Added 3 new Informational Analytics Alerts: A user printed an unusual number of files (cbe07552-7163-418f-ad4f-03ae261bdc2d) - added a new Informational alert Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - added a new Informational alert Possible brute force on sudo user (a5a4f979-da78-4195-a288-7cc55ae00a43) - added a new Informational alert Improved logic of 3 Informational Analytics Alerts: Multiple user accounts were deleted (a334c4fa-569a-11ec-ad30-acde48001122) - improved logic of an Informational Analytics Alerts Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - improved logic of an Informational Analytics Alerts NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - improved logic of an Informational Analytics Alerts   May 08 2022 Release: Changed metadata of 2 High Analytics BIOCs: Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - changed metadata of a High Analytics BIOCs Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - changed metadata of a High Analytics BIOCs Changed metadata of a High Analytics Alert: Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - changed metadata of a High Analytics Alert Improved logic of a Medium Analytics BIOC: Uncommon msiexec execution of an arbitrary file from the web (8b919310-62f6-4035-b60b-ef61372947d9) - improved logic of a Medium Analytics BIOC Changed metadata of 4 Medium Analytics BIOCs: External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - changed metadata of a Medium Analytics BIOCs Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - changed metadata of a Medium Analytics BIOCs Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - changed metadata of a Medium Analytics BIOCs Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - changed metadata of a Medium Analytics BIOCs Changed metadata of 3 Medium Analytics Alerts: Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - changed metadata of a Medium Analytics Alerts Suspicious allocation of compute resources in multiple regions - possible mining activity (30f4d71c-a3f7-43b0-82ca-f2951995e420) - changed metadata of a Medium Analytics Alerts Suspicious large allocation of compute resources - possible mining activity (896e2a9a-9c4f-4aea-9314-1e3e15050b44) - changed metadata of a Medium Analytics Alerts Decreased the severity to Low for 2 Analytics BIOCs: Unsigned process injecting into a Windows system binary with no command line (1d8789e7-6629-4549-7064-d384adc339bc) - decreased the severity to Low, and improved detection logic Execution of dllhost.exe with an empty command line (cc3bf426-10ed-4955-a0ab-302f81e22873) - decreased the severity to Low, and improved detection logic Improved logic of a Low Analytics BIOC: Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - improved logic of a Low Analytics BIOC Changed metadata of 14 Low Analytics BIOCs: Domain federation settings have been modified (050d189d-714a-46a0-b25d-2b295afd55b6) - changed metadata of a Low Analytics BIOCs AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - changed metadata of a Low Analytics BIOCs Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - changed metadata of a Low Analytics BIOCs Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - changed metadata of a Low Analytics BIOCs An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - changed metadata of a Low Analytics BIOCs AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - changed metadata of a Low Analytics BIOCs Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - changed metadata of a Low Analytics BIOCs Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - changed metadata of a Low Analytics BIOCs Certutil pfx parsing (3719af79-bdde-4c84-9277-cbf41c86cd39) - changed metadata of a Low Analytics BIOCs GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - changed metadata of a Low Analytics BIOCs AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - changed metadata of a Low Analytics BIOCs AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - changed metadata of a Low Analytics BIOCs Unverified domain added to Azure AD (e4672ba4-6ba8-426c-82c1-9858f97a4221) - changed metadata of a Low Analytics BIOCs Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - changed metadata of a Low Analytics BIOCs Changed metadata of 2 Low Analytics Alerts: IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - changed metadata of a Low Analytics Alerts Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - changed metadata of a Low Analytics Alerts Improved logic of 2 Informational Analytics BIOCs: Abnormal process connection to default Meterpreter port (9de6cf91-007d-11ea-a77c-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - improved logic of an Informational Analytics BIOCs Changed metadata of 73 Informational Analytics BIOCs: Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - changed metadata of an Informational Analytics BIOCs IAM User added to an IAM group (440b6ea7-2f9e-4ad1-8443-2586eb796298) - changed metadata of an Informational Analytics BIOCs Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - changed metadata of an Informational Analytics BIOCs An IAM group was created (af19f0d0-1e67-4327-9528-a1dc496a548f) - changed metadata of an Informational Analytics BIOCs Cloud impersonation by unusual identity type (e3858b4a-79df-4a70-867f-a6bfec0b7762) - changed metadata of an Informational Analytics BIOCs Root user logged in to AWS console (447ef512-2b73-4c8e-b0f4-c85415e7659f) - changed metadata of an Informational Analytics BIOCs Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - changed metadata of an Informational Analytics BIOCs GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - changed metadata of an Informational Analytics BIOCs GCP Service Account creation (f29b6fd5-3da3-4e40-867d-ef8c82d95116) - changed metadata of an Informational Analytics BIOCs A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - changed metadata of an Informational Analytics BIOCs Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - changed metadata of an Informational Analytics BIOCs Azure Automation Webhook creation (c5393a54-b199-4474-a603-75b276903766) - changed metadata of an Informational Analytics BIOCs GCP Pub/Sub Subscription Deletion (12e3bc4a-69f6-4923-932e-0272621aa21a) - changed metadata of an Informational Analytics BIOCs GCP Service Account deletion (bf134ec2-a907-4f4f-a316-0b68625ff236) - changed metadata of an Informational Analytics BIOCs EC2 snapshot attribute has been modification (1c516548-f413-4117-b759-d98d5bec3ed5) - changed metadata of an Informational Analytics BIOCs AWS user creation (242c9abb-1def-4778-ba5e-88817b4dc89f) - changed metadata of an Informational Analytics BIOCs GCP IAM Role Deletion (e0fe91e0-6179-4a3d-9d71-95144f4ebb25) - changed metadata of an Informational Analytics BIOCs Azure Automation Account Creation (878335a8-daf9-4380-a856-9df94a8f9e8d) - changed metadata of an Informational Analytics BIOCs AWS Role Trusted Entity modification (cada381e-8af6-45fa-8c3f-a4e93c4e1885) - changed metadata of an Informational Analytics BIOCs GCP Storage Bucket Configuration Modification (d1ad46ca-4412-445a-a0be-17d9b29880d3) - changed metadata of an Informational Analytics BIOCs Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - changed metadata of an Informational Analytics BIOCs Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - changed metadata of an Informational Analytics BIOCs A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - changed metadata of an Informational Analytics BIOCs AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - changed metadata of an Informational Analytics BIOCs AWS network ACL rule creation (a04d827e-9c62-4e2e-be28-1308c695446e) - changed metadata of an Informational Analytics BIOCs MFA device was removed/deactivated from an IAM user (52d74622-2fa5-4eae-b7d0-8eb52e0caaf3) - changed metadata of an Informational Analytics BIOCs AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - changed metadata of an Informational Analytics BIOCs GCP Virtual Private Network Route Creation (00e3b67d-2ef2-4341-b017-a6183b7dd8c8) - changed metadata of an Informational Analytics BIOCs Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - changed metadata of an Informational Analytics BIOCs Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - changed metadata of an Informational Analytics BIOCs AWS config resource deletion (7c992418-9687-44ea-8b12-1c680bf1c901) - changed metadata of an Informational Analytics BIOCs Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - changed metadata of an Informational Analytics BIOCs GCP Virtual Private Cloud (VPC) Network Deletion (d9158b41-8de9-4f6d-98b0-3155d4deb092) - changed metadata of an Informational Analytics BIOCs GCP Storage Bucket Permissions Modification (5ed09b6c-a603-4c5d-8c63-74245e42faed) - changed metadata of an Informational Analytics BIOCs GCP IAM Service Account Key Deletion (7a30c221-6450-4c5a-bafc-f6633a5b7f7f) - changed metadata of an Informational Analytics BIOCs AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - changed metadata of an Informational Analytics BIOCs S3 configuration deletion (68ebffe9-ce22-4453-bf44-5cd1affd67a0) - changed metadata of an Informational Analytics BIOCs GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - changed metadata of an Informational Analytics BIOCs GCP VPC Firewall Rule Deletion (4c47ea31-a67a-4b2f-b88a-154d8aac420b) - changed metadata of an Informational Analytics BIOCs First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - changed metadata of an Informational Analytics BIOCs Azure Event Hub Authorization rule creation/modification (ba1fb18f-9031-4b7c-9ec3-d029f5e5ee0e) - changed metadata of an Informational Analytics BIOCs Azure virtual machine commands execution (6a069681-c378-4b9c-a2e2-0414a64cc36e) - changed metadata of an Informational Analytics BIOCs Remote usage of an App engine Service Account token (b5b760e8-8747-11ec-b26b-acde48001122) - changed metadata of an Informational Analytics BIOCs Azure Blob Container Access Level Modification (28efc491-b0a3-4edc-96ab-15156dec80e4) - changed metadata of an Informational Analytics BIOCs GCP IAM Custom Role Creation (830eb74a-a6a5-4e5c-9890-0f5857408000) - changed metadata of an Informational Analytics BIOCs Remote usage of VM Service Account token (e65c3658-79d7-11ec-bba6-acde48001122) - changed metadata of an Informational Analytics BIOCs External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - changed metadata of an Informational Analytics BIOCs AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - changed metadata of an Informational Analytics BIOCs An Identity accessed a secret from Secret Manager (050cd586-bc43-4586-850d-162c0123ad6e) - changed metadata of an Informational Analytics BIOCs A browser was opened in private mode (9c499a04-883b-4cfe-9c1f-eb1be965a0cc) - changed metadata of an Informational Analytics BIOCs A user cleared their browser's history (8c76ebbd-13ce-4bb0-9f28-d964ea488670) - changed metadata of an Informational Analytics BIOCs AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - changed metadata of an Informational Analytics BIOCs AWS RDS cluster deletion (818dcc3f-c6e9-4ad5-a7ac-633cb75ebe71) - changed metadata of an Informational Analytics BIOCs Aurora DB cluster stopped (37242e95-a845-4043-87d6-ad07edfd7c99) - changed metadata of an Informational Analytics BIOCs GCP Service Account Disable (ee82516d-e047-4172-a427-17e30e037706) - changed metadata of an Informational Analytics BIOCs Azure Automation Runbook Creation/Modification (abeed5ee-9620-4c31-b751-f090b3a82c37) - changed metadata of an Informational Analytics BIOCs AWS EC2 instance exported into S3 (c6ad16c5-f2be-46de-9d3b-c44613f46d27) - changed metadata of an Informational Analytics BIOCs Azure Key Vault modification (c253e0bb-f704-45c8-9abe-ad0ec9345b54) - changed metadata of an Informational Analytics BIOCs Azure Automation Runbook Deletion (ba481ed7-9957-489f-a29d-b78f92cc0644) - changed metadata of an Informational Analytics BIOCs AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - changed metadata of an Informational Analytics BIOCs Log4J exploitation attempt against cloud hosted resources (bdef5aae-a272-4c70-b1cd-165cac5039c3) - changed metadata of an Informational Analytics BIOCs Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - changed metadata of an Informational Analytics BIOCs GCP Pub/Sub Topic Deletion (2acac71c-6a19-4b2f-a4d3-b95fa4cab768) - changed metadata of an Informational Analytics BIOCs GCP Virtual Private Network Route Deletion (db6e96a7-a47a-4ba3-b92c-623713ba3d67) - changed metadata of an Informational Analytics BIOCs Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - changed metadata of an Informational Analytics BIOCs Azure Storage Account key generated (72443a25-c783-494e-adaa-98cd96a54997) - changed metadata of an Informational Analytics BIOCs Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - changed metadata of an Informational Analytics BIOCs GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - changed metadata of an Informational Analytics BIOCs GCP Storage Bucket deletion (d681c6c5-41e7-4042-bd07-7f666889d59c) - changed metadata of an Informational Analytics BIOCs An AWS RDS Global Cluster Deletion (1b957d24-d4c3-11eb-9122-acde48001122) - changed metadata of an Informational Analytics BIOCs GCP Firewall Rule Modification (780f6209-1829-45e2-9ab9-a22999d6ef6e) - changed metadata of an Informational Analytics BIOCs GCP Firewall Rule creation (a84dbd23-67d0-4851-a73a-7dc7430600cf) - changed metadata of an Informational Analytics BIOCs Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - changed metadata of an Informational Analytics BIOCs Added a new Informational Analytics Alert: Increase in Job-Related Site Visits (3ccaa62d-7762-11eb-93b0-acde48001122) - added a new Informational alert Improved logic of an Informational Analytics Alert: Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - improved logic of an Informational Analytics Alert Changed metadata of 2 Informational Analytics Alerts: Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - changed metadata of an Informational Analytics Alerts Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - changed metadata of an Informational Analytics Alerts   May 01 2022 Release: Improved logic of 2 Medium Analytics BIOCs: Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - improved logic of a Medium Analytics BIOCs MSI accessed a web page running a server-side script (afb57884-36f1-4127-b1ac-43009c32899b) - improved logic of a Medium Analytics BIOCs Added a new Medium Analytics Alert: An internal Cloud resource performed port scan on external networks (7e7af0ac-0eac-44e2-8d0f-ea94831bb0df) - added a new Medium alert Increased the severity to Low for an Analytics BIOC: Certutil pfx parsing (3719af79-bdde-4c84-9277-cbf41c86cd39) - increased the severity to Low Decreased the severity to Low for an Analytics BIOC: Suspicious failed HTTP request - potential Spring4Shell exploit (1028c23d-f8f0-4adb-9e12-bffce9104359) - decreased the severity to Low, and improved detection logic Improved logic of a Low Analytics BIOC: Interactive login by a service account (603bfd03-d88b-4a3e-844b-5286b6971960) - improved logic of a Low Analytics BIOC Removed an old Low Analytics BIOC: A rare disabled user attempted to log in (598e04de-0c13-46de-ad73-27ec4605da3f) - removed an old Low alert Added a new Low Analytics Alert: Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - added a new Low alert Improved logic of 2 Low Analytics Alerts: Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of a Low Analytics Alerts Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alerts Decreased the severity to Informational for an Analytics BIOC: Log4J exploitation attempt against cloud hosted resources (bdef5aae-a272-4c70-b1cd-165cac5039c3) - decreased the severity to Informational, and improved detection logic Improved logic of 5 Informational Analytics BIOCs: Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - improved logic of an Informational Analytics BIOCs A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOCs A user successfully authenticated via SSO for the first time (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOCs Added a new Informational Analytics Alert: A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - added a new Informational alert Improved logic of an Informational Analytics Alert: Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alert   April 24 2022 Release: Added a new Informational Analytics BIOC: Cloud impersonation by unusual identity type (e3858b4a-79df-4a70-867f-a6bfec0b7762) - added a new Informational alert Improved logic of 2 Informational Analytics BIOCs: A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - improved logic of an Informational Analytics BIOCs Improved logic of 2 Informational Analytics Alerts: A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - improved logic of an Informational Analytics Alerts NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - improved logic of an Informational Analytics Alerts   April 19 2022 Release: Improved logic of 6 High Analytics BIOCs: Uncommon remote scheduled task creation (85516bae-e953-11e9-bbed-8c8590c9ccd1) - improved logic of a High Analytics BIOCs Memory dumping with comsvcs.dll (4c720885-7c14-4e18-94aa-c8e5a03edac8) - improved logic of a High Analytics BIOCs Suspicious usage of File Server Remote VSS Protocol (FSRVP) (9f82d067-25e8-49da-bae3-62e7f9074943) - improved logic of a High Analytics BIOCs Unprivileged process opened a registry hive (9937ddbf-beb9-49b0-ac34-e005d53a127b) - improved logic of a High Analytics BIOCs Editing ld.so.preload for persistence and injection (135b986b-033a-2cc5-8800-4da034c291fc) - improved logic of a High Analytics BIOCs Windows Event Log cleared using wevtutil.exe (be2210fb-9884-49e7-8078-6e59c35d925e) - improved logic of a High Analytics BIOCs Changed metadata of a High Analytics BIOC: Suspicious HTTP Request to a vulnerable Java class (1028c23d-f8f0-4adb-9e12-bffce9104359) - changed metadata of a High Analytics BIOC Added 2 new Medium Analytics BIOCs: A contained executable from a mounted share initiated a suspicious outbound network connection (423a9cc9-735f-48cd-8fb5-6e4aeecd5d6d) - added a new Medium alert Execution of dllhost.exe with an empty command line (cc3bf426-10ed-4955-a0ab-302f81e22873) - added a new Medium alert Improved logic of 39 Medium Analytics BIOCs: Unsigned process injecting into a Windows system binary with no command line (1d8789e7-6629-4549-7064-d384adc339bc) - improved logic of a Medium Analytics BIOCs Fodhelper.exe UAC bypass (780d896e-19db-4c9d-ee3b-e496f745ee64) - improved logic of a Medium Analytics BIOCs LSASS dump file written to disk (dd78e167-1c96-de84-d476-d48cba3370cd) - improved logic of a Medium Analytics BIOCs Possible RDP session hijacking using tscon.exe (015570a8-ffce-492b-99a9-e7b83dc8e216) - improved logic of a Medium Analytics BIOCs Rundll32.exe spawns conhost.exe (c91811ac-2fa7-af90-1d55-bc786fee62a6) - improved logic of a Medium Analytics BIOCs PowerShell suspicious flags (4ce1b559-45b8-11ea-81bb-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Executable created to disk by lsass.exe (b2f18102-e247-4986-8681-029741ebbfd5) - improved logic of a Medium Analytics BIOCs Office process creates an unusual .LNK file (15b39f42-b51e-7dec-576f-d1cef54a5baf) - improved logic of a Medium Analytics BIOCs Possible Microsoft process masquerading (e0a99ea0-977d-4646-b9d9-26e9e7a4341c) - improved logic of a Medium Analytics BIOCs Tampering with Internet Explorer Protected Mode configuration (670fd2a0-8523-85f1-49c9-28a1f2ccb69a) - improved logic of a Medium Analytics BIOCs Interactive at.exe privilege escalation method (86c25db2-acaa-6673-a7d4-20aef374f0d1) - improved logic of a Medium Analytics BIOCs Microsoft Office Process Spawning a Suspicious One-Liner (aca7aaa1-4361-11ea-8fed-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Indirect command execution using the Program Compatibility Assistant (324416dd-01a2-1fa3-f3f7-5757895e9926) - improved logic of a Medium Analytics BIOCs Uncommon net group execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs Procdump executed from an atypical directory (7b947703-063a-7f35-0980-b57cfb0eada1) - improved logic of a Medium Analytics BIOCs Autorun.inf created in root C drive (cee2bedd-66d1-84d6-fd43-652725459a71) - improved logic of a Medium Analytics BIOCs Possible new DHCP server (e5afa116-5041-4ed9-9d0c-18eaac133173) - improved logic of a Medium Analytics BIOCs Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - improved logic of a Medium Analytics BIOCs Rundll32.exe running with no command-line arguments (1fec6f01-b5de-935b-58e0-c124f2de6101) - improved logic of a Medium Analytics BIOCs Executable moved to Windows system folder (bab3ed69-9e51-2000-c383-34103b1fb8fd) - improved logic of a Medium Analytics BIOCs Possible Persistence via group policy Registry keys (3b3741b6-1993-0e75-6c33-51152991fa0a) - improved logic of a Medium Analytics BIOCs Office process spawned with suspicious command-line arguments (b6d85e95-f65e-dbcc-9c9b-eb2f47593f8e) - improved logic of a Medium Analytics BIOCs Suspicious certutil command line (eb9c9e41-072d-9975-fba3-d17a1cb39b49) - improved logic of a Medium Analytics BIOCs Suspicious PowerSploit's recon module (PowerView) net function was executed (bd95656f-6ba3-4c9d-ac06-8b0a957cf67f) - improved logic of a Medium Analytics BIOCs Phantom DLL Loading (69ba5103-2954-4175-87b7-3a622ec07255) - improved logic of a Medium Analytics BIOCs Possible Microsoft module side-loading into Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - improved logic of a Medium Analytics BIOCs Suspicious disablement of the Windows Firewall (7c28b163-4d2f-463c-97ba-5b3e7f13249b) - improved logic of a Medium Analytics BIOCs Possible code downloading from a remote host by Regsvr32 (1f358bb5-aede-3ff6-40e4-50edd570d9e3) - improved logic of a Medium Analytics BIOCs Remote WMI process execution (65c55916-23c3-4d1e-9e3d-e839c9c4b70f) - improved logic of a Medium Analytics BIOCs Office process creates a scheduled task via file access (f55359ad-1258-7ffe-1d97-ae01077dd8e1) - improved logic of a Medium Analytics BIOCs Possible malicious .NET compilation started by a commonly abused process (63627c16-7c3e-9538-f662-8f25568995f5) - improved logic of a Medium Analytics BIOCs Encoded information using Windows certificate management tool (33d390e1-2091-4a70-0dde-99fe29540b38) - improved logic of a Medium Analytics BIOCs Possible network connection to a TOR relay server (a3e0fd91-11e5-34b8-92b3-a2bed507878a) - improved logic of a Medium Analytics BIOCs Suspicious .NET process loads an MSBuild DLL (bb0e8ceb-94e4-888c-92a1-bc9c1b8c481c) - improved logic of a Medium Analytics BIOCs Uncommon SetWindowsHookEx API invocation of a possible keylogger (09cf18c8-e607-44f4-bb06-1dfde6163839) - improved logic of a Medium Analytics BIOCs Suspicious PowerSploit's recon module (PowerView) used to search for exposed hosts (dd806bdc-9025-47ff-816a-72ee47c322a3) - improved logic of a Medium Analytics BIOCs PowerShell runs suspicious base64-encoded commands (867fc0b0-4f9f-4d3b-b538-0b32266e2ab2) - improved logic of a Medium Analytics BIOCs Modification of NTLM restrictions in the Registry (bba1f627-d154-4980-f752-b17096cd73a2) - improved logic of a Medium Analytics BIOCs Suspicious execution of ODBCConf (4bebfd54-6c21-b4bd-f30e-070f48ae8949) - improved logic of a Medium Analytics BIOCs Changed metadata of a Medium Analytics BIOC: Suspicious print processor registered (cf14910d-0c56-48c7-97f2-903f3387ad6b) - changed metadata of a Medium Analytics BIOC Removed an old Medium Analytics BIOC: Compiled HTML (help file) writes a script file to disk (19cb36a3-3d9b-9453-125c-f0b456d4cef4) - removed an old Medium alert Changed metadata of a Medium Analytics Alert: DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - changed metadata of a Medium Analytics Alert Added a new Low Analytics BIOC: A compiled HTML help file wrote a script file to the disk (6f2817a6-f6b4-4ff5-b03e-ed488e60cd8a) - added a new Low alert Improved logic of 24 Low Analytics BIOCs: Wsmprovhost.exe Rare Child Process (f5b580fd-e952-11e9-91de-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - improved logic of a Low Analytics BIOCs Microsoft Office adds a value to autostart Registry key (32e4eb1d-659c-317b-42a7-910db9f2f3b7) - improved logic of a Low Analytics BIOCs WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs Reading bash command history file (e5dcfbcd-7c34-69a7-be3b-3ff9893435d7) - improved logic of a Low Analytics BIOCs SUID/GUID permission discovery (3f90bf2c-05bb-4916-8e70-3fe7a81ea23d) - improved logic of a Low Analytics BIOCs Setuid and Setgid file bit manipulation (86c8f625-febe-42d3-8682-9ef405985379) - improved logic of a Low Analytics BIOCs Elevation to SYSTEM via services (a1962f05-c1da-4765-8e4a-59729c70dde0) - improved logic of a Low Analytics BIOCs Suspicious Certutil AD CS contact (06545c74-04c2-4964-9af5-eb99080c274e) - improved logic of a Low Analytics BIOCs Possible network sniffing attempt via tcpdump or tshark (10d3d8d1-1edd-4992-beb3-53d4f5afcde8) - improved logic of a Low Analytics BIOCs Microsoft Office process spawns a commonly abused process (e15a97e1-466c-11ea-90c6-88e9fe502c1f) - improved logic of a Low Analytics BIOCs Remote DCOM command execution (e5e3c27a-a0c5-49b7-8143-5012d1180d2c) - improved logic of a Low Analytics BIOCs Suspicious process executed with a high integrity level (81e70ab2-b1f1-4a1c-bf94-3929f6d7e1b2) - improved logic of a Low Analytics BIOCs A rare disabled user attempted to log in (598e04de-0c13-46de-ad73-27ec4605da3f) - improved logic of a Low Analytics BIOCs Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - improved logic of a Low Analytics BIOCs Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet (c640fd86-9c58-4fe2-82ed-c3975866393a) - improved logic of a Low Analytics BIOCs Masquerading as Linux crond process (5823c47a-35fc-49c6-a602-a0b81ec342bc) - improved logic of a Low Analytics BIOCs Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - improved logic of a Low Analytics BIOCs Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - improved logic of a Low Analytics BIOCs Unusual AWS credentials creation (e13d7877-3308-4f35-9fb8-6ee466b69080) - improved logic of a Low Analytics BIOCs Suspicious AMSI decode attempt (f3885db4-6be6-40b9-82c1-9858f97a4229) - improved logic of a Low Analytics BIOCs Remote service start from an uncommon source (972072a7-9f23-4354-824d-7295de90e804) - improved logic of a Low Analytics BIOCs Screensaver process executed from Users or temporary folder (463d34d4-d448-40f2-8093-6ce58cf2bdbb) - improved logic of a Low Analytics BIOCs Suspicious process modified RC script file (711175b0-03ac-469b-ae5a-2ffb727816b2) - improved logic of a Low Analytics BIOCs Changed metadata of a Low Analytics BIOC: Extracting credentials from Unix files (3eac1dcb-2aec-45e4-b44a-3f982d8979e1) - changed metadata of a Low Analytics BIOC Improved logic of 3 Low Analytics Alerts: Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alerts Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - improved logic of a Low Analytics Alerts Outlook files accessed by an unsigned process (ef33bda6-d0c5-48ef-95a6-e80c0f19df79) - improved logic of a Low Analytics Alerts Changed metadata of 2 Informational BIOCs: Tampering with Windows Security Support Provider DLLs (1396a3ad-1b0a-4ad7-861b-a6a50104952e) - changed metadata of an Informational BIOCs Cleartext password harvesting using find tools (7ac5c888-838d-489c-a6a9-2bab9cec7e9d) - changed metadata of an Informational BIOCs Improved logic of 24 Informational Analytics BIOCs: A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - improved logic of an Informational Analytics BIOCs A user created a pfx file for the first time (5ddac38b-51e2-48c4-9fb7-43144bc3a148) - improved logic of an Informational Analytics BIOCs Possible Email collection using Outlook RPC (d79e5210-e386-4bb6-aff9-c33afb3ba9d6) - improved logic of an Informational Analytics BIOCs A LOLBIN was copied to a different location (55c8b498-1f5e-4abf-9dfc-ca8bf0bcb3b9) - improved logic of an Informational Analytics BIOCs Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - improved logic of an Informational Analytics BIOCs Command execution via wmiexec (797eba35-3ac8-4e84-8dc4-dbe804b9dee3) - improved logic of an Informational Analytics BIOCs Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - improved logic of an Informational Analytics BIOCs Login by a dormant user (0d700470-a3fa-4a78-b1fa-5c1e47db9a60) - improved logic of an Informational Analytics BIOCs Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOCs Modification of PAM (9aa924bd-64e8-4077-af6e-2dd5ef8e8b0d) - improved logic of an Informational Analytics BIOCs Service execution via sc.exe (d25d07fa-015c-47a6-a6a0-15ff46020cc5) - improved logic of an Informational Analytics BIOCs Suspicious curl user agent (14166076-1ee3-4d9b-954d-eaad065ca0c0) - improved logic of an Informational Analytics BIOCs Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - improved logic of an Informational Analytics BIOCs A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - improved logic of an Informational Analytics BIOCs Microsoft Office injects code into a process (da155b88-6973-a1b8-9ccd-5fad9a1e3455) - improved logic of an Informational Analytics BIOCs Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - improved logic of an Informational Analytics BIOCs Suspicious active setup registered (8c293cef-3d98-492d-be14-7bff66877bc7) - improved logic of an Informational Analytics BIOCs Local account discovery (99206b5b-f52d-4850-95ab-0135cf3db645) - improved logic of an Informational Analytics BIOCs A user cleared their browser's history (8c76ebbd-13ce-4bb0-9f28-d964ea488670) - improved logic of an Informational Analytics BIOCs Copy a process memory file (12785e19-c4ec-499d-a0f6-c6ccad857d35) - improved logic of an Informational Analytics BIOCs LOLBAS executable injects into another process (76190f98-9582-9c60-cca0-3ee2e8f0bf15) - improved logic of an Informational Analytics BIOCs Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol (72931f2e-a43f-4e77-ad81-48c29164017f) - improved logic of an Informational Analytics BIOCs Indicator blocking (fad21a46-1b2c-4308-9b3b-46153e86cf07) - improved logic of an Informational Analytics BIOCs Added a new Informational Analytics Alert: Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - added a new Informational alert Improved logic of 3 Informational Analytics Alerts: Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - improved logic of an Informational Analytics Alerts Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alerts Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - improved logic of an Informational Analytics Alerts   April 11 2022 Release: Increased the severity to High for an Analytics BIOC: Process execution with a suspicious command line indicative of the Spring4Shell exploit (0fc034a9-36ce-432f-bddb-1cfda20be004) - increased the severity to High Added a new High Analytics BIOC: Suspicious HTTP Request to a vulnerable Java class (1028c23d-f8f0-4adb-9e12-bffce9104359) - added a new High alert Added a new Medium Analytics BIOC: Machine account was added to a domain admins group (3c3c9d51-56c1-11ec-8706-acde48001122) - added a new Medium alert Improved logic of a Medium Analytics BIOC: Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOC Changed metadata of a Low BIOC: Accessing bash history file (cb05480f-17d8-4138-9902-f0f9fb50b671) - changed metadata of a Low BIOC Improved logic of 2 Low Analytics BIOCs: A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - improved logic of a Low Analytics BIOCs Interactive login by a service account (603bfd03-d88b-4a3e-844b-5286b6971960) - improved logic of a Low Analytics BIOCs Changed metadata of 2 Low Analytics BIOCs: Rare communication over email ports to external email server by unsigned process (7b424216-fe61-4589-bcee-67e9e7b267be) - changed metadata of a Low Analytics BIOCs Setuid and Setgid file bit manipulation (86c8f625-febe-42d3-8682-9ef405985379) - changed metadata of a Low Analytics BIOCs Increased the severity to Low for 3 Analytics Alerts: Interactive local account enumeration (d4608074-aafc-49cc-aa04-292c0a87332e) - increased the severity to Low User collected remote shared files in an archive (de85c5aa-21e8-43d7-af13-3862f787549f) - increased the severity to Low, and improved detection logic Multiple suspicious user accounts were created (b60687dc-f312-11eb-9f0a-faffc26aac4a) - increased the severity to Low Improved logic of a Low Analytics Alert: Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of a Low Analytics Alert Changed metadata of a Low Analytics Alert: Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alert Added 4 new Informational Analytics BIOCs: Suspicious User Login to Domain Controller (90c356a6-460a-11eb-a2b0-faffc26aac4a) - added a new Informational alert A user account was modified to password never expires (a38d281e-4ad2-11ec-abe6-acde48001122) - added a new Informational alert Suspicious External RDP Login (1d94db42-4371-4b62-8218-c5b338fe6e02) - added a new Informational alert A user changed the Windows system time (12131d90-51dd-45cc-9c9f-ad84985b6cc6) - added a new Informational alert Improved logic of 3 Informational Analytics BIOCs: Interactive login by a machine account (1114b340-fc05-4ad0-925d-6c2867d2b5d9) - improved logic of an Informational Analytics BIOCs A user connected a new USB storage device to a host (43c2c43d-3c3c-4a16-b06c-3ad5de1fb3be) - improved logic of an Informational Analytics BIOCs A user connected a USB storage device for the first time (e3bc7997-3aec-4a0c-abc9-bdf744a34f39) - improved logic of an Informational Analytics BIOCs Changed metadata of 3 Informational Analytics BIOCs: A user added a Windows firewall rule (4d52f94d-2344-439b-a7a8-5adb7d37be90) - changed metadata of an Informational Analytics BIOCs A browser was opened in private mode (9c499a04-883b-4cfe-9c1f-eb1be965a0cc) - changed metadata of an Informational Analytics BIOCs Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - changed metadata of an Informational Analytics BIOCs Added a new Informational Analytics Alert: A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - added a new Informational alert Improved logic of 3 Informational Analytics Alerts: Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - improved logic of an Informational Analytics Alerts Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - improved logic of an Informational Analytics Alerts Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - improved logic of an Informational Analytics Alerts   April 05 2022 Release: Added a new High Analytics BIOC: Suspicious usage of File Server Remote VSS Protocol (FSRVP) (9f82d067-25e8-49da-bae3-62e7f9074943) - added a new High alert Removed 3 old Medium BIOCs: Fodhelper.exe UAC bypass (448f8a2e-eaf9-4ff7-ab84-5a582e837dfc) - removed an old Medium alert Scripting engine injects code to a process (1f985402-f4a4-4132-b74b-18a04a3620cd) - removed an old Medium alert Rundll32.exe running with no command-line arguments (0c0a801a-06ff-4a10-b555-67e56ecbd410) - removed an old Medium alert Added 4 new Medium Analytics BIOCs: Rundll32.exe running with no command-line arguments (1fec6f01-b5de-935b-58e0-c124f2de6101) - added a new Medium alert Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - added a new Medium alert Fodhelper.exe UAC bypass (780d896e-19db-4c9d-ee3b-e496f745ee64) - added a new Medium alert Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - added a new Medium alert Removed 3 old Medium Analytics BIOCs: Script Connecting to Rare External Host (86889630-e953-11e9-b74e-8c8590c9ccd1) - removed an old Medium alert LOLBIN spawned by an Office executable connected to a rare external host (0aad6094-99a3-11ea-8544-88e9fe502c1f) - removed an old Medium alert LOLBIN connecting to a rare host (4bcc13de-20b7-11ea-a54a-8c8590c9ccd1) - removed an old Medium alert Increased the severity to Low for an Analytics BIOC: Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - increased the severity to Low, and improved detection logic Added a new Low Analytics BIOC: A computer account was promoted to DC (87de9d8c-7d52-11ec-b568-acde48001122) - added a new Low alert Improved logic of 9 Low Analytics BIOCs: Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - improved logic of a Low Analytics BIOCs A disabled user successfully authenticated via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - improved logic of a Low Analytics BIOCs Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - improved logic of a Low Analytics BIOCs First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of a Low Analytics BIOCs A disabled user attempted to log in to a VPN (2a092ebe-ed9a-4eaa-bdcc-4b378c4ce4d7) - improved logic of a Low Analytics BIOCs VPN login by a service account (5430df85-d0ff-4b41-8683-6ad6bed1b657) - improved logic of a Low Analytics BIOCs VPN login with a machine account (9818431a-c039-49eb-a93c-8731c7f48fec) - improved logic of a Low Analytics BIOCs SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - improved logic of a Low Analytics BIOCs SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - improved logic of a Low Analytics BIOCs Removed 2 old Low Analytics BIOCs: UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - removed an old Low alert MSBuild Makes a Rare Network Connection (633a8e38-c616-11ea-abb3-acde48001122) - removed an old Low alert Added 3 new Low Analytics Alerts: New Shared User Account (0d29cc9c-cdc3-11eb-afcb-acde48001122) - added a new Low alert Impossible traveler - VPN (6acd5f71-0f52-41b7-b996-67f3c800a2b9) - added a new Low alert SSH authentication brute force attempts (be5524ca-60ab-49eb-9045-9aa65d1d89fd) - added a new Low alert Improved logic of a Low Analytics Alert: VPN login Brute-Force attempt (7a69443f-48af-4c3b-8c18-b448e403561c) - improved logic of a Low Analytics Alert Added 6 new Informational Analytics BIOCs: A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - added a new Informational alert VPN login by a dormant user (9f9d7576-b3c0-4c11-983e-71e250b03a6d) - added a new Informational alert Iptables configuration command was executed (bbb7b421-2de6-438d-a270-e28ed2a95b35) - added a new Informational alert A user added a Windows firewall rule (4d52f94d-2344-439b-a7a8-5adb7d37be90) - added a new Informational alert A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - added a new Informational alert A user accessed an uncommon AppID (d9f7bb18-bf8b-4902-85cf-18a3e4ebad67) - added a new Informational alert Improved logic of 11 Informational Analytics BIOCs: Login by a dormant user (0d700470-a3fa-4a78-b1fa-5c1e47db9a60) - improved logic of an Informational Analytics BIOCs Administrator groups enumerated via LDAP (ab78c189-98f0-4646-b67b-0ce05576ddbf) - improved logic of an Informational Analytics BIOCs SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of an Informational Analytics BIOCs VPN access with a new operating system for a user (0973136b-a66a-4ad1-ad9c-068971bfcbb8) - improved logic of an Informational Analytics BIOCs First VPN access attempt from a country in organization (e143bc60-67d0-45e8-b0cb-682ecf82a04d) - improved logic of an Informational Analytics BIOCs First VPN access from ASN in organization (4f94ffc0-6f8c-411b-a0ca-e0fb65ee8a5b) - improved logic of an Informational Analytics BIOCs First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOCs SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - improved logic of an Informational Analytics BIOCs LOLBAS executable injects into another process (76190f98-9582-9c60-cca0-3ee2e8f0bf15) - improved logic of an Informational Analytics BIOCs VPN access with an abnormal operating system (1adc594f-4a49-4f75-adee-5b72c4dd4e70) - improved logic of an Informational Analytics BIOCs A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) - improved logic of an Informational Analytics BIOCs Improved logic of an Informational Analytics Alert: Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - improved logic of an Informational Analytics Alert   March 27 2022 Release: Changed metadata of a Medium Analytics BIOC: Autorun.inf created in root C drive (cee2bedd-66d1-84d6-fd43-652725459a71) - changed metadata of a Medium Analytics BIOC Added a new Medium Analytics Alert: Suspicious large allocation of compute resources - possible mining activity (896e2a9a-9c4f-4aea-9314-1e3e15050b44) - added a new Medium alert Improved logic of a Medium Analytics Alert: Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alert Added 7 new Low Analytics BIOCs: Unusual AWS credentials creation (e13d7877-3308-4f35-9fb8-6ee466b69080) - added a new Low alert Contained process execution with a rare GitHub URL (eadd0b5c-94bb-4582-8115-765e48e19353) - added a new Low alert Masquerading as Linux crond process (5823c47a-35fc-49c6-a602-a0b81ec342bc) - added a new Low alert Suspicious process modified RC script file (711175b0-03ac-469b-ae5a-2ffb727816b2) - added a new Low alert Suspicious data encryption (30df8779-1e1e-4c5a-a9de-40cb94d837e7) - added a new Low alert Extracting credentials from Unix files (3eac1dcb-2aec-45e4-b44a-3f982d8979e1) - added a new Low alert Setuid and Setgid file bit manipulation (86c8f625-febe-42d3-8682-9ef405985379) - added a new Low alert Improved logic of a Low Analytics BIOC: Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOC Improved logic of a Low Analytics Alert: Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - improved logic of a Low Analytics Alert Decreased the severity to Informational for an Analytics BIOC: Microsoft Office injects code into a process (da155b88-6973-a1b8-9ccd-5fad9a1e3455) - decreased the severity to Informational, and improved detection logic Added a new Informational Analytics BIOC: Interactive login from a shared user account (caf8236b-b276-11eb-b927-acde48001122) - added a new Informational alert Improved logic of 2 Informational Analytics Alerts: Multiple user accounts were deleted (a334c4fa-569a-11ec-ad30-acde48001122) - improved logic of an Informational Analytics Alerts Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - improved logic of an Informational Analytics Alerts   March 20, 2022 Release: Changed metadata of 18 High Analytics BIOCs: Possible DCShadow attempt (a320aa30-20c3-11ea-b525-8c8590c9ccd1) - changed metadata of a High Analytics BIOCs PowerShell used to remove mailbox export request logs (2daec22b-6339-4217-afdc-ffaf60faa4c2) - changed metadata of a High Analytics BIOCs A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - changed metadata of a High Analytics BIOCs Netcat makes or gets connections (15d32561-c499-4772-8934-883fcd1cd75f) - changed metadata of a High Analytics BIOCs A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - changed metadata of a High Analytics BIOCs Uncommon remote scheduled task creation (85516bae-e953-11e9-bbed-8c8590c9ccd1) - changed metadata of a High Analytics BIOCs Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin (e7deceda-807e-4e2e-993b-e577804c5d8f) - changed metadata of a High Analytics BIOCs Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - changed metadata of a High Analytics BIOCs Editing ld.so.preload for persistence and injection (135b986b-033a-2cc5-8800-4da034c291fc) - changed metadata of a High Analytics BIOCs Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - changed metadata of a High Analytics BIOCs Memory dumping with comsvcs.dll (4c720885-7c14-4e18-94aa-c8e5a03edac8) - changed metadata of a High Analytics BIOCs Unprivileged process opened a registry hive (9937ddbf-beb9-49b0-ac34-e005d53a127b) - changed metadata of a High Analytics BIOCs Bronze-Bit exploit (115c6f43-ebb2-48d8-9044-9b52c0102e2f) - changed metadata of a High Analytics BIOCs Windows Event Log cleared using wevtutil.exe (be2210fb-9884-49e7-8078-6e59c35d925e) - changed metadata of a High Analytics BIOCs Log4J exploitation attempt against cloud hosted resources (bdef5aae-a272-4c70-b1cd-165cac5039c3) - changed metadata of a High Analytics BIOCs Wbadmin deleted files in quiet mode (293c8cc3-d9c3-4293-bddc-5dbf65d979fc) - changed metadata of a High Analytics BIOCs Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) - changed metadata of a High Analytics BIOCs A Successful login from TOR (ec9124e2-f2c3-4141-bdfa-4c707dfae296) - changed metadata of a High Analytics BIOCs Changed metadata of 2 High Analytics Alerts: Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - changed metadata of a High Analytics Alerts Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - changed metadata of a High Analytics Alerts Improved logic of a Medium Analytics BIOC: Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - improved logic of a Medium Analytics BIOC Changed metadata of 87 Medium Analytics BIOCs: Suspicious authentication package registered (8beb68b4-a866-494d-a768-c4c391086c66) - changed metadata of a Medium Analytics BIOCs LOLBIN spawned by an Office executable connected to a rare external host (0aad6094-99a3-11ea-8544-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs Unsigned process injecting into a Windows system binary with no command line (1d8789e7-6629-4549-7064-d384adc339bc) - changed metadata of a Medium Analytics BIOCs TGT request with a spoofed sAMAccountName - Network (92c20cd9-60e8-11ec-80b1-acde48001122) - changed metadata of a Medium Analytics BIOCs Suspicious Udev driver rule execution manipulation (74805905-0d62-454d-90dc-2deeeb51e549) - changed metadata of a Medium Analytics BIOCs Office process creates an unusual .LNK file (15b39f42-b51e-7dec-576f-d1cef54a5baf) - changed metadata of a Medium Analytics BIOCs Scrcons.exe Rare Child Process (f62553d1-e952-11e9-81c4-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOCs Suspicious hidden user created (eeb7b678-3c9b-11ec-879d-acde48001122) - changed metadata of a Medium Analytics BIOCs Suspicious Process Spawned by wininit.exe (9e4ba29f-8771-4f7b-acc4-562c91740934) - changed metadata of a Medium Analytics BIOCs Vulnerable driver loaded (1cc145f5-f667-4ca3-a722-79a29ed23caf) - changed metadata of a Medium Analytics BIOCs Office process creates a scheduled task via file access (f55359ad-1258-7ffe-1d97-ae01077dd8e1) - changed metadata of a Medium Analytics BIOCs Discovery of misconfigured certificate templates using LDAP (7dbb9366-8b94-4a9f-bc18-f02fbe7b1433) - changed metadata of a Medium Analytics BIOCs Unicode RTL Override Character (525e3dd7-4ca6-11ea-8161-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs Mailbox Client Access Setting (CAS) changed (d44c2188-9769-497d-a509-b980e9420f33) - changed metadata of a Medium Analytics BIOCs Execution of the Hydra Linux password brute-force tool (90010a1e-59b9-42a2-b768-2778a666f7a3) - changed metadata of a Medium Analytics BIOCs Suspicious SearchProtocolHost.exe parent process (86d04512-5c96-4f87-be1e-dc600e9d60f8) - changed metadata of a Medium Analytics BIOCs Suspicious PowerSploit's recon module (PowerView) net function was executed (bd95656f-6ba3-4c9d-ac06-8b0a957cf67f) - changed metadata of a Medium Analytics BIOCs Suspicious print processor registered (cf14910d-0c56-48c7-97f2-903f3387ad6b) - changed metadata of a Medium Analytics BIOCs Possible Persistence via group policy Registry keys (3b3741b6-1993-0e75-6c33-51152991fa0a) - changed metadata of a Medium Analytics BIOCs Manipulation of netsh helper DLLs Registry keys (02bf3838-23d9-4a6b-a4c9-7b6691663249) - changed metadata of a Medium Analytics BIOCs Remote command execution via wmic.exe (f42fdaa8-4685-11ea-94be-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs LOLBIN connecting to a rare host (4bcc13de-20b7-11ea-a54a-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOCs Suspicious certutil command line (eb9c9e41-072d-9975-fba3-d17a1cb39b49) - changed metadata of a Medium Analytics BIOCs Script Connecting to Rare External Host (86889630-e953-11e9-b74e-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOCs Windows Installer exploitation for local privilege escalation (d6aeb50b-c3f9-4eb3-9504-636eb17f3a42) - changed metadata of a Medium Analytics BIOCs Possible code downloading from a remote host by Regsvr32 (1f358bb5-aede-3ff6-40e4-50edd570d9e3) - changed metadata of a Medium Analytics BIOCs Uncommon SetWindowsHookEx API invocation of a possible keylogger (09cf18c8-e607-44f4-bb06-1dfde6163839) - changed metadata of a Medium Analytics BIOCs Executable moved to Windows system folder (bab3ed69-9e51-2000-c383-34103b1fb8fd) - changed metadata of a Medium Analytics BIOCs Uncommon net group execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOCs Uncommon PowerShell commands used to create or alter scheduled task parameters (a31e1c5b-f931-412b-b7ae-1932df342614) - changed metadata of a Medium Analytics BIOCs External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - changed metadata of a Medium Analytics BIOCs Autorun.inf created in root C:\ drive (cee2bedd-66d1-84d6-fd43-652725459a71) - changed metadata of a Medium Analytics BIOCs Interactive at.exe privilege escalation method (86c25db2-acaa-6673-a7d4-20aef374f0d1) - changed metadata of a Medium Analytics BIOCs Microsoft Office injects code into a process (da155b88-6973-a1b8-9ccd-5fad9a1e3455) - changed metadata of a Medium Analytics BIOCs Encoded information using Windows certificate management tool (33d390e1-2091-4a70-0dde-99fe29540b38) - changed metadata of a Medium Analytics BIOCs Possible Microsoft process masquerading (e0a99ea0-977d-4646-b9d9-26e9e7a4341c) - changed metadata of a Medium Analytics BIOCs RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOCs Suspicious PowerSploit's recon module (PowerView) used to search for exposed hosts (dd806bdc-9025-47ff-816a-72ee47c322a3) - changed metadata of a Medium Analytics BIOCs MSI accessed a web page running a server-side script (afb57884-36f1-4127-b1ac-43009c32899b) - changed metadata of a Medium Analytics BIOCs Modification of NTLM restrictions in the Registry (bba1f627-d154-4980-f752-b17096cd73a2) - changed metadata of a Medium Analytics BIOCs Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - changed metadata of a Medium Analytics BIOCs Service ticket request with a spoofed sAMAccountName (633ca673-5d09-11ec-b013-faffc26aac4a) - changed metadata of a Medium Analytics BIOCs Suspicious time provider registered (2055b591-73b7-4a69-8c88-a6d8649d1e7b) - changed metadata of a Medium Analytics BIOCs A remote service was created via RPC over SMB (f33c6ecc-cb20-4f2a-8bf8-869d21f18b0e) - changed metadata of a Medium Analytics BIOCs PowerShell suspicious flags (4ce1b559-45b8-11ea-81bb-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs Tampering with Internet Explorer Protected Mode configuration (670fd2a0-8523-85f1-49c9-28a1f2ccb69a) - changed metadata of a Medium Analytics BIOCs Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - changed metadata of a Medium Analytics BIOCs Suspicious execution of ODBCConf (4bebfd54-6c21-b4bd-f30e-070f48ae8949) - changed metadata of a Medium Analytics BIOCs PowerShell used to export mailbox contents (70b08c1e-ccfd-4ab9-bb92-66acaa83aa3a) - changed metadata of a Medium Analytics BIOCs Compiled HTML (help file) writes a script file to disk (19cb36a3-3d9b-9453-125c-f0b456d4cef4) - changed metadata of a Medium Analytics BIOCs Script file added to startup-related Registry keys (9dee6c7b-1df0-4eb2-9db2-035f70e7c9d7) - changed metadata of a Medium Analytics BIOCs Possible malicious .NET compilation started by a commonly abused process (63627c16-7c3e-9538-f662-8f25568995f5) - changed metadata of a Medium Analytics BIOCs The CA policy EditFlags was queried (3c01fdf3-0cf3-49b6-b08f-b40df3c2e498) - changed metadata of a Medium Analytics BIOCs Phantom DLL Loading (69ba5103-2954-4175-87b7-3a622ec07255) - changed metadata of a Medium Analytics BIOCs Bitsadmin.exe persistence using command-line callback (96e5bf6b-3ed4-42f2-b824-6cdb16a31608) - changed metadata of a Medium Analytics BIOCs Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs Execution of renamed lolbin (d2600df6-4489-4ad6-b92b-0b560f958d57) - changed metadata of a Medium Analytics BIOCs Procdump executed from an atypical directory (7b947703-063a-7f35-0980-b57cfb0eada1) - changed metadata of a Medium Analytics BIOCs Office process spawned with suspicious command-line arguments (b6d85e95-f65e-dbcc-9c9b-eb2f47593f8e) - changed metadata of a Medium Analytics BIOCs Reverse SSH tunnel to external domain/ip (0098b910-5056-4ce9-988a-983dd0071c5a) - changed metadata of a Medium Analytics BIOCs Uncommon Service Create/Config (4814ee91-468d-11ea-a78c-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs Rundll32.exe spawns conhost.exe (c91811ac-2fa7-af90-1d55-bc786fee62a6) - changed metadata of a Medium Analytics BIOCs Commonly abused AutoIT script connects to an external domain (5ce79fc6-a5d3-43d1-a9ff-d8c779958cc9) - changed metadata of a Medium Analytics BIOCs Possible AWS Instance Metadata Service (IMDS) Abuse (39ea8f0c-d0d7-4470-b373-aa144394e579) - changed metadata of a Medium Analytics BIOCs Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - changed metadata of a Medium Analytics BIOCs Suspicious disablement of the Windows Firewall using PowerShell commands (cb8b6ba0-12cc-4c64-81f5-75da949bea0b) - changed metadata of a Medium Analytics BIOCs Suspicious .NET process loads an MSBuild DLL (bb0e8ceb-94e4-888c-92a1-bc9c1b8c481c) - changed metadata of a Medium Analytics BIOCs Indirect command execution using the Program Compatibility Assistant (324416dd-01a2-1fa3-f3f7-5757895e9926) - changed metadata of a Medium Analytics BIOCs PowerShell runs suspicious base64-encoded commands (867fc0b0-4f9f-4d3b-b538-0b32266e2ab2) - changed metadata of a Medium Analytics BIOCs Non-browser failed access to a pastebin-like site (be47eb8c-3407-46d6-ad35-2961f3f669b0) - changed metadata of a Medium Analytics BIOCs Possible Microsoft module side-loading into Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - changed metadata of a Medium Analytics BIOCs SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs Remote WMI process execution (65c55916-23c3-4d1e-9e3d-e839c9c4b70f) - changed metadata of a Medium Analytics BIOCs Uncommon msiexec execution of an arbitrary file from the web (8b919310-62f6-4035-b60b-ef61372947d9) - changed metadata of a Medium Analytics BIOCs Microsoft Office Process Spawning a Suspicious One-Liner (aca7aaa1-4361-11ea-8fed-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs LSASS dump file written to disk (dd78e167-1c96-de84-d476-d48cba3370cd) - changed metadata of a Medium Analytics BIOCs LDAP search query from an unpopular and unsigned process (64472a41-9670-4626-8926-98b713328ddf) - changed metadata of a Medium Analytics BIOCs Possible network connection to a TOR relay server (a3e0fd91-11e5-34b8-92b3-a2bed507878a) - changed metadata of a Medium Analytics BIOCs Possible Search For Password Files (388d1fcc-4d9c-11ea-9daa-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs Suspicious disablement of the Windows Firewall (7c28b163-4d2f-463c-97ba-5b3e7f13249b) - changed metadata of a Medium Analytics BIOCs Possible new DHCP server (e5afa116-5041-4ed9-9d0c-18eaac133173) - changed metadata of a Medium Analytics BIOCs Mshta.exe launched with suspicious arguments (0b174006-3946-43b6-af3c-ab400e6c7a87) - changed metadata of a Medium Analytics BIOCs TGT request with a spoofed sAMAccountName - Event log (aa13b505-66e8-11ec-b385-faffc26aac4a) - changed metadata of a Medium Analytics BIOCs Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - changed metadata of a Medium Analytics BIOCs Executable created to disk by lsass.exe (b2f18102-e247-4986-8681-029741ebbfd5) - changed metadata of a Medium Analytics BIOCs Possible RDP session hijacking using tscon.exe (015570a8-ffce-492b-99a9-e7b83dc8e216) - changed metadata of a Medium Analytics BIOCs Suspicious Encrypting File System Remote call (EFSRPC) to domain controller (82a37634-c112-4dd9-8c16-332855d96c30) - changed metadata of a Medium Analytics BIOCs Improved logic of 3 Medium Analytics Alerts: Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alerts DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - improved logic of a Medium Analytics Alerts New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Medium Analytics Alerts Changed metadata of 8 Medium Analytics Alerts: Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - changed metadata of a Medium Analytics Alerts Port Scan (885fc894-9b72-11ea-9067-88e9fe502c1f) - changed metadata of a Medium Analytics Alerts Kerberos User Enumeration (a371b533-c9f4-11eb-879e-acde48001122) - changed metadata of a Medium Analytics Alerts Suspicious allocation of compute resources in multiple regions - possible mining activity (30f4d71c-a3f7-43b0-82ca-f2951995e420) - changed metadata of a Medium Analytics Alerts Remote account enumeration (7ee73b65-466e-4d4d-b2a6-0058f11b442d) - changed metadata of a Medium Analytics Alerts Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - changed metadata of a Medium Analytics Alerts Sudoedit Brute force attempt (e1d6cdd8-845f-440b-b89e-a430eafea941) - changed metadata of a Medium Analytics Alerts NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) - changed metadata of a Medium Analytics Alerts Improved logic of 3 Low Analytics BIOCs: Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of a Low Analytics BIOCs A suspicious process enrolled for a certificate (4cbef8f8-ec99-40d1-9b8b-bfbd3cda5f4b) - improved logic of a Low Analytics BIOCs A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - improved logic of a Low Analytics BIOCs Changed metadata of 93 Low Analytics BIOCs: Suspicious Certutil AD CS contact (06545c74-04c2-4964-9af5-eb99080c274e) - changed metadata of a Low Analytics BIOCs Suspicious PowerShell Enumeration of Running Processes (9ed9d8ee-6dbb-11ea-a5d9-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs Suspicious access to shadow file (e4b279f9-3e47-4906-a9d3-4b2a7550da04) - changed metadata of a Low Analytics BIOCs VPN login with a machine account (9818431a-c039-49eb-a93c-8731c7f48fec) - changed metadata of a Low Analytics BIOCs Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - changed metadata of a Low Analytics BIOCs User successfully connected from a suspicious country (2f0796a2-c33c-4437-b592-ac13f0929e7d) - changed metadata of a Low Analytics BIOCs Remote service start from an uncommon source (972072a7-9f23-4354-824d-7295de90e804) - changed metadata of a Low Analytics BIOCs Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - changed metadata of a Low Analytics BIOCs Uncommon user management via net.exe (f78dfe5e-e952-11e9-b300-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - changed metadata of a Low Analytics BIOCs Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - changed metadata of a Low Analytics BIOCs Uncommon GetClipboardData API function invocation of a possible information stealer (086617b1-eaea-4b50-9712-318faeb71c10) - changed metadata of a Low Analytics BIOCs Unsigned and unpopular process performed a DLL injection (5396ebed-c7ef-4462-a02b-9cf7232b27b8) - changed metadata of a Low Analytics BIOCs Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - changed metadata of a Low Analytics BIOCs Uncommon routing table listing via route.exe (758e8ed7-e953-11e9-b4ee-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs Domain federation settings have been modified (050d189d-714a-46a0-b25d-2b295afd55b6) - changed metadata of a Low Analytics BIOCs MSBuild Makes a Rare Network Connection (633a8e38-c616-11ea-abb3-acde48001122) - changed metadata of a Low Analytics BIOCs MpCmdRun.exe was used to download files into the system (bae10b1e-5850-452a-9623-d86e959d34d4) - changed metadata of a Low Analytics BIOCs Suspicious AMSI decode attempt (f3885db4-6be6-40b9-82c1-9858f97a4229) - changed metadata of a Low Analytics BIOCs Remote DCOM command execution (e5e3c27a-a0c5-49b7-8143-5012d1180d2c) - changed metadata of a Low Analytics BIOCs Suspicious process loads a known PowerShell module (23ac9a23-8a43-4900-95e1-6cdb422dd854) - changed metadata of a Low Analytics BIOCs AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - changed metadata of a Low Analytics BIOCs Unusual process accessed the PowerShell history file (c5e0c7e3-5e55-11eb-9453-acde48001122) - changed metadata of a Low Analytics BIOCs A rare disabled user attempted to log in (598e04de-0c13-46de-ad73-27ec4605da3f) - changed metadata of a Low Analytics BIOCs Failed Login For a Long Username With Special Characters (de8eb00f-2016-11ea-8f2b-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - changed metadata of a Low Analytics BIOCs Unverified domain added to Azure AD (e4672ba4-6ba8-426c-82c1-9858f97a4221) - changed metadata of a Low Analytics BIOCs Uncommon local scheduled task creation via schtasks.exe (8581c273-e953-11e9-b670-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - changed metadata of a Low Analytics BIOCs Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - changed metadata of a Low Analytics BIOCs Wsmprovhost.exe Rare Child Process (f5b580fd-e952-11e9-91de-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs Uncommon ARP cache listing via arp.exe (85a9b5a1-e953-11e9-939b-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs Rare SSH Session (85f62ab8-e953-11e9-beca-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs Interactive login by a service account (603bfd03-d88b-4a3e-844b-5286b6971960) - changed metadata of a Low Analytics BIOCs Wscript/Cscript loads .NET DLLs (5844326f-d597-410f-aea0-7d369029b218) - changed metadata of a Low Analytics BIOCs Suspicious LDAP search query executed (95ffd373-d208-4fae-8d1e-adfeca7b9fb5) - changed metadata of a Low Analytics BIOCs Uncommon remote service start via sc.exe (85cdb57d-e953-11e9-859b-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs SPNs cleared from a machine account (973d9ec2-5dce-11ec-8dbf-acde48001122) - changed metadata of a Low Analytics BIOCs Unsigned and unpopular process performed an injection (6bcd74bb-6301-4f52-9a9f-1b38e6a54342) - changed metadata of a Low Analytics BIOCs WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - changed metadata of a Low Analytics BIOCs LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - changed metadata of a Low Analytics BIOCs Screensaver process executed from Users or temporary folder (463d34d4-d448-40f2-8093-6ce58cf2bdbb) - changed metadata of a Low Analytics BIOCs Rare communication over email ports to external email server by unsigned process (7b424216-fe61-4589-bcee-67e9e7b267be) - changed metadata of a Low Analytics BIOCs Uncommon Security Support Provider (SSP) registered via a registry key (3d1283d0-409c-4d95-8995-dcc7b1ab23e1) - changed metadata of a Low Analytics BIOCs PowerShell Initiates a Network Connection to GitHub (8b34f70a-b84d-4d98-aa19-7ee88037e467) - changed metadata of a Low Analytics BIOCs Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - changed metadata of a Low Analytics BIOCs Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs New addition to Windows Defender exclusion list (97bd1ad3-df0f-459c-be72-88193ce7b667) - changed metadata of a Low Analytics BIOCs VPN login by a service account (5430df85-d0ff-4b41-8683-6ad6bed1b657) - changed metadata of a Low Analytics BIOCs Suspicious process accessed certificate files (21df20db-09cb-4bc4-b7ea-c6b1cb2e9667) - changed metadata of a Low Analytics BIOCs Microsoft Office process spawns a commonly abused process (e15a97e1-466c-11ea-90c6-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - changed metadata of a Low Analytics BIOCs Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - changed metadata of a Low Analytics BIOCs First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - changed metadata of a Low Analytics BIOCs Discovery of host users via WMIC (6593c57d-14fe-11ea-9297-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - changed metadata of a Low Analytics BIOCs Command running with COMSPEC in the command line argument (2feeb01f-0a81-476a-8ec0-d49fd2bf807b) - changed metadata of a Low Analytics BIOCs GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - changed metadata of a Low Analytics BIOCs Rare security product signed executable executed in the network (f9e9ff14-df6e-4ed4-a15d-326bd444199b) - changed metadata of a Low Analytics BIOCs A disabled user attempted to log in to a VPN (2a092ebe-ed9a-4eaa-bdcc-4b378c4ce4d7) - changed metadata of a Low Analytics BIOCs Suspicious runonce.exe parent process (b72692c3-9579-4547-b657-43dc4e6be816) - changed metadata of a Low Analytics BIOCs Possible network service discovery via command-line tool (e2e77dfb-d869-405e-ab1f-2a2477c931cc) - changed metadata of a Low Analytics BIOCs Possible network sniffing attempt via tcpdump or tshark (10d3d8d1-1edd-4992-beb3-53d4f5afcde8) - changed metadata of a Low Analytics BIOCs Elevation to SYSTEM via services (a1962f05-c1da-4765-8e4a-59729c70dde0) - changed metadata of a Low Analytics BIOCs Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet (c640fd86-9c58-4fe2-82ed-c3975866393a) - changed metadata of a Low Analytics BIOCs Suspicious process execution by scheduled task (56bc5f4c-e481-41de-81e4-ec618fb1f004) - changed metadata of a Low Analytics BIOCs AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - changed metadata of a Low Analytics BIOCs Delayed Deletion of Files (9801a8bd-4695-11ea-bb20-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - changed metadata of a Low Analytics BIOCs Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - changed metadata of a Low Analytics BIOCs Reading bash command history file (e5dcfbcd-7c34-69a7-be3b-3ff9893435d7) - changed metadata of a Low Analytics BIOCs Suspicious RunOnce Parent Process (565f0500-ad74-11ea-abe7-acde48001122) - changed metadata of a Low Analytics BIOCs AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - changed metadata of a Low Analytics BIOCs Rare Unsigned Process Spawned by Office Process Under Suspicious Directory (dff03970-bf7a-11ea-86c7-acde48001122) - changed metadata of a Low Analytics BIOCs Uncommon IP Configuration Listing via ipconfig.exe (02501f5c-e953-11e9-954d-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs Image File Execution Options Registry key injection by unsigned process (4588be44-8912-41c5-9a7d-6921691140db) - changed metadata of a Low Analytics BIOCs SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - changed metadata of a Low Analytics BIOCs UNIX LOLBIN connecting to a rare host (6a43f002-accf-11eb-8529-0242ac130003) - changed metadata of a Low Analytics BIOCs Suspicious sAMAccountName change (3a44e454-61ab-11ec-a8b5-acde48001122) - changed metadata of a Low Analytics BIOCs An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - changed metadata of a Low Analytics BIOCs A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - changed metadata of a Low Analytics BIOCs SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - changed metadata of a Low Analytics BIOCs System information discovery via psinfo.exe (5347ae54-08ba-4cee-81a7-a26016928e27) - changed metadata of a Low Analytics BIOCs Suspicious PowerShell Command Line (d2aa3dde-4d73-11ea-923a-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - changed metadata of a Low Analytics BIOCs A WMI subscriber was created (5a1964f8-87a0-49d6-bbf2-2c1a5a5eb3e1) - changed metadata of a Low Analytics BIOCs Microsoft Office adds a value to autostart Registry key (32e4eb1d-659c-317b-42a7-910db9f2f3b7) - changed metadata of a Low Analytics BIOCs Unsigned process creates a scheduled task via file access (f07fd364-9b51-48ec-8225-32ae98a8ffe5) - changed metadata of a Low Analytics BIOCs SUID/GUID permission discovery (3f90bf2c-05bb-4916-8e70-3fe7a81ea23d) - changed metadata of a Low Analytics BIOCs SecureBoot was disabled (e8a6caaf-89c1-4e19-8e27-1ced582293e0) - changed metadata of a Low Analytics BIOCs Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - changed metadata of a Low Analytics BIOCs Suspicious process executed with a high integrity level (81e70ab2-b1f1-4a1c-bf94-3929f6d7e1b2) - changed metadata of a Low Analytics BIOCs Increased the severity to Low for an Analytics Alert: TGT reuse from different hosts (pass the ticket) (a3ae81d9-6d4a-45a8-a720-df7380d2afc8) - increased the severity to Low, and improved detection logic Added a new Low Analytics Alert: VPN login Brute-Force attempt (7a69443f-48af-4c3b-8c18-b448e403561c) - added a new Low alert Improved logic of a Low Analytics Alert: Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - improved logic of a Low Analytics Alert Changed metadata of 22 Low Analytics Alerts: Possible external RDP Brute-Force (f774f787-6763-4f3c-bc24-46d3183d26fe) - changed metadata of a Low Analytics Alerts Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - changed metadata of a Low Analytics Alerts Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - changed metadata of a Low Analytics Alerts Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - changed metadata of a Low Analytics Alerts Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - changed metadata of a Low Analytics Alerts Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - changed metadata of a Low Analytics Alerts Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - changed metadata of a Low Analytics Alerts Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alerts Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - changed metadata of a Low Analytics Alerts Suspicious reconnaissance using LDAP (72a78521-6907-40c0-90da-5c1a733a8ed6) - changed metadata of a Low Analytics Alerts NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - changed metadata of a Low Analytics Alerts Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - changed metadata of a Low Analytics Alerts Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - changed metadata of a Low Analytics Alerts Outlook files accessed by an unsigned process (ef33bda6-d0c5-48ef-95a6-e80c0f19df79) - changed metadata of a Low Analytics Alerts NTLM Brute Force on an Administrator Account (aed1e32e-8df0-48d7-8e78-4ebcb6e09a94) - changed metadata of a Low Analytics Alerts NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - changed metadata of a Low Analytics Alerts Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - changed metadata of a Low Analytics Alerts Excessive user account lockouts (ed56d140-47ce-11ec-a9b1-faffc26aac4a) - changed metadata of a Low Analytics Alerts Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - changed metadata of a Low Analytics Alerts IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - changed metadata of a Low Analytics Alerts A user connected a new USB storage device to multiple hosts (09214199-d414-486e-bcf5-dc5034b2c424) - changed metadata of a Low Analytics Alerts Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - changed metadata of a Low Analytics Alerts Decreased the severity to Informational for an Analytics BIOC: Certutil pfx parsing (3719af79-bdde-4c84-9277-cbf41c86cd39) - decreased the severity to Informational, and improved detection logic Added a new Informational Analytics BIOC: First VPN access from ASN for user (a8a4d03b-d016-4e67-a497-c0388e08adc7) - added a new Informational alert Changed metadata of 139 Informational Analytics BIOCs: An Identity accessed a secret from Secret Manager (050cd586-bc43-4586-850d-162c0123ad6e) - changed metadata of an Informational Analytics BIOCs Security tools detection attempt (502d0305-4670-49e3-b62b-2fab82bdda6e) - changed metadata of an Informational Analytics BIOCs Interactive login by a machine account (1114b340-fc05-4ad0-925d-6c2867d2b5d9) - changed metadata of an Informational Analytics BIOCs A suspicious process queried AD CS objects via LDAP (69bfcbc2-04a1-400b-9516-14c987fedb05) - changed metadata of an Informational Analytics BIOCs Process connecting to default Meterpreter port (9de6cf91-007d-11ea-a77c-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs Rare AppID usage for port to rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - changed metadata of an Informational Analytics BIOCs Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - changed metadata of an Informational Analytics BIOCs Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs A LOLBIN was copied to a different location (55c8b498-1f5e-4abf-9dfc-ca8bf0bcb3b9) - changed metadata of an Informational Analytics BIOCs Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - changed metadata of an Informational Analytics BIOCs A user connected a new USB storage device to a host (43c2c43d-3c3c-4a16-b06c-3ad5de1fb3be) - changed metadata of an Informational Analytics BIOCs LDAP Traffic from Non-Standard Process (5e72a7b4-39ed-4669-98ca-b2495088f653) - changed metadata of an Informational Analytics BIOCs Azure Event Hub Authorization rule creation/modification (ba1fb18f-9031-4b7c-9ec3-d029f5e5ee0e) - changed metadata of an Informational Analytics BIOCs GCP Service Account deletion (bf134ec2-a907-4f4f-a316-0b68625ff236) - changed metadata of an Informational Analytics BIOCs User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - changed metadata of an Informational Analytics BIOCs Commonly abused process launched as a system service (3cbd172e-6e2f-11ea-8d8e-88e9fe502c1f) - changed metadata of an Informational Analytics BIOCs Signed process performed an unpopular DLL injection (9e699960-30e7-4b6e-bb71-30cdbf635307) - changed metadata of an Informational Analytics BIOCs New process created via a WMI call (6d726469-71ac-4741-9b41-abd75259ff74) - changed metadata of an Informational Analytics BIOCs Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - changed metadata of an Informational Analytics BIOCs Azure Key Vault modification (c253e0bb-f704-45c8-9abe-ad0ec9345b54) - changed metadata of an Informational Analytics BIOCs First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - changed metadata of an Informational Analytics BIOCs Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - changed metadata of an Informational Analytics BIOCs Rare NTLM Usage by User (41374948-45f3-448a-bec2-2efe049aa69f) - changed metadata of an Informational Analytics BIOCs GCP IAM Custom Role Creation (830eb74a-a6a5-4e5c-9890-0f5857408000) - changed metadata of an Informational Analytics BIOCs VM Detection attempt (579c1479-a14e-4366-ab09-6bfefe0dc7f7) - changed metadata of an Informational Analytics BIOCs Commonly abused AutoIT script drops an executable file to disk (267a6168-f45b-4274-9c78-7519395f47d4) - changed metadata of an Informational Analytics BIOCs Azure Blob Container Access Level Modification (28efc491-b0a3-4edc-96ab-15156dec80e4) - changed metadata of an Informational Analytics BIOCs Suspicious domain user account creation (49c01587-efa8-11eb-ab9a-acde48001122) - changed metadata of an Informational Analytics BIOCs Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - changed metadata of an Informational Analytics BIOCs GCP Service Account creation (f29b6fd5-3da3-4e40-867d-ef8c82d95116) - changed metadata of an Informational Analytics BIOCs AWS Role Trusted Entity modification (cada381e-8af6-45fa-8c3f-a4e93c4e1885) - changed metadata of an Informational Analytics BIOCs Possible use of a networking driver for network sniffing (335fb03a-3c85-4029-8033-ec575b3479ae) - changed metadata of an Informational Analytics BIOCs Modification of PAM (9aa924bd-64e8-4077-af6e-2dd5ef8e8b0d) - changed metadata of an Informational Analytics BIOCs Remote usage of VM Service Account token (e65c3658-79d7-11ec-bba6-acde48001122) - changed metadata of an Informational Analytics BIOCs An IAM group was created (af19f0d0-1e67-4327-9528-a1dc496a548f) - changed metadata of an Informational Analytics BIOCs Suspicious curl user agent (14166076-1ee3-4d9b-954d-eaad065ca0c0) - changed metadata of an Informational Analytics BIOCs Local account discovery (99206b5b-f52d-4850-95ab-0135cf3db645) - changed metadata of an Informational Analytics BIOCs Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - changed metadata of an Informational Analytics BIOCs First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - changed metadata of an Informational Analytics BIOCs AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - changed metadata of an Informational Analytics BIOCs GCP IAM Role Deletion (e0fe91e0-6179-4a3d-9d71-95144f4ebb25) - changed metadata of an Informational Analytics BIOCs Rare NTLM Access By User To Host (05413bad-3d79-4e9a-9611-3471e3b25da5) - changed metadata of an Informational Analytics BIOCs Azure virtual machine commands execution (6a069681-c378-4b9c-a2e2-0414a64cc36e) - changed metadata of an Informational Analytics BIOCs Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - changed metadata of an Informational Analytics BIOCs GCP IAM Service Account Key Deletion (7a30c221-6450-4c5a-bafc-f6633a5b7f7f) - changed metadata of an Informational Analytics BIOCs User connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - changed metadata of an Informational Analytics BIOCs Rare signature signed executable executed in the network (c3ce1512-5a5b-4dca-8bd7-0d06845311ee) - changed metadata of an Informational Analytics BIOCs Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - changed metadata of an Informational Analytics BIOCs A user cleared their browser's history (8c76ebbd-13ce-4bb0-9f28-d964ea488670) - changed metadata of an Informational Analytics BIOCs Azure Automation Webhook creation (c5393a54-b199-4474-a603-75b276903766) - changed metadata of an Informational Analytics BIOCs GCP Storage Bucket Configuration Modification (d1ad46ca-4412-445a-a0be-17d9b29880d3) - changed metadata of an Informational Analytics BIOCs GCP Service Account Disable (ee82516d-e047-4172-a427-17e30e037706) - changed metadata of an Informational Analytics BIOCs GCP Firewall Rule Modification (780f6209-1829-45e2-9ab9-a22999d6ef6e) - changed metadata of an Informational Analytics BIOCs Suspicious active setup registered (8c293cef-3d98-492d-be14-7bff66877bc7) - changed metadata of an Informational Analytics BIOCs External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - changed metadata of an Informational Analytics BIOCs Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - changed metadata of an Informational Analytics BIOCs MFA device was removed/deactivated from an IAM user (52d74622-2fa5-4eae-b7d0-8eb52e0caaf3) - changed metadata of an Informational Analytics BIOCs VPN access with an abnormal operating system (1adc594f-4a49-4f75-adee-5b72c4dd4e70) - changed metadata of an Informational Analytics BIOCs An AWS RDS Global Cluster Deletion (1b957d24-d4c3-11eb-9122-acde48001122) - changed metadata of an Informational Analytics BIOCs S3 configuration deletion (68ebffe9-ce22-4453-bf44-5cd1affd67a0) - changed metadata of an Informational Analytics BIOCs AWS network ACL rule creation (a04d827e-9c62-4e2e-be28-1308c695446e) - changed metadata of an Informational Analytics BIOCs GCP Pub/Sub Subscription Deletion (12e3bc4a-69f6-4923-932e-0272621aa21a) - changed metadata of an Informational Analytics BIOCs EC2 snapshot attribute has been modification (1c516548-f413-4117-b759-d98d5bec3ed5) - changed metadata of an Informational Analytics BIOCs A user connected a USB storage device to a host for the first time (e3bc7997-3aec-4a0c-abc9-bdf744a34f39) - changed metadata of an Informational Analytics BIOCs Uncommon DotNet module load relationship (56f63574-0ba4-4ad3-bb5d-2f4219f80fbe) - changed metadata of an Informational Analytics BIOCs Rare process execution in organization (8d02294c-21bd-11eb-afd9-acde48001122) - changed metadata of an Informational Analytics BIOCs WebDAV drive mounted from net.exe over HTTPS (233491ca-e954-11e9-90bd-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs GCP Virtual Private Network Route Deletion (db6e96a7-a47a-4ba3-b92c-623713ba3d67) - changed metadata of an Informational Analytics BIOCs GCP Pub/Sub Topic Deletion (2acac71c-6a19-4b2f-a4d3-b95fa4cab768) - changed metadata of an Informational Analytics BIOCs VPN access with a new operating system for a user (0973136b-a66a-4ad1-ad9c-068971bfcbb8) - changed metadata of an Informational Analytics BIOCs GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - changed metadata of an Informational Analytics BIOCs AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - changed metadata of an Informational Analytics BIOCs AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - changed metadata of an Informational Analytics BIOCs GCP Virtual Private Network Route Creation (00e3b67d-2ef2-4341-b017-a6183b7dd8c8) - changed metadata of an Informational Analytics BIOCs Ping to localhost from an uncommon, unsigned parent process (91d8831e-18ed-48b3-a316-f5091d647738) - changed metadata of an Informational Analytics BIOCs Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - changed metadata of an Informational Analytics BIOCs Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - changed metadata of an Informational Analytics BIOCs Rare machine account creation (45d670c2-61d9-11ec-9f91-acde48001122) - changed metadata of an Informational Analytics BIOCs Rare SMTP/S Session (4a634ad4-e954-11e9-b86b-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs First VPN access from ASN in organization (4f94ffc0-6f8c-411b-a0ca-e0fb65ee8a5b) - changed metadata of an Informational Analytics BIOCs Azure Automation Account Creation (878335a8-daf9-4380-a856-9df94a8f9e8d) - changed metadata of an Informational Analytics BIOCs Hidden Attribute was added to a file using attrib.exe (5414fab8-c803-40c5-914a-a601b23acb5a) - changed metadata of an Informational Analytics BIOCs SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - changed metadata of an Informational Analytics BIOCs Service execution via sc.exe (d25d07fa-015c-47a6-a6a0-15ff46020cc5) - changed metadata of an Informational Analytics BIOCs Azure Storage Account key generated (72443a25-c783-494e-adaa-98cd96a54997) - changed metadata of an Informational Analytics BIOCs LOLBAS executable injects into another process (76190f98-9582-9c60-cca0-3ee2e8f0bf15) - changed metadata of an Informational Analytics BIOCs AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - changed metadata of an Informational Analytics BIOCs Copy a process memory file (12785e19-c4ec-499d-a0f6-c6ccad857d35) - changed metadata of an Informational Analytics BIOCs A user created a pfx file for the first time (5ddac38b-51e2-48c4-9fb7-43144bc3a148) - changed metadata of an Informational Analytics BIOCs Azure Automation Runbook Deletion (ba481ed7-9957-489f-a29d-b78f92cc0644) - changed metadata of an Informational Analytics BIOCs First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - changed metadata of an Informational Analytics BIOCs Command execution via wmiexec (797eba35-3ac8-4e84-8dc4-dbe804b9dee3) - changed metadata of an Informational Analytics BIOCs Aurora DB cluster stopped (37242e95-a845-4043-87d6-ad07edfd7c99) - changed metadata of an Informational Analytics BIOCs SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - changed metadata of an Informational Analytics BIOCs Login by a dormant user (0d700470-a3fa-4a78-b1fa-5c1e47db9a60) - changed metadata of an Informational Analytics BIOCs A browser was opened in private mode (9c499a04-883b-4cfe-9c1f-eb1be965a0cc) - changed metadata of an Informational Analytics BIOCs AWS RDS cluster deletion (818dcc3f-c6e9-4ad5-a7ac-633cb75ebe71) - changed metadata of an Informational Analytics BIOCs Uncommon net localgroup execution (4adaa6ba-e954-11e9-b566-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs System profiling WMI query execution (cf32631b-369a-451d-91ca-d2bc5b903363) - changed metadata of an Informational Analytics BIOCs Possible Email collection using Outlook RPC (d79e5210-e386-4bb6-aff9-c33afb3ba9d6) - changed metadata of an Informational Analytics BIOCs User account delegation change (b6c63bd1-8506-11ec-b228-acde48001122) - changed metadata of an Informational Analytics BIOCs IAM User added to an IAM group (440b6ea7-2f9e-4ad1-8443-2586eb796298) - changed metadata of an Informational Analytics BIOCs GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - changed metadata of an Informational Analytics BIOCs AWS config resource deletion (7c992418-9687-44ea-8b12-1c680bf1c901) - changed metadata of an Informational Analytics BIOCs Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol (72931f2e-a43f-4e77-ad81-48c29164017f) - changed metadata of an Informational Analytics BIOCs Uncommon Managed Object Format (MOF) compiler usage (d8069d23-e953-11e9-bb13-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs GCP Storage Bucket Permissions Modification (5ed09b6c-a603-4c5d-8c63-74245e42faed) - changed metadata of an Informational Analytics BIOCs A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) - changed metadata of an Informational Analytics BIOCs Sensitive account password reset attempt (d53de368-576a-11ec-9556-acde48001122) - changed metadata of an Informational Analytics BIOCs Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - changed metadata of an Informational Analytics BIOCs Rare process execution by user (4cf96b80-2278-11eb-9f9a-acde48001122) - changed metadata of an Informational Analytics BIOCs GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - changed metadata of an Informational Analytics BIOCs AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - changed metadata of an Informational Analytics BIOCs Registration of Uncommon .NET Services and/or Assemblies (df0fcd8c-637b-11ea-b635-88e9fe502c1f) - changed metadata of an Informational Analytics BIOCs A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - changed metadata of an Informational Analytics BIOCs PowerShell pfx certificate extraction (1195bbe0-884c-4f4c-b1cf-4c8288cbeffc) - changed metadata of an Informational Analytics BIOCs AWS EC2 instance exported into S3 (c6ad16c5-f2be-46de-9d3b-c44613f46d27) - changed metadata of an Informational Analytics BIOCs Azure Automation Runbook Creation/Modification (abeed5ee-9620-4c31-b751-f090b3a82c37) - changed metadata of an Informational Analytics BIOCs Rare process spawned by srvany.exe (95b2dea2-4531-4eb4-892e-bb6422293ac9) - changed metadata of an Informational Analytics BIOCs Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - changed metadata of an Informational Analytics BIOCs Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - changed metadata of an Informational Analytics BIOCs A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - changed metadata of an Informational Analytics BIOCs Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - changed metadata of an Informational Analytics BIOCs Remote usage of an App engine Service Account token (b5b760e8-8747-11ec-b26b-acde48001122) - changed metadata of an Informational Analytics BIOCs Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - changed metadata of an Informational Analytics BIOCs Unusual weak authentication by user (438a1ba6-98e1-4b02-9c94-76c437fd682d) - changed metadata of an Informational Analytics BIOCs GCP VPC Firewall Rule Deletion (4c47ea31-a67a-4b2f-b88a-154d8aac420b) - changed metadata of an Informational Analytics BIOCs Administrator groups enumerated via LDAP (ab78c189-98f0-4646-b67b-0ce05576ddbf) - changed metadata of an Informational Analytics BIOCs GCP Firewall Rule creation (a84dbd23-67d0-4851-a73a-7dc7430600cf) - changed metadata of an Informational Analytics BIOCs First VPN access attempt from a country in organization (e143bc60-67d0-45e8-b0cb-682ecf82a04d) - changed metadata of an Informational Analytics BIOCs GCP Storage Bucket deletion (d681c6c5-41e7-4042-bd07-7f666889d59c) - changed metadata of an Informational Analytics BIOCs Indicator blocking (fad21a46-1b2c-4308-9b3b-46153e86cf07) - changed metadata of an Informational Analytics BIOCs AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - changed metadata of an Informational Analytics BIOCs GCP Virtual Private Cloud (VPC) Network Deletion (d9158b41-8de9-4f6d-98b0-3155d4deb092) - changed metadata of an Informational Analytics BIOCs Root user logged in to AWS console (447ef512-2b73-4c8e-b0f4-c85415e7659f) - changed metadata of an Informational Analytics BIOCs AWS user creation (242c9abb-1def-4778-ba5e-88817b4dc89f) - changed metadata of an Informational Analytics BIOCs Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - changed metadata of an Informational Analytics BIOCs Uncommon RDP connection (239ae240-e954-11e9-9f0a-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs Signed process performed an unpopular injection (365bfca2-a3e1-4a44-9487-1353903a6c61) - changed metadata of an Informational Analytics BIOCs Added a new Informational Analytics Alert: Multiple user accounts were deleted (a334c4fa-569a-11ec-ad30-acde48001122) - added a new Informational alert Changed metadata of 13 Informational Analytics Alerts: Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - changed metadata of an Informational Analytics Alerts Multiple suspicious user accounts were created (b60687dc-f312-11eb-9f0a-faffc26aac4a) - changed metadata of an Informational Analytics Alerts Uncommon multiple service stop commands (09db6c8f-189e-4e07-b94a-3fe5a188e4b0) - changed metadata of an Informational Analytics Alerts Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - changed metadata of an Informational Analytics Alerts Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - changed metadata of an Informational Analytics Alerts Interactive local account enumeration (d4608074-aafc-49cc-aa04-292c0a87332e) - changed metadata of an Informational Analytics Alerts Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - changed metadata of an Informational Analytics Alerts Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - changed metadata of an Informational Analytics Alerts Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - changed metadata of an Informational Analytics Alerts NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - changed metadata of an Informational Analytics Alerts Possible LDAP enumeration by unsigned process (85c187ec-80d1-464e-ab1e-a9aa5af7f191) - changed metadata of an Informational Analytics Alerts Multiple Rare Process Executions in Organization (3d78f74c-a8f0-11eb-923e-acde48001122) - changed metadata of an Informational Analytics Alerts User collected remote shared files in an archive (de85c5aa-21e8-43d7-af13-3862f787549f) - changed metadata of an Informational Analytics Alerts March 13, 2022 Release: Improved logic of 3 High Analytics BIOCs:  Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOCs Editing ld.so.preload for persistence and injection (135b986b-033a-2cc5-8800-4da034c291fc) - improved logic of a High Analytics BIOCs Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a High Analytics BIOCs Changed metadata of 15 High Analytics BIOCs Improved logic of a High Analytics Alert: Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - improved logic of a High Analytics Alert Changed metadata of a High Analytics Alert: Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - changed metadata of a High Analytics Alert Improved logic of 3 Medium Analytics BIOCs: Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOCs Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - improved logic of a Medium Analytics BIOCs Changed metadata of 85 Medium Analytics BIOCs Added a new Medium Analytics Alert: Suspicious allocation of compute resources in multiple regions - possible mining activity (30f4d71c-a3f7-43b0-82ca-f2951995e420) - added a new Medium alert Improved logic of a Medium Analytics Alert: Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of a Medium Analytics Alert Changed metadata of 9 Medium Analytics Alerts Removed an old Low BIOC: Office process loads a known PowerShell DLL (a088c900-5a69-4230-81c2-eb583abaa54a) - removed an old Low alert Increased the severity to Low for 2 Analytics BIOCs: Suspicious process loads a known PowerShell module (23ac9a23-8a43-4900-95e1-6cdb422dd854) - increased the severity to Low, and improved detection logic Suspicious process accessed certificate files (21df20db-09cb-4bc4-b7ea-c6b1cb2e9667) - increased the severity to Low, and improved detection logic Decreased the severity to Low for an Analytics BIOC: Failed Login For a Long Username With Special Characters (de8eb00f-2016-11ea-8f2b-8c8590c9ccd1) - decreased the severity to Low Improved logic of 12 Low Analytics BIOCs: AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - improved logic of a Low Analytics BIOCs Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - improved logic of a Low Analytics BIOCs An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - improved logic of a Low Analytics BIOCs Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - improved logic of a Low Analytics BIOCs Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - improved logic of a Low Analytics BIOCs GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - improved logic of a Low Analytics BIOCs AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - improved logic of a Low Analytics BIOCs AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - improved logic of a Low Analytics BIOCs AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - improved logic of a Low Analytics BIOCs Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - improved logic of a Low Analytics BIOCs Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - improved logic of a Low Analytics BIOCs Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - improved logic of a Low Analytics BIOCs Changed metadata of 82 Low Analytics BIOCs Removed an old Low Analytics BIOC: A cloud identity executed an API call from an unusual country (19c743b0-99ca-400c-b386-bcc99d846582) - removed an old Low alert Improved logic of a Low Analytics Alert: IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alert Changed metadata of 22 Low Analytics Alerts Added a new Informational BIOC: WSL Feature Installation (73ef4c5f-41da-4e46-8a72-ccb54088f106) - added a new Informational alert Removed an old Informational BIOC: Non-PowerShell process loading a known PowerShell DLL (d2d23fdd-5fcb-4483-a14e-a187e87a58c7) - removed an old Informational alert Decreased the severity to Informational for 2 Analytics BIOCs: User account delegation change (b6c63bd1-8506-11ec-b228-acde48001122) - decreased the severity to Informational, and improved detection logic First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - decreased the severity to Informational, and improved detection logic Improved logic of 68 Informational Analytics BIOCs Changed metadata of 69 Informational Analytics BIOCs Removed an old Informational Analytics BIOC: First cloud API call from a country in organization (575fd23b-30b1-48eb-b94c-c6ef4261e7c1) - removed an old Informational alert Decreased the severity to Informational for an Analytics Alert: TGT reuse from different hosts (pass the ticket) (a3ae81d9-6d4a-45a8-a720-df7380d2afc8) - decreased the severity to Informational Improved logic of 2 Informational Analytics Alerts: Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of an Informational Analytics Alerts Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alerts Changed metadata of 11 Informational Analytics Alerts Removed an old Informational Analytics Alert: Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - removed an old Informational alert   March 7, 2022 Release: Removed an old High BIOC:  Editing ld.so.preload for persistence and injection (9cb193d8-4f01-4c57-b21d-c3211e32fe5e) - removed an old High alert Increased the severity to High for an Analytics BIOC: Editing ld.so.preload for persistence and injection (135b986b-033a-2cc5-8800-4da034c291fc) - increased the severity to High, and improved detection logic  Improved logic of 2 High Analytics BIOCs: Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOCs Unprivileged process opened a registry hive (9937ddbf-beb9-49b0-ac34-e005d53a127b) - improved logic of a High Analytics BIOCs Removed 5 old Medium BIOCs: Suspicious certutil command line (bcf4cd6b-1e7f-4b2c-b538-24dacd1a0421) - removed an old Medium alert Possible Persistence via group policy Registry keys (21ff020b-270f-4579-90ca-9d14638d4c46) - removed an old Medium alert LOLBAS executable injects into another process (c8ad0223-2018-11ea-a080-8c8590c9ccd1) - removed an old Medium alert Encoded information using Windows certificate management tool (ed18908a-2d6a-4d7d-a754-0a8ce32051a1) - removed an old Medium alert Suspicious .NET process loads an MSBuild DLL (5ed99c87-daf2-11ea-93df-faffc26aac4a) - removed an old Medium alert Increased the severity to Medium for 4 Analytics BIOCs: Suspicious certutil command line (eb9c9e41-072d-9975-fba3-d17a1cb39b49) - increased the severity to Medium Suspicious .NET process loads an MSBuild DLL (bb0e8ceb-94e4-888c-92a1-bc9c1b8c481c) - increased the severity to Medium, and improved detection logic Possible Persistence via group policy Registry keys (3b3741b6-1993-0e75-6c33-51152991fa0a) - increased the severity to Medium, and improved detection logic Encoded information using Windows certificate management tool (33d390e1-2091-4a70-0dde-99fe29540b38) - increased the severity to Medium Improved logic of 7 Medium Analytics BIOCs: External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - improved logic of a Medium Analytics BIOCs RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOCs Non-browser failed access to a pastebin-like site (be47eb8c-3407-46d6-ad35-2961f3f669b0) - improved logic of a Medium Analytics BIOCs Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - improved logic of a Medium Analytics BIOCs SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - improved logic of a Medium Analytics BIOCs Changed metadata of a Medium Analytics BIOC: Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - changed metadata of a Medium Analytics BIOC Improved logic of a Medium Analytics Alert: Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of a Medium Analytics Alert Improved logic of 3 Low Analytics BIOCs: Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of a Low Analytics BIOCs Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of a Low Analytics BIOCs Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - improved logic of a Low Analytics BIOCs Added a new Informational BIOC: Execution of WSL Distro (ff4f73d0-8adf-4861-b743-25bd071e6a5a) - added a new Informational alert Decreased the severity to Informational for an Analytics BIOC: Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - decreased the severity to Informational Added a new Informational BIOCs: A browser was opened in private mode (9c499a04-883b-4cfe-9c1f-eb1be965a0cc) - added a new Informational alert Improved logic of 8 Informational Analytics BIOCs: External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - improved logic of an Informational Analytics BIOCs First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - improved logic of an Informational Analytics BIOCs Uncommon DotNet module load relationship (56f63574-0ba4-4ad3-bb5d-2f4219f80fbe) - improved logic of an Informational Analytics BIOCs Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - improved logic of an Informational Analytics BIOCs Rare AppID usage for port to rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs A user cleared their browser's history (8c76ebbd-13ce-4bb0-9f28-d964ea488670) - improved logic of an Informational Analytics BIOCs Possible Email collection using Outlook RPC (d79e5210-e386-4bb6-aff9-c33afb3ba9d6) - improved logic of an Informational Analytics BIOCs Process connecting to default Meterpreter port (9de6cf91-007d-11ea-a77c-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs Changed metadata of an Informational Analytics BIOC: Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - changed metadata of an Informational Analytics BIOC Removed an old Informational Analytics BIOC: Rare LOLBAS executable injects into another process (48374128-3426-47f1-8bbd-08780ab08c60) - removed an old Informational alert
View full article
Detecting and Preventing the Path to a Golden Ticket With Cortex XDR Click below to read the latest blog about XDR protection capabilities for known attack methods with an informative explanation about how Cortex XDR  approaches golden ticket attacks. Cortex XDR Golden Ticket Blog Post    Have a question about it? Post it on the Cortex XDR discussion page  
View full article
SYMPHONY 2022 Watch the instructive sessions on-demand by clicking here: Symphony 2022 Learn more about Cortex XDR  future events by visiting our  event page
View full article
Simplify each step of building an API and streamline collaboration so you can create better APIs faster with Postman.  
View full article
Read this article, written by Cortex XDR experts, to learn how we distinguish ourselves from an SIEM solution.  
View full article
We highly advise Palo Alto Networks customers update to the latest XDR Agent and content version.
View full article
The Cortex XDR August release unifies the Analytics and Investigation and Response apps into a single Cortex XDR app, with a unified and streamlined user interface.
View full article
Here you will find Older Cortex XDR release notes from 2019. Review release notes from April 2019 to December 2019.
View full article
Hunt down and stop stealthy attacks by unifying network, endpoint, and cloud data.
View full article
Top Contributors
Top Liked Authors