This page contains information about new content released in the last month, and improvements and bug fixes to existing content.
This information, and information about all existing content, can also be found in the Knowledge Center in the Hunters portal.

New Content

| Category | Name | Description | Prerequisites | Where it can be found |
| --- | --- | --- | --- | --- |
| Detector | Suspicious Registry Run Key Was Written | Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the referenced program to be executed when a user logs in. These programs will be executed in the context of the user and will have the account's associated permission level. | EDR | Hunters Portal |
| Scoring Model | Suspicious Run Keys model | Completes the run key leads by building a more dedicated score that analyses the flags found in each lead. | EDR | Hunters Portal |
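As an added, illustrative example (not Hunters' detector or scoring model, whose flags and weights are not published on this page), the logic below processes constructed EDR registry-write events the way the two items above describe: first isolate writes to Run/RunOnce keys, then build a score from the flags found in each lead. The key matcher, flag names, weights and sample events are all assumptions.

```python
import re
from typing import Optional

# Assumed matcher for Run / RunOnce keys under HKLM or HKU/HKCU.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?(Ex)?$", re.IGNORECASE
)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SCRIPT_EXTS = (".vbs", ".js", ".bat", ".ps1", ".hta", ".scr", ".dll")
# Assumed weights; the real model's flags and weights are not on this page.
FLAG_WEIGHTS = {"user_writable_path": 30, "script_host": 25,
                "encoded_command": 35, "script_extension": 10}


def first_token(cmd: str) -> str:
    """Return the executable part of a Run-key value (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def run_key_flags(data: str) -> list:
    """Derive the flags a lead is scored on from one Run-key value."""
    exe, low, flags = first_token(data).lower(), data.lower(), []
    if any(p in low for p in USER_WRITABLE):
        flags.append("user_writable_path")       # launched from a user-writable dir
    if exe.rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
        flags.append("script_host")              # interpreter rather than an app
    if re.search(r"\s-e(nc|ncodedcommand)?\s", low):
        flags.append("encoded_command")          # obscured PowerShell arguments
    if exe.endswith(SCRIPT_EXTS):
        flags.append("script_extension")         # script/DLL instead of an .exe
    return flags


def score_event(event: dict) -> Optional[dict]:
    """Return a scored lead for a Run-key write, or None for other registry writes."""
    if not RUN_KEY_RE.search(event["key"]):
        return None
    flags = run_key_flags(event["data"])
    score = min(100, sum(FLAG_WEIGHTS[f] for f in flags))
    return {"host": event["host"], "user": event["user"],
            "value_name": event["value_name"], "flags": flags, "score": score}


def score_events(events: list) -> list:
    """Keep only the Run-key leads, each with its flags and score."""
    return [lead for lead in (score_event(e) for e in events) if lead]


# Constructed sample EDR registry-write events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS-01", "user": "alice", "value_name": "OneDrive",
     "key": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"host": "WS-02", "user": "bob", "value_name": "Updater",
     "key": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "data": "powershell.exe -enc PLACEHOLDER_BASE64"},
    {"host": "WS-03", "user": "carol", "value_name": "update",
     "key": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Users\carol\AppData\Roaming\update.vbs"},
    {"host": "WS-04", "user": "dave", "value_name": "DisplayName",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp",
     "data": "Example App"},
]
```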


Improvements and Bugfixes

  • Added a hostname travel_by based on the hostname_to_agent_id DrillDown. We won't travel_by hostname if we see many different EDR agents on the same IP (for example VDI or Citrix XenApp hosts).

  • Added a domain_categories field, which classifies a domain into a category, to the following detectors:

    • DNS Server Data Exfiltration

    • Cobalt Strike DNS Beacon Detected

  • Tuned the scoring model of vulnerability management findings.