New Analytic Story
- CISA AA22-277A
- ProxyNotShell
New Analytics
- AWS Console Login Failed During MFA Challenge
- AWS Multi-Factor Authentication Disabled
- AWS Multiple Failed MFA Requests For User
- AWS Successful Single-Factor Authentication
- Detect Exchange Web Shell
- ProxyShell ProxyNotShell Behavior Detected
- Windows Create Local Account
- Windows Exchange Autodiscover SSRF Abuse (Thank you Nathaniel Stearns!)
- Windows Mshta Execution In Registry
Updated Analytics
- Detect SharpHound File Modifications
- Exchange PowerShell Abuse via SSRF
- Exchange PowerShell Module Usage
- Unified Messaging Service Spawning a Process
New BA Analytics
- Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path
- Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path
- Windows Rename System Utilities Advpack dll LOLBAS in Non Standard
- Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path
- Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path
- Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path
- Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path
- Windows Rename System Utilities At exe LOLBAS in Non Standard Path
- Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path
Other updates
- Added a new tool
lolbas_enrichment.pywhen executed builds a csv of all the lolbas paths: ./lolbas_file_path.csv and auto generated the BA detection with the latest lolbas paths: ./ssa___windows_lolbin_binary_in_non_standard_path.yml and its required supporting testing artifacts. - Updated Attacker Tools lookup with Mimikatz and Advanced IP Scanner