🚀 Key Highlights
🧠 LAMEHUG: Introduced new detections for the LAMEHUG malware, which sends outbound requests to the Hugging Face API (querying the Qwen 2.5-Coder-32B-Instruct model) to generate Windows command chains at runtime. Common behaviors include execution of `systeminfo`, `net start`, `tasklist` and `dsquery`, followed by recursive file copy operations into `%ProgramData%\info\`. Initial delivery typically involves phishing ZIP archives containing `.pif` binaries disguised as PDF or image viewers.
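The LAMEHUG behaviors above only stand out when they occur together on one host in a short span, since each command on its own is routine administration. The following added example (written for this page, not ESCU's own analytic) correlates constructed process-creation events per host: it flags a host that runs at least three of the four discovery commands and a bulk copy into `%ProgramData%\info\` inside a ten-minute sliding window. The event layout, the window size and the threshold are assumptions, not values from the release.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (host, ISO timestamp, command line).
# Invented for the example; the field layout is an assumption, not ESCU's data model.
SAMPLE_EVENTS = [
    ("ws01", "2025-08-01T10:00:00", "systeminfo"),
    ("ws01", "2025-08-01T10:00:02", r"C:\Windows\System32\net.exe start"),
    ("ws01", "2025-08-01T10:00:04", "tasklist /v"),
    ("ws01", "2025-08-01T10:00:06", "dsquery computer -limit 0"),
    ("ws01", "2025-08-01T10:00:20",
     r'xcopy /S /E /I /Y "C:\Users\jdoe\Documents" C:\ProgramData\info'),
    # Admin workstation: discovery spread over hours and no collection copy.
    ("ws02", "2025-08-01T11:00:00", "systeminfo"),
    ("ws02", "2025-08-01T13:30:00", "tasklist"),
    ("ws02", "2025-08-01T14:00:00", "net start"),
]

DISCOVERY_TOOLS = {"systeminfo", "tasklist", "dsquery"}   # "net start" handled separately
DISCOVERY_LABELS = DISCOVERY_TOOLS | {"net_start"}
COPY_MARKERS = ("xcopy", "robocopy", "copy-item", " copy ")


def exe_name(cmdline):
    """Base name of the launched image without path, quotes or .exe suffix."""
    first = cmdline.strip().split(None, 1)[0].strip('"')
    return ntpath.basename(first).lower().removesuffix(".exe")


def classify(cmdline):
    """Map a command line to a LAMEHUG-style behaviour label, or None."""
    c = cmdline.strip().lower()
    if not c:
        return None
    exe = exe_name(c)
    if exe in DISCOVERY_TOOLS:
        return exe
    if exe in ("net", "net1") and c.split()[1:2] == ["start"]:
        return "net_start"
    # Bulk copy into %ProgramData%\info\ (matches expanded and literal forms).
    if any(m in c for m in COPY_MARKERS) and "programdata\\info" in c:
        return "copy_to_info"
    return None


def correlate(events, window=timedelta(minutes=10), min_discovery=3):
    """Flag hosts running >= min_discovery distinct discovery commands plus a
    copy into %ProgramData%\\info\\ within one sliding window (assumed values)."""
    by_host = defaultdict(list)
    for host, ts, cmdline in events:
        label = classify(cmdline)
        if label:
            by_host[host].append((datetime.fromisoformat(ts), label))
    alerts = []
    for host, items in by_host.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            seen = {label for t, label in items[i:] if t - start <= window}
            found = seen & DISCOVERY_LABELS
            if len(found) >= min_discovery and "copy_to_info" in seen:
                alerts.append({"host": host, "start": start.isoformat(),
                               "discovery": sorted(found)})
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The discovery commands are matched on the launched image name so that full-path invocations still count; commands wrapped entirely inside a `cmd.exe /c` string would need the child process events, which is what process-creation telemetry normally provides.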
🕵️ ObjectivyStealer: Tagged relevant existing content to cover behaviors associated with ObjectivyStealer, a stealthy information-stealing malware targeting web browsers, messaging apps, cryptocurrency wallets, and local system files. It evades detection by operating from user profile or temp directories and maintains persistence using registry run keys or scheduled tasks. This mapping enhances detection of credential theft, session hijacking, and encrypted exfiltration to remote C2 infrastructure.
🛡️ Secret Blizzard: Added detections for suspicious use of `certutil.exe` to install root certificates from temp directories with the `-addstore root` command. This tactic, observed in post-exploitation activity, can be used to intercept HTTPS traffic, impersonate trusted services, or bypass endpoint defenses. These analytics detect certificate installation from `.tmp` files, use of the `-f` (force) and `-Enterprise` flags, and other high-risk trust-store modifications that can lead to persistent compromise.
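To make the certutil indicators above concrete, here is an added example (written for this page, not ESCU's search logic) that parses constructed `certutil` command lines, keeps only `-addstore` calls against the `root` store, and raises severity when the certificate comes from a `.tmp` file or a temp directory or when `-f` or `-Enterprise` is present. The sample command lines and the severity scheme are invented for the illustration.

```python
import ntpath
import re

# Constructed command lines for the example (invented, not real telemetry).
SAMPLE_CMDLINES = [
    r"certutil.exe -addstore -f root C:\Users\jdoe\AppData\Local\Temp\c1a2b.tmp",
    r'"C:\Windows\System32\certutil.exe" -addstore -Enterprise root "C:\Windows\Temp\ca.cer"',
    r"certutil -addstore my C:\certs\client.cer",              # personal store, not root
    r"certutil -hashfile C:\Windows\Temp\payload.bin SHA256",  # no store change at all
]

# Path fragments treated as "temp directory" for this example (assumption).
TEMP_DIR_MARKERS = ("\\temp\\", "\\tmp\\")


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_certutil(cmdline):
    """Return store/file/flags of a certutil -addstore invocation, else None."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    exe = ntpath.basename(tokens[0]).lower().removesuffix(".exe")
    if exe != "certutil":
        return None
    # certutil accepts both -flag and /flag; normalise to lower-case -flag.
    flags, positional = set(), []
    for arg in tokens[1:]:
        if arg[:1] in ("-", "/"):
            flags.add("-" + arg[1:].lower())
        else:
            positional.append(arg)
    if "-addstore" not in flags:
        return None
    return {
        "store": positional[0].lower() if positional else "",
        "file": positional[1] if len(positional) > 1 else "",
        "force": "-f" in flags,
        "enterprise": "-enterprise" in flags,
    }


def assess(cmdline):
    """Score a root-store addition; None if the command line is not one."""
    info = parse_certutil(cmdline)
    if info is None or info["store"] != "root":
        return None
    lf = info["file"].lower()
    info["tmp_file"] = lf.endswith(".tmp")
    info["temp_dir"] = any(m in lf for m in TEMP_DIR_MARKERS)
    # Any root addition is worth a look; the escalators from the story push it to high.
    escalators = sum(info[k] for k in ("tmp_file", "temp_dir", "force", "enterprise"))
    info["severity"] = "high" if escalators else "medium"
    return info


def hits(cmdlines):
    """All command lines that modify the root store, with their assessment."""
    return [r for r in map(assess, cmdlines) if r]


if __name__ == "__main__":
    for hit in hits(SAMPLE_CMDLINES):
        print(hit["severity"], hit["file"])
```

A root-store addition from a non-temp path is left at medium because legitimate enrollment scripts do install corporate CAs this way; the tuning knob in production is an allow-list of expected certificate paths or signing processes, not dropping the base match.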
📨 NotDoor Malware: Introduced a new analytic story focused on detecting NotDoor, a malicious Outlook macro backdoor linked to APT28 (Fancy Bear). This story adds detections for suspicious Outlook macro creation, persistence via `LoadMacroProviderOnBoot`, and disabling of security dialogs, all techniques NotDoor uses to exfiltrate data, upload files, and execute remote commands delivered through email-based triggers.
New Analytic Story - [5]
New Analytics - [19]
- Linux Magic SysRq Key Abuse (External Contributor: @CheraghiMilad)
- Windows AI Platform DNS Query
- Windows Certutil Root Certificate Addition
- Windows DLL Module Loaded in Temp Dir
- Windows Excel ActiveMicrosoftApp Child Process
- Windows File Collection Via Copy Utilities
- Windows Net System Service Discovery
- Windows Outlook Dialogs Disabled from Unusual Process
- Windows Outlook LoadMacroProviderOnBoot Persistence
- Windows Outlook Macro Created by Suspicious Process
- Windows Outlook Macro Security Modified
- Windows Set Private Network Profile via Registry
- Windows SpeechRuntime COM Hijacking DLL Load
- Windows SpeechRuntime Suspicious Child Process
- Windows Wmic CPU Discovery
- Windows Wmic DiskDrive Discovery
- Windows Wmic Memory Chip Discovery
- Windows Wmic Network Discovery
- Windows Wmic Systeminfo Discovery
Other Updates
- As previously communicated in the ESCU v5.12.0 release, several detections have been removed. For a complete list of the detections removed in version v5.14.0, refer to the List of Removed Detections. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v5.16.0, see the List of Detections Scheduled for Removal