New Analytic Story
- Azure Active Directory Privilege Escalation
- PaperCut MF NG Vulnerability
- Snake Malware
- Windows BootKits
Updated Analytic Story
- Data Exfiltration
- Suspicious AWS S3 Activities
New Analytics
- AWS AMI Attribute Modification for Exfiltration
- AWS Disable Bucket Versioning
- AWS EC2 Snapshot Shared Externally
- AWS Exfiltration via Anomalous GetObject API Activity
- AWS Exfiltration via Batch Service
- AWS Exfiltration via Bucket Replication
- AWS Exfiltration via DataSync Task
- AWS Exfiltration via EC2 Snapshot
- AWS S3 Exfiltration Behavior Identified
- Azure AD Application Administrator Role Assigned
- Azure AD Global Administrator Role Assigned
- Azure AD PIM Role Assigned
- Azure AD PIM Role Assignment Activated
- Azure AD Privileged Authentication Administrator Role Assigned
- Azure AD Privileged Role Assigned to Service Principal
- Azure AD Service Principal Owner Added
- PaperCut Remote Web Access Attempt
- PaperCut Suspicious Behavior Debug Log
- Windows PaperCut Spawn Shell
- Windows Registry Bootexecute Modification
- Windows Snake Malware File Modification Crmlog
- Windows Snake Malware Kernel Driver Comadmin
- Windows Snake Malware Registry Modification wav OpenWithProgIds
- Windows Snake Malware Service Create
- Windows Winlogon with Public Network Connection
Other Updates
- Updated several detection analytics to stop using the join command, which improves search performance.
- Added improvements for BA detections and the conversion tool, and added OCSF fields.