What's new
Enterprise Security Content Updates version 5.12.0 was released on August 20th, 2025 and includes the following enhancements:
Key highlights
The following is a summary of the latest updates:
- Medusa Rootkit (UNC3886): Introduced a new analytic story for Medusa Rootkit, a stealthy malware leveraged by UNC3886 to maintain persistence on Linux and Windows systems. This release adds detections for Linux GDrive Binary Activity, Linux Medusa Rootkit, Windows GDrive Binary Activity, and Windows Suspicious VMware Tools Child Process, and also maps other existing detections to this threat actor.
- MSIX Package Abuse: We added a new analytic story covering abuse of Microsoft MSIX application packages, leveraging telemetry from the AppXDeploymentServer/Operational event log. This story introduces detections for suspicious MSIX behaviors, including Windows Advanced Installer MSIX with AI_STUBS Execution, Unsigned Package Installation, PowerShell MSIX Package Installation, and interaction with the WindowsApps directory, providing visibility into application sideloading and potential malware delivery.
- Windows RDP Artifacts Defense Evasion: A new analytic story focused on RDP activity followed by artifact cleanup or evasion techniques. Windows RDP client usage generates forensic artifacts such as the Default.rdp file (written hidden in the user's Documents folder) and bitmap cache files that can reveal details about accessed systems. This release adds detections for Default.rdp file creation, deletion, and un-hiding events, bitmap cache file activity, RDP server registry entry creation and deletion, and the RDP client launched with an admin session, while tagging existing detections to ensure comprehensive monitoring of both RDP usage and evasion behavior.
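The two Windows stories above (MSIX Package Abuse and Windows RDP Artifacts Defense Evasion) describe behaviors rather than queries. As an added illustration that is not part of this release and not ESCU's own SPL, the following Python runs equivalent logic over a handful of constructed Sysmon-style events: point-in-time rules for PowerShell `Add-AppxPackage` use, execution from an `AI_STUBS` folder under `C:\Program Files\WindowsApps`, and scripts launched from that directory, plus a correlation that only flags deletion of Default.rdp, bitmap cache files or the Terminal Server Client `Servers` registry key when the same host and user launched `mstsc.exe` shortly before. Every host, user, SID, path and timestamp in `EVENTS` is made up, the event field names are an assumed normalization, and the rule names are descriptive labels, not the ESCU detection names.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names are an assumed
# normalization of Sysmon process-create, file-create/delete and registry
# events; every host, user, SID, path and timestamp is invented.
EVENTS = [
    # --- MSIX sideloading chain on WS01 ---
    {"ts": "2025-08-20T09:00:01", "host": "WS01", "user": "CORP\\alice", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -c "Add-AppxPackage -Path C:\Users\alice\Downloads\Update.msix -AllowUnsigned"'},
    {"ts": "2025-08-20T09:00:07", "host": "WS01", "user": "CORP\\alice", "type": "process",
     "image": r"C:\Program Files\WindowsApps\Contoso.Update_1.0.0.0_x64__k4j2n9x7abcde\AI_STUBS\AiStubX64.exe",
     "cmdline": r'"C:\Program Files\WindowsApps\Contoso.Update_1.0.0.0_x64__k4j2n9x7abcde\AI_STUBS\AiStubX64.exe"'},
    {"ts": "2025-08-20T09:00:09", "host": "WS01", "user": "CORP\\alice", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -ExecutionPolicy Bypass -File "C:\Program Files\WindowsApps\Contoso.Update_1.0.0.0_x64__k4j2n9x7abcde\setup.ps1"'},
    # --- RDP client use followed by artifact cleanup on WS01 ---
    {"ts": "2025-08-20T10:15:00", "host": "WS01", "user": "CORP\\alice", "type": "process",
     "image": r"C:\Windows\System32\mstsc.exe", "cmdline": "mstsc.exe /v:10.0.0.5 /admin"},
    {"ts": "2025-08-20T10:15:03", "host": "WS01", "user": "CORP\\alice", "type": "file_create",
     "path": r"C:\Users\alice\Documents\Default.rdp"},
    {"ts": "2025-08-20T10:16:10", "host": "WS01", "user": "CORP\\alice", "type": "file_create",
     "path": r"C:\Users\alice\AppData\Local\Microsoft\Terminal Server Client\Cache\Cache0000.bin"},
    {"ts": "2025-08-20T10:40:00", "host": "WS01", "user": "CORP\\alice", "type": "file_delete",
     "path": r"C:\Users\alice\Documents\Default.rdp"},
    {"ts": "2025-08-20T10:40:01", "host": "WS01", "user": "CORP\\alice", "type": "file_delete",
     "path": r"C:\Users\alice\AppData\Local\Microsoft\Terminal Server Client\Cache\Cache0000.bin"},
    {"ts": "2025-08-20T10:40:02", "host": "WS01", "user": "CORP\\alice", "type": "registry_delete",
     "path": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Terminal Server Client\Servers\10.0.0.5"},
    # Benign control: cache file removed on WS02 with no preceding mstsc.exe launch.
    {"ts": "2025-08-20T11:00:00", "host": "WS02", "user": "CORP\\bob", "type": "file_delete",
     "path": r"C:\Users\bob\AppData\Local\Microsoft\Terminal Server Client\Cache\bcache24.bmc"},
]

WINDOWSAPPS = "c:\\program files\\windowsapps\\"
POWERSHELL = ("powershell.exe", "pwsh.exe")
# Default.rdp in Documents, and the Terminal Server Client bitmap cache files.
RDP_ARTIFACT = re.compile(
    r"\\documents\\default\.rdp$"
    r"|\\terminal server client\\cache\\(cache\d{4}\.bin|bcache\d+\.bmc)$")
RDP_SERVER_KEY = re.compile(r"\\software\\microsoft\\terminal server client\\servers\\")


def msix_findings(ev):
    """Point-in-time MSIX rules over a single process-create event."""
    if ev["type"] != "process":
        return []
    image, cmd = ev["image"].lower(), ev.get("cmdline", "").lower()
    found = []
    if image.endswith(POWERSHELL) and "add-appxpackage" in cmd:
        found.append("PowerShell MSIX Package Installation")
        if "-allowunsigned" in cmd:
            found.append("Unsigned Package Installation via PowerShell")
    if image.startswith(WINDOWSAPPS) and "\\ai_stubs\\" in image:
        found.append("Advanced Installer MSIX with AI_STUBS Execution")
    if image.endswith(POWERSHELL) and WINDOWSAPPS in cmd and ".ps1" in cmd:
        found.append("PowerShell Script From WindowsApps Directory")
    return found


def rdp_client_launch(ev):
    """mstsc.exe launch; the /admin switch requests the administrative session."""
    if ev["type"] != "process" or not ev["image"].lower().endswith("\\mstsc.exe"):
        return None
    admin = "/admin" in ev.get("cmdline", "").lower()
    return "RDP Client Launched with Admin Session" if admin else "RDP Client Launched"


def rdp_cleanup(ev):
    """Deletion of an RDP client artifact: Default.rdp, bitmap cache, or Servers key."""
    path = ev.get("path", "").lower()
    if ev["type"] == "file_delete" and RDP_ARTIFACT.search(path):
        return "RDP Artifact File Deletion"
    if ev["type"] == "registry_delete" and RDP_SERVER_KEY.search(path):
        return "RDP Server Registry Deletion"
    return None


def correlate_rdp_cleanup(events, window=timedelta(hours=1)):
    """Flag artifact cleanup that follows an mstsc.exe launch by the same host and
    user within `window`. Cleanup with no preceding RDP client use is ignored,
    which is what separates this story from a plain file-deletion alert."""
    launches = {}  # (host, user) -> timestamps of mstsc.exe launches
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key, ts = (ev["host"], ev["user"]), datetime.fromisoformat(ev["ts"])
        if rdp_client_launch(ev):
            launches.setdefault(key, []).append(ts)
            continue
        name = rdp_cleanup(ev)
        if name and any(timedelta(0) <= ts - t <= window for t in launches.get(key, [])):
            findings.append({"host": ev["host"], "user": ev["user"], "ts": ev["ts"],
                             "finding": name, "path": ev["path"]})
    return findings


def run(events=EVENTS):
    """All findings: point-in-time MSIX hits plus correlated RDP cleanup."""
    msix = [(ev["ts"], f) for ev in events for f in msix_findings(ev)]
    return {"msix": msix, "rdp_cleanup": correlate_rdp_cleanup(events)}


if __name__ == "__main__":
    for section, hits in run().items():
        print(section)
        for hit in hits:
            print("  ", hit)
```

On the sample data this yields four MSIX hits and three correlated RDP cleanup findings, all on WS01; the bcache24.bmc deletion on WS02 is dropped because that host never launched mstsc.exe in the window. In Splunk the same idea is expressed as a search over the Endpoint data model that joins mstsc.exe process events to later file and registry deletions by host and user, with the window tuned to your environment.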
New analytic stories
Updated analytic stories
New analytics
- Linux Gdrive Binary Activity
- Linux Medusa Rootkit
- Windows Advanced Installer MSIX with AI_STUBS Execution
- Windows AppX Deployment Full Trust Package Installation
- Windows AppX Deployment Package Installation Success
- Windows AppX Deployment Unsigned Package Installation
- Windows Default RDP File Creation
- Windows Default Rdp File Deletion
- Windows Default Rdp File Unhidden
- Windows Developer-Signed MSIX Package Installation
- Windows Gdrive Binary Activity
- Windows MSIX Package Interaction
- Windows PowerShell MSIX Package Installation
- Windows PowerShell Script From WindowsApps Directory
- Windows RDP Bitmap Cache File Creation
- Windows RDP Cache File Deletion
- Windows RDP Client Launched with Admin Session
- Windows RDP Login Session Was Established
- Windows RDP Server Registry Deletion
- Windows RDP Server Registry Entry Created
- Windows Rdp AutomaticDestinations Deletion
- Windows Suspicious VMWare Tools Child Process
Other updates
As previously communicated in the ESCU v5.10.0 release notes, several detections have been removed. For a complete list of the detections removed in version v5.12.0, refer to the List of Removed Detections. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on the detections scheduled for removal in ESCU version v5.14.0, see the List of Detections Scheduled for Removal.