Releases: splunk/security_content

v4.5.1

22 Jun 18:59
f55a8b4

Updated BA Analytics

  • Logical bug fix in Windows Powershell Connect to Internet With Hidden Window

v4.5.0

13 Jun 18:48
0451c2d

New Analytics

  • ASL AWS Concurrent Sessions From Different IPs
  • ASL AWS CreateAccessKey
  • ASL AWS Defense Evasion Delete Cloudtrail
  • ASL AWS Defense Evasion Delete CloudWatch Log Group
  • ASL AWS Defense Evasion Impair Security Services
  • ASL AWS Excessive Security Scanning
  • ASL AWS IAM Delete Policy
  • ASL AWS Multi-Factor Authentication Disabled
  • ASL AWS New MFA Method Registered For User
  • ASL AWS Password Policy Changes
  • Detect DNS Data Exfiltration using pretrained model in DSDL
  • Detect RTLO In File Name (Thank you @nterl0k)
  • Detect RTLO In Process (Thank you @nterl0k)
  • Detect Webshell Exploit Behavior (Thank you @nterl0k)
  • Windows MOVEit Transfer Writing ASPX

New Analytic Story

  • MOVEit Transfer Critical Vulnerability

Other Updates

  • Added support for Apple Silicon for detection testing
  • Updated several detections that use |outputlookup so that they write to a KVStore instead of a CSV

v4.4.1

01 Jun 23:53
ff21af7

Removed a BA detection: Windows PowerView AD Access Control List Enumeration

v4.4.0

01 Jun 18:43
859b1e8

New Analytics

  • Splunk DOS Via Dump SPL Command
  • Splunk Edit User Privilege Escalation
  • Splunk HTTP Response Splitting Via Rest SPL Command
  • Splunk Low Privilege User Can View Hashed Splunk Password
  • Splunk Path Traversal in the Splunk App for Lookup File Editing
  • Splunk Persistent XSS Via URL Validation Bypass W Dashboard
  • Splunk RBAC Bypass On Indexing Preview REST Endpoint

Updated Analytic Story

  • Splunk Vulnerabilities

v4.3.0

30 May 18:15
00d0915

New Analytic Story

  • Volt Typhoon

New Analytics

  • Network Share Discovery Via Dir Command
  • Active Directory Privilege Escalation Identified
  • Windows Ldifde Directory Object Behavior
  • Windows Proxy Via Netsh
  • Windows Proxy Via Registry

Updated Analytics

  • CHCP Command Execution

New BA Analytics

  • Windows PowerSploit GPP Discovery
  • Windows Findstr GPP Discovery
  • Windows File Share Discovery With Powerview
  • Windows Default Group Policy Object Modified with GPME
  • Windows PowerView AD Access Control List Enumeration

Updated BA Analytics

  • Detect Prohibited Applications Spawning cmd exe

Other Updates

  • Updated several detections with Atomic GUIDs
  • Tagged several existing detections with Volt Typhoon

v4.2.0

16 May 19:50
d3bc844

New Analytic Story

  • Azure Active Directory Privilege Escalation
  • PaperCut MF NG Vulnerability
  • Snake Malware
  • Windows BootKits

Updated Analytic Story

  • Data Exfiltration
  • Suspicious AWS S3 Activities

New Analytics

  • AWS AMI Attribute Modification for Exfiltration
  • AWS Disable Bucket Versioning
  • AWS EC2 Snapshot Shared Externally
  • AWS Exfiltration via Anomalous GetObject API Activity
  • AWS Exfiltration via Batch Service
  • AWS Exfiltration via Bucket Replication
  • AWS Exfiltration via DataSync Task
  • AWS Exfiltration via EC2 Snapshot
  • AWS S3 Exfiltration Behavior Identified
  • Azure AD Application Administrator Role Assigned
  • Azure AD Global Administrator Role Assigned
  • Azure AD PIM Role Assigned
  • Azure AD PIM Role Assignment Activated
  • Azure AD Privileged Authentication Administrator Role Assigned
  • Azure AD Privileged Role Assigned to Service Principal
  • Azure AD Service Principal Owner Added
  • PaperCut Remote Web Access Attempt
  • PaperCut Suspicious Behavior Debug Log
  • Windows PaperCut Spawn Shell
  • Windows Registry Bootexecute Modification
  • Windows Snake Malware File Modification Crmlog
  • Windows Snake Malware Kernel Driver Comadmin
  • Windows Snake Malware Registry Modification wav OpenWithProgIds
  • Windows Snake Malware Service Create
  • Windows Winlogon with Public Network Connection

Other Updates

  • Updated several detection analytics to stop using the join command, improving search performance:
    - Active Setup Registry Autostart
    - Add DefaultUser And Password In Registry
    - Allow Inbound Traffic By Firewall Rule Registry
    - Allow Operation with Consent Admin
    - Auto Admin Logon Registry Entry
    - Disable AMSI Through Registry
    - Disable Defender AntiVirus Registry
    - Disable Defender BlockAtFirstSeen Feature
    - Disable Defender MpEngine Registry
    - Disable Defender Spynet Reporting
    - Disable Defender Submit Samples Consent Feature
    - Disable ETW Through Registry
    - Disable Registry Tool
    - Disable Security Logs Using MiniNt Registry
    - Disable Show Hidden Files
    - Disable UAC Remote Restriction
    - Disable Windows App Hotkeys
    - Disable Windows Behavior Monitoring
    - Disable Windows SmartScreen Protection
    - Disabling CMD Application
    - Disabling ControlPanel
    - Disabling FolderOptions Windows Feature
    - Disabling NoRun Windows App
    - Disabling SystemRestore In Registry
    - Disabling Task Manager
    - Enable RDP In Other Port Number
    - Enable WDigest UseLogonCredential Registry
    - ETW Registry Disabled
    - Hide User Account From Sign-In Screen
    - Linux Account Manipulation Of SSH Config and Keys
    - Linux Deletion Of Cron Jobs
    - Linux Deletion Of Init Daemon Script
    - Linux Deletion Of Services
    - Linux Deletion of SSL Certificate
    - Linux High Frequency Of File Deletion In Boot Folder
    - Linux High Frequency Of File Deletion In Etc Folder
    - Monitor Registry Keys for Print Monitors
    - Registry Keys for Creating SHIM Databases
    - Registry Keys Used For Privilege Escalation
    - Time Provider Persistence Registry
    - Windows Defender Exclusion Registry Entry
    - Windows Disable Change Password Through Registry
    - Windows Disable Lock Workstation Feature Through Registry
    - Windows Disable LogOff Button Through Registry
    - Windows Disable Memory Crash Dump
    - Windows Disable Notification Center
    - Windows Disable Shutdown Button Through Registry
    - Windows Disable Windows Group Policy Features Through Registry
    - Windows Hide Notification Features Through Registry
    - Windows Modify Show Compress Color And Info Tip Registry
    - Windows Registry Certificate Added
    - Windows Registry Modification for Safe Mode Persistence
    - Windows Service Creation Using Registry Entry
  • Added improvements to BA detections and the conversion tool, and added OCSF fields

v4.1.0

02 May 22:20
c80c0ae

New Analytic Story

  • Active Directory Privilege Escalation
  • RedLine Stealer

New Analytics

  • Active Directory Lateral Movement Identified
  • Impacket Lateral Movement smbexec CommandLine Parameters
  • Impacket Lateral Movement WMIExec CommandLine Parameters
  • Steal or Forge Authentication Certificates Behavior Identified
  • Windows Administrative Shares Accessed On Multiple Hosts
  • Windows Admon Default Group Policy Object Modified
  • Windows Admon Group Policy Object Created
  • Windows Credentials from Password Stores Chrome Extension Access
  • Windows Credentials from Password Stores Chrome LocalState Access
  • Windows Credentials from Password Stores Chrome Login Data Access
  • Windows Default Group Policy Object Modified
  • Windows Default Group Policy Object Modified with GPME
  • Windows DnsAdmins New Member Added
  • Windows File Share Discovery With Powerview
  • Windows Findstr GPP Discovery
  • Windows Group Policy Object Created
  • Windows Large Number of Computer Service Tickets Requested
  • Windows Local Administrator Credential Stuffing
  • Windows Modify Registry Auto Minor Updates
  • Windows Modify Registry Auto Update Notif
  • Windows Modify Registry Disable WinDefender Notifications
  • Windows Modify Registry Do Not Connect To Win Update
  • Windows Modify Registry No Auto Reboot With Logon User
  • Windows Modify Registry No Auto Update
  • Windows Modify Registry Tamper Protection
  • Windows Modify Registry UpdateServiceUrlAlternate
  • Windows Modify Registry USeWuServer
  • Windows Modify Registry WuServer
  • Windows Modify Registry wuStatusServer
  • Windows PowerSploit GPP Discovery
  • Windows PowerView AD Access Control List Enumeration
  • Windows Query Registry Browser List Application
  • Windows Query Registry UnInstall Program List
  • Windows Rapid Authentication On Multiple Hosts
  • Windows Service Stop Win Updates
  • Windows Special Privileged Logon On Multiple Hosts

Other Updates

  • Added a new job for smoke testing experimental and deprecated detections
  • Several detections and their YAML metadata fixed by @nterl0k and @TheLawsOfChaos
  • Deprecated the detection Detect Mimikatz Using Loaded Images

v4.0.1

20 Apr 20:06
9231773

This is not a full release of ESCU. It is a patch release addressing one issue in the SSA_Content-v4.0.0.tar.gz and previous SSA_Content packages. The rest of this release is identical to v4.0.0.

v4.0.0

18 Apr 21:53
e2c6c24

ESCU v4.0.0

This major version change to 4.0 includes improvements to the Sigma to Search Processing Language (SPL) converter, including backend changes to testing and content generation.

NOTE: There is no impact to the ESCU application; only our behind-the-scenes tooling got an upgrade!

New Analytic Story

  • Winter Vivern
  • Sandworm Tools
  • BlackLotus Campaign

New Analytics

  • Windows Exfiltration Over C2 Via Invoke RestMethod
  • Windows Exfiltration Over C2 Via Powershell UploadString
  • Windows Scheduled Task Created Via XML
  • Windows Screen Capture Via Powershell
  • Windows DNS Gather Network Info
  • Windows Impair Defenses Disable HVCI
  • Windows BootLoader Inventory
  • Windows RDP Connection Successful

Other Updates

  • Tagged several detections with Data Destruction
  • Fixed a number of deprecated and experimental searches that had runtime syntactic/parsing/execution errors.

v3.64.0

04 Apr 19:42
962eec4

Updated Analytic Story

  • 3CX Supply Chain Attack

New Analytics

  • PowerShell Invoke-WmiExec Usage
  • PowerShell Invoke CIMMethod CIMSession
  • PowerShell Enable PowerShell Remoting
  • PowerShell Start or Stop Service
  • Windows PowerShell Get-CIMInstance Remote Computer
  • Windows Enable Win32_ScheduledJob via Registry
  • Windows PowerShell WMI Win32_ScheduledJob
  • Windows Service Create with Tscon
  • Windows Lateral Tool Transfer RemCom
  • Windows Service Create RemComSvc

Other Updates

  • Updated 3CX-related analytics with the CVE ID (CVE-2023-29059)
  • Updated git actions with appropriate permissions