Releases: splunk/security_content

v4.7.0

25 Jul 20:40
b133cf8

New Analytics

  • Citrix ADC Exploitation CVE-2023-3519
  • Windows Modify Registry EnableLinkedConnections
  • Windows Modify Registry LongPathsEnabled
  • Windows Modify Registry Risk Behavior
  • Windows Post Exploitation Risk Behavior
  • Windows Common Abused Cmd Shell Risk Behavior

Updated Analytics

  • O365 Add App Role Assignment Grant User
  • MSHTML Module Load in Office Product
  • Office Document Spawned Child Process To Download
  • Office Product Spawn CMD Process
  • Office Product Spawning BITSAdmin
  • Office Product Spawning CertUtil
  • Office Product Spawning MSHTA
  • Office Product Spawning Rundll32 with no DLL
  • Office Product Spawning Windows Script Host

New Analytic Story

Other Updates

  • Tagged several detection analytics to BlackByte Ransomware
  • Removed unused fields from detections.json for SSE API
  • Improved validation script for the csv lookup and yaml files

v4.6.0

27 Jun 23:32
febc045

New Analytics

  • Windows PowerShell ScheduleTask
  • Windows Files and Dirs Access Rights Modification Via Icacls

Updated Analytics

  • ICACLS Grant Command
  • Registry Keys Used For Persistence
  • PowerShell 4104 Hunting
  • Detect Baron Samedit CVE-2021-3156 Segfault
  • Detect Baron Samedit CVE-2021-3156
  • Windows System Shutdown CommandLine
  • VMWare Aria Operations Exploit Attempt

New Analytic Story

  • Scheduled Tasks
  • Amadey
  • Graceful Wipe Out Attack
  • VMware Aria Operations vRealize CVE-2023-20887

Other Updates

  • Improved the descriptions of several detections and tagged them with the appropriate Mitre IDs and Analytic Stories
  • Added filter macros to the macros.json file served via the API
  • Added content_changer functionality to security content

New Playbooks

  • URL Outbound Traffic Filtering Dispatch
  • Panorama Outbound Traffic Filtering
  • Splunk Message Identifier Activity Analysis
  • G Suite for GMail Message Identifier Activity Analysis
  • ZScaler Outbound Traffic Filtering

v4.5.1

22 Jun 18:59
f55a8b4

Updated BA Analytics

  • Fixed a logic bug in Windows Powershell Connect to Internet With Hidden Window

v4.5.0

13 Jun 18:48
0451c2d

New Analytics

  • ASL AWS Concurrent Sessions From Different IPs
  • ASL AWS CreateAccessKey
  • ASL AWS Defense Evasion Delete Cloudtrail
  • ASL AWS Defense Evasion Delete CloudWatch Log Group
  • ASL AWS Defense Evasion Impair Security Services
  • ASL AWS Excessive Security Scanning
  • ASL AWS IAM Delete Policy
  • ASL AWS Multi-Factor Authentication Disabled
  • ASL AWS New MFA Method Registered For User
  • ASL AWS Password Policy Changes
  • Detect DNS Data Exfiltration using pretrained model in DSDL
  • Detect RTLO In File Name (Thank you @nterl0k)
  • Detect RTLO In Process (Thank you @nterl0k)
  • Detect Webshell Exploit Behavior (Thank you @nterl0k)
  • Windows MOVEit Transfer Writing ASPX

New Analytic Story

  • MOVEit Transfer Critical Vulnerability

Other Updates

  • Added support for Apple Silicon for detection testing
  • Updated several detections that use |outputlookup so that they write to a KVStore instead of a CSV

v4.4.1

01 Jun 23:53
ff21af7

Removed a BA detection: Windows PowerView AD Access Control List Enumeration

v4.4.0

01 Jun 18:43
859b1e8

New Analytics

  • Splunk DOS Via Dump SPL Command
  • Splunk Edit User Privilege Escalation
  • Splunk HTTP Response Splitting Via Rest SPL Command
  • Splunk Low Privilege User Can View Hashed Splunk Password
  • Splunk Path Traversal in the Splunk App for Lookup File Editing
  • Splunk Persistent XSS Via URL Validation Bypass W Dashboard
  • Splunk RBAC Bypass On Indexing Preview REST Endpoint

Updated Analytic Story

  • Splunk Vulnerabilities

v4.3.0

30 May 18:15
00d0915

New Analytic Story

  • Volt Typhoon

New Analytics

  • Network Share Discovery Via Dir Command
  • Active Directory Privilege Escalation Identified
  • Windows Ldifde Directory Object Behavior
  • Windows Proxy Via Netsh
  • Windows Proxy Via Registry

Updated Analytics

  • CHCP Command Execution

New BA Analytics

  • Windows PowerSploit GPP Discovery
  • Windows Findstr GPP Discovery
  • Windows File Share Discovery With Powerview
  • Windows Default Group Policy Object Modified with GPME
  • Windows PowerView AD Access Control List Enumeration

Updated BA Analytics

  • Detect Prohibited Applications Spawning cmd exe

Other Updates

  • Updated several detections with Atomic GUIDs
  • Tagged several existing detections with Volt Typhoon

v4.2.0

16 May 19:50
d3bc844

New Analytic Story

  • Azure Active Directory Privilege Escalation
  • PaperCut MF NG Vulnerability
  • Snake Malware
  • Windows BootKits

Updated Analytic Story

  • Data Exfiltration
  • Suspicious AWS S3 Activities

New Analytics

  • AWS AMI Attribute Modification for Exfiltration
  • AWS Disable Bucket Versioning
  • AWS EC2 Snapshot Shared Externally
  • AWS Exfiltration via Anomalous GetObject API Activity
  • AWS Exfiltration via Batch Service
  • AWS Exfiltration via Bucket Replication
  • AWS Exfiltration via DataSync Task
  • AWS Exfiltration via EC2 Snapshot
  • AWS S3 Exfiltration Behavior Identified
  • Azure AD Application Administrator Role Assigned
  • Azure AD Global Administrator Role Assigned
  • Azure AD PIM Role Assigned
  • Azure AD PIM Role Assignment Activated
  • Azure AD Privileged Authentication Administrator Role Assigned
  • Azure AD Privileged Role Assigned to Service Principal
  • Azure AD Service Principal Owner Added
  • PaperCut Remote Web Access Attempt
  • PaperCut Suspicious Behavior Debug Log
  • Windows PaperCut Spawn Shell
  • Windows Registry Bootexecute Modification
  • Windows Snake Malware File Modification Crmlog
  • Windows Snake Malware Kernel Driver Comadmin
  • Windows Snake Malware Registry Modification wav OpenWithProgIds
  • Windows Snake Malware Service Create
  • Windows Winlogon with Public Network Connection

Other Updates

  • Updated the following detection analytics to remove the join command, which improves search performance:
    - Active Setup Registry Autostart
    - Add DefaultUser And Password In Registry
    - Allow Inbound Traffic By Firewall Rule Registry
    - Allow Operation with Consent Admin
    - Auto Admin Logon Registry Entry
    - Disable AMSI Through Registry
    - Disable Defender AntiVirus Registry
    - Disable Defender BlockAtFirstSeen Feature
    - Disable Defender MpEngine Registry
    - Disable Defender Spynet Reporting
    - Disable Defender Submit Samples Consent Feature
    - Disable ETW Through Registry
    - Disable Registry Tool
    - Disable Security Logs Using MiniNt Registry
    - Disable Show Hidden Files
    - Disable UAC Remote Restriction
    - Disable Windows App Hotkeys
    - Disable Windows Behavior Monitoring
    - Disable Windows SmartScreen Protection
    - Disabling CMD Application
    - Disabling ControlPanel
    - Disabling FolderOptions Windows Feature
    - Disabling NoRun Windows App
    - Disabling SystemRestore In Registry
    - Disabling Task Manager
    - Enable RDP In Other Port Number
    - Enable WDigest UseLogonCredential Registry
    - ETW Registry Disabled
    - Hide User Account From Sign-In Screen
    - Linux Account Manipulation Of SSH Config and Keys
    - Linux Deletion Of Cron Jobs
    - Linux Deletion Of Init Daemon Script
    - Linux Deletion Of Services
    - Linux Deletion of SSL Certificate
    - Linux High Frequency Of File Deletion In Boot Folder
    - Linux High Frequency Of File Deletion In Etc Folder
    - Monitor Registry Keys for Print Monitors
    - Registry Keys for Creating SHIM Databases
    - Registry Keys Used For Privilege Escalation
    - Time Provider Persistence Registry
    - Windows Defender Exclusion Registry Entry
    - Windows Disable Change Password Through Registry
    - Windows Disable Lock Workstation Feature Through Registry
    - Windows Disable LogOff Button Through Registry
    - Windows Disable Memory Crash Dump
    - Windows Disable Notification Center
    - Windows Disable Shutdown Button Through Registry
    - Windows Disable Windows Group Policy Features Through Registry
    - Windows Hide Notification Features Through Registry
    - Windows Modify Show Compress Color And Info Tip Registry
    - Windows Registry Certificate Added
    - Windows Registry Modification for Safe Mode Persistence
    - Windows Service Creation Using Registry Entry
  • Improved BA detections and the conversion tool, and added OCSF fields

v4.1.0

02 May 22:20
c80c0ae

New Analytic Story

  • Active Directory Privilege Escalation
  • RedLine Stealer

New Analytics

  • Active Directory Lateral Movement Identified
  • Impacket Lateral Movement smbexec CommandLine Parameters
  • Impacket Lateral Movement WMIExec CommandLine Parameters
  • Steal or Forge Authentication Certificates Behavior Identified
  • Windows Administrative Shares Accessed On Multiple Hosts
  • Windows Admon Default Group Policy Object Modified
  • Windows Admon Group Policy Object Created
  • Windows Credentials from Password Stores Chrome Extension Access
  • Windows Credentials from Password Stores Chrome LocalState Access
  • Windows Credentials from Password Stores Chrome Login Data Access
  • Windows Default Group Policy Object Modified
  • Windows Default Group Policy Object Modified with GPME
  • Windows DnsAdmins New Member Added
  • Windows File Share Discovery With Powerview
  • Windows Findstr GPP Discovery
  • Windows Group Policy Object Created
  • Windows Large Number of Computer Service Tickets Requested
  • Windows Local Administrator Credential Stuffing
  • Windows Modify Registry Auto Minor Updates
  • Windows Modify Registry Auto Update Notif
  • Windows Modify Registry Disable WinDefender Notifications
  • Windows Modify Registry Do Not Connect To Win Update
  • Windows Modify Registry No Auto Reboot With Logon User
  • Windows Modify Registry No Auto Update
  • Windows Modify Registry Tamper Protection
  • Windows Modify Registry UpdateServiceUrlAlternate
  • Windows Modify Registry USeWuServer
  • Windows Modify Registry WuServer
  • Windows Modify Registry wuStatusServer
  • Windows PowerSploit GPP Discovery
  • Windows PowerView AD Access Control List Enumeration
  • Windows Query Registry Browser List Application
  • Windows Query Registry UnInstall Program List
  • Windows Rapid Authentication On Multiple Hosts
  • Windows Service Stop Win Updates
  • Windows Special Privileged Logon On Multiple Hosts

Other Updates

  • Added a new job for smoke testing experimental and deprecated detections
  • Several detections and YAML metadata fixed by @nterl0k and @TheLawsOfChaos
  • Deprecated the detection Detect Mimikatz Using Loaded Images

v4.0.1

20 Apr 20:06
9231773

This is not a full release of ESCU. It is a patch release addressing one issue in the SSA_Content-v4.0.0.tar.gz and previous SSA_Content packages. The rest of this release is identical to v4.0.0.