New Analytic Story
- Warzone RAT
New Analytics
- Windows Bypass UAC via Pkgmgr Tool
- Windows Mark Of The Web Bypass
- Windows Modify Registry MaxConnectionPerServer
- Windows Unsigned DLL Side-Loading
- Detect Certify Command Line Arguments (External Contributor @nterl0k )
- Detect Certify With PowerShell Script Block Logging (External Contributor @nterl0k )
- Windows Steal Authentication Certificates - ESC1 Authentication (External Contributor @nterl0k )
- Windows Suspect Process With Authentication Traffic (External Contributor @nterl0k )
Updated Analytics
- Azure AD Global Administrator Role Assigned
- Azure AD Multiple Users Failing To Authenticate From Ip
- Azure AD Service Principal Owner Added
- Azure AD Unusual Number of Failed Authentications From Ip
- Azure AD Service Principal Created
- Azure AD Privileged Role Assigned
- Azure AD Privileged Authentication Administrator Role Assigned
- Azure AD Application Administrator Role Assigned
- Azure AD Multi-Factor Authentication Disabled
- Azure AD External Guest User Invited
- Azure AD User Enabled And Password Reset
- Azure AD Service Principal New Client Credentials
- Azure AD New Federated Domain Added
- Azure AD New Custom Domain Added
- Azure AD Successful Single-Factor Authentication
- Azure AD Authentication Failed During MFA Challenge
- Azure AD Successful PowerShell Authentication
- Azure AD Multiple Failed MFA Requests For User
- Azure AD User ImmutableId Attribute Updated
- Azure Active Directory High Risk Sign-in
- Unusually Long Command Line
- Suspicious Copy on System32
New Playbooks
- AD LDAP Account Unlocking
- AWS IAM Account Unlocking
- Azure AD Account Unlocking
- Active Directory Enable Account Dispatch
Updated Playbook
- Active Directory Disable Account Dispatch
Other Updates
- Updated several detections for better output and risk objects