Key Highlights
- ⚙️ Detection Output Standardization: We've updated the majority of our detections to emit a standardized set of output fields and enhanced our tooling to enforce that structure consistently, improving usability, correlation, and integration across security workflows.
- 🚨 Apache Tomcat Session Deserialization Attacks: CVE-2025-24813, disclosed on March 10, 2025, is a path equivalence flaw in Apache Tomcat's partial PUT handling that can lead to unauthenticated remote code execution when the default servlet allows writes, partial PUT support is enabled, and the application uses file-based session persistence. We introduced a new analytic story targeting potential exploitation of Apache Tomcat servers. It includes detections for suspicious session file uploads and session deserialization attempts, the techniques attackers combine to gain remote access or execute arbitrary code.
- 🪟 Windows Shortcut Exploit Abuse: Released a new analytic story to detect emerging exploitation patterns involving Windows LNK files, tracked as ZDI-CAN-25373. It includes detections for abuse of SSH ProxyCommand, LNK files with abnormal whitespace padding, and Windows Explorer spawning suspicious processes such as PowerShell or CMD. These analytics are designed to surface the stealthy initial access and execution techniques leveraged in recent zero-day attacks.
- 💥 New Ransomware and Threat Actor Campaigns: We've expanded our campaign mappings to include detection coverage for emerging ransomware families such as Medusa, Termite, and VanHelsing, as well as the state-sponsored actors Salt Typhoon and Seashell Blizzard. These mappings contextualize detections within current threat actor TTPs and provide better visibility into campaign-specific behaviors.
- 🔥 Windows Firewall Rule Monitoring: We also introduced new detections for firewall-related security events on Windows systems: Windows Firewall Rule Added, Windows Firewall Rule Deletion, and Windows Firewall Rule Modification. They help security teams track unauthorized or suspicious changes to host-based firewall configurations.
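To make the two Tomcat detections above concrete, here is the same logic over Tomcat access-log lines: stage one is a PUT whose path ends in `.session` (the file upload), stage two is a request from the same client whose JSESSIONID begins with a dot, which makes a file-backed session store load the file the partial PUT left in the work directory. This is example code added for these notes, not ESCU content (the shipped analytics are SPL against Splunk data models). It assumes an AccessLogValve pattern that logs the cookie, `%h %t "%r" %s "%{JSESSIONID}c"`, a ten-minute correlation window, and the constructed sample lines shown; none of these come from the release.

```python
"""Correlates the two stages of a CVE-2025-24813-style attack in Tomcat
access logs: a partial PUT that drops a '*.session' file, then a request
whose JSESSIONID starts with '.' so a file-backed session store loads and
deserializes that file.  Example code written for these notes, not ESCU
content.  Assumed AccessLogValve pattern:  %h %t "%r" %s "%{JSESSIONID}c"
"""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<src>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3}) "(?P<jsessionid>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    """Return the event as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    return ev


def is_session_upload(ev):
    """Stage 1: PUT whose target path ends in .session (the serialized
    session the attacker wants the server to load later)."""
    return ev["method"] == "PUT" and ev["uri"].lower().endswith(".session")


def is_deser_trigger(ev):
    """Stage 2: a session id beginning with '.'.  Partial PUT writes its
    temp file under the work directory with '/' replaced by '.', so the id
    '.reports.q1' resolves to the file '.reports.q1.session'."""
    return ev["jsessionid"].startswith(".")


def correlate(lines, window=timedelta(minutes=10)):
    """Emit (rule, src, detail) tuples; stage 2 only fires for a client that
    uploaded a session file within `window` beforehand."""
    uploads = {}   # src -> [(ts, uri), ...]
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if is_session_upload(ev):
            uploads.setdefault(ev["src"], []).append((ev["ts"], ev["uri"]))
            alerts.append(("tomcat_session_file_upload", ev["src"], ev["uri"]))
        elif is_deser_trigger(ev):
            if any(timedelta(0) <= ev["ts"] - ts <= window
                   for ts, _ in uploads.get(ev["src"], [])):
                alerts.append(("tomcat_session_deserialization", ev["src"], ev["jsessionid"]))
    return alerts


# Constructed sample lines (not real traffic); 203.0.113.7 runs both stages
# against the ROOT context, 198.51.100.9 is ordinary activity.
SAMPLE = [
    '203.0.113.7 [18/Mar/2025:10:00:01 +0000] "PUT /reports/q1.session HTTP/1.1" 409 "-"',
    '203.0.113.7 [18/Mar/2025:10:00:03 +0000] "GET /index.jsp HTTP/1.1" 200 ".reports.q1"',
    '198.51.100.9 [18/Mar/2025:10:00:05 +0000] "GET /index.jsp HTTP/1.1" 200 "A1B2C3D4E5"',
    '198.51.100.9 [18/Mar/2025:10:00:06 +0000] "PUT /reports/notes.txt HTTP/1.1" 204 "-"',
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```

The upload stage alone is a useful alert on any server that should never accept PUT; the second stage is the higher-fidelity signal, since legitimate session ids are generated by the container and never start with a dot.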
New Analytic Stories - [8]
- Apache Tomcat Session Deserialization Attacks
- Medusa Ransomware
- PHP-CGI RCE Attack on Japanese Organizations
- Salt Typhoon
- Seashell Blizzard
- Termite Ransomware
- VanHelsing Ransomware
- ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day (Contributor: @ajkingio, @hunter-3)
New Analytics - [15]
- Detect Large ICMP Traffic
- Tomcat Session Deserialization Attempt
- Tomcat Session File Upload Attempt
- Windows AD Self DACL Assignment
- Windows ConsoleHost History File Deletion
- Windows Explorer LNK Exploit Process Launch With Padding (Contributor: @ajkingio, @hunter-3)
- Windows Explorer.exe Spawning PowerShell or Cmd (Contributor: @ajkingio, @hunter-3)
- Windows Firewall Rule Added
- Windows Firewall Rule Deletion
- Windows Firewall Rule Modification
- Windows MSTSC RDP Commandline
- Windows Powershell History File Deletion
- Windows Process Injection into Commonly Abused Processes (Contributor: @0xC0FFEEEE)
- Windows Remote Host Computer Management Access
- Windows SSH Proxy Command (Contributor: @ajkingio, @hunter-3)
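The three LNK-related analytics in the list above (Explorer launching a padded LNK target, Explorer.exe spawning PowerShell or Cmd, and SSH ProxyCommand abuse) reduce to simple predicates over process-creation telemetry. The block below is example code added for these notes, not the ESCU SPL: it runs those predicates over constructed events with Sysmon Event ID 1-style fields (`ParentImage`, `Image`, `CommandLine`), treats a run of 32 or more whitespace characters as abnormal padding, and uses a placeholder `calc.exe` payload; the field names, the threshold and the sample events are assumptions.

```python
"""Detection logic for the LNK-abuse patterns in this release, run over
constructed process-creation events.  Example code added for these notes;
it is not the ESCU SPL, and the field names are assumptions modelled on
Sysmon Event ID 1 (ParentImage, Image, CommandLine)."""
import re

# Whitespace reported as the padding in the ZDI-CAN-25373 LNK samples: space,
# tab, line feed, vertical tab, form feed, carriage return.  A run of 32 or
# more is treated as abnormal; the threshold is an assumption, not ESCU's.
PADDING_RE = re.compile(r"[ \t\n\x0b\x0c\r]{32,}")
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def explorer_spawn_shell(ev):
    """Windows Explorer.exe Spawning PowerShell or Cmd (noisy on its own)."""
    return basename(ev["ParentImage"]) == "explorer.exe" and basename(ev["Image"]) in SHELLS


def lnk_padding(ev):
    """Explorer-launched process whose command line carries a long run of
    whitespace, as happens when a padded LNK's arguments reach the target."""
    return basename(ev["ParentImage"]) == "explorer.exe" and PADDING_RE.search(ev["CommandLine"]) is not None


def ssh_proxy_command(ev):
    """ssh.exe started with -o ProxyCommand=..., which runs an arbitrary
    command through the OpenSSH client."""
    return basename(ev["Image"]) == "ssh.exe" and re.search(r"proxycommand\s*=", ev["CommandLine"], re.I) is not None


RULES = {
    "explorer_spawn_shell": explorer_spawn_shell,
    "lnk_padding": lnk_padding,
    "ssh_proxy_command": ssh_proxy_command,
}


def evaluate(events):
    """Map each event's ID to the sorted list of rules it triggers; events
    that trigger nothing are omitted."""
    hits = {}
    for ev in events:
        fired = sorted(name for name, rule in RULES.items() if rule(ev))
        if fired:
            hits[ev["EventId"]] = fired
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # 1: padded LNK target: 900 whitespace bytes before the real arguments
        "EventId": 1, "ParentImage": EXPLORER, "Image": PS,
        "CommandLine": f'"{PS}" ' + " \t\n\x0b\x0c\r" * 150 + '-nop -w hidden -c "Start-Process calc.exe"',
    },
    {   # 2: user opened a console from the Start menu: spawn rule only
        "EventId": 2, "ParentImage": EXPLORER, "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" ',
    },
    {   # 3: LNK pointing at ssh.exe with a ProxyCommand that runs a shell
        "EventId": 3, "ParentImage": EXPLORER, "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
        "CommandLine": 'ssh.exe -o ProxyCommand="cmd.exe /c calc.exe" localhost',
    },
    {   # 4: unrelated service activity
        "EventId": 4, "ParentImage": r"C:\Windows\System32\services.exe",
        "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
    },
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))
```

Explorer spawning cmd.exe or PowerShell is routine user behaviour, so on its own that rule is a low-severity correlation signal; the padding and ProxyCommand predicates are what turn event 1 and event 3 into alerts worth paging on.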
Other Updates
- Updated the ransomware_extensions and remote_access_software lookups with new values. (Contributor: @sventec)
- Updated a majority of detections to output improved field names, which should enhance how they appear in Enterprise Security. We also added output_fields to the data source objects to enforce output validation for detection analytics.
- Fixed a minor bug that prevented the deprecated and removed content warning banner from displaying correctly on the landing page