This page contains information about new content released in the last month, and improvements and bug fixes to existing content.
This information, and information about all existing content, can also be found in the Knowledge Center in the Hunters portal.

New Content

Category: Detector
Name: Suspicious Command Execution Using msdt.exe
Description: Detects command executions using Microsoft's Diagnostic Troubleshooting Wizard (msdt.exe). This behavior can indicate exploitation of the CVE-2022-30190 ("Follina") vulnerability.
Prerequisites: EDR logs
Where it can be found: Leads page - Enterprise Network leads
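The detector described above surfaces msdt.exe command executions from EDR process-creation telemetry. The script below is an added example written for this page, not Hunters' code and not the detector's actual logic: it parses constructed JSON-lines EDR events (the field names and sample records are assumptions, not any vendor's schema), flags every process whose image is msdt.exe regardless of path casing, and attaches the parent process so a reviewer can triage the lead. The DOCUMENT_APPS enrichment list is also an assumption added for illustration.

```python
"""Surface msdt.exe command executions from EDR process-creation events as leads for triage."""
import json
from typing import Dict, Iterable, List

# Constructed sample EDR events in JSON-lines form. Field names and values are
# assumptions for this example, not the schema of any particular EDR product.
SAMPLE_EDR_EVENTS = r"""
{"ts": "2022-06-01T09:12:03Z", "host": "WS-0142", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\msdt.exe", "cmdline": "msdt.exe -id NetworkDiagnosticsWeb", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"ts": "2022-06-01T09:12:05Z", "host": "WS-0142", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt", "parent_image": "C:\\Windows\\explorer.exe"}
{"ts": "2022-06-01T10:40:19Z", "host": "WS-0207", "user": "CORP\\asmith", "image": "C:\\Windows\\System32\\msdt.exe", "cmdline": "msdt.exe -id AudioPlaybackDiagnostic", "parent_image": "C:\\Windows\\explorer.exe"}
{"ts": "2022-06-01T11:03:44Z", "host": "SRV-DB01", "user": "CORP\\svc_backup", "image": "C:\\WINDOWS\\SYSTEM32\\MSDT.EXE", "cmdline": "MSDT.EXE", "parent_image": "C:\\Windows\\System32\\cmd.exe"}
"""

# Document-handling parents worth calling out during triage. This is an assumed
# local enrichment list for the example, not part of the detector on the page.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path ('' if path is empty)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(jsonl: str) -> List[Dict]:
    """Parse JSON-lines EDR events, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def is_msdt_execution(event: Dict) -> bool:
    """True when the created process is msdt.exe, judged by image path or,
    if the image field is missing, by the first token of the command line."""
    image = _basename(event.get("image", ""))
    if image:
        return image == "msdt.exe"
    first_token = event.get("cmdline", "").split(" ", 1)[0]
    return _basename(first_token.strip('"')) == "msdt.exe"


def find_msdt_leads(events: Iterable[Dict]) -> List[Dict]:
    """Return one lead per msdt.exe execution, enriched with the parent process for triage."""
    leads = []
    for ev in events:
        if not is_msdt_execution(ev):
            continue
        parent = _basename(ev.get("parent_image", ""))
        leads.append({
            "ts": ev.get("ts"),
            "host": ev.get("host"),
            "user": ev.get("user"),
            "cmdline": ev.get("cmdline"),
            "parent": parent,
            # Reviewers usually look first at msdt.exe spawned by a document-handling app.
            "document_parent": parent in DOCUMENT_APPS,
        })
    return leads


if __name__ == "__main__":
    for lead in find_msdt_leads(parse_events(SAMPLE_EDR_EVENTS)):
        print(lead)
```

msdt.exe also runs during legitimate troubleshooting (the second and third leads in the sample, launched from explorer.exe and cmd.exe), so the script produces a list of leads for review rather than a high-confidence alert, which matches where the page says the detector's output lands.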

Improvements and Bugfixes

  • IOC lookup detectors' base confidence reduced from Likely to Unlikely

  • Improved scoring model of all Microsoft 365 Defender alerts to utilize the tactics, techniques and severity level provided by the vendor

  • Fixed display issue with hostname attribute in SentinelOne Threats detector

  • Improved scoring of the detector “IP IOC Found in Network Traffic Events” by extracting the traffic direction and the firewall action, and modifying the MITRE tactics and severity of leads accordingly.

  • Fixed a bug in scoring of the detector “Sharing of EBS Snapshot” to support rare cases where the target account ID field is empty.

  • Decreased the false-positive rate of the detector “Sharing of EBS Snapshot” by excluding activities performed by common third-party products, and fine-tuned the scoring model.

  • Improved scoring of the detector “Netcat Execution” by mapping the use of each feature of Netcat to its respective MITRE ATT&CK Technique, and detecting suspicious children running under Netcat.

  • Decreased the false-positive rate of the detector “Suspected C2 Communication Using Common App” by excluding communications conducted by Windows services or third-party products, and fine-tuned the scoring.