Releases · splunk/security_content
v3.64.0
Updated Analytic Story
- 3CX Supply Chain Attack
New Analytics
- PowerShell Invoke-WmiExec Usage
- PowerShell Invoke CIMMethod CIMSession
- PowerShell Enable PowerShell Remoting
- PowerShell Start or Stop Service
- Windows PowerShell Get-CIMInstance Remote Computer
- Windows Enable Win32_ScheduledJob via Registry
- Windows PowerShell WMI Win32_ScheduledJob
- Windows Service Create with Tscon
- Windows Lateral Tool Transfer RemCom
- Windows Service Create RemComSvc
Other Updates
- Updated 3CX related analytics with the CVE ID (CVE-2023-29059)
- Updated git actions with appropriate permissions
v3.63.0
New Analytic Story
- 3CX Supply Chain Attack
New Analytics
- Hunting 3CXDesktopApp Software
- Windows Vulnerable 3CX Software
- 3CX Supply Chain Attack Network Indicators
Updated Analytics
- Splunk Improperly Formatted Parameter Crashes splunkd
v3.62.0
New Analytic Story
- CVE-2023-21716 Word RTF Heap Corruption
- CVE-2023-23397 Outlook Elevation of Privilege
New Analytics
- Okta Mismatch Between Source and Response for Okta Verify Push Request
- Okta Multiple Failed Requests to Access Applications
- Okta Suspicious Use of a Session Cookie
- Okta Phishing Detection with FastPass Origin Check
- Okta ThreatInsight Login Failure with High Unknown users
- Okta ThreatInsight Suspected PasswordSpray Attack
- Windows Rundll32 WebDAV Request
- Windows Rundll32 WebDav With Network Connection
Other Updates
- Updated ransomware_notes.csv and ransomware_extensions.csv files and transforms definition (thanks to @VatsalJagani)
- Updated playbook name to CrowdStrike OAuth API Device Attribute Lookup
- Updated several analytics to integrate better with Enterprise Security
v3.61.0
New Analytic Story
- Sneaky Active Directory Persistence Tricks (Huge thanks and shoutout to Dean Luxton, Steven Dick for contributing detections)
- BishopFox Sliver Adversary Emulation Framework
New Analytics
- Notepad with no Command Line Arguments
- Windows Process Injection into Notepad
- Windows AD Same Domain SID History Addition
- Windows AD Cross Domain SID History Addition
- Windows AD Replication Request Initiated by User Account
- Windows AD Replication Request Initiated from Unsanctioned Location
- Windows AD Domain Replication ACL Addition
- Windows AD DSRM Account Changes
- Windows AD DSRM Password Reset
- Windows AD Short Lived Domain Controller SPN Attribute
- Windows AD Short Lived Server Object
- Windows AD SID History Attribute Modified
- Windows AD AdminSDHolder ACL Modified
- Windows AD ServicePrincipalName Added To Domain Account
- Windows AD Short Lived Domain Account ServicePrincipalName
- Windows AD Rogue Domain Controller Network Activity
- Windows AD Account SID History Addition
- Windows AD Replication Service Traffic
- Windows Unusual Count of Disabled Users Failed Auth Using Kerberos
- Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
- Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
- Windows Unusual Count Of Users Fail To Auth With ExplicitCredentials
- Windows Unusual Count Of Users Failed To Auth Using Kerberos
- Windows Unusual Count Of Users Failed To Authenticate From Process
- Windows Unusual Count Of Users Failed To Authenticate Using NTLM
- Windows Unusual Count Of Users Remotely Failed To Auth From Host
Updated Analytics
- Impacket Lateral Movement Commandline Parameters (Thank you Chris Chantrey)
- Suspicious Regsvr32 Register Suspicious Path (Thank you DipsyTipsy)
- Suspicious Reg.exe Process (Thank you DipsyTipsy)
- Linux SSH Remote Services Script Execute (Thank you DipsyTipsy)
New Playbooks
- Automated Enrichment (Parent Playbook)
- Dynamic Attribute Lookup
- Dynamic Identifier Reputation Analysis
- Dynamic Related Tickets Search
- ServiceNow Related Tickets Search
- Splunk Notable Related Tickets Search
- AD LDAP Entity Attributes Lookup
- Azure AD Graph User Attributes Lookup
- Crowdstrike OAuth API Device Attribute
Other Updates
- Removed Experimental/Deprecated BA detections from develop and research.splunk.com
- Migrated Password Spraying to XML
- Updated all of the Splunkbase apps that are used for our automated testing framework
v3.60.0
New Analytic Story
- AwfulShred
- Fortinet FortiNAC CVE-2022-39952
New Analytics
- Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
- Linux Data Destruction Command
- Linux Hardware Addition SwapOff
- Linux Impair Defenses Process Kill
- Linux Indicator Removal Clear Cache
- Linux Indicator Removal Service File Deletion
- Linux System Reboot Via System Request Key
- Linux Unix Shell Enable All SysRq Functions
- Windows Steal Authentication Certificates CryptoAPI
- Windows Mimikatz Crypto Export File Extensions
Updated Analytics
- Linux Deletion Of Services
- Linux Disable Services
- Linux Shred Overwrite Command
- Linux Service Restarted
- Linux Stop Services
- Linux Deleting Critical Directory Using RM Command
- Wbemprox COM Object Execution
Other Updates
- Added Lateral Movement story to deprecated with a note to refer to the Active Directory Lateral Movement analytic story.
- Removed observables from action.escu.annotations in savedsearches.conf.
- Added MSAccess.exe to all the Microsoft Office analytics
- Updated Detect Outlook exe writing a zip file and removed explorer.exe as it was generating the bulk of the noise.
v3.59.0
New Analytics
- Splunk csrf in the ssg kvstore client endpoint
- Splunk Improperly Formatted Parameter Crashes splunkd
- Persistent XSS in RapidDiag through User Interface Views
- Splunk risky Command Abuse disclosed february 2023
- Splunk unnecessary file extensions allowed by lookup table uploads
- Splunk XSS via View
- Splunk list all nonstandard admin accounts
Updated Analytic Story
- Splunk Vulnerabilities
v3.58.0
New Analytic Story
- AsyncRAT
- Compromised User Account
- Swift Slicer
- Windows Certificate Services
New Analytics
- AWS AD New MFA Method Registered For User
- AWS Concurrent Sessions From Different Ips
- AWS High Number Of Failed Authentications For User
- AWS High Number Of Failed Authentications From Ip
- AWS Password Policy Changes
- AWS Successful Console Authentication From Multiple IPs
- Azure AD Concurrent Sessions From Different Ips
- Azure AD High Number Of Failed Authentications For User
- Azure AD High Number Of Failed Authentications From Ip
- Azure AD New MFA Method Registered For User
- Azure AD Successful Authentication From Different Ips
- Detect suspicious processnames using a pretrained model in DSDL
- Driver Inventory
- LOLBAS With Network Traffic (Thanks to @nterl0k)
- Windows Data Destruction Recursive Exec Files Deletion
- Windows Export Certificate
- Windows PowerShell Export Certificate
- Windows PowerShell Export PfxCertificate
- Windows Spearphishing Attachment Onenote Spawn Mshta
- Windows Steal Authentication Certificates Certificate Issued
- Windows Steal Authentication Certificates Certificate Request
- Windows Steal Authentication Certificates CertUtil Backup
- Windows Steal Authentication Certificates CS Backup
- Windows Steal Authentication Certificates Export Certificate
- Windows Steal Authentication Certificates Export PfxCertificate
- Windows Powershell Cryptography Namespace
- Windows Scheduled Task with Highest Privileges
- Windows Spearphishing Attachment Connect To None MS Office Domain
Updated Analytics
- AWS Multiple Users Failing To Authenticate From Ip
- Exploit Public Facing Application via Apache Commons Text
- Office Application Drop Executable (Thanks to @TheLawsOfChaos )
- Office Product Spawning MSHTA
- Rundll32 with no Command Line Arguments with Network (Thanks to @nterl0k)
- Windows Java Spawning Shells
Other Updates
- Moved 12 failing detections to experimental
- Fixed a number of detections that use an incorrect sourcetype in their macro.
- Several Endpoint detections updated from proc_guid to process_guid (Thanks to @nterl0k)
v3.57.0
New Analytic Story
- Chaos Ransomware
- LockBit Ransomware
New Analytics
- Detect suspicious DNS TXT records using pretrained model in DSDL
- Windows Boot or Logon Autostart Execution In Startup Folder
- Windows Modify Registry Default Icon Setting
- Windows Phishing PDF File Executes URL Link
- Windows Replication Through Removable Media
- Windows User Execution Malicious URL Shortcut File
- Windows Vulnerable Driver Loaded
- Linux Ngrok Reverse Proxy Usage
- Windows Server Software Component GACUtil Install to GAC
- Windows PowerShell Add Module to Global Assembly Cache
- Windows Credential Dumping LSASS Memory Createdump
Updated Analytics
- Known Services Killed by Ransomware
- Windows DLL Search Order Hijacking Hunt
- Windows DLL Search Order Hijacking Hunt Sysmon
- ProxyShell ProxyNotShell Behavior Detected (correlation)
Other Updates
- Added 3 new playbook files (Dynamic Identifier Reputation Analysis, PhishTank URL Reputation Analysis, VirusTotal v3 Identifier Reputation Analysis) from phantomcyber/playbooks to security_content
- Added onenote.exe to several detection analytics related to Office Products
v3.56.0
New Analytic Story
- IIS Components
New Analytics
- Windows Disable Windows Event Logging Disable HTTP Logging
- Windows IIS Components Add New Module
- Windows IIS Components Get-WebGlobalModule Module Query
- Windows IIS Components Module Failed to Load
- Windows IIS Components New Module Added
- Windows PowerShell Disable Windows Event Logging Disable HTTP Logging
- Windows PowerShell IIS Components WebGlobalModule Usage
Updated Analytics
- Account Discovery With Net App (Thanks to @TheLawsOfChaos)
- Msmpeng Application DLL Side Loading (Thanks to @sanjay900)
- Remcos RAT File Creation in Remcos Folder (Thanks to @sanjay900)
- Excessive DNS Failures (Thanks to @bowesmana)
- Batch File Write to System32 (Thanks to @nterl0k)
- Disable Defender AntiVirus Registry (Thanks to @nterl0k)
- Sc exe manipulating windows services
- Windows remote access software hunt
Other Updates
- Updated the CI workflow to upload the summary results to the S3 reporting bucket after a test completes.
- Added risk_index macro, which expands to index=risk, in security_content.
v3.55.0
New Analytic Story
- Prestige Ransomware
- Windows Post-Exploitation
New Analytics
- Windows Modify Registry Reg Restore
- Windows Query Registry Reg Save
- Windows System User Discovery Via Quser
- Windows WMI Process And Service List
- Windows Cached Domain Credentials Reg Query
- Windows ClipBoard Data via Get-ClipBoard
- Windows Credentials from Password Stores Query
- Windows Credentials in Registry Reg Query
- Windows Indirect Command Execution Via Series Of Forfiles
- Windows Information Discovery Fsutil
- Windows Password Managers Discovery
- Windows Private Keys Discovery
- Windows Security Support Provider Reg Query
- Windows Steal or Forge Kerberos Tickets Klist
- Windows System Network Config Discovery Display DNS
- Windows System Network Connections Discovery Netsh
- Windows Change Default File Association For No File Ext
- Windows Service Stop Via Net and SC Application
Other Updates
- Added new Mitre MAP Coverage map json files to show the CISA 2021 Top Malware TTP coverage in docs/mitre-map.
- Fixed a bug in contentctl affecting the scheduling configuration in savedsearches.conf