What's new

ESCU version 5.25.1 was released on April 15, 2026. This patch release corrects a detection's version number that was causing detection versioning failures in Splunk Enterprise Security. For details of the issue addressed by this patch, see the Splunk Enterprise Security version 8.5.0 known issues.

ESCU version 5.20.0 was released on April 1, 2026.

Key highlights

ESCU version 5.20.0 includes the following highlights:
  • Ghost RAT: Expanded coverage for Ghost RAT by tagging multiple existing analytics that cover service creation, registry persistence, command-line execution, and system discovery, and by adding two new detections: Windows Remote Access Registry Entry and Windows Rundll32 with Non-Standard File Extension. Also improved the fidelity of Ping Sleep Batch Command and introduced a new analytic story, Ghost RAT, to give better visibility into the stealthy persistence, defense evasion, and command execution techniques this malware family commonly uses.

  • Void Manticore Activity Coverage Expansion: Expanded detection coverage for Void Manticore, a threat group associated with destructive and espionage-driven operations, by tagging multiple existing analytics for data destruction, shadow copy deletion, backup recovery tampering, and suspicious script execution. The update improves visibility into tradecraft involving bcdedit manipulation, recursive file deletion, remote process execution via WMI, and suspicious process and file activity, covering both the pre-impact and impact-stage techniques commonly used in disruptive campaigns against enterprise environments.

  • Detection & Content Improvements: Added support for new data sources, migrated the Palo Alto integrations, added MITRE ATT&CK mappings to detections, fixed regex and logic issues, reduced false positives, improved accuracy and performance, updated metadata based on telemetry insights, and refactored multiple analytics and SPL queries for readability, consistency, and reliability.
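
Neither highlight shows what the described command lines look like in process telemetry or how a rule would flag them. The block below is an added example written for this page, not ESCU's own SPL or code: it approximates, in plain Python, the behaviours named in the Ghost RAT highlight (rundll32 loading a module with a non-standard extension, ping used as a sleep in a batch one-liner) and in the Void Manticore highlight (shadow copy deletion, bcdedit recovery tampering, remote process creation via WMI), and runs them over a handful of constructed Sysmon-style process-creation events. The event field names, the rule thresholds, and the allowlist of "standard" rundll32 module extensions are assumptions made here, not the logic of the ESCU detections themselves.

```python
"""Added example, not ESCU code: plain-Python approximations of the command-line
behaviours named in the Ghost RAT and Void Manticore highlights, run over a few
constructed process-creation events.  Field names, thresholds and the rundll32
extension allowlist are assumptions, not the SPL of the ESCU detections."""
import ntpath
import re

# Assumption: module extensions considered ordinary for rundll32.
RUNDLL32_STANDARD_EXTENSIONS = {".dll", ".cpl"}

# "rundll32"/"ping", optionally with a path and quotes; group 1 is what follows.
_RUNDLL32 = re.compile(r'(?:^|\s)(?:"?[^"\s]*[\\/])?"?rundll32(?:\.exe)?"?\s+(.*)$', re.I)
_PING = re.compile(r'(?:^|\s)(?:"?[^"\s]*[\\/])?"?ping(?:\.exe)?"?\s+(.*)$', re.I)

def rundll32_module(cmdline):
    """Return the module path passed to rundll32, or None if there is none."""
    m = _RUNDLL32.search(cmdline)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):                 # quoted path, may contain spaces
        close = rest.find('"', 1)
        module = rest[1:close] if close != -1 else rest[1:]
    else:
        module = rest.split(None, 1)[0] if rest else ""
    module = module.split(",", 1)[0]         # drop the ",EntryPoint" suffix
    return module or None

def rundll32_nonstandard_extension(cmdline):
    """Ghost RAT highlight: rundll32 loading a module that is not a .dll/.cpl
    (a module with no extension at all also counts as non-standard)."""
    module = rundll32_module(cmdline)
    if module is None:
        return False
    return ntpath.splitext(module)[1].lower() not in RUNDLL32_STANDARD_EXTENSIONS

def ping_sleep(cmdline):
    """Ghost RAT highlight: ping against loopback with an -n count used as a
    delay, with its output discarded or chained into another command."""
    segments = re.split(r"&&|\|\||&|\|", cmdline)   # cmd.exe command separators
    for seg in segments:
        m = _PING.search(seg)
        if not m:
            continue
        args = m.group(1)
        count = re.search(r"(?:^|\s)-n\s+\d+", args, re.I)
        loopback = re.search(r"(?:^|\s)(?:127\.0\.0\.1|localhost|::1)(?=\s|>|$)", args, re.I)
        discards = re.search(r">\s*nul\b", args, re.I)
        if count and loopback and (discards or len(segments) > 1):
            return True
    return False

def shadow_copy_deletion(cmdline):
    """Void Manticore highlight: shadow copies removed via vssadmin or wmic."""
    c = cmdline.lower()
    return (("vssadmin" in c and "delete" in c and "shadows" in c)
            or ("wmic" in c and "shadowcopy" in c and "delete" in c))

def recovery_tampering(cmdline):
    """Void Manticore highlight: bcdedit disabling Windows recovery."""
    c = cmdline.lower()
    return "bcdedit" in c and bool(
        re.search(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", c))

def wmi_remote_process_create(cmdline):
    """Void Manticore highlight: remote process creation through wmic /node."""
    c = cmdline.lower()
    return "wmic" in c and "/node:" in c and "process" in c and "call" in c and "create" in c

RULES = {
    "Windows Rundll32 with Non-Standard File Extension": rundll32_nonstandard_extension,
    "Ping Sleep Batch Command": ping_sleep,
    "Shadow copy deletion": shadow_copy_deletion,
    "Backup recovery tampering": recovery_tampering,
    "Remote process execution via WMI": wmi_remote_process_create,
}

def evaluate(events):
    """Return (host, rule name) for every event whose command line trips a rule."""
    return [(ev["host"], name) for ev in events
            for name, rule in RULES.items() if rule(ev["command_line"])]

# Constructed sample events, not real telemetry.
EVENTS = [
    {"host": "ws01", "command_line": r"rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl"},
    {"host": "ws01", "command_line": r'"C:\Windows\System32\rundll32.exe" C:\Users\Public\update.png,DllMain'},
    {"host": "ws02", "command_line": r"cmd.exe /c ping 127.0.0.1 -n 30 > nul & del C:\Users\Public\update.png"},
    {"host": "ws02", "command_line": r"ping -n 4 localhost"},
    {"host": "srv01", "command_line": r"vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv01", "command_line": r"bcdedit /set {default} recoveryenabled No"},
    {"host": "srv02", "command_line": r'wmic /node:srv03 process call create "cmd.exe /c del /s /q C:\Data\*"'},
]

if __name__ == "__main__":
    for host, rule in evaluate(EVENTS):
        print(f"{host}: {rule}")
```

Running the block flags five of the seven constructed events. The two it leaves alone illustrate the fidelity trade-off the Ghost RAT highlight refers to: rundll32 invoked with a legitimate system DLL is ordinary, and a bare `ping -n 4 localhost` with no output redirect and no chained command is just as likely a connectivity check as a delay, so this illustrative rule only fires when the loopback ping is silenced or feeds the next command in a batch one-liner. Tuning those conditions against your own telemetry is what the release notes describe as reducing false positives.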

Updated analytics

Based on various other telemetry sources, we updated detections that were missing MITRE ATT&CK IDs, along with data sources and detections, with the following changes:

Other updates

  • Corrected attack data links for detections whose links were incorrect

  • Resolved several GitHub issues to improve search logic, formatting, and other metadata