Key highlights
Enterprise Security Content Update version 4.38.0 introduces new detections focusing on Windows endpoints and Office 365, with specific attention to identity and access management weaknesses. This version also includes detections that identify unusual NTLM authentication patterns. A number of new detections are included for Crowdstrike environments to identify weak password policies, detect duplicate passwords among users and administrators, assess identity risk at various severity levels, and detect privilege escalation attempts by non-administrative accounts. For Office 365 environments, this update includes detections that monitor cross-tenant access changes, external guest invitations, changes to external identity policies, and privileged role assignments. Finally, two new analytic stories are included to help detect compromised Windows hosts and activity linked to the Handala Wiper malware.
New Analytic Story - [2]
Updated Analytic Story - [1]
New Analytics - [20]
- Crowdstrike Admin Weak Password Policy
- Crowdstrike Admin With Duplicate Password
- Crowdstrike High Identity Risk Severity
- Crowdstrike Medium Identity Risk Severity
- Crowdstrike Medium Severity Alert
- Crowdstrike Multiple LOW Severity Alerts
- Crowdstrike Privilege Escalation For Non-Admin User
- Crowdstrike User Weak Password Policy
- Crowdstrike User with Duplicate Password
- O365 Application Available To Other Tenants
- O365 Cross-Tenant Access Change
- O365 External Guest User Invited
- O365 External Identity Policy Changed
- O365 Privileged Role Assigned To Service Principal
- O365 Privileged Role Assigned
- Windows Multiple NTLM Null Domain Authentications
- Windows Unusual NTLM Authentication Destinations By Source
- Windows Unusual NTLM Authentication Destinations By User
- Windows Unusual NTLM Authentication Users By Destination
- Windows Unusual NTLM Authentication Users By Source
Updated Analytics - [13]
- Detect Regasm Spawning a Process
- Detect Regasm with Network Connection
- Detect Regasm with no Command Line Arguments
- Executables Or Script Creation In Suspicious Path
- Internal Horizontal Port Scan
- Linux c99 Privilege Escalation
- Powershell Windows Defender Exclusion Commands
- Suspicious Process File Path
- Windows AutoIt3 Execution
- Windows Data Destruction Recursive Exec Files Deletion
- Windows Gather Victim Network Info Through Ip Check Web Services
- Windows High File Deletion Frequency
- Windows Vulnerable Driver Installed
Macros Added - [3]
- crowdstrike_identities
- crowdstrike_stream
- ntlm_audit
Macros Updated - [1]
- linux_hosts
Lookups Updated - [1]
- privileged_azure_ad_roles
Other Updates
- Added new data_source objects
- Changed TA names in data sources to match the names in Splunk
- Updated TA versions to match the latest releases (new check in contentctl)
- Added configuration file to Sysmon and Windows Event Code 4688
- Updated analytic story on detections for Handala Wiper