Expanded support for process injection analytics, to dramatically increase the accuracy of distinguishing malicious from benign intent in applications.
This became especially important because a small number (<0.02%) of machines in Cyber Crucible telemetry were alerting on aggressive process injection behaviors by system processes.
Increased monitoring capability for unsigned system processes.
This was partly in response to attackers focusing heavily on involving those processes in lateral movement operations (within a system, and between systems).
Changed a file modification detection to decrease false positives: it no longer triggers on certain benign actions, using additional kernel-level context about a process's file-access behavior.
service.exe = 0bab8404900c6a16ac3ad0293c45de5c
assistant.exe = 98f013fd4fdb7325f903d07c87b999ac
CCRRSecMon.sys (Windows10) = 452719399d9bb98dc6b14fb8787d8415
CCRRSecMon.sys (Windows8) = a974c7cc46db3759a2da34f37caaa72e
CCRRSecMon.sys (Windows7) = 6a0f2e55d6a7b66bd9bbe318d5dbbebf
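To check that a deployed installation actually carries the binaries listed above, the following PowerShell is an added example, not Cyber Crucible's own tooling. It assumes the values are MD5 hashes (they are 32 hex characters long), that service.exe and assistant.exe live under an install directory you set in $InstallDir, that the driver is installed to System32\drivers, and that Windows 8.1 uses the Windows 8 driver; confirm each of these against your environment before relying on the result.

```powershell
# Added example (not Cyber Crucible's code): compare deployed binaries against the
# hashes in the release notes, and also check the Authenticode signature, because an
# MD5 match only says "this is the file that shipped"; MD5 is not collision-resistant.
$InstallDir = 'C:\Program Files\Cyber Crucible'   # ASSUMED install location; adjust

# Expected hashes, copied from the release notes (assumed to be MD5).
$Expected = @{
    'service.exe'                = '0bab8404900c6a16ac3ad0293c45de5c'
    'assistant.exe'              = '98f013fd4fdb7325f903d07c87b999ac'
    'CCRRSecMon.sys (Windows10)' = '452719399d9bb98dc6b14fb8787d8415'
    'CCRRSecMon.sys (Windows8)'  = 'a974c7cc46db3759a2da34f37caaa72e'
    'CCRRSecMon.sys (Windows7)'  = '6a0f2e55d6a7b66bd9bbe318d5dbbebf'
}

function Test-CCBinary {
    param([string]$Path, [string]$ExpectedMd5)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'MISSING'; Actual = $null; Signed = $null; Signer = $null }
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLowerInvariant()
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = if ($actual -eq $ExpectedMd5.ToLowerInvariant()) { 'OK' } else { 'MISMATCH' }
        Actual = $actual
        Signed = $sig.Status                      # 'Valid' when the signature chain verifies
        Signer = $sig.SignerCertificate.Subject   # $null for an unsigned file
    }
}

# Pick the driver hash for this OS. Win32_OperatingSystem.Version is 6.1 (Win7),
# 6.2/6.3 (Win8/8.1), 10.0 (Win10/11). Mapping 8.1 to the Windows 8 driver is an assumption.
$osVersion = [version](Get-CimInstance Win32_OperatingSystem).Version
$driverKey = switch ($osVersion.Major) {
    10      { 'Windows10' }
    6       { if ($osVersion.Minor -ge 2) { 'Windows8' } else { 'Windows7' } }
    default { 'Windows10' }   # assumption: anything newer uses the Windows 10 driver
}

$results = @(
    Test-CCBinary -Path (Join-Path $InstallDir 'service.exe')   -ExpectedMd5 $Expected['service.exe']
    Test-CCBinary -Path (Join-Path $InstallDir 'assistant.exe') -ExpectedMd5 $Expected['assistant.exe']
    Test-CCBinary -Path (Join-Path $env:SystemRoot 'System32\drivers\CCRRSecMon.sys') `
                  -ExpectedMd5 $Expected["CCRRSecMon.sys ($driverKey)"]
)

$results | Format-Table -AutoSize

if ($results | Where-Object { $_.Status -ne 'OK' -or $_.Signed -ne 'Valid' }) {
    Write-Warning 'One or more binaries do not match the release notes or are not validly signed.'
    exit 1
}
```

Get-FileHash requires PowerShell 4.0 or later, so on Windows 7 hosts install the Windows Management Framework first. A 64-bit kernel driver such as CCRRSecMon.sys must carry a valid signature to load at all; whether the user-mode executables are signed is not stated in these notes, so treat a non-Valid status on service.exe or assistant.exe as something to confirm with the vendor rather than as proof of tampering.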