Skip to content

v4.1.0
Compare
Choose a tag to compare
@github-actions github-actions released this 02 May 22:20
· 5131 commits to develop since this release
v4.1.0
c80c0ae
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

New Analytic Story

  • Active Directory Privilege Escalation
  • RedLine Stealer

New Analytics

  • Active Directory Lateral Movement Identified
  • Impacket Lateral Movement smbexec CommandLine Parameters
  • Impacket Lateral Movement WMIExec CommandLine Parameters
  • Steal or Forge Authentication Certificates Behavior Identified
  • Windows Administrative Shares Accessed On Multiple Hosts
  • Windows Admon Default Group Policy Object Modified
  • Windows Admon Group Policy Object Created
  • Windows Credentials from Password Stores Chrome Extension Access
  • Windows Credentials from Password Stores Chrome LocalState Access
  • Windows Credentials from Password Stores Chrome Login Data Access
  • Windows Default Group Policy Object Modified
  • Windows Default Group Policy Object Modified with GPME
  • Windows DnsAdmins New Member Added
  • Windows File Share Discovery With Powerview
  • Windows Findstr GPP Discovery
  • Windows Group Policy Object Created
  • Windows Large Number of Computer Service Tickets Requested
  • Windows Local Administrator Credential Stuffing
  • Windows Modify Registry Auto Minor Updates
  • Windows Modify Registry Auto Update Notif
  • Windows Modify Registry Disable WinDefender Notifications
  • Windows Modify Registry Do Not Connect To Win Update
  • Windows Modify Registry No Auto Reboot With Logon User
  • Windows Modify Registry No Auto Update
  • Windows Modify Registry Tamper Protection
  • Windows Modify Registry UpdateServiceUrlAlternate
  • Windows Modify Registry USeWuServer
  • Windows Modify Registry WuServer
  • Windows Modify Registry wuStatusServer
  • Windows PowerSploit GPP Discovery
  • Windows PowerView AD Access Control List Enumeration
  • Windows Query Registry Browser List Application
  • Windows Query Registry UnInstall Program List
  • Windows Rapid Authentication On Multiple Hosts
  • Windows Service Stop Win Updates
  • Windows Special Privileged Logon On Multiple Hosts

Other Updates:

  • Added a new job for smoke testing experimental and deprecated detections
  • Several detections and yaml metadata fixed by @nterl0k and @TheLawsOfChaos
  • Deprecated detection Detect Mimikatz Using Loaded Images

Contributors

TheLawsOfChaos and nterl0k
Assets 7
Loading