Key highlights
Enterprise Security Content Updates version 4.33.0 adds a new detection, CrushFTP Server Side Template Injection. This detection highlights any attempts to exploit CVE-2024-4040, a critical vulnerability that allows unauthenticated remote attackers to run arbitrary code and bypass authentication in CrushFTP versions before 10.7.1 and 11.1.0.
Additionally, this release updates the detection logic of several analytics that use lookups. The order of operations in the SPL is changed so that the lookup command runs after the stats command, which means values are looked up for the aggregated result rows rather than for every raw event. Thus, in a distributed environment, lookups don't need to be replicated to the search peers, and search performance improves slightly in all environments because fewer rows are looked up.
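The reordering described above, shown as an added example that is not one of the ESCU analytics themselves. The index, sourcetype, lookup name (`example_asset_lookup`) and field names (`host`, `owner`) are assumed for illustration. The first search is the old shape, where the lookup enriches every matching event before aggregation; the second is the new shape, where aggregation happens first and the lookup enriches only the resulting rows:

```spl
index=example sourcetype=example:events
| lookup example_asset_lookup host OUTPUT owner
| stats count AS event_count BY host owner

index=example sourcetype=example:events
| stats count AS event_count BY host
| lookup example_asset_lookup host OUTPUT owner
```

Two things to check when applying this pattern to your own searches: the lookup's key field (`host` here) must survive the `stats` command, so it has to appear in the `BY` clause, and any filter on a looked-up field (for example `| where owner="finance"`) has to move after the lookup, since that field does not exist until the lookup has run.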
New Analytic Story - [1]
New Analytics - [1]
Updated Analytics - [12]
- Azure AD Privileged Role Assigned
- Azure AD Privileged Role Assigned to Service Principal
- Kubernetes Nginx Ingress LFI
- Windows AppLocker Block Events
- Windows Credential Access From Browser Password Store
- Windows Defender ASR Audit Events
- Windows Defender ASR Block Events
- Windows Defender ASR Registry Modification
- Windows Defender ASR Rule Disabled
- Windows Defender ASR Rules Stacking
- Windows AppLocker Privilege Escalation via Unauthorized Bypass
- Windows Domain Admin Impersonation Indicator
Other Updates
- Updated descriptions for 80+ analytics to have a consistent standard and formatting.