Release notes for ESCU v4.24.0
New Analytics Story
Updated Analytics Story
New Analytics
- Azure AD Admin Consent Bypassed by Service Principal
- Azure AD FullAccessAsApp Permission Assigned
- Azure AD Multiple Service Principals Created by SP
- Azure AD Multiple Service Principals Created by User
- Azure AD Privileged Graph API Permission Assigned
- Azure AD Service Principal Authentication
- O365 Admin Consent Bypassed by Service Principal
- O365 FullAccessAsApp Permission Assigned
- O365 Multiple Mailboxes Accessed via API
- O365 Multiple Service Principals Created by SP
- O365 Multiple Service Principals Created by User
- O365 OAuth App Mailbox Access via EWS
- O365 OAuth App Mailbox Access via Graph API
- O365 Privileged Graph API Permission Assigned
- Network Traffic to Active Directory Web Services Protocol
- Windows Privilege Escalation Suspicious Process Elevation
- Windows Privilege Escalation System Process Without System Parent
- Windows Privilege Escalation User Process Spawn System Process
- Windows SOAPHound Binary Execution
- Ivanti Connect Secure SSRF in SAML Component
Updated Analytics
- Splunk unnecessary file extensions allowed by lookup table uploads
- Azure AD High Number Of Failed Authentications From Ip
- Azure AD Multi-Source Failed Authentications Spike
- Azure AD Privileged Role Assigned
- Azure AD Privileged Role Assigned to Service Principal
- Azure AD Service Principal Created
- Azure AD Service Principal New Client Credentials
- Azure AD Service Principal Owner Added
- Azure AD Tenant Wide Admin Consent Granted
- O365 Added Service Principal
- O365 Application Registration Owner Added
- O365 ApplicationImpersonation Role Assigned
- O365 Mailbox Inbox Folder Shared with All Users
- O365 Mailbox Read Access Granted to Application
- O365 Multi-Source Failed Authentications Spike
- O365 Multiple Users Failing To Authenticate From Ip
- O365 Service Principal New Client Credentials
- O365 Suspicious Admin Email Forwarding
- O365 Suspicious Rights Delegation
- O365 Suspicious User Email Forwarding
- O365 Tenant Wide Admin Consent Granted
- Correlation by Repository and Risk
- Correlation by User and Risk
- Any Powershell DownloadFile
- Any Powershell DownloadString
- Attacker Tools On Endpoint
- Create local admin accounts using net exe
- Create Remote Thread In Shell Application
- Creation of Shadow Copy
- Detect Certify Command Line Arguments
- Detect Certify With PowerShell Script Block Logging
- Detect Excessive Account Lockouts From Endpoint
- Detect New Local Admin account
- Detect Regasm with Network Connection
- Detect Regsvcs with Network Connection
- Detect Use of cmd exe to Launch Script Interpreters
- Disable Show Hidden Files
- Disable Windows SmartScreen Protection
- Disabling ControlPanel
- Disabling SystemRestore In Registry
- Download Files Using Telegram
- Elevated Group Discovery with PowerView
- Executable File Written in Administrative SMB Share
- Executables Or Script Creation In Suspicious Path
- Execute Javascript With Jscript COM CLSID
- Execution of File with Multiple Extensions
- Extraction of Registry Hives
- Hiding Files And Directories With Attrib exe
- Linux Account Manipulation Of SSH Config and Keys
- Linux Deletion Of Cron Jobs
- Linux Deletion Of Init Daemon Script
- Linux Deletion Of Services
- Linux Deletion of SSL Certificate
- Linux High Frequency Of File Deletion In Boot Folder
- Linux High Frequency Of File Deletion In Etc Folder
- MacOS LOLbin
- MacOS plutil
- Network Discovery Using Route Windows App
- Non Chrome Process Accessing Chrome Default Dir
- Non Firefox Process Access Firefox Profile Dir
- Overwriting Accessibility Binaries
- PowerShell - Connect To Internet With Hidden Window
- Rundll32 Process Creating Exe Dll Files
- Scheduled Task Deleted Or Created via CMD
- Schtasks scheduling job on remote system
- Spoolsv Spawning Rundll32
- Spoolsv Writing a DLL
- Spoolsv Writing a DLL - Sysmon
- Suspicious Driver Loaded Path
- Suspicious mshta child process
- Suspicious Process DNS Query Known Abuse Web Services
- Suspicious Process File Path
- System Processes Run From Unexpected Locations
- Trickbot Named Pipe
- Windows Account Discovery for None Disable User Account
- Windows AD Replication Request Initiated by User Account
- Windows AD Replication Request Initiated from Unsanctioned Location
- Windows Admin Permission Discovery
- Windows Alternate DataStream - Base64 Content
- Windows Alternate DataStream - Executable Content
- Windows Credentials from Password Stores Chrome Extension Access
- Windows Credentials from Password Stores Chrome LocalState Access
- Windows Credentials from Password Stores Chrome Login Data Access
- Windows Gather Victim Network Info Through Ip Check Web Services
- Windows Process Injection Remote Thread
- Windows Registry Payload Injection
- Windows Replication Through Removable Media
- Windows Rundll32 WebDav With Network Connection
- Windows Scheduled Task Created Via XML
- Windows Scheduled Task Service Spawned Shell
- Windows Security Account Manager Stopped
- Windows Suspect Process With Authentication Traffic
- Windows UAC Bypass Suspicious Child Process
- Windows UAC Bypass Suspicious Escalation Behavior
- Windows WinLogon with Public Network Connection
- WinEvent Scheduled Task Created Within Public Path
- Detect DGA domains using pretrained model in DSDL
- DNS Query Length With High Standard Deviation
- Multiple Archive Files Http Post Traffic
- Plain HTTP POST Exfiltrated Data