New Analytic Story
- Azure Active Directory Persistence
- Brute Ratel C4
- CISA AA22-257A
New Analytics
- Azure AD External Guest User Invited
- Azure AD Global Administrator Role Assigned
- Azure AD Multiple Failed MFA Requests For User
- Azure AD New Custom Domain Added
- Azure AD New Federated Domain Added
- Azure AD Privileged Role Assigned
- Azure AD Service Principal Created
- Azure AD Service Principal Credentials Added
- Azure AD Service Principal Owner Added
- Azure AD User Enabled And Password Reset
- Azure AD User ImmutableId Attribute Updated
- Azure Automation Account Created
- Azure Automation Runbook Created
- Azure Runbook Webhook Created
- Windows Access Token Manipulation SeDebugPrivilege
- Windows Access Token Manipulation Winlogon Duplicate Token Handle
- Windows Access Token Winlogon Duplicate Handle In Uncommon Path
- Windows Defacement Modify Transcodedwallpaper File
- Windows Event Triggered Image File Execution Options Injection
- Windows Gather Victim Identity SAM Info
- Windows Hijack Execution Flow Version Dll Side Load
- Windows Input Capture Using Credential UI Dll
- Windows Phishing Recent ISO Exec Registry
- Windows Process Injection With Public Source Path
- Windows Protocol Tunneling with Plink
- Windows Remote Access Software BRC4 Loaded Dll
- Windows Service Deletion In Registry
- Windows System Binary Proxy Execution Compiled HTML File Decompile
Updated Analytics
- AdsiSearcher Account Discovery
- Get ADUser with PowerShell Script Block (Thanks to @TheLawsOfChaos)
- Get DomainUser with PowerShell Script Block (Thanks to @TheLawsOfChaos)
- High Process Termination Frequency
- Linux Persistence and Privilege Escalation Risk Behavior
- Living Off The Land
- Log4Shell CVE-2021-44228 Exploitation
- Recursive Delete of Directory In Batch CMD (Thanks to @TheLawsOfChaos)
- Remote Process Instantiation via WMI and PowerShell Script Block (Thanks to @TheLawsOfChaos)
- Svchost LOLBAS Execution Process Spawn (Thanks to @swe)
New BA Analytics
- Windows Execute Arbitrary Commands with MSDT
- Windows Ingress Tool Transfer Using Explorer
- Windows Odbcconf Load Response File
- Windows OS Credential Dumping with Ntdsutil Export NTDS
- Windows OS Credential Dumping with Procdump
- Windows System Binary Proxy Execution Compiled HTML File Decompile
- Windows System Binary Proxy Execution Compiled HTML File URL In Command Line
- Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers
- Windows System Binary Proxy Execution MSIExec DLLRegisterServer
- Windows System Binary Proxy Execution MSIExec Remote Download
- Windows System Binary Proxy Execution MSIExec Unregister DLL
BA Updates
- Tagged several BA analytics with the Insider Threat and Information Sabotage analytic stories
Other updates
Correlation type searches have a new set of behaviors:
- The action.notable.param.rule_title is now prefixed with “RBA:”, for example “RBA: Living Off The Land”
- The action.correlationsearch.label is now updated to reflect “ESCU - RIR - <rule_name> - Rule”, for example: “ESCU - RIR - Living Off The Land - Rule”
- The action.risk, action.risk.param.* fields have been removed to avoid a circular loop of increasing risk scores.