Skip to content

v4.37.0

Compare
Choose a tag to compare
@patel-bhavin patel-bhavin released this 31 Jul 18:30
· 1022 commits to develop since this release
891ebbe

Key Highlights

Enterprise Security Content Updates version 4.37.0 introduces new detections focused on emerging threats like AcidPour, Gozi Malware, and ShrinkLocker. These analytics identify sophisticated techniques used by these malware families to compromise Windows environments, primarily through registry modifications. The update includes detections for attempts to configure BitLocker, delete firewall rules, disable Remote Desktop Protocol (RDP), alter Smart Card Group Policy, modify firewall rules, and change Outlook WebView settings. By monitoring these critical registry changes, security teams can more effectively identify potential compromises and swiftly mitigate risks associated with these advanced malware variants.We have also published a detailed blog on Acid Pour Wiper Malware and the various TTPs used by this wiper malware.

This release also contains detections for identifying exploitation of the following vulnerabilities:

  • CVE-2024-5806, published by Progress Software, describes an improper authentication vulnerability affecting the MOVEit Transfer SFTP service that can lead to authentication bypass.
  • CVE-2024-29824, published by ZDI and Ivanti, concerns an enterprise endpoint management solution and describes a SQL injection resulting in remote code execution with a CVSS score of 9.8.
  • CVE-2024-37085, published by Broadcom, impacts VMware ESXi hypervisors. Successful exploitation of this flaw allows attackers with sufficient Active Directory permissions to gain full access to an ESXi host configured to use AD for user management by re-creating the default 'ESXi Admins' group after it has been deleted from Active Directory.

New Analytic Story - [6]

New Analytics - [16]

Updated Analytics - [11]

Macros Added - [2]

  • moveit_sftp_logs
  • remote_access_software_usage_exceptions

Lookups Added - [1]

  • remote_access_software_exceptions

Lookups Updated - [4]

  • lolbas_file_path
  • privileged_azure_ad_roles
  • remote_access_software
  • splunk_risky_command

Other Updates

  • Remove usage_searches.conf from the ESCU app
  • Update the yaml file structure for data_sources objects
  • Remove dev/ directory from Github repo as we do not actively maintain Sigma supported detections in this directory
  • Removed ransomware_extensions.csv from the repo and replaced it with an updated lookup - ransomware_extensions_20231219.csv
  • Removed ransomware_notes.csv from the repo and replaced it with an updated lookup - ransomware_notes_20231219.csv
  • Removed privileged_azure_ad_roles.csv from the repo and replaced it with an updated lookup - privileged_azure_ad_roles20240729.csv
  • Removed remote_access_software.csv from the repo and replaced it with an updated lookup - remote_access_software20240726.csv