STRT is excited to welcome @nasbench to the team! Congrats on your first of many PRs! #3213

Release notes - v4.44.0

Total New and Updated Content: [357]

Key highlights

• Windows Defender: Two new analytics now surface and summarize alerts from Microsoft Defender Advanced Threat Protection (ATP) as well as Microsoft Defender O365 Incidents.
• BitLockerToGo Abuse: Two new analytics search for use of the legitimate BitLockerToGo.exe Windows utility. This application has been abused by the Lumma Stealer malware to manipulate registry keys, search for cryptocurrency wallets or credentials, and exfiltrate sensitive data.
• VaultCLI Usage: One new analytic flags suspicious usage of the VaultCLI.dll, a technique observed by Information-Stealing Malware such as Meduza. This DLL allows processes to extract sensitive credentials from the Windows Credential Vault.
• Windows RDP Activities: Two new analytics look for potentially suspicious Windows RDP activities.
• Windows RunMRU Modifications: One analytic monitors changes to the RunMRU registry key. This key, which stores a history of commands executed via the windows Run dialog box, may capture commands run by malware attempting to appear legitimate.

New Analytic Story - [3]

• Lumma Stealer
• Meduza Stealer
• PXA Stealer

New Analytics - [8]

• Microsoft Defender ATP Alerts
• Microsoft Defender Incident Alerts
• Windows BitLockerToGo Process Execution
• Windows BitLockerToGo with Network Activity
• Windows Credentials Access via VaultCli Module
• Windows RDP File Execution
• Windows RDPClient Connection Sequence Events
• Windows RunMRU Command Execution

Updated Analytics - [261]

• 7zip CommandLine To SMB Share Path
• Active Setup Registry Autostart
• Add DefaultUser And Password In Registry
• Add or Set Windows Defender Exclusion
• Allow Inbound Traffic By Firewall Rule Registry
• Allow Operation with Consent Admin
• Any Powershell DownloadFile
• Attacker Tools On Endpoint
• Attempted Credential Dump From Registry via Reg exe
• Auto Admin Logon Registry Entry
• BCDEdit Failure Recovery Modification
• Batch File Write to System32
• CMD Echo Pipe - Escalation
• CertUtil Download With URLCache and Split Arguments
• CertUtil Download With VerifyCtl and Split Arguments
• Certutil exe certificate extraction
• Clear Unallocated Sector Using Cipher App
• Clop Common Exec Parameter
• Clop Ransomware Known Service Name
• ConnectWise ScreenConnect Path Traversal Windows SACL
• Conti Common Exec parameter
• Control Loading from World Writable Directory
• Create Remote Thread In Shell Application
• Create local admin accounts using net exe
• Creation of Shadow Copy with wmic and powershell
• Creation of Shadow Copy
• Credential Dumping via Copy Command from Shadow Copy
• Credential Dumping via Symlink to Shadow Copy
• Curl Download and Bash Execution
• DNS Exfiltration Using Nslookup App
• DSQuery Domain Discovery
• Deleting Shadow Copies
• Detect AzureHound Command-Line Arguments
• Detect Certify Command Line Arguments
• Detect Distributed Password Spray Attempts
• Detect Exchange Web Shell
• Detect HTML Help Spawn Child Process
• Detect HTML Help URL in Command Line
• Detect HTML Help Using InfoTech Storage Handlers
• Detect MSHTA Url in Command Line
• Detect Password Spray Attempts
• Detect Regasm Spawning a Process
• Detect Regsvcs Spawning a Process
• Detect Regsvr32 Application Control Bypass
• Detect Rundll32 Application Control Bypass - advpack
• Detect Rundll32 Application Control Bypass - setupapi
• Detect Rundll32 Application Control Bypass - syssetup
• Detect Webshell Exploit Behavior
• Detect mshta inline hta execution
• Disable AMSI Through Registry
• Disable Defender AntiVirus Registry
• Disable Defender BlockAtFirstSeen Feature
• Disable Defender Enhanced Notification
• Disable Defender MpEngine Registry
• Disable Defender Spynet Reporting
• Disable Defender Submit Samples Consent Feature
• Disable ETW Through Registry
• Disable Logs Using WevtUtil
• Disable Registry Tool
• Disable Security Logs Using MiniNt Registry
• Disable Show Hidden Files
• Disable UAC Remote Restriction
• Disable Windows App Hotkeys
• Disable Windows Behavior Monitoring
• Disable Windows SmartScreen Protection
• Disabling CMD Application
• Disabling ControlPanel
• Disabling Defender Services
• Disabling FolderOptions Windows Feature
• Disabling NoRun Windows App
• Disabling SystemRestore In Registry
• Disabling Task Manager
• Domain Controller Discovery with Nltest
• Domain Group Discovery With Net
• Domain Group Discovery With Wmic
• Dump LSASS via comsvcs DLL
• Dump LSASS via procdump
• ETW Registry Disabled
• Elevated Group Discovery With Net
• Enable RDP In Other Port Number
• Enable WDigest UseLogonCredential Registry
• Enumerate Users Local Group Using Telegram
• Excel Spawning PowerShell
• Excel Spawning Windows Script Host
• Executable File Written in Administrative SMB Share
• Executables Or Script Creation In Suspicious Path
• FodHelper UAC Bypass
• GPUpdate with no Command Line Arguments with Network
• Hide User Account From Sign-In Screen
• Hiding Files And Directories With Attrib exe
• Icacls Deny Command
• Impacket Lateral Movement Commandline Parameters
• Impacket Lateral Movement WMIExec Commandline Parameters
• Impacket Lateral Movement smbexec CommandLine Parameters
• Kerberoasting spn request with RC4 encryption
• Known Services Killed by Ransomware
• Linux Auditd File Permission Modification Via Chmod
• Malicious PowerShell Process - Encoded Command
• Malicious Powershell Executed As A Service
• Monitor Registry Keys for Print Monitors
• Net Localgroup Discovery
• Network Connection Discovery With Net
• Office Application Drop Executable
• Office Application Spawn Regsvr32 process
• Office Application Spawn rundll32 process
• Office Product Spawning BITSAdmin
• Office Product Spawning CertUtil
• Office Product Spawning MSHTA
• Office Product Spawning Rundll32 with no DLL
• Office Product Spawning Windows Script Host
• Office Product Spawning Wmic
• Office Product Writing cab or inf
• Office Spawning Control
• Okta Mismatch Between Source and Response for Verify Push Request
• Password Policy Discovery with Net
• Ping Sleep Batch Command
• PowerShell 4104 Hunting
• Powershell Disable Security Monitoring
• Powershell Processing Stream Of Data
• Registry Keys Used For Privilege Escalation
• Registry Keys for Creating SHIM Databases
• Remote Process Instantiation via DCOM and PowerShell
• Remote Process Instantiation via WMI and PowerShell
• Remote System Discovery with Net
• Resize ShadowStorage volume
• Rundll32 Control RunDLL World Writable Directory
• Rundll32 Shimcache Flush
• Rundll32 with no Command Line Arguments with Network
• Ryuk Wake on LAN Command
• SLUI RunAs Elevated
• SLUI Spawning a Process
• Schedule Task with HTTP Command Arguments
• Schedule Task with Rundll32 Command Trigger
• Schtasks scheduling job on remote system
• SearchProtocolHost with no Command Line with Network
• SecretDumps Offline NTDS Dumping Tool
• ServicePrincipalNames Discovery with SetSPN
• Services Escalate Exe
• Shim Database Installation With Suspicious Parameters
• Short Lived Scheduled Task
• Short Lived Windows Accounts
• Single Letter Process On Endpoint
• Splunk Unauthenticated Log Injection Web Service Log
• Spoolsv Spawning Rundll32
• Spoolsv Writing a DLL
• Suspicious Computer Account Name Change
• Suspicious Copy on System32
• Suspicious Process DNS Query Known Abuse Web Services
• Suspicious Process File Path
• Suspicious Process With Discord DNS Query
• Suspicious mshta child process
• Time Provider Persistence Registry
• WBAdmin Delete System Backups
• WMIC XSL Execution via URL
• Wget Download and Bash Execution
• WinEvent Scheduled Task Created Within Public Path
• WinEvent Scheduled Task Created to Spawn Shell
• WinRAR Spawning Shell Application
• Windows AD Cross Domain SID History Addition
• Windows AD Domain Controller Promotion
• Windows AD Domain Replication ACL Addition
• Windows AD Privileged Account SID History Addition
• Windows AD Replication Request Initiated by User Account
• Windows AD Replication Request Initiated from Unsanctioned Location
• Windows AD Same Domain SID History Addition
• Windows AD Short Lived Domain Controller SPN Attribute
• Windows AD Short Lived Server Object
• Windows Access Token Manipulation SeDebugPrivilege
• Windows Alternate DataStream - Process Execution
• Windows COM Hijacking InprocServer32 Modification
• Windows Change Default File Association For No File Ext
• Windows Command Shell DCRat ForkBomb Payload
• Windows Command and Scripting Interpreter Path Traversal Exec
• Windows Computer Account With SPN
• Windows ConHost with Headless Argument
• Windows Credential Access From Browser Password Store
• Windows Credential Dumping LSASS Memory Createdump
• Windows Credentials from Password Stores Chrome Extension Access
• Windows Credentials from Password Stores Chrome LocalState Access
• Windows Credentials from Password Stores Chrome Login Data Access
• Windows Credentials from Password Stores Creation
• Windows Credentials from Password Stores Deletion
• Windows Curl Download to Suspicious Path
• Windows Curl Upload to Remote Destination
• Windows DISM Remove Defender
• Windows DLL Search Order Hijacking with iscsicpl
• Windows Defender Exclusion Registry Entry
• Windows Disable Change Password Through Registry
• Windows Disable Lock Workstation Feature Through Registry
• Windows Disable LogOff Button Through Registry
• Windows Disable Notification Center
• Windows Disable Shutdown Button Through Registry
• Windows Disable Windows Event Logging Disable HTTP Logging
• Windows Disable or Modify Tools Via Taskkill
• Windows Domain Admin Impersonation Indicator
• Windows ESX Admins Group Creation via Net
• Windows Event Log Cleared
• Windows Excessive Disabled Services Event
• Windows Execute Arbitrary Commands with MSDT
• Windows Gather Victim Network Info Through Ip Check Web Services
• Windows Hidden Schedule Task Settings
• Windows Hide Notification Features Through Registry
• Windows Impair Defense Configure App Install Control
• Windows Impair Defense Disable Web Evaluation
• Windows Impair Defense Override SmartScreen Prompt
• Windows InstallUtil Remote Network Connection
• Windows InstallUtil URL in Command Line
• Windows InstallUtil Uninstall Option with Network
• Windows InstallUtil Uninstall Option
• Windows Kerberos Local Successful Logon
• Windows KrbRelayUp Service Creation
• Windows LSA Secrets NoLMhash Registry
• Windows MOF Event Triggered Execution via WMI
• Windows MSIExec Spawn Discovery Command
• Windows MSIExec Spawn WinDBG
• Windows Masquerading Explorer As Child Process
• Windows Masquerading Msdtc Process
• Windows Mimikatz Binary Execution
• Windows Modify Registry Disable Restricted Admin
• Windows Modify Registry EnableLinkedConnections
• Windows Modify Registry LongPathsEnabled
• Windows Modify Registry NoChangingWallPaper
• Windows Modify Registry to Add or Modify Firewall Rule
• Windows Modify Show Compress Color And Info Tip Registry
• Windows Modify System Firewall with Notable Process Path
• Windows Network Share Interaction With Net
• Windows Non Discord App Access Discord LevelDB
• Windows Office Product Spawning MSDT
• Windows PaperCut NG Spawn Shell
• Windows Parent PID Spoofing with Explorer
• Windows Privilege Escalation User Process Spawn System Process
• Windows Query Registry UnInstall Program List
• Windows Raccine Scheduled Task Deletion
• Windows Rasautou DLL Execution
• Windows Registry BootExecute Modification
• Windows Registry Certificate Added
• Windows Registry Delete Task SD
• Windows Registry Modification for Safe Mode Persistence
• Windows Regsvr32 Renamed Binary
• Windows Remote Assistance Spawning Process
• Windows Remote Service Rdpwinst Tool Execution
• Windows SOAPHound Binary Execution
• Windows Scheduled Task with Highest Privileges
• Windows Security Account Manager Stopped
• Windows Service Create SliverC2
• Windows Service Create with Tscon
• Windows Service Creation Using Registry Entry
• Windows Snake Malware Service Create
• Windows Spearphishing Attachment Onenote Spawn Mshta
• Windows Special Privileged Logon On Multiple Hosts
• Windows Steal Authentication Certificates - ESC1 Authentication
• Windows System Binary Proxy Execution Compiled HTML File Decompile
• Windows UAC Bypass Suspicious Escalation Behavior
• Windows Unsecured Outlook Credentials Access In Registry
• Windows Valid Account With Never Expires Password
• Windows WinDBG Spawning AutoIt3
• Winhlp32 Spawning a Process
• Winword Spawning Cmd
• Winword Spawning PowerShell
• Winword Spawning Windows Script Host
• Wscript Or Cscript Suspicious Child Process

Macros Added - [3]

• ms365_defender_incident_alerts
• ms_defender_atp_alerts
• wineventlog_rdp

Macros Updated - [82]

• admon
• amazon_security_lake
• aws_cloudwatchlogs_eks
• aws_config
• aws_description
• aws_s3_accesslogs
• aws_securityhub_finding
• aws_securityhub_firehose
• azure_audit
• azure_monitor_aad
• azuread
• bootloader_inventory
• capi2_operational
• certificateservices_lifecycle
• circleci
• cisco_networks
• cloudtrail
• cloudwatch_eks
• cloudwatch_vpc
• cloudwatchlogs_vpcflow
• crowdstrike_identities
• crowdstrike_stream
• crushftp
• driverinventory
• exchange
• f5_bigip_rogue
• github
• google_gcp_pubnet_message
• google_gcp_pubsub_message
• gsuite_calendar
• gsuite_drive
• gsuite_gmail
• gws_login_mfa_methods
• gws_reports_admin
• gws_reports_login
• iis_get_webglobalmodule
• iis_operational_logs
• ivanti_vtm_audit
• kube_audit
• kube_container_falco
• kube_objects_events
• kubernetes_azure
• kubernetes_container_controller
• kubernetes_metrics
• linux_auditd
• linux_auditd_normalized_execve_process
• linux_auditd_normalized_proctitle_process
• linux_hosts
• linux_shells
• moveit_sftp_logs
• ms_defender
• msexchange_management
• netbackup
• ntlm_audit
• o365_graph
• o365_management_activity
• okta
• osquery_macro
• osquery_process
• papercutng
• pingid
• powershell
• printservice
• remoteconnectionmanager
• risk_index
• s3_accesslogs
• stream_dns
• stream_http
• stream_tcp
• subjectinterfacepackage
• suricata
• sysmon
• windows_shells
• wineventlog_application
• wineventlog_security
• wineventlog_system
• wineventlog_task_scheduler
• wmi
• zeek_rpc
• zeek_ssl
• zeek_x509
• zscaler_proxy

Big Thanks to the following members for their contributions!

• @bpluta-splunk made their first contribution in #3185
• @ronan182 made their first contribution in #3223