New Detections
- Ryuk Test Files Detected
- Windows connhost exe started forcefully
- Windows DisableAntiSpyware Registry
- Windows Security Account Manager Stopped
Updates
- Attempt To Set Default PowerShell Execution Policy To Unrestricted or Bypass detection
- Detect Deleting of Shadow Copies
- Detect Excessive Account Lockouts From Endpoint
- Detect mshta exe running scripts in command-line arguments
- Detect newly created accounts that have been elevated
- Detect Windows event log cleared
- Detect Attempt To Add Certificate To Untrusted Store
- Detect Attempted credentials dump from registry via reg exe
- Detect Attempted creation_of_shadow_copy_with_wmic_and_powershell.yml
- Detect Path Interception By Creation Of program exe
- Detect malicious powershell process encoded_command
- Common Ransomware Extensions (The search looks for file modifications with extensions commonly used)
- Common Ransomware Notes (The search looks for files created with names matching those typically used in ransomware notes that tell the victim how to get their data back.)
Other
- Circle CI Config updates
- Increase in testing coverage
NOTE we updated how we version our releases hence the jump from 3.0.8 to 3.8.1 and then 3.9.0 see this wiki page for details