v5.8.0

Key Highlights

• 🥸Remote Employment Fraud Detections
  Remote Employment Fraud involves threat actors posing as job seekers or employers in order to gain unauthorized access to systems or employment through deceptive means. In many cases, it involves the use of fraudulent or stolen identity documents which are used to hide the true identity and/or location of an employee. This release includes a number of analytics that can help detect the digital footprint of employment fraud through the analysis of unexpected Network behaviors (such as VPN usage or anomalously high latency) or the presence of nonstandard audio or video devices.
• 📦Inno Setup Abuse
  Inno Setup is a widely used, legitimate packaging tool for the installation of software in Windows environments. Recently, it has seen increasingly common usage by malicious actors, hiding embedded malware payloads in otherwise benevolent software installers. These payloads, which are often encrypted or obfuscated, are then executed by a number of different means such as scripting or process injection. This story demonstrates a number of different techniques observed by malware abusing Inno Setup to gain execution and persistence.
• 🕸️Web Browser Abuse
  Locally installed malware may use Web Browsers to aid in the execution of malicious code, perform command and control, or transfer files. To decrease their footprint or provide flexibility in how they operate, this malware may supply a number of nonstandard command line flags when launching browsers. This release supplies a number of analytics which recognize these suspicious flags.

New Analytic Story - [2]

• Malicious Inno Setup Loader
• Remote Employment Fraud

New Analytics - [4]

• Windows Chromium Browser No Security Sandbox Process
• Windows Chromium Browser with Custom User Data Directory
• Windows DNS Query Request To TinyUrl
• Windows Disable Internet Explorer Addons

Updated Analytics - [63]

• A number of analytics have been updated with improved formatting and tagged with new analytic stories.
• Several analytics had their logic tuned, improved and updated.
  Cobalt Strike Named Pipes
  Detect Renamed WinRAR
  Excessive Usage Of Cacls App
  Icacls Deny Command
  ICACLS Grant Command
  Modify ACL permission To Files Or Folder
  Network Traffic to Active Directory Web Services Protocol
  Suspicious Copy on System32
  Windows Files and Dirs Access Rights Modification Via Icacls

Other Updates

• Added Macro - “zoom_index”
• Updated Macro “gsuite_drive”
• As previously communicated in the ESCU v5.6.0 release, several detections have been removed. For a complete list of the detections removed in version v5.8.0, refer to the List of Removed Detections in v5.8.0. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v5.10.0, see the List of Detections Scheduled for Removal in ESCU v5.10.0.