New Analytic Stories
- NjRat
- WS FTP Server Critical Vulnerabilities
- JetBrains TeamCity Unauthenticated RCE
New Analytics
- Windows Abused Web Services
- Windows Admin Permission Discovery
- Windows Delete or Modify System Firewall
- Windows Disable or Modify Tools Via Taskkill
- Windows Executable in Loaded Modules
- Windows Njrat Fileless Storage via Registry
- Windows Modify Registry With MD5 Reg Key Name
- Splunk Absolute Path Traversal Using runshellscript
- Splunk DoS Using Malformed SAML Request
- Splunk RCE via Serialized Session Payload
- Splunk Reflected XSS on App Search Table Endpoint
- WS FTP Remote Code Execution
- JetBrains TeamCity RCE Attempt
Updated Analytics
- Windows Replication Through Removable Media
- TOR Traffic
Other Updates
- Updates to the lookup file: splunk_risky_command
- Tagged relevant detections with NjRat Behavior
- Updates to pretrained_dga_model_dsdl.ipynb notebook for better performance
- Several production detections were updated with the correct observables so that they produce accurate risk objects
- Updates to the generator code that creates BA detection files in the latest SPLv2