
v5.17.0


@patel-bhavin patel-bhavin released this 30 Oct 16:37
· 28 commits to develop since this release
437a5cd

🚀 Key Highlights

  • 🧩 Microsoft WSUS CVE-2025-59287 Remote Code Execution:
    Introduced a new analytic story for the exploitation of CVE-2025-59287, a critical WSUS deserialization vulnerability enabling unauthenticated remote code execution. Added a new detection, Windows WSUS Spawning Shell, and tagged related process-based detections to enhance post-exploitation visibility.

  • πŸ›‘οΈ Oracle E-Business Suite Exploitation (TALOS Collaboration):
    Released new Snort-based detections developed with Cisco Talos to identify exploitation attempts against Oracle E-Business Suite. These analytics detect anomalous web requests, payload delivery, and lateral movement behaviors targeting enterprise ERP systems based on Snort alerts.

  • 🌐 HTTP Request Smuggling:
    Introduced a new analytic story to detect and investigate HTTP request smuggling techniques that exploit discrepancies in how web servers and proxies handle request sequences. Added detections (HTTP Suspicious Tool User Agent, HTTP Request to Reserved Name, HTTP Rapid POST with Mixed Status Codes, HTTP Possible Request Smuggling, and HTTP Duplicated Header) that search for indicators such as CL.TE, TE.TE, and CL.0 to identify abuse of HTTP parsing logic and potential security control bypasses.

  • 💀 Scattered Lapsus$ Hunters and Hellcat Ransomware:
    Tagged a broad set of existing TTPs and added new analytic stories covering the Scattered Lapsus$ Hunters coalition (Scattered Spider, Lapsus$, and Shiny Hunters) and the Hellcat Ransomware RaaS group. These updates enhance visibility into MFA bypass, credential theft, remote access tool abuse, PowerShell infection chains, SSH persistence, and custom ransomware payloads targeting critical infrastructure, telecom, and government sectors.

New Analytic Story - [5]

New Analytics - [18]

Other Updates

  • Added new detections and updated several existing ones for which GitHub issues were reported. Please view the complete list of updates made to address false positives, efficiency, detection logic, and detection names. The breaking changes are detailed below.

🔴 BREAKING CHANGES:

  • We have deprecated several detections. They are scheduled for removal in 5.20.0 and are replaced by the detections listed below. It is highly recommended to follow the deprecation process linked here so that the detections continue running reliably:

a. Windows Change Default File Association For No File Ext
-> Replacement - Windows Change File Association Command To Notepad
b. Detect Rundll32 Application Control Bypass - setupapi
-> Replacement - Windows Application Whitelisting Bypass Attempt via Rundll32
c. Detect Rundll32 Application Control Bypass - syssetup
-> Replacement - Windows Application Whitelisting Bypass Attempt via Rundll32
d. Detect Rundll32 Application Control Bypass - advpack
-> Replacement - Windows Application Whitelisting Bypass Attempt via Rundll32