New Analytic Stories
- Azorult
- Windows System Binary Proxy Execution MSIExec
New Analytics
- Detect Risky SPL using Pretrained ML Model
- Living Off The Land (New Search type: RBA)
- Windows Application Layer Protocol RMS Radmin Tool Namedpipe
- Windows Binary Proxy Execution Mavinject DLL Injection
- Windows Gather Victim Network Info Through Ip Check Web Services
- Windows Identify Protocol Handlers
- Windows Impair Defense Add Xml Applocker Rules
- Windows Impair Defense Deny Security Software With Applocker
- Windows Modify Registry Disable Toast Notifications
- Windows Modify Registry Disable Win Defender Raw Write Notif
- Windows Modify Registry Disable Windows Security Center Notif
- Windows Modify Registry Disabling WER Settings
- Windows Modify Registry DisAllow Windows App
- Windows Modify Registry Regedit Silent Reg Import
- Windows Modify Registry Suppress Win Defender Notif
- Windows MOF Event Triggered Execution via WMI
- Windows Odbcconf Hunting
- Windows Odbcconf Load DLL
- Windows Odbcconf Load Response File
- Windows Powershell Import Applocker Policy
- Windows Remote Access Software RMS Registry
- Windows Remote Service Rdpwinst Tool Execution
- Windows Remote Services Allow Rdp In Firewall
- Windows Remote Services Allow Remote Assistance
- Windows Remote Services Rdp Enable
- Windows Service Stop By Deletion
- Windows Valid Account With Never Expires Password
Updated Analytics
- Allow Inbound Traffic By Firewall Rule Registry
- Cobalt Strike Named Pipes
- Office Product Writing cab or inf
- Powershell Disable Security Monitoring
- Suspicious Image Creation In Appdata Folder
New BA Analytics
- Windows Defender Tools in Non Standard Path
BA Updates
- Windows LOLBin Binary in Non Standard Path (Note: removed mpcmdrun.exe, as the required path filters are too broad to include in this detection)
Other Updates
- Updated all EventCode 4104 (PowerShell Script Block Logging) analytics and their corresponding attack datasets to use the XML log format
- Added providing technologies to populate Recommended Data Sources in the Use Case Library in Enterprise Security
- Updated lookup typo: security_services.csv
- Several updates to the contentctl_project and docker_detection_testing backend tooling
- Updated Splunk app baseline to test against the latest TAs
- Deprecated: GCP GCR container uploaded
- New container uploaded to AWS ECR