🚀 Key Highlights
- Ghost RAT: Expanded coverage for Ghost RAT activity by tagging multiple existing analytics related to service creation, registry persistence, command-line execution, and system discovery behaviors, alongside new detections for Windows Remote Access Registry Entry and Windows Rundll32 with Non-Standard File Extension. Additionally, improved detection fidelity with updates to Ping Sleep Batch Command and introduced a new analytic story Ghost RAT, enhancing visibility into stealthy persistence, defense evasion, and command execution techniques commonly used by this malware family.
- Void Manticore Activity Coverage Expansion: Expanded detection coverage for Void Manticore, a threat group associated with destructive and espionage-driven operations, by tagging multiple existing analytics aligned to data destruction, shadow copy deletion, backup recovery tampering, and suspicious script execution behaviors. This update enhances visibility into attacker tradecraft involving bcdedit manipulation, recursive file deletion, remote process execution via WMI, and suspicious process/file activity, improving detection of pre-impact and impact-stage techniques commonly used in disruptive campaigns targeting enterprise environments.
- Detection & Content Improvements: Introduced new data source support, migrated Palo Alto integrations, enhanced detections with MITRE mappings, fixed regex and logic issues, reduced false positives, improved accuracy and performance, updated metadata based on telemetry insights, and refactored multiple analytics and SPL queries for better readability, consistency, and reliability.
New Analytic Story - [2]
New Analytics - [2]
- Windows Routing and Remote Access Service Registry Key Change
- Windows Rundll32 with Non-Standard File Extension
Updated Analytics
Based on various other telemetry sources, we have updated a list of detections that were missing MITRE IDs, updated data sources, and made the following changes to detections:
- Malicious PowerShell Process - Encoded Command - Replaced the broken regex with a more robust one that aims to detect most variations of the EncodedCommand flag (see [BUG] Malicious PowerShell Process - Encoded Command - regex doesn't make sense #3939).
- Outbound Network Connection from Java Using Default Ports - Removed the duplicate entry for javaw.exe and made other updates to the SPL structure so that it is more readable.
- Suspicious Rundll32 no Command Line Arguments - Removed the unnecessary use of regex and moved the filter logic earlier in the search for better performance.
- Suspicious SearchProtocolHost no Command Line Arguments - Removed the unnecessary use of regex and moved the filter logic earlier in the search for better performance.
- Windows New Deny Permission Set On Service SD Via Sc.EXE - Updated metadata info, including the FP section based on Athena telemetry.
- Windows New Service Security Descriptor Set Via Sc.EXE - Updated metadata info, including the FP section based on Athena telemetry.
- Detect Large ICMP Traffic / Detect Outbound LDAP Traffic - Updated the logic of both by adding a broader filter for local IPs.
- Detect Computer Changed with Anonymous Account - Updated the logic to be more accurate. (See explanation in [BUG] Logic Problem in Detect Computer Changed with Anonymous Account #3961)
- Windows Privileged Group Modification - Updated the logic to include EventID 4756 (see fix: Add Event ID 4756 to windows_privileged_group_modification detection #3969).
- Windows Scheduled Task Service Spawned Shell - Updated and beautified the SPL, as well as other metadata and RBA-related configuration.
- Possible Lateral Movement PowerShell Spawn - Fixed an FP by adding an exclusion for svchost running the Schedule service.
- Detect Use of cmd exe to Launch Script Interpreters - Fixed an FP by adding an exclusion for standard executable file paths.
- Scheduled Task Deleted Or Created via CMD - Fixed an FP by adding an exclusion for standard executable file paths.
- Beautified the SPL of multiple analytics that were leveraging the Palo Alto TA.
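The Malicious PowerShell Process - Encoded Command item above notes that the old regex missed variations of the EncodedCommand flag. The following is an added illustration (not the ESCU detection's own SPL or regex) of what "variations" means in practice: powershell.exe matches switch names by prefix, so every prefix of EncodedCommand from -e upward, plus the -ec shorthand, is accepted, with either - or / as the switch character. The matcher and the constructed sample command lines below are assumptions for this example; the decoder returns None for anything that is not valid base64-wrapped UTF-16LE.

```python
import base64
import re
from typing import Optional

# powershell.exe accepts any prefix of "encodedcommand" ("-e", "-en", "-enc", ...)
# plus the special case "-ec"; the switch may start with "-" or "/".
# (Parser behaviour assumed for this example.)
_NAME = "encodedcommand"
_ABBREVS = [_NAME[:i] for i in range(1, len(_NAME) + 1)] + ["ec"]
# Longest alternative first so "-enc" is not consumed as "-e" followed by "nc".
_FLAG_ALT = "|".join(sorted(_ABBREVS, key=len, reverse=True))

ENCODED_COMMAND_RE = re.compile(
    rf"""(?:^|\s)[-/](?:{_FLAG_ALT})\s+["']?(?P<b64>[A-Za-z0-9+/]{{8,}}={{0,2}})""",
    re.IGNORECASE,
)


def find_encoded_command(cmdline: str) -> Optional[str]:
    """Return the base64 argument of an EncodedCommand switch, or None."""
    m = ENCODED_COMMAND_RE.search(cmdline)
    return m.group("b64") if m else None


def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode the payload (UTF-16LE behind base64); None if it is not valid."""
    try:
        padded = b64 + "=" * (-len(b64) % 4)  # tolerate stripped padding
        return base64.b64decode(padded, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline: str) -> Optional[str]:
    """Decoded script if the command line carries an EncodedCommand, else None."""
    b64 = find_encoded_command(cmdline)
    return decode_encoded_command(b64) if b64 else None


# Constructed sample command lines (not real telemetry).
SAMPLE_PAYLOAD = base64.b64encode("Write-Host 'hi'".encode("utf-16-le")).decode()
SAMPLES = [
    f"powershell.exe -NoP -NonI -W Hidden -Enc {SAMPLE_PAYLOAD}",
    f"powershell.exe /ec {SAMPLE_PAYLOAD}",
    f'powershell.exe -EncodedCommand "{SAMPLE_PAYLOAD}"',
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\build.ps1",
    "powershell.exe -ep Bypass -Command Get-Process",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line[:60]:<62} -> {triage(line)!r}")
```

The last two samples show why a prefix-aware pattern matters: -ExecutionPolicy and -ep also begin with -e but must not fire.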