What's new

Enterprise Security Content Updates v3.36.0 was released on March 16, 2022. It includes the following enhancements.

New analytic story

• Hermetic Wiper
• Living Off The Land
• Data Destruction
• Network Discovery
• Active Directory Kerberos Attacks

New analytics

• Windows Modify Show Compress Color And Info Tip Registry
• AWS Lambda UpdateFunctionCode
• Windows Disable Memory Crash Dump
• Windows File Without Extension In Critical Folder
• Windows Raw Access To Disk Volume Partition
• Windows Event For Service Disabled
• Windows Excessive Disabled Services Event
• Windows Process With NamedPipe CommandLine
• Windows Raw Access To Master Boot Record Drive
• Windows Service Creation Using Registry Entry
• Windows WMI Process Call Create
• Windows Diskshadow Proxy Execution
• Linux DD File Overwrite
• Linux System Network Discovery
• Kerberoasting spn request with RC4 encryption
• Mimikatz PassTheTicket CommandLine Parameters
• Rubeus Command Line Parameters
• Rubeus Kerberos Ticket Exports Through Winlogon Access
• Unusual Number of Kerberos Service Tickets Requested
• Disabled Kerberos Pre-Authentication Discovery With PowerView
• Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
• Kerberos Pre-Authentication Flag Disabled in UserAccountControl
• Kerberos Pre-Authentication Flag Disabled with PowerShell

Updated analytics

• Excessive number of distinct processes created in Windows Temp folder
• O365 Excessive Authentication Failures Alert (thanks to @schwedenmut)
• Excessive number of distinct processes created in Windows Temp folder (Issue #1526)
• Scheduled Task Deleted Or Created via
• Windows High File Deletion Frequency
• Linux At Application Execution

Other updates

• Updated lookups/ransomware_extensions.csv
• Updated functions in several playbooks and added a new type field in the ymls
• Updated detection testing CI job to report failure when the testing fails
• Updated the Application Baseline that we use for CI/CD in Github Actions for detection-testing