Releases: splunk/security_content
v4.24.0
Release notes for ESCU v4.24.0
New Analytics Story
Updated Analytics Story
New Analytics
- Azure AD Admin Consent Bypassed by Service Principal
- Azure AD FullAccessAsApp Permission Assigned
- Azure AD Multiple Service Principals Created by SP
- Azure AD Multiple Service Principals Created by User
- Azure AD Privileged Graph API Permission Assigned
- Azure AD Service Principal Authentication
- O365 Admin Consent Bypassed by Service Principal
- O365 FullAccessAsApp Permission Assigned
- O365 Multiple Mailboxes Accessed via API
- O365 Multiple Service Principals Created by SP
- O365 Multiple Service Principals Created by User
- O365 OAuth App Mailbox Access via EWS
- O365 OAuth App Mailbox Access via Graph API
- O365 Privileged Graph API Permission Assigned
- Network Traffic to Active Directory Web Services Protocol
- Windows Privilege Escalation Suspicious Process Elevation (External Contributor: @nterl0k)
- Windows Privilege Escalation System Process Without System Parent (External Contributor: @nterl0k)
- Windows Privilege Escalation User Process Spawn System Process (External Contributor: @nterl0k)
- Windows SOAPHound Binary Execution
- Ivanti Connect Secure SSRF in SAML Component
Updated Analytics
- Splunk unnecessary file extensions allowed by lookup table uploads
- Azure AD High Number Of Failed Authentications From Ip
- Azure AD Multi-Source Failed Authentications Spike
- Azure AD Privileged Role Assigned
- Azure AD Privileged Role Assigned to Service Principal
- Azure AD Service Principal Created
- Azure AD Service Principal New Client Credentials
- Azure AD Service Principal Owner Added
- Azure AD Tenant Wide Admin Consent Granted
- O365 Added Service Principal
- O365 Application Registration Owner Added
- O365 ApplicationImpersonation Role Assigned
- O365 Mailbox Inbox Folder Shared with All Users
- O365 Mailbox Read Access Granted to Application
- O365 Multi-Source Failed Authentications Spike
- O365 Multiple Users Failing To Authenticate From Ip
- O365 Service Principal New Client Credentials
- O365 Suspicious Admin Email Forwarding
- O365 Suspicious Rights Delegation
- O365 Suspicious User Email Forwarding
- O365 Tenant Wide Admin Consent Granted
- Correlation by Repository and Risk
- Correlation by User and Risk
- Any Powershell DownloadFile
- Any Powershell DownloadString
- Attacker Tools On Endpoint
- Create local admin accounts using net exe
- Create Remote Thread In Shell Application
- Creation of Shadow Copy
- Detect Certify Command Line Arguments
- Detect Certify With PowerShell Script Block Logging
- Detect Excessive Account Lockouts From Endpoint
- Detect New Local Admin account
- Detect Regasm with Network Connection
- Detect Regsvcs with Network Connection
- Detect Use of cmd exe to Launch Script Interpreters
- Disable Show Hidden Files
- Disable Windows SmartScreen Protection
- Disabling ControlPanel
- Disabling SystemRestore In Registry
- Download Files Using Telegram
- Elevated Group Discovery with PowerView
- Executable File Written in Administrative SMB Share
- Executables Or Script Creation In Suspicious Path
- Execute Javascript With Jscript COM CLSID
- Execution of File with Multiple Extensions
- Extraction of Registry Hives
- Hiding Files And Directories With Attrib exe
- Linux Account Manipulation Of SSH Config and Keys
- Linux Deletion Of Cron Jobs
- Linux Deletion Of Init Daemon Script
- Linux Deletion Of Services
- Linux Deletion of SSL Certificate
- Linux High Frequency Of File Deletion In Boot Folder
- Linux High Frequency Of File Deletion In Etc Folder
- MacOS LOLbin
- MacOS plutil
- Network Discovery Using Route Windows App
- [Non Chrome Process Accessing Chrome Default Dir](https://research.splunk.com/endpo...
v4.23.0
Release notes for ESCU v4.23.0
New Analytics Story
Updated Analytics Story
New Analytics
- Splunk Information Disclosure in Splunk Add-on Builder
- Kubernetes Anomalous Inbound Network Activity from Process
- Kubernetes Anomalous Outbound Network Activity from Process
- Kubernetes Anomalous Traffic on Network Edge
- Kubernetes Create or Update Privileged Pod
- Kubernetes Cron Job Creation
- Kubernetes DaemonSet Deployed
- Kubernetes Falco Shell Spawned
- Kubernetes newly seen TCP edge
- Kubernetes newly seen UDP edge
- Kubernetes Node Port Creation
- Kubernetes Pod Created in Default Namespace
- Kubernetes Pod With Host Network Attachment
- Kubernetes Scanning by Unauthenticated IP Address
- Windows Impair Defense Change Win Defender Health Check Intervals
- Windows Impair Defense Change Win Defender Quick Scan Interval
- Windows Impair Defense Change Win Defender Throttle Rate
- Windows Impair Defense Change Win Defender Tracing Level
- Windows Impair Defense Configure App Install Control
- Windows Impair Defense Define Win Defender Threat Action
- Windows Impair Defense Disable Controlled Folder Access
- Windows Impair Defense Disable Defender Firewall And Network
- Windows Impair Defense Disable Defender Protocol Recognition
- Windows Impair Defense Disable PUA Protection
- Windows Impair Defense Disable Realtime Signature Delivery
- Windows Impair Defense Disable Web Evaluation
- Windows Impair Defense Disable Win Defender App Guard
- Windows Impair Defense Disable Win Defender Compute File Hashes
- Windows Impair Defense Disable Win Defender Gen reports
- Windows Impair Defense Disable Win Defender Network Protection
- Windows Impair Defense Disable Win Defender Report Infection
- Windows Impair Defense Disable Win Defender Scan On Update
- Windows Impair Defense Disable Win Defender Signature Retirement
- Windows Impair Defense Overide Win Defender Phishing Filter
- Windows Impair Defense Override SmartScreen Prompt
- Windows Impair Defense Set Win Defender Smart Screen Level To Warn
- Windows MsiExec HideWindow Rundll32 Execution
- Windows Process Injection In Non-Service SearchIndexer
- Jenkins Arbitrary File Read CVE-2024-23897
Updated Analytics
- Kubernetes Access Scanning
- Kubernetes Anomalous Inbound Outbound Network IO
- Kubernetes Anomalous Inbound to Outbound Network IO Ratio
- Kubernetes AWS detect suspicious kubectl calls
- Kubernetes Previously Unseen Container Image Name
- Kubernetes Previously Unseen Process
- Kubernetes Process Running From New Path
- Kubernetes Process with Anomalous Resource Utilisation
- Kubernetes Process with Resource Ratio Anomalies
- Kubernetes Shell Running on Worker Node
- Kubernetes Shell Running on Worker Node with CPU Activity
- Disable Windows SmartScreen Protection
- Linux Service Started Or Enabled
- Unknown Process Using The Kerberos Protocol
- Windows Excessive Disabled Services Event
Other Updates
- Added a new input macro for sourcetype="kube:container:falco"
Playbook Updates
- Splunk Attack Analyzer Dynamic Analysis
- Splunk Automated Email Investigation
- Splunk Identifier Activity Analysis
- Splunk Message Identifier Activity Analysis
v4.22.0
New Analytics Story
New Analytics
Updated Analytics
v4.21.0
Release notes for ESCU v4.21.0
New Analytics Story
Updated Analytics Story
New Analytics
- Splunk Enterprise KV Store Incorrect Authorization
- Splunk Enterprise Windows Deserialization File Partition
Updated Analytics
Other Updates
- Updated the splunk_risky_command lookup with a new splunk_risky_command_20240122.csv file
v4.20.0
v4.19.0
Release Branch for ESCU 4.19.0
New Analytic Story
- CISA AA23-347A
- Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
Updated Analytic Story
- Office 365 Account Takeover
- Office 365 Persistence Mechanisms
- Splunk Vulnerabilities
New Analytics
- Kubernetes Anomalous Inbound Outbound Network IO (Internal Contributor: Matthew Moore)
- Kubernetes Anomalous Inbound to Outbound Network IO Ratio (Internal Contributor: Matthew Moore)
- Kubernetes Previously Unseen Container Image Name (Internal Contributor: Matthew Moore)
- Kubernetes Previously Unseen Process (Internal Contributor: Matthew Moore)
- Kubernetes Process Running From New Path (Internal Contributor: Matthew Moore)
- Kubernetes Process with Anomalous Resource Utilisation (Internal Contributor: Matthew Moore)
- Kubernetes Process with Resource Ratio Anomalies (Internal Contributor: Matthew Moore)
- Kubernetes Shell Running on Worker Node with CPU Activity (Internal Contributor: Matthew Moore)
- Kubernetes Shell Running on Worker Node (Internal Contributor: Matthew Moore)
- Windows Account Discovery For None Disable User Account
- Windows Lsa Secrets Nolmhash Registry
- Windows Modify Registry Disable Restricted Admin
- Windows Account Discovery For Sam Account Name
- Windows Account Discovery With Netuser Preauthnotrequire
- Windows Archive Collected Data Via Powershell
- Windows Domain Account Discovery Via Get Netcomputer
- Windows Known Graphicalproton Loaded Modules
- Windows Process Commandline Discovery
- Windows System User Privilege Discovery
- Windows Modify Registry Nochangingwallpaper
- Windows Rundll32 Apply User Settings Changes
- Windows UAC Bypass Suspicious Child Process (External Contributor: @nterl0k)
- Windows UAC Bypass Suspicious Escalation Behavior (External Contributor: @nterl0k)
- Windows Alternate DataStream - Base64 Content (External Contributor: @nterl0k)
- Windows Alternate DataStream - Process Execution (External Contributor: @nterl0k)
- Windows Alternate DataStream - Executable Content (External Contributor: @nterl0k)
- O365 Concurrent Sessions From Different Ips
- Splunk ES DoS Investigations Manager via Investigation Creation (Internal Contributor: Chase Franklin)
- Splunk ES DoS Through Investigation Attachments (Internal Contributor: Chase Franklin)
Updated Analytics
- GCP Authentication Failed During MFA Challenge
- GCP Multi-Factor Authentication Disabled
- GCP Successful Single-Factor Authentication
- Windows Steal Authentication Certificates - ESC1 Abuse
- Allow Network Discovery In Firewall
- Msmpeng Application DLL Side Loading
Other Updates
- Updated MITRE ATT&CK Navigator JSON files for detection coverage of the RAT and Stealer analytic stories
- Updated ALL Azure AD analytics to use sourcetype=azure:monitor:aad for better CIM compliance
v4.18.0
ESCU 4.18.0 Release branch
New Analytic Story
- Rhysida Ransomware
- Kubernetes Security
Updated Analytic Story
- NjRAT
- RedLine Stealer
- Amadey
New Analytics
- PingID Mismatch Auth Source and Verification Response (External Contributor: @nterl0k)
- PingID Multiple Failed MFA Requests For User (External Contributor: @nterl0k)
- PingID New MFA Method After Credential Reset (External Contributor: @nterl0k)
- PingID New MFA Method Registered For User (External Contributor: @nterl0k)
- Kubernetes Abuse of Secret by Unusual Location
- Kubernetes Abuse of Secret by Unusual User Agent
- Windows Modify System Firewall with Notable Process Path
- Kubernetes Abuse of Secret by Unusual User Group
- Kubernetes Abuse of Secret by Unusual User Name
- Kubernetes Access Scanning
- Kubernetes Suspicious Image Pulling
- Kubernetes Unauthorized Access
- Windows Modify System Firewall with Notable Process Path
Updated Analytics
- Allow File And Printing Sharing In Firewall
- Azure AD PIM Role Assigned
- CMD Carry Out String Command Parameter
- Detect Use of cmd exe to Launch Script Interpreters
- Modification Of Wallpaper
Other Updates
- Added two new lookup files, ransomware_extensions_20231219.csv and ransomware_notes_20231219.csv, and updated the existing transforms definitions of ransomware_extensions_lookup and ransomware_notes_lookup to use the latest CSV files
v4.17.0
ESCU 4.17.0 Release branch
New Analytic Story
- Office 365 Account Takeover
- Office 365 Persistence Mechanisms
- Windows Attack Surface Reduction
Updated Analytic Story
- DarkGate Malware
New Analytics
- O365 Service Principal New Client Credentials
- O365 Mailbox Read Access Granted to Application
- O365 Tenant Wide Admin Consent Granted
- O365 Application Registration Owner Added
- O365 Mailbox Inbox Folder Shared with All Users
- O365 Advanced Audit Disabled
- O365 High Number Of Failed Authentications for User
- O365 Multiple Users Failing To Authenticate From Ip
- O365 User Consent Blocked for Risky Application
- O365 User Consent Denied for OAuth Application
- O365 Mail Permissioned Application Consent Granted by User
- O365 ApplicationImpersonation Role Assigned
- O365 File Permissioned Application Consent Granted by User
- O365 Multiple Failed MFA Requests For User
- O365 High Privilege Role Granted
- O365 New MFA Method Registered
- O365 Multiple AppIDs and UserAgents Authentication Spike
- O365 Block User Consent For Risky Apps Disabled
- O365 Multi-Source Failed Authentications Spike
- Powershell Remote Services Add TrustedHost
- Windows Modify Registry AuthenticationLevelOverride
- Windows Modify Registry DisableRemoteDesktopAntiAlias
- Windows Modify Registry DisableSecuritySettings
- Windows Modify Registry DontShowUI
- Windows Modify Registry ProxyEnable
- Windows Modify Registry ProxyServer
- Windows Archive Collected Data via Rar
- Windows Indicator Removal Via Rmdir
- Windows Credentials from Password Stores Creation
- Windows Credentials from Password Stores Deletion
- Windows Defender ASR Rules Stacking
- Windows Defender ASR Rule Disabled
- Windows Defender ASR Registry Modification
- Windows Defender ASR Block Events
- Windows Defender ASR Audit Events
- Windows Masquerading Msdtc Process
- Windows Parent PID Spoofing with Explorer
- Web Remote ShellServlet Access
- Splunk RCE via User XSLT
Updated Analytics
- High Number of Login Failures from a single source
- O365 Add App Role Assignment Grant User
- O365 Added Service Principal
- O365 Bypass MFA via Trusted IP
- O365 Disable MFA
- O365 Excessive Authentication Failures Alert
- O365 Excessive SSO logon errors
- O365 New Federated Domain Added
- O365 PST export alert
- O365 Suspicious Admin Email Forwarding*
- O365 Suspicious Rights Delegation
- O365 Suspicious User Email Forwarding
- Splunk App for Lookup File Editing RCE via User XSLT
Other Updates
- Added "Experimental" to the action.correlationsearch.label name for Content Management
- Updated the splunk_risky_command lookup
- Updated several detections to output accurate risk/threat objects
v4.16.0
New Analytic Story
- DarkGate Malware
- SysAid On-Prem Software CVE-2023-47246 Vulnerability
Updated Analytic Story
- Azure Active Directory Account Takeover
- Splunk Vulnerabilities
New Analytics
- Azure AD Device Code Authentication
- Azure AD Tenant Wide Admin Consent Granted
- Azure AD Multiple AppIDs and UserAgents Authentication Spike
- Azure AD Block User Consent For Risky Apps Disabled
- Azure AD User Consent Blocked for Risky Application
- Azure AD OAuth Application Consent Granted By User
- Azure AD User Consent Denied for OAuth Application
- Azure AD New MFA Method Registered
- Azure AD Multiple Denied MFA Requests For User
- Azure AD Multi-Source Failed Authentications Spike
- Risk Rule for Dev Sec Ops by Repository
- Windows ConHost with Headless Argument
- Windows CAB File on Disk
- Windows WinDBG Spawning AutoIt3
- Windows MSIExec Spawn WinDBG
- Windows Modify Registry Default Icon Setting
- Windows AutoIt3 Execution
- Splunk App for Lookup File Editing RCE via User XSLT
- Splunk XSS in Highlighted JSON Events
Updated Analytics
- AWS ECR Container Scanning Findings High
- AWS ECR Container Scanning Findings Medium
- AWS ECR Container Scanning Findings Low Informational Unknown
- AWS ECR Container Upload Outside Business Hours
Deprecated Analytics
- Correlation by Repository and Risk
- Correlation by User and Risk
Other Updates
- CI updates to release.yml
- Added a downstream trigger to the security_content_automation repo to facilitate automated integration testing
- Updated the GitHub CI workflow to use contentctl
v4.15.0
New Analytic Story
- Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966
- PlugX
New Analytics
- Citrix ADC and Gateway Unauthorized Data Disclosure
Updated Analytics
- Windows Admin Permission Discovery
- Confluence CVE-2023-22515 Trigger Vulnerability
- Confluence Data Center and Server Privilege Escalation
Other Updates
- Updated GitLab CI pipelines to leverage contentctl for validating, building, inspecting and releasing the ESCU app