Splunk® Security Content

Release Notes


This documentation does not apply to the most recent version of Splunk® Security Content. For documentation on the most recent version, go to the latest release.

What's new

Enterprise Security Content Updates v4.2.0 was released on May 16, 2023. It includes the following enhancements.

New analytic story

  • Azure Active Directory Privilege Escalation
  • PaperCut MF/NG Vulnerability
  • Snake Malware
  • Windows BootKits

Updated analytic story

  • Data Exfiltration
  • Suspicious AWS S3 Activities

New analytics

  • AWS AMI Attribute Modification for Exfiltration
  • AWS Disable Bucket Versioning
  • AWS EC2 Snapshot Shared Externally
  • AWS Exfiltration via Anomalous GetObject API Activity
  • AWS Exfiltration via Batch Service
  • AWS Exfiltration via Bucket Replication
  • AWS Exfiltration via DataSync Task
  • AWS Exfiltration via EC2 Snapshot
  • AWS S3 Exfiltration Behavior Identified
  • Azure AD Application Administrator Role Assigned
  • Azure AD Global Administrator Role Assigned
  • Azure AD PIM Role Assigned
  • Azure AD PIM Role Assignment Activated
  • Azure AD Privileged Authentication Administrator Role Assigned
  • Azure AD Privileged Role Assigned to Service Principal
  • Azure AD Service Principal Owner Added
  • PaperCut Remote Web Access Attempt
  • PaperCut Suspicious Behavior Debug Log
  • Windows PaperCutNG Spawn Shell
  • Windows Registry Bootexecute Modification
  • Windows Snake Malware File Modification Crmlog
  • Windows Snake Malware Kernel Driver Comadmin
  • Windows Snake Malware Registry Modification wav OpenWithProgids
  • Windows Snake Malware Service Create
  • Windows Winlogon with Public Network Connection

Other updates

Updated the following detection analytics to remove the join command, improving search performance:

  • Active Setup Registry Autostart
  • Add DefaultUser And Password In Registry
  • Allow Inbound Traffic By Firewall Rule Registry
  • Allow Operation with Consent Admin
  • Auto Admin Logon Registry Entry
  • Disable AMSI Through Registry
  • Disable Defender AntiVirus Registry
  • Disable Defender BlockAtFirstSeen Feature
  • Disable Defender MpEngine Registry
  • Disable Defender Spynet Reporting
  • Disable Defender Submit Samples Consent Feature
  • Disable ETW Through Registry
  • Disable Registry Tool
  • Disable Security Logs Using MiniNt Registry
  • Disable Show Hidden Files
  • Disable UAC Remote Restriction
  • Disable Windows App Hotkeys
  • Disable Windows Behavior Monitoring
  • Disable Windows SmartScreen Protection
  • Disabling CMD Application
  • Disabling ControlPanel
  • Disabling FolderOptions Windows Feature
  • Disabling NoRun Windows App
  • Disabling SystemRestore In Registry
  • Disabling Task Manager
  • Enable RDP In Other Port Number
  • Enable WDigest UseLogonCredential Registry
  • ETW Registry Disabled
  • Hide User Account From Sign-In Screen
  • Linux Account Manipulation Of SSH Config and Keys
  • Linux Deletion Of Cron Jobs
  • Linux Deletion Of Init Daemon Script
  • Linux Deletion Of Services
  • Linux Deletion of SSL Certificate
  • Linux High Frequency Of File Deletion In Boot Folder
  • Linux High Frequency Of File Deletion In Etc Folder
  • Monitor Registry Keys for Print Monitors
  • Registry Keys for Creating SHIM Databases
  • Registry Keys Used For Privilege Escalation
  • Time Provider Persistence Registry
  • Windows Defender Exclusion Registry Entry
  • Windows Disable Change Password Through Registry
  • Windows Disable Lock Workstation Feature Through Registry
  • Windows Disable LogOff Button Through Registry
  • Windows Disable Memory Crash Dump
  • Windows Disable Notification Center
  • Windows Disable Shutdown Button Through Registry
  • Windows Disable Windows Group Policy Features Through Registry
  • Windows Hide Notification Features Through Registry
  • Windows Modify Show Compress Color And Info Tip Registry
  • Windows Registry Certificate Added
  • Windows Registry Modification for Safe Mode Persistence
  • Windows Service Creation Using Registry Entry
Last modified on 31 May, 2023

This documentation applies to the following versions of Splunk® Security Content: 4.2.0
