New Analytic Story
- CVE-2022-40684 Fortinet Appliance Auth bypass
- GCP Account Takeover
- Qakbot
- Text4Shell CVE-2022-42889
Updated Analytic Story
- Splunk Vulnerabilities - Updated for the November 2, 2022 Splunk release; refer to that release's security advisories for more information
New Analytics
- Exploit Public Facing Application via Apache Commons Text
- Fortinet Appliance Auth bypass
- GCP Authentication Failed During MFA Challenge
- GCP Multi-Factor Authentication Disabled
- GCP Multiple Failed MFA Requests For User
- GCP Multiple Users Failing To Authenticate From Ip
- GCP Successful Single-Factor Authentication
- GCP Unusual Number of Failed Authentications From Ip
- Splunk Code Injection via custom dashboard leading to RCE
- Splunk Data exfiltration from Analytics Workspace using sid query
- Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature
- Splunk Reflected XSS in the templates lists radio
- Splunk Stored XSS via Data Model objectName field
- Splunk XSS in Save table dialog header in search page
- Windows App Layer Protocol Wermgr Connect To NamedPipe
- Windows Command Shell Fetch Env Variables
- Windows DLL Side-Loading In Calc
- Windows DLL Side-Loading Process Child Of Calc
- Windows Masquerading Explorer As Child Process
- Windows Modify Registry Qakbot Binary Data Registry
- Windows Process Injection Of Wermgr to Known Browser
- Windows Process Injection Remote Thread
- Windows Process Injection Wermgr Child Process
- Windows Regsvr32 Renamed Binary
- Windows System Discovery Using ldap Nslookup
- Windows System Discovery Using Qwinsta
- Windows WMI Impersonate Token
New BA Analytics
- Office Product Spawning Windows Script Host
- Windows COM Hijacking InprocServer32 Modification
- Windows Exchange PowerShell Module Usage
Other updates
- Added a data_schema tag that records which CIM/OCSF schema version a detection is written against
- Updated the bug report template so that filed GitHub Issues are better structured