v3.22.0
New Analytic Story
- XMRig
New Detections
- Services Escalate Exe
- WinRM Spawning a Process (Thank you Drew Church)
- Deleting Of Net Users
- Disable Windows App Hotkeys
- Disabling Net User Account
- Download Files Using Telegram
- Enumerate Users Local Group Using Telegram
- Excessive Attempt To Disable Services
- Excessive Service Stop Attempt
- Excessive Usage Of Cacls App
- Excessive Usage Of Net App
- Excessive Usage Of Taskkill
- Executables Or Script Creation In Suspicious Path
- Hide User Account From Sign-In Screen
- Icacls Deny Command
- ICACLS Grant Command
- Modify ACL permission To Files Or Folder
- Process Kill Base On File Path
- Schtasks Run Task On Demand
- Suspicious Driver Loaded Path
- Suspicious Process File Path
- XMRIG Driver Loaded
Updated Analytic Stories
- Data Exfiltration
NOTE:
This ESCU release includes an updated version of the "Content Library" dashboard; you can explore the Analytic Stories via the ES Use Case Library or Splunk Security Essentials.
- Removes all JavaScript code from the app
- Updates UI elements to not use JS libraries and eliminates the Analytic Story details view
- Hot-links users to the ES Use Case Library for drill-down.