What's New

Enterprise Security Content Updates v3.28.0 was released on September 9, 2021. It includes the following enhancements.

New analytic stories include the following:

• BlackMatter Ransomware
• Active Directory Discovery
• ProxyShell
• PetitPotam NTLM Relay on Active Directory Certificate Services
• Microsoft MSHTML Remote Code Execution CVE-2021-40444

Updated analytic stories include the following:

• Dev Sec Ops

New analytics include the following:

• Add DefaultUser And Password In Registry
• Auto Admin Logon Registry Entry
• Bcdedit Command Back To Normal Mode Boot
• Change To Safe Mode With Network Config
• SchCache Change By App Connect And Create ADSI Object
• Circle CI Disable Security Job
• Circle CI Disable Security Step
• Github Commit In Develop
• GitHub Dependabot Alert
• GitHub Pull Request from Unknown User
• Get ADDefaultDomainPasswordPolicy with Powershell
• Get ADDefaultDomainPasswordPolicy with Powershell Script Block
• Get ADUserResultantPasswordPolicy with Powershell
• Get ADUserResultantPasswordPolicy with Powershell Script Block
• Get DomainPolicy with Powershell
• Get DomainPolicy with Powershell Script Block
• Password Policy Discovery with Net
• AdsiSearcher Account Discovery
• Domain Account Discovery with Dsquery
• Domain Account Discovery With Net App
• Domain Account Discovery with Wmic
• Get ADUser with PowerShell
• Get ADUser with PowerShell Script Block
• Get DomainUser with PowerShell
• Get DomainUser with PowerShell Script Block
• GetWmiObject DS User with PowerShell
• GetWmiObject DS User with PowerShell Script Block
• GetLocalUser with PowerShell
• GetLocalUser with PowerShell Script Block
• GetWmiObject User Account with PowerShell
• GetWmiObject User Account with PowerShell Script Block
• Local Account Discovery with Net
• Local Account Discovery With Wmic
• Exchange PowerShell Module Usage (Experimental)
• Exchange PowerShell Abuse via SSRF (Experimental)
• PetitPotam Network Share Access Request
• Windows Kerberos Auth Ticket Request
• Kubernetes Scanner Image Pulling
• Gsuite Email Suspicious Subject With Attachment
• Gsuite Email With Known Abuse Web Service Link
• Gsuite Suspicious Shared File Name
• AWS ECR Container Upload Outside Business Hours
• AWS ECR Container Upload Unknown User
• Github Commit Changes In Master
• Esentutl SAM Copy
• PowerShell 4104 Hunting
• Gsuite Drive Share In External Email
• GSuite Email Suspicious Attachment
• Gsuite Outbound Email With Attachment To External Domain
• Rundll32 Control_RunDLL World Writable Directory
• Rundll32 Control_Rundll Hunt
• Office Spawning Control
• Control Loading from World Writable Directory
• MSHTML Module Load in Office Product

Updated analytics include the following:

• Create local admin accounts using net exe (Thank you for reporting this, @mschilt)
• Create or delete windows shares using net exe (Thank you for reporting this, @thejanit0r)
• Extraction of Registry Hives (Thank you for reporting this, @thejanit0r)
• System Information Discovery Detection (Thank you for reporting this, @mschilt)
• Registry Keys Used For Persistence (Thank you for reporting this, @mschilt)
• Process Creating LNK file in Suspicious Location (Thank you for reporting this, @mschilt)

Other updates include the following:

• Minor Readme updates
• Added Missing risk scores
• Update links to spec files

CI updates include the following:

• Migrate CI from CircleCI to GitHub Actions
• Reduce External Tool Dependencies
• Increase Transparency and Portability of CI Pipeline
• Prepare for future CI changes