v4.2.0

github-actions released this 16 May 19:50
· 4492 commits to develop since this release
d3bc844

New Analytic Story

  • Azure Active Directory Privilege Escalation
  • PaperCut MF NG Vulnerability
  • Snake Malware
  • Windows BootKits

Updated Analytic Story

  • Data Exfiltration
  • Suspicious AWS S3 Activities

New Analytics

  • AWS AMI Attribute Modification for Exfiltration
  • AWS Disable Bucket Versioning
  • AWS EC2 Snapshot Shared Externally
  • AWS Exfiltration via Anomalous GetObject API Activity
  • AWS Exfiltration via Batch Service
  • AWS Exfiltration via Bucket Replication
  • AWS Exfiltration via DataSync Task
  • AWS Exfiltration via EC2 Snapshot
  • AWS S3 Exfiltration Behavior Identified
  • Azure AD Application Administrator Role Assigned
  • Azure AD Global Administrator Role Assigned
  • Azure AD PIM Role Assigned
  • Azure AD PIM Role Assignment Activated
  • Azure AD Privileged Authentication Administrator Role Assigned
  • Azure AD Privileged Role Assigned to Service Principal
  • Azure AD Service Principal Owner Added
  • PaperCut Remote Web Access Attempt
  • PaperCut Suspicious Behavior Debug Log
  • Windows PaperCut Spawn Shell
  • Windows Registry Bootexecute Modification
  • Windows Snake Malware File Modification Crmlog
  • Windows Snake Malware Kernel Driver Comadmin
  • Windows Snake Malware Registry Modification wav OpenWithProgIds
  • Windows Snake Malware Service Create
  • Windows Winlogon with Public Network Connection

Other Updates:

  • Updated several detection analytics to no longer use the join command, improving search performance:
    - Active Setup Registry Autostart
    - Add DefaultUser And Password In Registry
    - Allow Inbound Traffic By Firewall Rule Registry
    - Allow Operation with Consent Admin
    - Auto Admin Logon Registry Entry
    - Disable AMSI Through Registry
    - Disable Defender AntiVirus Registry
    - Disable Defender BlockAtFirstSeen Feature
    - Disable Defender MpEngine Registry
    - Disable Defender Spynet Reporting
    - Disable Defender Submit Samples Consent Feature
    - Disable ETW Through Registry
    - Disable Registry Tool
    - Disable Security Logs Using MiniNt Registry
    - Disable Show Hidden Files
    - Disable UAC Remote Restriction
    - Disable Windows App Hotkeys
    - Disable Windows Behavior Monitoring
    - Disable Windows SmartScreen Protection
    - Disabling CMD Application
    - Disabling ControlPanel
    - Disabling FolderOptions Windows Feature
    - Disabling NoRun Windows App
    - Disabling SystemRestore In Registry
    - Disabling Task Manager
    - Enable RDP In Other Port Number
    - Enable WDigest UseLogonCredential Registry
    - ETW Registry Disabled
    - Hide User Account From Sign-In Screen
    - Linux Account Manipulation Of SSH Config and Keys
    - Linux Deletion Of Cron Jobs
    - Linux Deletion Of Init Daemon Script
    - Linux Deletion Of Services
    - Linux Deletion of SSL Certificate
    - Linux High Frequency Of File Deletion In Boot Folder
    - Linux High Frequency Of File Deletion In Etc Folder
    - Monitor Registry Keys for Print Monitors
    - Registry Keys for Creating SHIM Databases
    - Registry Keys Used For Privilege Escalation
    - Time Provider Persistence Registry
    - Windows Defender Exclusion Registry Entry
    - Windows Disable Change Password Through Registry
    - Windows Disable Lock Workstation Feature Through Registry
    - Windows Disable LogOff Button Through Registry
    - Windows Disable Memory Crash Dump
    - Windows Disable Notification Center
    - Windows Disable Shutdown Button Through Registry
    - Windows Disable Windows Group Policy Features Through Registry
    - Windows Hide Notification Features Through Registry
    - Windows Modify Show Compress Color And Info Tip Registry
    - Windows Registry Certificate Added
    - Windows Registry Modification for Safe Mode Persistence
    - Windows Service Creation Using Registry Entry
  • Added improvements for BA detections and the conversion tool, and added OCSF fields