MITRE ATT&CK Analyzer changelog

9.2.2 (07/05/25)

Yara

• Added detection for Python-based Anubis backdoor used by FIN7, a financially motivated threat group.

• Added detection for QDoor backdoor.

• Added detection for SectopRAT, aka ArechClient2.

• Added detection for Lazarus APT BeaverTail malware and its infostealer component.

• Added detection for a new variant of Stealcstealer.

• Added detection for EarthKurma APT Dunloader backdoor.

Dynamo

• Added identification of risky Windows Registry settings such as enabled RDP, enabled vulnerable SMB, usage of unencrypted WDigest protocol, and more.

9.0.1 (02/04/25)

Yara

• Updated detection of SystemBC multiplatform proxy malware.

• Updated detection of Play ransomware variant and the tools used by this threat actor.

• other small fixes and improvements.

9.0.0 (02/04/25)

Yara

• Added detection for HUI Loader that has been used since at least 2015 by China-based threat groups, including Cinnamon Tempest and menuPass, to deploy malware on compromised hosts. (S1097)

• Added detection for ShadowPad backdoor. ShadowPad is a well-known and privately sold modular backdoor, known to only be supplied to China-aligned APT groups. (S0596)

• Added detection for SodaMaster that has been used by Chinese threat actors to download and execute payloads since at least 2020. (S0627)

• Added detection for SparowDoor backdoor linked to the Chinese FamousSparrow threat actor.

• Added detection for ABYSSWORKER rootkit driver, deployed to target and silence different EDR vendors.

• Enhanced detection of samples using compromised/revoked digital signatures.

• Added detection for various tools used for credentials stealing, brute force, network discovery, and reverse proxy techniques.

• Many other smaller fixes and improvements.

Dynamo

• Enhanced identification of the latest hacker tool names found in forensic evidence that are commonly used in attacks.

8.7.0 - 8.7.1 (05/03/25)

Yara

• Added detection for Winos command and control framework, targeting users in Taiwan in latest campaign.

• Improved detection of ransomware variants targeting the ESXi platform.

• Added detection for Sosano backdoor, targeting organizations with a distinct interest in aviation and satellite communications, along with critical transportation infrastructure.

8.6.3 (03/03/25)

Yara

• Added detection for Sagerunex backdoor attributed to Lotus Blossom APT. (G0030)

8.6.2 (03/03/25)

Yara

• Added detection for Lazarus APT attributed InvisibleFerret and BeaverTail malware variants. (G0032)

• Enchanced detection of malicious samples targetting crypto related browser extensions.

8.6.1 (03/03/25)

Yara

• Improved detection of LightSpy windows variant, developed by Chinese attributed APT41. (G0096)

• Added detection for macOS variant of malware dubbed Rustdoor, possibly linked with notorious Windows ransomware groups.

8.6.0 (26/02/25)

Yara

• Added detection for Gh0stRAT, a remote access trojan that has been used to hack into some of the most sensitive computer networks on Earth. (S0032)

• Added detection for macOS capable ransomware with exfiltration capabilities, masquerading itself as LockBit. (T1486)

• Enhanced detection of vulnerable drivers used for privilege escalation and defense evasion purposes. (T1068)

Dynamo

• Enhanced identification of forensic evidence where PowerShell executed encoded content. (T1027.010)

8.5.1 (12/02/25)

Yara

• Minor fixes.

8.5.0 (11/02/25)

Yara

• Added detection for custom backdoor attributed to Lazarus APT group dubbed Deceptive Development spreading via fake job offers. (G0032)

• Added detection for hack tools used for dumping Veeam credentials stored in MSSQL databases. (T1555)

• Added detection for ValleyRAT backdoor attributed to Silver Fox cybercrime group.

• Other small fixes and improvements.

Dynamo

• Enhanced identification of hack tools found in forensic evidence.

8.4.0 (26/01/25)

Yara

• Minor fixes.

8.3.0 (26/01/25)

Yara

• Minor fixes.

8.2.4 (30/12/24)

Yara

• Added detection for malicious extensions involved in the Cyberhaven compromise and a broader campaign targeting Chrome extensions for credential-stealing purposes.

8.2.0 (26/12/24)

Yara

• FP fixes and verdict improvements.

8.1.0 (26/12/24)

Yara

• Access logs detection improvement. We now tend to show the entire line instead of matching string of interest only.

• Added detection for BrazenBamboo APT.

• FP fixes

Dynamo

• HTML smuggling improvement and FP fixes.

• Improved description of rules.

8.0.2 (04/12/24)

YARA

• Added detection for GHOSTSPIDER backdoor, attributed to the Chinese Earth Estries APT group, primarily targeting critical industries such as telecommunications and government entities

• Added detection for Pygmy Goat, which was discovered on Sophos XG firewall devices, providing backdoor access to the device.

8.0.1 (28/11/24)

YARA

• Added detection for STEALHOOK, an exfiltration tool used by OilRig (APT34) group. (G0049)

• Added detection for tools designed to exploit CVE-2024-30088, a Windows Kernel elevation of privilege vulnerability. (T1068)

8.0.0 (28/11/24)

YARA

• Enhanced identification of Vulnerable and Malicious drivers that are weaponized by threat actors for defense evasion purposes. (T1068)

• Added detection for EDRSandblast hacktool that is designed for bypassing EDR detection. (T1562)

• Enhanced detection of various tools used by threat actors for Credentials Access, Discovery, Lateral Movement, and other TTPs.

7.3.0 (28/11/24)

YARA

• Added detection for Medusa ransomware.

• Added detection for Ymir ransomware.

• Yara rules that scan Access Logs for signs of exploitation attempts are now updated to show the entire line where suspicious activity was detected.

7.3.0 (28/11/24)

YARA

• Added detection for RDP configuration files that include unusual sets of permissions such as access to audio, disks, and clipboard. (T1219)

• Added detection for various hacktools designed to extract passwords from password stores. (T1555)

7.2.0 (28/10/24)

YARA

• Added detection for BianLian ransomware. (T1486)

• Enhanced identification of credential stealers that collect browser data. (T1005)

• Enhanced detection of Cobalt Strike. (S0154)

• Enhanced detection of memory dumpers and scripts designed to extract and decrypt Kerberos tickets. (T1558)

7.1.0 (18/10/24)

YARA

• Added detection for DragonForce ransomware binaries. (T1486)

• Added detection for Angry IP Scanner. (T1018)

7.0.0 (18/10/24)

YARA

• Added detection for Clop and MedusaLocker ransomware binaries observed in September 2024. (TA0040)

• Enhanced detection of Defender Control hack tool often used to disable Microsoft Defender. (T1562.001)

• Added detection for HRSword, which threat actors use for defense evasion. (T1562)

• Multiple minor FP fixes and performance improvements.

6.3.1 (08/08/24)

YARA

• Added detection for Bugsleep backdoor attributed to Iranian MuddyWater threat actor.

6.3.0 (07/08/24)

YARA

• Added detection for Java-based STRRAT and related IOCs.

• Added detection for APT group dubbed StormBamboo/Evasive Panda that compromised an internet service provider (ISP) in order to poison DNS responses for target organizations.

6.2.0 (07/08/24)

YARA

• Andariel/Lazarus IOCs update. (G0138, G0032)

• Added detection for Maui ransomware.

YARA

• Andariel/Lazarus IOCs update. (G0138, G0032)

• Added detection for Maui ransomware.

6.1.1 (07/08/24)

YARA

• Andariel IOCs update. (G0138)

• Improved detection of Metasploit implants for Linux.

6.1.0 (07/08/24)

YARA

• Added detection for IOCs attributed to North Korean Lazarus/Andrariel groups outlined in CISA report. (G0032, G0138)

• Added detection for open-source Lilith RAT. (T1219)

6.0.0 (07/08/24)

YARA

• Improved detection of Shellcode loaders.

• Added detection for SharpSploit post exploitation tool.

• Other minor fixes and improvements.

5.7.0 (17/07/24)

YARA

• Added detection for Pirpi backoor attributed to Chinese APT3 group. (G0022)

• Added detection for IOCs used in latest attacks by APT41 group. (G0096)

• Added detection for URL Shortcuts taking advantage of CVE-2024-38112 vulnerability.

5.6.2 (17/07/24)

Sigma

• Improved detection of PowerShell processes using base64 obfuscation.

5.6.1 (17/07/24)

Dynamo

• Improved detection of CobaltStrike service installation.

5.6.0 (17/07/24)

YARA

• Added detection for known malicious VSCode extensions.

• Improved detection of successful ProxyShell exploitation found in server logs.

• Various quality of life and FP fixes.

5.5.2 (17/07/24)

YARA

• Improved detection of ASPX compiled DLL webshells.

5.5.1 (17/07/24)

YARA

• Added lsass exclusion for memory scanning. (internal only changelog)

5.5.0 (17/07/24)

YARA

• Added detection for malware known as DISGOMOJI taking advantage of emojis for C2 communication.

• Added detection for Durian backdoor attributed to Kimsyky ATP group. (G0094)

• Added detection for BadSpace backdoor.

• Various quality of live and FP fixes.

Dynamo

• Improved detection of Registry Run entries and Scheduled Tasks with base64 encoded powershell keyword.

5.4.0 (10/06/24)

YARA

• Added detection for exploitation attempt indicators of a critical argument injection vulnerability in PHP (CVE-2024-4577).

• Added detection for BitRAT backdoor.

• Added detection for OrcusRAT backdoor.

• Added detection for LightSpy malware targetting macOS.

• Improved identification of path traversal indicators in server logs that suggest exploitation attempts.

• Improved detection of .NET obfuscated/protected binaries.

5.3.1 (31/05/24)

YARA

• Updated list of path traversal attacks.

5.3.0 (31/05/24)

YARA

• Added detection for CrimsonRAT. (S0115)

• Improved detection of IcedID trojan. (S0483)

• Improved detection of ISO archives with hidden scripts and signs of DLL Side-loading technique. (T1574.002)

• Added detection for Mythic C2 framework agent.

Dynamo/osquery

• Added identification of possible ARP poisoning/spoofing.

5.2.0 (22/05/24)

YARA

• Added detection for DiceLoader trojan attributed to FIN7. (G0046)

• Added detection for Ebury botnet. (S0377)

• Added detection for Latrodectus trojan. (T1218.011, T1055, T1053.005, T1070.004, T1059.003)

• Added detection for macOS Cuckoo and Atomic stealer. (T1059.002, T1555)

• Enhanced detection for Relective Code Loading technique. (T1620)

• Enhanced detection of Powershell based loaders. (T1059.001)

• Added detection for Kinsing miner. (S0599)

• Improved identification of vulnerable and malicious drivers used for privilege escalation. (T1068)

• Various other fixes and improvements.

Dynamo

• Enhanced detection of network discovery and powershell commands in forensic evidence.

5.1.2 (17/05/24)

YARA

• Improved detection of Metasploit framework.

• Added detection of masqueraded LUA based samples. (T1036.008)

• Added detection for GooseEgg hack tool used for privilege escalation and credential access attributed to APT28. (G0007)

5.1.1 (17/05/24)

YARA

• Added detection for Rawdoor, a backdoor attributed to Chinese APT31 group. (G0128)

• Added detection for CR4T backdoor discovered in campaign targeting government entities in the Middle East.

• Improved detection of Pupy opensource, cross-platform C2 and post-exploitation framework constantly being used by various threat actors.

• Improved detection of Linux-based webshells. (T1505.003)

• Improved detection or ZIP archives with indicators of DLL sideloading technique. (T1574.002, T1566)

5.1.0 (18/04/24)

YARA

• Added detection for Kapeka backdoor attributed to Sandworm APT44 group. (G0034)

• Improved/added detection of various malware such as DarkGate, Nitrogen, FatalRAT, WikiLoader.

• Added detection for IOCs related to GlobalProtect CVE-2024-3400.

• Improved detection of Python-based loaders. (T1059.006)

• Improved detection of various shellcode implants e.g. Metasploit-based. (T1620)

• Added detection for IOCs masqueraded as certificates. (T1036.008, T1027)

• Improved detection of obfuscated Javascript-based droppers, suspicious base64 encoded IOCs, and PowerShell-based loaders. (T1620, T1059.001, T1059.007, T1027)

• And many other smaller improvements.

5.0.2 (18/04/24)

Sigma

• Powershell detection update

5.0.1 (11/04/24)

YARA

• Vidar stealer FP fix.

5.0.0 (09/04/24)

YARA

• Added detection for Linux local privilege escalation exploit for CVE-2024-1086.

• Added detection for various APT groups related IOCs including APT28, APT29, APT33, APT42. (G1006, G0007, G0016, G0064, G0059)

• Added detection for Dark Crystal a.k.a DCRat.

• Added detection for Sharpire post-exploitation agent. (S0363)

• Enhanced detection of obfuscated Golang-based binaries. (T1027)

• Enhanced detection of Nim-based binaries.

• Enhanced detection of RMM tools and software. (T1219)

• Enhanced identification of misplaced binaries often used for DLL Side-loading. (T1574.002)

• Enhanced identification of potentially misplaced script-based samples often used for masquerading purposes. (T1036.005)

• Enhanced identification of samples abusing double extension to trick users into executing malicious files. (T1036.007)

Dynamo

• Enhanced detection of various hacker commands found in areas such as Powershell commands, console, and console history.

• Vastly improved detection of RMM software commonly abused by malicious actors. (T1219)

4.3.1. (01/04/24)

YARA

• Added detection for backdoored binaries and indicators of compromise found in XZ Utils 5.6.0 and 5.6.1. (CVE-2024-3094)

4.3.0 (22/03/24)

YARA

• Added detection for Xdealer malware attributed connected to China-nexus threat actor tracked as Earth Lusca. (G1006)

• Added detection for custom malware dubbed DinodasRAT targeting government organizations. (G1006)

• Added detection for binaries signed by D2innovation certificate attributed to Kimsuky APT group. (G0094)

• Added detection for Lumma information stealer (aka LummaC2 Stealer). (T1082, T1622, T1140, T1562, T1119, T1005, T1071, T1020)

• Added detection for Meduza info stealer. (T1614, T1082, T1113, T1552, T1571)

• Added detection for indicators found in compiled ASPX Web Shell DLLs. (T1505.003)

• Enhanced detection of samples having a suspicious keyword in their PDB path (e.g. Trojan, Shellcode). (TA0005)

• Enhanced detection of Remote Access Software Tools commonly used in ransomware attacks. (T1219)

• Enhanced detection of misplaced files masqueraded as legitimate Windows binaries. (T1036.005)

• Enhanced detection of malicious samples and scripts obfuscated with XOR, AES and custom encoding. (T1027)

• Enhanced detection of samples abusing double extension in order to hide true file type. (T1036.007)

• Enhanced detection of LNK files executing suspicious PowerShell commands. (T1059.001, T1204.002)

• Enhanced detection of older exploits such as Zerologon, BlueKeep and more. ( T1021, T1068)

• Various other rules, fixes and performance improvements.

Dynamo

• Updated Hacker Tool list with new keywords for hunting in forensic artifacts such as Applications, Cronjobs, Downloads, MFT, Prefetch, Processes, Registry, Scheduled Tasks, Services, ShellBags, Shell History, and Shimcache. (T1588.002)

• Updated detections of Remote Management Software Website domains in DNS Cache, indicating potentially unwanted usage of remote access software. (T1219)

4.2.3 (05/03/24)

YARA

• Added detection for indicators of compromise indicating exploitation attempts of two recent vulnerabilities in JetBrains TeamCity Multiple Authentication Bypass Vulnerabilities (CVE-2024-27198 and CVE-2024-27199)

• Added detection for the Linux variant of Bifrost (aka Bifrose). Bifrost is a remote access Trojan (RAT) that allows an attacker to gather sensitive information, like hostname and IP address. (T1219)

• Added detection for Xeno RAT; an intricately designed malware, crafted with advanced functionalities, conveniently accessible at no cost on GitHub. (T1059.003, T1053.005, T1622, T1497, T1055, T1071.00)

• Added detection for suspicious unsigned executables protected with Obsidium protector. (T1027.002)

• Added detection for FudModule rootkit exploiting CVE-2024-21338 kernel elevation of privilege vulnerability. (T1068)

• Enhanced detection of files found outside of their default location which is a very popular way of hiding malicious files under a known name of a legitimate Windows component. (T1036.005)

• Enhanced detection of CobaltStrike beacons. (S0154)

4.2.2 (27/02/24)

YARA

• Added detection for indicators of compromise indicating exploitation attempts of two recent vulnerabilities in ConnectWise ScreenConnect. (CVE-2024-1709 & CVE-2024-1708)

4.2.1 (24/02/24)

YARA

• Restored %WINDIR%\Temp to depth 2 recursion for now.

4.2.0 (23/02/24)

YARA

• Restored memory scan [INTERNAL USAGE detail]

• Added detection for latest TinyTurla IOCs (G0010)

• Improved detection of Linux Shell scripts commonly used in malicious attacks. Examples are logs removal, public DNS insertion, root SSH keys manipulation and other post exploitation commands.

• Enhanced detection of various hacktools mentioned in latest malware campaigns.

4.1.0 (20/02/24)

YARA

• Added detection for emails exploiting Microsoft Outlook CVE-2024-21413 vulnerability.

• Enhanced detection of Sliver red team framework implant. (S0633)

• Added detection for IOCs abusing Mockbin service for malicious purposes. (T1090.004, T1102)

• Added detection for IOCs designed to capture NTLMv2 hashes. (T1187)

• Enhanced detection of binaries named after legitimate Windows executables for masquerading and defence evasion purposes. (T1036.005)

• Enhanced detection of IOCs with base64 encoded keywords such as Powershell, WScript and many more. (T1027)

• Enhanced detection of ESXi ransomware variants. (TA0040)

• Enhanced detection for many other IOCs with references to suspicious locations and suspicious commands such as disable UAC, enable RDP, and more. (T1562.001, T1059.001, T1021.001, T1112)

• Various other fixes and performance improvements.

Dynamo

• Added detection for Crypto Mining Pool Address in DNS Cache and Browser History. (T1496)

• Added detection for registry run entries executing PowerShell command to read data stored in Registry. (T1547.001, T1059.001)

• Added detection for registry run entries executing suspicious PowerShell commands. (T1547.001, T1059.001)

• Updated list of Widely Abused Top-Level Domains found in DNS Cache. (T1583.001)

• Updated Hacker Tool list with over 100 new keywords for hunting in forensic artifacts such as Applications, Cronjobs, Downloads, MFT, Prefetch, Processes, Registry, Scheduled Tasks, Services, ShellBags, Shell History, and Shimcache. (T1588.002)

• Updated detections for hunting Large File Transfer Websites in DNS Cache, which can be used for uploading sensitive/confidential data. (T1567.002)

4.0.1 (05/02/24)

YARA

• Added detection for C# and dictionary-based webshells.

• Enhanced detection of JSP webshells.

• Enhanced detection of directory traversal and XSS injection indicators found in server logs.

• Enhanced detection of ProxyShell and ProxyNotShell vulnerabilities.

• Added detection of various Linux exploits.

• An updated list of vulnerable and malicious drivers from LOL Drivers project.

• Added detection for binaries using potentially compromised AnyDesk certificate.

• Other minor fixes.

Dynamo

• Minor FP fixes.

3.5.2 (22/01/24)

YARA

• Added more detection rules for IOCs observed in the exploitation of Ivanti VPN. (CVE-2023-46805 and CVE-2024-21887)

• Added detection for IOCs related to Russian threat group COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto) Reference: https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/

3.5.1 (22/01/24)

YARA

• Added detection for IOCs linked to Iranian and Russian APT groups such as BlueBravo and Siamesekitten. (APT29, G1001)

• Added detection for IOCs linked to Iranian OilRig APT. (G0049)

• Improved detection of Lazarus APT-related IOCs. (G0032)

• Added detection of Outlook CVE-2023-23397 vulnerability exploitation.

• Improved identification of remote access software. (T1219)

• Improved detection of PowerShell scripts loading obfuscated content directly into memory. (T1059.001, T1620)

• Added detection for archives exploiting Baracuda ESG vulnerability CVE-2023-2868.

• Added detection for implants related to Alchimist attack framework.

• Added detection of pkexec CVE-2021-4034 vulnerability exploitation.

• Improved detection of various hacktools used for port scanning, brute force, and privilege escalation.

• Improved detection of mixed casing keywords often used as a way of obfuscation. (T1027)

• Improved detection of double file extension masquerading in archives such as ZIP or RAR. (T1036.007)

• Enhanced detection of indicators of various exploitation attempts including Log4j, SQL Injection, XSS attacks, path traversal attacks, and more. (T1190)

• Added detection for IOCs found in the exploitation of Ivanti Connect Secure VPN. (CVE-2023-46805, CVE-2024-21887) and more

Dynamo

• Added detection for scheduled tasks executing Certutil. (T1053.005, S0160)

Other

• Various FP fixes and performance improvements.