
v3.45.0

Released by @github-actions on 19 Jul 21:32, commit 1e3d207

New Analytic Story

  • Azorult
  • Windows System Binary Proxy Execution MSIExec

New Analytics

  • Detect Risky SPL using Pretrained ML Model
  • Living Off The Land (new search type: RBA, risk-based alerting)
  • Windows Application Layer Protocol RMS Radmin Tool Namedpipe
  • Windows Binary Proxy Execution Mavinject DLL Injection
  • Windows Gather Victim Network Info Through Ip Check Web Services
  • Windows Identify Protocol Handlers
  • Windows Impair Defense Add Xml Applocker Rules
  • Windows Impair Defense Deny Security Software With Applocker
  • Windows Modify Registry Disable Toast Notifications
  • Windows Modify Registry Disable Win Defender Raw Write Notif
  • Windows Modify Registry Disable Windows Security Center Notif
  • Windows Modify Registry Disabling WER Settings
  • Windows Modify Registry DisAllow Windows App
  • Windows Modify Registry Regedit Silent Reg Import
  • Windows Modify Registry Suppress Win Defender Notif
  • Windows MOF Event Triggered Execution via WMI
  • Windows Odbcconf Hunting
  • Windows Odbcconf Load DLL
  • Windows Odbcconf Load Response File
  • Windows Powershell Import Applocker Policy
  • Windows Remote Access Software RMS Registry
  • Windows Remote Service Rdpwinst Tool Execution
  • Windows Remote Services Allow Rdp In Firewall
  • Windows Remote Services Allow Remote Assistance
  • Windows Remote Services Rdp Enable
  • Windows Service Stop By Deletion
  • Windows Valid Account With Never Expires Password

Updated Analytics

  • Allow Inbound Traffic By Firewall Rule Registry
  • Cobalt Strike Named Pipes
  • Office Product Writing cab or inf
  • Powershell Disable Security Monitoring
  • Suspicious Image Creation In Appdata Folder

New BA Analytics

  • Windows Defender Tools in Non Standard Path

BA Updates

  • Windows LOLBin Binary in Non Standard Path (note: mpcmdrun.exe was removed from this detection because the path filters it would require are too broad)

Other Updates

  • Updated all PowerShell Event ID 4104 (script block logging) analytics and their corresponding attack datasets to use the XML log format
  • Added the providing technologies fields used to populate Recommended Data Sources in the Enterprise Security Use Case Library
  • Fixed a typo in the security_services.csv lookup
  • Several updates to the contentctl_project and docker_detection_testing backend tooling
  • Updated the Splunk app baseline to test against the latest TAs
  • Deprecated the container image published to GCP GCR; new container images are published to AWS ECR
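The switch of the 4104 analytics to the XML log format matters because the XML rendering of a script-block event carries its fields (ScriptBlockText, ScriptBlockId, MessageNumber, MessageTotal) as named elements instead of free text, and long script blocks are logged as several chunks that must be reassembled before any content match. The following is an added illustration, not Splunk's own detection logic: it parses constructed XML-format 4104 events, rejoins chunked script blocks by ScriptBlockId, and applies a simple check for Set-MpPreference disabling Defender features in the spirit of the Powershell Disable Security Monitoring analytic. The sample events, the host name and the regular expression are assumptions made for the example.

```python
"""Parse XML-format PowerShell 4104 (script block logging) events, reassemble
chunked script blocks and flag Set-MpPreference -Disable* usage.
Added illustration; not Splunk security content. Sample events are constructed."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespace used by Windows XML event rendering.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: three 4104 events. The second script block was logged
# in two chunks (MessageNumber 1/2 and 2/2) that share one ScriptBlockId.
SAMPLE_EVENTS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-PowerShell"/><EventID>4104</EventID>
  <Computer>WKSTN01.example.local</Computer></System>
  <EventData>
    <Data Name="MessageNumber">1</Data><Data Name="MessageTotal">1</Data>
    <Data Name="ScriptBlockText">Get-ChildItem -Path Env:</Data>
    <Data Name="ScriptBlockId">11111111-1111-1111-1111-111111111111</Data>
    <Data Name="Path"></Data>
  </EventData></Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-PowerShell"/><EventID>4104</EventID>
  <Computer>WKSTN01.example.local</Computer></System>
  <EventData>
    <Data Name="MessageNumber">1</Data><Data Name="MessageTotal">2</Data>
    <Data Name="ScriptBlockText">Set-MpPreference -DisableRealtimeMonitoring </Data>
    <Data Name="ScriptBlockId">22222222-2222-2222-2222-222222222222</Data>
    <Data Name="Path"></Data>
  </EventData></Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-PowerShell"/><EventID>4104</EventID>
  <Computer>WKSTN01.example.local</Computer></System>
  <EventData>
    <Data Name="MessageNumber">2</Data><Data Name="MessageTotal">2</Data>
    <Data Name="ScriptBlockText">$true</Data>
    <Data Name="ScriptBlockId">22222222-2222-2222-2222-222222222222</Data>
    <Data Name="Path"></Data>
  </EventData></Event>""",
]

# Assumed pattern for the illustration: Set-MpPreference with any -Disable*
# switch set to $true or 1.
DISABLE_PATTERN = re.compile(
    r"Set-MpPreference\b.*?-Disable\w*\s+(\$true|1)\b", re.IGNORECASE | re.DOTALL)


def parse_4104(xml_text: str) -> dict:
    """Extract the fields of one XML-rendered 4104 event into a dict."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id != "4104":
        raise ValueError(f"not a 4104 event: {event_id}")
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "script_block_id": data.get("ScriptBlockId", ""),
        "message_number": int(data.get("MessageNumber", "1")),
        "message_total": int(data.get("MessageTotal", "1")),
        "script_block_text": data.get("ScriptBlockText", ""),
        "path": data.get("Path", ""),
    }


def reassemble(events):
    """Join chunked script blocks by ScriptBlockId in MessageNumber order."""
    chunks = defaultdict(list)
    meta = {}
    for ev in events:
        chunks[ev["script_block_id"]].append((ev["message_number"], ev["script_block_text"]))
        meta[ev["script_block_id"]] = ev
    joined = []
    for sbid, parts in chunks.items():
        text = "".join(t for _, t in sorted(parts))
        joined.append({**meta[sbid], "script_block_text": text})
    return joined


def find_disable_security_monitoring(xml_events):
    """Return the reassembled script blocks that disable a Defender feature."""
    parsed = [parse_4104(x) for x in xml_events]
    return [b for b in reassemble(parsed)
            if DISABLE_PATTERN.search(b["script_block_text"])]


if __name__ == "__main__":
    for hit in find_disable_security_monitoring(SAMPLE_EVENTS):
        print(f"{hit['computer']} {hit['script_block_id']}: {hit['script_block_text']}")
```

Neither chunk of the second script block matches on its own; only the reassembled text does, which is why a per-event match on ScriptBlockText can miss a split block and why the chunk fields are worth carrying through the parser.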