MITRE ATT&CK Analyzer changelog

4.2.1

Yara

  • Restored %WINDIR%\Temp to depth-2 recursion for now.

4.2.0

Yara

  • Restored memory scan [INTERNAL USAGE detail]
  • Added detection for latest TinyTurla IOCs (G0010)
  • Improved detection of Linux shell scripts commonly used in attacks, for example log removal, public DNS insertion, root SSH key manipulation and other post-exploitation commands.
  • Enhanced detection of various hacktools mentioned in latest malware campaigns.

4.1.0

Yara

  • Added detection for emails exploiting Microsoft Outlook CVE-2024-21413 vulnerability.
  • Enhanced detection of Sliver red-team framework implants. (S0633)
  • Added detection for IOCs abusing Mockbin service for malicious purposes. (T1090.004, T1102)
  • Added detection for IOCs designed to capture NTLMv2 hashes. (T1187)
  • Enhanced detection of binaries named after legitimate Windows executables for masquerading and defence evasion purposes. (T1036.005)
  • Enhanced detection of IOCs with base64-encoded keywords such as PowerShell, WScript and many more. (T1027)
  • Enhanced detection of ESXi ransomware variants. (TA0040)
  • Enhanced detection for many other IOCs referencing suspicious locations and suspicious commands, such as disabling UAC or enabling RDP. (T1562.001, T1059.001, T1021.001, T1112)
  • Various other fixes and performance improvements.

Dynamo

  • Added detection for cryptomining pool addresses in DNS Cache and Browser History. (T1496)
  • Added detection for registry run entries executing PowerShell command to read data stored in Registry. (T1547.001, T1059.001)
  • Added detection for registry run entries executing suspicious PowerShell commands. (T1547.001, T1059.001)
  • Updated list of Widely Abused Top-Level Domains found in DNS Cache. (T1583.001)
  • Updated Hacker Tool list with over 100 new keywords for hunting in forensic artifacts such as Applications, Cronjobs, Downloads, MFT, Prefetch, Processes, Registry, Scheduled Tasks, Services, ShellBags, Shell History, and Shimcache. (T1588.002)
  • Updated detections for hunting Large File Transfer Websites in DNS Cache, which can be used for uploading sensitive/confidential data. (T1567.002)

4.0.1

Yara

  • Added detection for C# and dictionary-based webshells.
  • Enhanced detection of JSP webshells.
  • Enhanced detection of directory traversal and XSS injection indicators found in server logs.
  • Enhanced detection of ProxyShell and ProxyNotShell vulnerabilities.
  • Added detection of various Linux exploits.
  • Updated the list of vulnerable and malicious drivers from the LOL Drivers project.
  • Added detection for binaries using a potentially compromised AnyDesk certificate.
  • Other minor fixes.

Dynamo

  • Minor FP fixes.

3.5.2

Yara

  • Added more detection rules for IOCs observed in the exploitation of Ivanti VPN. (CVE-2023-46805 and CVE-2024-21887)
  • Added detection for IOCs related to the Russian threat group COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto). Reference: https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/

3.5.1

Yara

  • Added detection for IOCs linked to Iranian and Russian APT groups such as BlueBravo and Siamesekitten. (APT29, G1001)
  • Added detection for IOCs linked to Iranian OilRig APT. (G0049)
  • Improved detection of Lazarus APT-related IOCs. (G0032)
  • Added detection of Outlook CVE-2023-23397 vulnerability exploitation.
  • Improved identification of remote access software. (T1219)
  • Improved detection of PowerShell scripts loading obfuscated content directly into memory. (T1059.001, T1620)
  • Added detection for archives exploiting Barracuda ESG vulnerability CVE-2023-2868.
  • Added detection for implants related to Alchimist attack framework.
  • Added detection of pkexec CVE-2021-4034 vulnerability exploitation.
  • Improved detection of various hacktools used for port scanning, brute force, and privilege escalation.
  • Improved detection of mixed casing keywords often used as a way of obfuscation. (T1027)
  • Improved detection of double file extension masquerading in archives such as ZIP or RAR. (T1036.007)
  • Enhanced detection of indicators of various exploitation attempts including Log4j, SQL Injection, XSS attacks, path traversal attacks, and more. (T1190)
  • Added detection for IOCs found in the exploitation of Ivanti Connect Secure VPN (CVE-2023-46805, CVE-2024-21887) and more.

Dynamo

  • Added detection for scheduled tasks executing Certutil. (T1053.005, S0160)

Other

  • Various FP fixes and performance improvements.