v5.16.0

🚀 Key Highlights

🦙 Suspicious Ollama Activities : Introduced a new analytic story focused on monitoring misuse and abuse of locally hosted LLMs through Ollama. This story includes detections such as Abnormal Network Connectivity, Service Crash or Availability Attack, Excessive API Requests, API Endpoint Scan Reconnaissance, Memory Exhaustion Resource Abuse, Model Exfiltration or Data Leakage, RCE via Model Loading, and Suspicious Prompt Injection or Jailbreak. A dedicated TA-Ollama is developed to parse Ollama server logs, enabling precise detection of adversarial prompt engineering, local model abuse, and AI-powered lateral movement scenarios.

✈️ Suspicious Microsoft 365 Copilot Activities : Added a new analytic story targeting emerging risks in GenAI integration with Microsoft 365 Copilot. Detections include M365 Copilot Application Usage Pattern Anomalies, Failed Authentication Patterns, Non-Compliant Devices Accessing Copilot, and Session Origin Anomalies. These analytics help security teams identify compromised identities, unauthorized device access, and abnormal usage trends associated with enterprise AI assistants.

🔒LokiBot and PromptLock Malware: Expanded coverage for LokiBot, a pervasive credential-stealing Trojan distributed via phishing and malicious attachments. A new detection (Windows Visual Basic Command-Line Compiler DNS Query) was added alongside enhanced tagging across related analytics to better identify suspicious DNS communications and data exfiltration attempts.

In addition, we introduced coverage for PromptLock, the first known GenAI-driven ransomware proof-of-concept discovered by ESET in 2025. PromptLock leverages a local AI model (gpt-oss:20b) via the Ollama API to dynamically generate Lua scripts for multi-platform encryption and exfiltration. These detections focus on anomalous AI invocation patterns, file encryption activity, and use of local LLM APIs for malicious automation.

👻 APT37 (Rustonotto & FadeStealer) and GhostRedirector: Expanded coverage for APT37, adding a new detection for suspicious Windows Cabinet file extraction activity linked to their Rustonotto and FadeStealer toolsets. This update enhances visibility into phishing-based infections, persistence mechanisms, and data exfiltration behavior.
Also introduced a new GhostRedirector and Rungan analytic story to track server compromises involving malicious IIS modules, SQL injection abuse, and stealthy PowerShell activity used to maintain access and manipulate web traffic.

These additions strengthen security teams' ability to detect and respond to emerging threats across critical enterprise platforms.

New Analytic Story - [6]

• APT37 Rustonotto and FadeStealer
• GhostRedirector IIS Module and Rungan Backdoor
• Lokibot
• PromptLock
• Suspicious Microsoft 365 Copilot Activities
• Suspicious Ollama Activities

New Analytics - [19]

• M365 Copilot Application Usage Pattern Anomalies
• M365 Copilot Failed Authentication Patterns
• M365 Copilot Non Compliant Devices Accessing M365 Copilot
• M365 Copilot Session Origin Anomalies
• Web or Application Server Spawning a Shell
• Windows Application Whitelisting Bypass Attempt via Rundll32
• Windows Cabinet File Extraction Via Expand
• Windows Change File Association Command To Notepad
• Windows Set Network Profile Category to Private via Registry
• Windows Symlink Evaluation Change via Fsutil
• Windows Visual Basic Commandline Compiler DNSQuery
• Ollama Abnormal Network Connectivity
• Ollama Abnormal Service Crash Availability Attack
• Ollama Excessive API Requests
• Ollama Possible API Endpoint Scan Reconnaissance
• Ollama Possible Memory Exhaustion Resource Abuse
• Ollama Possible Model Exfiltration Data Leakage
• Ollama Possible RCE via Model Loading
• Ollama Suspicious Prompt Injection Jailbreak

Other Updates

• Updated several detections for which Github issues were reported. Please view this complete list of updates that are made to address false positives, efficiency and improved detection logic

🔴 BREAKING CHANGES :

• Remove the notable alert actions: meaning these will no longer create notable/findings and will continue create risk events aka intermediate findings
  a. Attempt To Add Certificate To Untrusted Store
  b. Windows Archived Collected Data In TEMP Folder
  c. Windows Rundll32 Apply User Settings Changes
  d. Windows Scheduled Task Created Via XML

• Add the notable alert actions: meaning these will now create notable/findings and will continue create risk events aka intermediate findings
  a. Windows Certutil Root Certificate Addition

• As previously communicated in the ESCU v5.14.0 release, several detections have been removed. For a complete list of the detections removed in version v5.16.0, refer to the List of Removed Detections. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v5.18.0, see the List of Detections Scheduled for Removal