New Analytic Story
- Hermetic Wiper
- Living Off The Land
- Data Destruction
- Network Discovery
- Active Directory Kerberos Attacks
New Analytics
- Windows Modify Show Compress Color And Info Tip Registry
- AWS Lambda UpdateFunctionCode
- Windows Disable Memory Crash Dump
- Windows File Without Extension In Critical Folder
- Windows Raw Access To Disk Volume Partition
- Windows Event For Service Disabled
- Windows Excessive Disabled Services Event
- Windows Process With NamedPipe CommandLine
- Windows Raw Access To Master Boot Record Drive
- Windows Service Creation Using Registry Entry
- Windows WMI Process Call Create
- Windows Diskshadow Proxy Execution
- Linux DD File Overwrite
- Linux System Network Discovery
- Kerberoasting spn request with RC4 encryption
- Mimikatz PassTheTicket CommandLine Parameters
- Rubeus Command Line Parameters
- Rubeus Kerberos Ticket Exports Through Winlogon Access
- Unusual Number of Kerberos Service Tickets Requested
- Disabled Kerberos Pre-Authentication Discovery With PowerView
- Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
- Kerberos Pre-Authentication Flag Disabled in UserAccountControl
- Kerberos Pre-Authentication Flag Disabled with PowerShell
Updated Analytics
- O365 Excessive Authentication Failures Alert (thanks to @schwedenmut)
- Excessive number of distinct processes created in Windows Temp folder (Issue #1526)
- Scheduled Task Deleted Or Created via
- Windows High File Deletion Frequency
- Linux At Application Execution
New BA Analytics
- Windows Eventvwr UAC Bypass
- Windows MSHTA Command-Line URL
- Windows Rundll32 Inline HTA Execution
- Windows MSHTA Inline HTA Execution
- Windows MSHTA Child Process
- TCP Command and Scripting Interpreter Outbound LDAP Traffic
- Windows Diskshadow Proxy Execution
- Windows Rasautou DLL Execution
- Windows Bits Job Persistence
- Windows Bitsadmin Download File
- Windows PowerShell Start-BitsTransfer
- Windows CertUtil URLCache Download
- Windows CertUtil VerifyCtl Download
- Windows CertUtil Decode File
- Windows WSReset UAC Bypass (experimental)
Updated BA Analytics
- Unusual Volume of Data Download from Internal Server Per Entity (experimental)
- Detect Prohibited Applications Spawning cmd exe
Other ESCU updates
- Updated lookups/ransomware_extensions.csv
- Updated functions in several playbooks and added a new type field in the ymls
- Updated detection testing CI job to report failure when the testing fails
- Updated the Application Baseline that we use for CI/CD in GitHub Actions for detection-testing