Key Highlights
Medusa Rootkit (UNC3886): Introduced a new analytic story for Medusa Rootkit, a stealthy malware leveraged by UNC3886 to maintain persistence on Linux and Windows systems. This release adds detections for Linux GDrive Binary Activity, Linux Medusa Rootkit, Windows GDrive Binary Activity, and Windows Suspicious VMware Tools Child Process, while also mapping other existing detections to this threat actor.
MSIX Package Abuse: We added a new analytic story covering abuse of Microsoft MSIX application packages, leveraging telemetry from AppXDeploymentServer/Operational logs. This story introduces detections for suspicious MSIX behaviors, including Windows Advanced Installer MSIX with AI_STUBS Execution, Unsigned Package Installation, PowerShell MSIX Package Installation, and interactions with Windows Apps directories, providing visibility into application sideloading and potential malware delivery.
Windows RDP Artifacts & Defense Evasion: A new analytic story focused on RDP activity followed by artifact cleanup or evasion techniques. Windows RDP usage generates forensic artifacts such as Default.rdp files and bitmap caches that can reveal details about accessed systems. This release adds detections for RDP file creation, deletion, and un-hiding events, bitmap cache file activity, RDP server registry entry creation/deletion, and RDP client launched with admin session, while tagging existing detections to ensure comprehensive monitoring of both RDP usage and evasion behavior.
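As an added illustration of the usage-then-cleanup pattern this story describes (example code written for this note, not ESCU's own searches), the following Python classifies constructed Sysmon-style file, registry and process events into the artifact detections named above and flags a sequence where RDP traces are removed or unhidden after usage; the event field names, the sample paths and the `attrib -h` check are assumptions.

```python
import re
# Constructed sample events in a Sysmon-like shape (assumed fields: "event",
# "action" and "path"/"key"/"cmdline"); not Splunk ESCU search logic.
DOCS = r"C:\Users\alice\Documents"
TSC = r"C:\Users\alice\AppData\Local\Microsoft\Terminal Server Client"
SERVERS = r"HKCU\Software\Microsoft\Terminal Server Client\Servers"
SAMPLE_EVENTS = [
    {"event": "registry", "action": "create", "key": SERVERS + r"\10.0.0.5"},
    {"event": "file", "action": "create", "path": DOCS + r"\Default.rdp"},
    {"event": "file", "action": "create", "path": TSC + r"\Cache\Cache0000.bin"},
    {"event": "file", "action": "create", "path": DOCS + r"\notes.txt"},
    {"event": "process", "action": "create", "cmdline": f'attrib.exe -h "{DOCS}\\Default.rdp"'},
    {"event": "file", "action": "delete", "path": DOCS + r"\Default.rdp"},
    {"event": "file", "action": "delete", "path": TSC + r"\Cache\Cache0000.bin"},
    {"event": "registry", "action": "delete", "key": SERVERS + r"\10.0.0.5"},
]

# Artifact locations (hypothetical patterns matching the usual RDP client paths).
DEFAULT_RDP = re.compile(r"\\Default\.rdp$", re.I)
BITMAP_CACHE = re.compile(r"\\Terminal Server Client\\Cache\\(Cache\d+\.bin|[^\\]+\.bmc)$", re.I)
SERVER_KEY = re.compile(r"\\Terminal Server Client\\Servers\\[^\\]+$", re.I)
UNHIDE_CMD = re.compile(r"\battrib(\.exe)?\b.*\s-h\b.*Default\.rdp", re.I)

# Detections that indicate RDP usage versus cleanup/evasion of its traces.
USAGE = {"Default RDP File Creation", "RDP Bitmap Cache File Creation", "RDP Server Registry Entry Created"}
CLEANUP = {"Default RDP File Deletion", "Default RDP File Unhidden", "RDP Cache File Deletion", "RDP Server Registry Deletion"}

def classify(ev):
    """Return the detection name an event triggers, or None if it is benign."""
    kind, action = ev["event"], ev["action"]
    if kind == "file" and DEFAULT_RDP.search(ev["path"]):
        return {"create": "Default RDP File Creation", "delete": "Default RDP File Deletion"}.get(action)
    if kind == "file" and BITMAP_CACHE.search(ev["path"]):
        return {"create": "RDP Bitmap Cache File Creation", "delete": "RDP Cache File Deletion"}.get(action)
    if kind == "registry" and SERVER_KEY.search(ev["key"]):
        return {"create": "RDP Server Registry Entry Created", "delete": "RDP Server Registry Deletion"}.get(action)
    if kind == "process" and UNHIDE_CMD.search(ev.get("cmdline", "")):
        return "Default RDP File Unhidden"
    return None

def usage_then_cleanup(events):
    """True when RDP usage artifacts appear and a trace is later removed or unhidden."""
    seen_usage = False
    for name in map(classify, events):  # events are assumed to be in time order
        seen_usage = seen_usage or name in USAGE
        if seen_usage and name in CLEANUP:
            return True
    return False
```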
New Analytic Stories (3)
Updated Analytic Story (1)
New Analytics (22)
- Linux Gdrive Binary Activity
- Linux Medusa Rootkit
- Windows Advanced Installer MSIX with AI_STUBS Execution
- Windows AppX Deployment Full Trust Package Installation
- Windows AppX Deployment Package Installation Success
- Windows AppX Deployment Unsigned Package Installation
- Windows Default RDP File Creation
- Windows Default Rdp File Deletion
- Windows Default Rdp File Unhidden
- Windows Developer-Signed MSIX Package Installation
- Windows Gdrive Binary Activity
- Windows MSIX Package Interaction
- Windows PowerShell MSIX Package Installation
- Windows PowerShell Script From WindowsApps Directory
- Windows RDP Bitmap Cache File Creation
- Windows RDP Cache File Deletion
- Windows RDP Client Launched with Admin Session
- Windows RDP Login Session Was Established
- Windows RDP Server Registry Deletion
- Windows RDP Server Registry Entry Created
- Windows Rdp AutomaticDestinations Deletion
- Windows Suspicious VMWare Tools Child Process
Other Updates
As previously communicated in the ESCU v5.10.0 release, several detections have been removed.
For a complete list of the detections removed in version v5.12.0, refer to the List of Removed Detections.
Additionally, a new set of detections has been deprecated.
For details on detections scheduled for removal in ESCU v5.14.0, see the List of Detections Scheduled for Removal.