MITRE ATT&CK Analyzer changelog

This page tracks the updates and changes to AIR's MITRE ATT&CK Analyzer.

5.4.0 (10/06/24)

YARA

  • Added detection for exploitation attempt indicators of a critical argument injection vulnerability in PHP (CVE-2024-4577).

  • Added detection for BitRAT backdoor.

  • Added detection for OrcusRAT backdoor.

  • Added detection for LightSpy malware targeting macOS.

  • Improved identification of path traversal indicators in server logs that suggest exploitation attempts.

  • Improved detection of .NET obfuscated/protected binaries.

5.3.1 (31/05/24)

YARA

  • Updated list of path traversal attacks.

5.3.0 (31/05/24)

YARA

  • Added detection for CrimsonRAT. (S0115)

  • Improved detection of IcedID trojan. (S0483)

  • Improved detection of ISO archives with hidden scripts and signs of DLL Side-loading technique. (T1574.002)

  • Added detection for Mythic C2 framework agent.

Dynamo/osquery

  • Added identification of possible ARP poisoning/spoofing.

5.2.0 (22/05/24)

YARA

  • Added detection for DiceLoader trojan attributed to FIN7. (G0046)

  • Added detection for Ebury botnet. (S0377)

  • Added detection for Latrodectus trojan. (T1218.011, T1055, T1053.005, T1070.004, T1059.003)

  • Added detection for macOS Cuckoo and Atomic stealer. (T1059.002, T1555)

  • Enhanced detection for Reflective Code Loading technique. (T1620)

  • Enhanced detection of PowerShell-based loaders. (T1059.001)

  • Added detection for Kinsing miner. (S0599)

  • Improved identification of vulnerable and malicious drivers used for privilege escalation. (T1068)

  • Various other fixes and improvements.

Dynamo

  • Enhanced detection of network discovery and PowerShell commands in forensic evidence.

5.1.2 (17/05/24)

YARA

  • Improved detection of Metasploit framework.

  • Added detection of masqueraded Lua-based samples. (T1036.008)

  • Added detection for GooseEgg hack tool used for privilege escalation and credential access attributed to APT28. (G0007)

5.1.1 (17/05/24)

YARA

  • Added detection for Rawdoor, a backdoor attributed to the Chinese APT31 group. (G0128)

  • Added detection for CR4T backdoor discovered in campaign targeting government entities in the Middle East.

  • Improved detection of Pupy, an open-source, cross-platform C2 and post-exploitation framework routinely used by various threat actors.

  • Improved detection of Linux-based webshells. (T1505.003)

  • Improved detection of ZIP archives with indicators of DLL sideloading technique. (T1574.002, T1566)

5.1.0 (18/04/24)

YARA

  • Added detection for Kapeka backdoor attributed to Sandworm APT44 group. (G0034)

  • Improved/added detection of various malware such as DarkGate, Nitrogen, FatalRAT, WikiLoader.

  • Added detection for IOCs related to GlobalProtect CVE-2024-3400.

  • Improved detection of Python-based loaders. (T1059.006)

  • Improved detection of various shellcode implants e.g. Metasploit-based. (T1620)

  • Added detection for IOCs masqueraded as certificates. (T1036.008, T1027)

  • Improved detection of obfuscated JavaScript-based droppers, suspicious base64-encoded IOCs, and PowerShell-based loaders. (T1620, T1059.001, T1059.007, T1027)

  • And many other smaller improvements.

5.0.2 (18/04/24)

Sigma

  • PowerShell detection update.

5.0.1 (11/04/24)

YARA

  • Vidar stealer FP fix.

5.0.0 (09/04/24)

YARA

  • Added detection for Linux local privilege escalation exploit for CVE-2024-1086.

  • Added detection for IOCs related to various APT groups, including APT28, APT29, APT33, and APT42. (G1006, G0007, G0016, G0064, G0059)

  • Added detection for Dark Crystal (a.k.a. DCRat).

  • Added detection for Sharpire post-exploitation agent. (S0363)

  • Enhanced detection of obfuscated Golang-based binaries. (T1027)

  • Enhanced detection of Nim-based binaries.

  • Enhanced detection of RMM tools and software. (T1219)

  • Enhanced identification of misplaced binaries often used for DLL Side-loading. (T1574.002)

  • Enhanced identification of potentially misplaced script-based samples often used for masquerading purposes. (T1036.005)

  • Enhanced identification of samples abusing double extension to trick users into executing malicious files. (T1036.007)

Dynamo

  • Enhanced detection of various hacker commands found in areas such as PowerShell commands, console, and console history.

  • Vastly improved detection of RMM software commonly abused by malicious actors. (T1219)

4.3.1 (01/04/24)

YARA

  • Added detection for backdoored binaries and indicators of compromise found in XZ Utils 5.6.0 and 5.6.1. (CVE-2024-3094)

4.3.0 (22/03/24)

YARA

  • Added detection for Xdealer malware attributed to the China-nexus threat actor tracked as Earth Lusca. (G1006)

  • Added detection for custom malware dubbed DinodasRAT targeting government organizations. (G1006)

  • Added detection for binaries signed by D2innovation certificate attributed to Kimsuky APT group. (G0094)

  • Added detection for Lumma information stealer (aka LummaC2 Stealer). (T1082, T1622, T1140, T1562, T1119, T1005, T1071, T1020)

  • Added detection for Meduza info stealer. (T1614, T1082, T1113, T1552, T1571)

  • Added detection for indicators found in compiled ASPX Web Shell DLLs. (T1505.003)

  • Enhanced detection of samples having a suspicious keyword in their PDB path (e.g. Trojan, Shellcode). (TA0005)

  • Enhanced detection of Remote Access Software Tools commonly used in ransomware attacks. (T1219)

  • Enhanced detection of misplaced files masqueraded as legitimate Windows binaries. (T1036.005)

  • Enhanced detection of malicious samples and scripts obfuscated with XOR, AES and custom encoding. (T1027)

  • Enhanced detection of samples abusing double extension in order to hide true file type. (T1036.007)

  • Enhanced detection of LNK files executing suspicious PowerShell commands. (T1059.001, T1204.002)

  • Enhanced detection of older exploits such as Zerologon, BlueKeep and more. (T1021, T1068)

  • Various other rules, fixes and performance improvements.

Dynamo

  • Updated Hacker Tool list with new keywords for hunting in forensic artifacts such as Applications, Cronjobs, Downloads, MFT, Prefetch, Processes, Registry, Scheduled Tasks, Services, ShellBags, Shell History, and Shimcache. (T1588.002)

  • Updated detections of Remote Management Software Website domains in DNS Cache, indicating potentially unwanted usage of remote access software. (T1219)

4.2.3 (05/03/24)

YARA

  • Added detection for indicators of compromise indicating exploitation attempts of two recent JetBrains TeamCity authentication bypass vulnerabilities. (CVE-2024-27198 and CVE-2024-27199)

  • Added detection for the Linux variant of Bifrost (aka Bifrose). Bifrost is a remote access Trojan (RAT) that allows an attacker to gather sensitive information, like hostname and IP address. (T1219)

  • Added detection for Xeno RAT, a feature-rich remote access trojan freely available on GitHub. (T1059.003, T1053.005, T1622, T1497, T1055, T1071.00)

  • Added detection for suspicious unsigned executables protected with Obsidium protector. (T1027.002)

  • Added detection for FudModule rootkit exploiting CVE-2024-21338 kernel elevation of privilege vulnerability. (T1068)

  • Enhanced detection of files found outside their default location, a common way of hiding malicious files under the name of a legitimate Windows component. (T1036.005)

  • Enhanced detection of CobaltStrike beacons. (S0154)

4.2.2 (27/02/24)

YARA

  • Added detection for indicators of compromise indicating exploitation attempts of two recent vulnerabilities in ConnectWise ScreenConnect. (CVE-2024-1709 and CVE-2024-1708)

4.2.1 (24/02/24)

YARA

  • Restored %WINDIR%\Temp to depth 2 recursion for now.

4.2.0 (23/02/24)

YARA

  • Restored memory scan [INTERNAL USAGE detail]

  • Added detection for latest TinyTurla IOCs (G0010)

  • Improved detection of Linux shell scripts commonly used in attacks, for example log removal, public DNS insertion, root SSH key manipulation, and other post-exploitation commands.

  • Enhanced detection of various hacktools mentioned in latest malware campaigns.

4.1.0 (20/02/24)

YARA

  • Added detection for emails exploiting Microsoft Outlook CVE-2024-21413 vulnerability.

  • Enhanced detection of Sliver red team framework implant. (S0633)

  • Added detection for IOCs abusing Mockbin service for malicious purposes. (T1090.004, T1102)

  • Added detection for IOCs designed to capture NTLMv2 hashes. (T1187)

  • Enhanced detection of binaries named after legitimate Windows executables for masquerading and defence evasion purposes. (T1036.005)

  • Enhanced detection of IOCs with base64-encoded keywords such as PowerShell, WScript and many more. (T1027)

  • Enhanced detection of ESXi ransomware variants. (TA0040)

  • Enhanced detection for many other IOCs with references to suspicious locations and suspicious commands such as disable UAC, enable RDP, and more. (T1562.001, T1059.001, T1021.001, T1112)

  • Various other fixes and performance improvements.

Dynamo

  • Added detection for Crypto Mining Pool Address in DNS Cache and Browser History. (T1496)

  • Added detection for registry run entries executing PowerShell command to read data stored in Registry. (T1547.001, T1059.001)

  • Added detection for registry run entries executing suspicious PowerShell commands. (T1547.001, T1059.001)

  • Updated list of Widely Abused Top-Level Domains found in DNS Cache. (T1583.001)

  • Updated Hacker Tool list with over 100 new keywords for hunting in forensic artifacts such as Applications, Cronjobs, Downloads, MFT, Prefetch, Processes, Registry, Scheduled Tasks, Services, ShellBags, Shell History, and Shimcache. (T1588.002)

  • Updated detections for hunting Large File Transfer Websites in DNS Cache, which can be used for uploading sensitive/confidential data. (T1567.002)

4.0.1 (05/02/24)

YARA

  • Added detection for C# and dictionary-based webshells.

  • Enhanced detection of JSP webshells.

  • Enhanced detection of directory traversal and XSS injection indicators found in server logs.

  • Enhanced detection of ProxyShell and ProxyNotShell vulnerabilities.

  • Added detection of various Linux exploits.

  • Updated the list of vulnerable and malicious drivers from the LOL Drivers project.

  • Added detection for binaries using potentially compromised AnyDesk certificate.

  • Other minor fixes.

Dynamo

  • Minor FP fixes.

3.5.2 (22/01/24)

YARA

  • Added more detection rules for IOCs observed in the exploitation of Ivanti VPN. (CVE-2023-46805 and CVE-2024-21887)

  • Added detection for IOCs related to Russian threat group COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto) Reference: https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/

3.5.1 (22/01/24)

YARA

  • Added detection for IOCs linked to Iranian and Russian APT groups such as BlueBravo and Siamesekitten. (APT29, G1001)

  • Added detection for IOCs linked to Iranian OilRig APT. (G0049)

  • Improved detection of Lazarus APT-related IOCs. (G0032)

  • Added detection of Outlook CVE-2023-23397 vulnerability exploitation.

  • Improved identification of remote access software. (T1219)

  • Improved detection of PowerShell scripts loading obfuscated content directly into memory. (T1059.001, T1620)

  • Added detection for archives exploiting Barracuda ESG vulnerability CVE-2023-2868.

  • Added detection for implants related to Alchimist attack framework.

  • Added detection of pkexec CVE-2021-4034 vulnerability exploitation.

  • Improved detection of various hacktools used for port scanning, brute force, and privilege escalation.

  • Improved detection of mixed casing keywords often used as a way of obfuscation. (T1027)

  • Improved detection of double file extension masquerading in archives such as ZIP or RAR. (T1036.007)

  • Enhanced detection of indicators of various exploitation attempts including Log4j, SQL Injection, XSS attacks, path traversal attacks, and more. (T1190)

  • Added detection for IOCs found in the exploitation of Ivanti Connect Secure VPN (CVE-2023-46805, CVE-2024-21887) and more.

Dynamo

  • Added detection for scheduled tasks executing Certutil. (T1053.005, S0160)

Other

  • Various FP fixes and performance improvements.
