Several changes have been made to the Threat Detection Content in Live. For added detection you need to deploy/download and subscribe to the content via Live. For retired content, you must manually remove those items.
TLS_lua Options – Optional parameters to alter the behavior of the TLS_lua parser.
"Overwrite Service": default value false
Default behavior is that if another parser has identified a session with a service other than SSL, this parser will not overwrite the service meta.
If this option is enabled, the parser identifies all sessions containing SSL as SSL, even if another parser has already identified the session as a different service.
"Ports Only": default value false
Default behavior is port-agnostic: that is, the parser looks for all SSL/TLS sessions regardless of which ports a session uses. This allows identification of encrypted sessions on unexpected and non-standard ports.
If this option is enabled, the parser only searches for SSL/TLS sessions on the configured ports. Sessions on other ports will not be identified as SSL/TLS. This may improve performance, at a cost of possibly decreased visibility.
Note that a session on a configured port that is not SSL/TLS will still not be identified as SSL/TLS. In other words, the parser does not assume that all sessions on configured ports are SSL/TLS.
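The following is an added illustration, not the TLS_lua parser's own code, that models how the two options above change the outcome for a session. The function names, the configured-port set and the sample payloads are all constructed for this example; the TLS check itself is a deliberately simplified ClientHello record-header test rather than the parser's real fingerprinting.

```python
import struct
from typing import Optional

SSL_SERVICE = "SSL"             # service meta value assigned to SSL/TLS sessions
CONFIGURED_PORTS = {443, 8443}  # constructed stand-in for the parser's configured ports


def looks_like_tls(payload: bytes) -> bool:
    """Return True if the payload opens with a TLS handshake record carrying a ClientHello.

    Record header: content type 0x16 (handshake), version 0x03 0x0x, 2-byte length;
    the first handshake byte 0x01 is ClientHello. Simplified on purpose.
    """
    if len(payload) < 6:
        return False
    content_type, major, minor, length, hs_type = struct.unpack("!BBBHB", payload[:6])
    return (content_type == 0x16 and major == 0x03 and minor <= 0x04
            and length > 0 and hs_type == 0x01)


def classify_session(payload: bytes, port: int, existing_service: Optional[str],
                     overwrite_service: bool = False, ports_only: bool = False) -> Optional[str]:
    """Return the service meta the modelled parser would leave on the session.

    existing_service is what another parser may already have assigned (None if nothing).
    """
    # "Ports Only": sessions on unconfigured ports are not examined at all.
    if ports_only and port not in CONFIGURED_PORTS:
        return existing_service
    # A configured port is never enough by itself: the traffic must still look like TLS.
    if not looks_like_tls(payload):
        return existing_service
    # "Overwrite Service" off: another parser's non-SSL identification is respected.
    if existing_service not in (None, SSL_SERVICE) and not overwrite_service:
        return existing_service
    return SSL_SERVICE


# Constructed sample payloads: a TLS 1.2 ClientHello record prefix and a plain HTTP request.
CLIENT_HELLO = bytes.fromhex("160301005a01000056030300")
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    print(classify_session(CLIENT_HELLO, 9999, None))                   # SSL (port-agnostic)
    print(classify_session(CLIENT_HELLO, 9999, None, ports_only=True))  # None (port not configured)
    print(classify_session(HTTP_GET, 443, "HTTP", ports_only=True))     # HTTP (not TLS, even on 443)
```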
Creates Run Key – New application rule is added to detect creation of new run keys. Creating a new run key can be an indication of someone trying to use startup configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots.
Execute DLL Through Rundll32 – New application rule is introduced to detect DLL execution using the Rundll32 program. Rundll32 can be called to execute an arbitrary binary. Attackers may take advantage of this for proxy execution of code to avoid triggering security tools.
Runs DNS Lookup Tool for TXT Record – New application rule is added to detect possible covert command and control channels. Running nslookup.exe to query TXT records can be used to establish a covert Command & Control channel to exchange commands and other malicious information. These malicious commands can later be executed on the target system.
We strive to provide timely and accurate detection of threats as well as traits that can help analysts hunt through network and log data. Occasionally this means retiring content that provides little-to-no value.