New Analytic Stories
- IcedID
New Analytics
- Attacker Tools On Endpoint
- SAM Database File Access Attempt
- Detect shared ec2 snapshot
- CHCP Command Execution
- Create Remote Thread In Shell Application
- Drop IcedID License dat
- IcedID Exfiltrated Archived File Creation
- Office Application Spawn Regsvr32 process
- Rundll32 Create Remote Thread To A Process
- Rundll32 CreateRemoteThread In Browser
- Rundll32 DNSQuery
- Rundll32 Process Creating Exe Dll Files
- Sqlite Module In Temp Folder
- Suspicious IcedID Regsvr32 Cmdline
- Suspicious IcedID Rundll32 Cmdline
- Suspicious Rundll32 PluginInit
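Two of the new IcedID analytics above, "Office Application Spawn Regsvr32 process" and "Suspicious Rundll32 PluginInit", are parent/child and command-line checks over endpoint process-creation telemetry. The block below is an added illustration of that kind of logic run over a few constructed Sysmon-style events; it is not the project's own SPL, and the set of Office parent images, the event field names (`parent_image`, `image`, `command_line`, `pid`) and the exact match conditions are assumptions made for the example.

```python
"""Toy versions of two of the IcedID process-creation analytics listed above.

Constructed example. The match logic (parent/child image names and the rundll32
'<dll>,<export>' argument) is an assumption about what such rules check, not the
project's own searches.
"""
import ntpath

# Assumed set of Office parent images for "Office Application Spawn Regsvr32 process".
OFFICE_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "msaccess.exe", "onenote.exe", "visio.exe",
}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS via ntpath)."""
    return ntpath.basename(path).lower()


def office_spawn_regsvr32(event: dict) -> bool:
    """Fire when an Office application is the direct parent of regsvr32.exe."""
    return (_basename(event.get("parent_image", "")) in OFFICE_PARENTS
            and _basename(event.get("image", "")) == "regsvr32.exe")


def rundll32_plugininit(event: dict) -> bool:
    """Fire when rundll32.exe is told to call a DLL export named PluginInit.

    rundll32 takes '<dll>,<entrypoint>' as its first argument, so the export name
    is whatever follows the comma; PluginInit is the export the analytic name refers to.
    """
    if _basename(event.get("image", "")) != "rundll32.exe":
        return False
    for token in event.get("command_line", "").split()[1:]:
        _dll, sep, export = token.partition(",")
        if sep and export.strip('"').lower() == "plugininit":
            return True
    return False


def run_detections(events):
    """Return (rule name, pid) for every event that trips one of the toy rules."""
    hits = []
    for ev in events:
        if office_spawn_regsvr32(ev):
            hits.append(("Office Application Spawn Regsvr32 process", ev["pid"]))
        if rundll32_plugininit(ev):
            hits.append(("Suspicious Rundll32 PluginInit", ev["pid"]))
    return hits


# Constructed sample events (field names are assumed, not a real data model).
SAMPLE_EVENTS = [
    {"pid": 4120,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\invoice.dll"},
    {"pid": 4133,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\alice\AppData\Roaming\update.dll,PluginInit"},
    {"pid": 4150,  # benign: regsvr32 from explorer, not an Office parent
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe /s C:\Windows\System32\legit.dll"},
    {"pid": 4160,  # benign: rundll32 with a different export
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for rule, pid in run_detections(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

In a real deployment the parent/child join is done on process GUIDs rather than image names, and both rules need tuning (for example, excluding signed vendor DLLs that Office add-ins legitimately register) before they feed the Risk Analysis Framework.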
Updated Analytics
- Detect New Open S3 Buckets over AWS CLI (thank you @BlackB0lt)
- Detect processes used for System Network Configuration Discovery (thank you @BlackB0lt)
- Revil Common Exec Parameter (thank you @BlackB0lt)
- DNS Query Length With High Standard Deviation (thank you @sec-researcher)
- AWS CreateAccessKey
- AWS UpdateLoginProfile
- AWS CreateLoginProfile
- Detect New Open S3 buckets
- Detect New Open S3 Buckets over AWS CLI
- O365 Bypass MFA via Trusted IP
- Recon AVProduct Through Pwh or WMI
Other Updates
- Added new tags to support multi-risk entities and threat objects in the Risk Analysis Framework
- Updated dashboards to use version=1.1