Releases: splunk/security_content

v3.9.0

16 Nov 17:17

New Detections

  • Ryuk Test Files Detected
  • Windows connhost exe started forcefully
  • Windows DisableAntiSpyware Registry
  • Windows Security Account Manager Stopped

Updates

  • Attempt To Set Default PowerShell Execution Policy To Unrestricted or Bypass detection
  • Detect Deleting of Shadow Copies
  • Detect Excessive Account Lockouts From Endpoint
  • Detect mshta exe running scripts in command-line arguments
  • Detect newly created accounts that have been elevated
  • Detect Windows event log cleared
  • Detect Attempt To Add Certificate To Untrusted Store
  • Detect Attempted credentials dump from registry via reg exe
  • Detect Attempted creation_of_shadow_copy_with_wmic_and_powershell.yml
  • Detect Path Interception By Creation Of program exe
  • Detect malicious powershell process encoded_command
  • Common Ransomware Extensions (The search looks for file modifications with extensions commonly used)
  • Common Ransomware Notes (The search looks for files created with names matching those typically used in ransomware notes that tell the victim how to get their data back.)

Other

  • Circle CI Config updates
  • Increase in testing coverage

NOTE: we updated how we version our releases, hence the jump from 3.0.8 to 3.8.1 and then to 3.9.0; see the wiki page for details.

v3.8.1

16 Nov 16:49

Bug Fixes for SSA only. This patch contains no ESCU changes.

v3.0.8

20 Oct 22:29
ddf9d10

New Detections

  • GCP Detect accounts with high risk roles by project
  • GCP Detect gcploit framework
  • GCP Detect high risk permissions by resource and account
  • System Information Discovery Detection

Updates

  • Attempted Credential Dump From Registry via Reg exe
  • Detect Activity Related to Pass the Hash Attacks
  • Windows Event Log Cleared
  • Kerberoasting spn request with RC4 encryption

Other

  • Automated detection testing framework
  • Improved and extended response phases/tasks

v3.0.7

18 Sep 23:40
be932e4

New Stories

  • Detect Zerologon Attack
  • GCP Cross Account Activity

New Detections

  • GCP Detect OAuth Token Abuse
  • Detect Computer Changed with Anonymous Account
  • Detect Zerologon via Zeek

Updates

  • Fixed a bug in the detection "AWS Detect STS Assume Role Abuse"
  • Fixed a bug in the detection "AWS Detect Role Creation"
  • Tagged the new Zerologon story on the detection "Detect Mimikatz Using Loaded Images"
  • Tagged the new Zerologon story on the detection "Detect Credential Dumping through LSASS access"

Others

  • Add the ability to tag detections with RBA. See wiki for details.

v3.0.6

27 Aug 18:42
2a13216

New Stories

  • Suspicious GCP Storage Activities
  • AWS Security Hub Alerts

New Detections

  • Detect Spike in AWS Security Hub Alerts for EC2 Instance
  • Detect Spike in Security Hub Alerts for User
  • Detect GCP Storage access from a new IP
  • Detect New Open GCP Storage Buckets

Updates

  • Detect Rogue DHCP Server

Others

v3.0.5

04 Aug 21:37
9bff8a3

New Detections

  • Added new detection for detect_windows_dns_sigred_via_splunk_stream.yml
  • Added new detection for detect_windows_dns_sigred_via_zeek.yml
  • Added new detection for f5_tmui_rce_cve_2020_5902.yml
  • Added new detection for aws_detect_attach_to_role_policy.yml
  • Added new detection for aws_detect_permanent_key_creation.yml
  • Added new detection for aws_detect_role_creation.yml
  • Added new detection for aws_detect_sts_assume_role_abuse.yml
  • Added new detection for detections/aws_detect_sts_get_session_token_abuse.yml

Updates

  • Updated malicious_powershell_process___encoded_command.yml
  • Updated smb_traffic_spike.yml

Fixed Issues

N/A

Other

  • Added automated testing capabilities via CI under the tests folder.

v3.0.4

15 Jul 21:14
a079a09

New Detections

  • Added new detection for kubernetes_gcp_detect_most_active_service_accounts_by_pod.yml
  • Added new detection for kubernetes_gcp_detect_RBAC_authorizations_by_account.yml
  • Added new detection for kubernetes_gcp_detect_sensitive_object_access.yml
  • Added new detection for kubernetes_gcp_detect_sensitive_role_access.yml
  • Added new detection for kubernetes_gcp_detect_service_accounts_forbidden_failure_access.yml
  • Added new detection for kubernetes_gcp_detect_suspicious_kubectl_calls.yml

Updates

  • Updated the search processes_created_by_netsh.yml to exclude a process known to create false positives. Thank you Murali from Xilinx.

Fixed Issues

  • Fixed bug with detection Previously Seen Running Windows Services.
  • Fixed bug with API for upper case detections. Thank you Nick Roy for reporting.
  • Fixed bug with spectre_and_meltdown_vulnerable_systems.yml detection data model.
  • Fixed bug with processes_launching_netsh.yml detection. Thank you Josef Kuepker.

Other

  • Added automated testing capabilities via CI under the tests folder.
  • Added MITRE tagging for cloud detections.

v3.0.3

25 Jun 22:40
0506f93

Updated the detection searches in the following AWS-related analytic stories with MITRE mappings where applicable:

  • Suspicious AWS EC2 Activities
  • AWS Suspicious Provisioning Activities
  • AWS Cross Account Activity
  • Cloud Cryptomining
  • AWS User Monitoring
  • Suspicious Cloud Authentication Activities
  • Suspicious AWS Login Activities
  • Suspicious AWS S3 Activities
  • Unusual AWS EC2 Modifications
  • Container Implantation Monitoring and Investigation

Updated analytic stories with new detection searches:

  • Kubernetes Sensitive Role Activity
  • Kubernetes Sensitive Object Access Activity

New response task: "AWS Investigate Security Hub alerts by dest", which leverages Security Hub alerts for investigation and response.

Fixed Issues:

  • Updated Creation of Shadow Copy with wmic and powershell to use Endpoint Datamodel

Full documentation: https://docs.splunk.com/Documentation/ESSOC/3.0.3

v3.0.2

18 Jun 19:55
605d0c4

New Analytic Story:

  • Suspicious Cloud Auth Activities (uses updated Authentication Data Model on ES 6.2)

New Detection:

  • Kerberoasting spn request with RC4 encryption
  • Detect new user AWS Console Login - DM

Fixed Issues:

  • Set the Macro for summariesonly to false by default
  • Updated First Time Seen Running Windows Service Detection
  • Updated Previously Seen Running Windows Services
  • Updated Reg exe Manipulating Windows Services Registry Keys
  • Updated Sc exe Manipulated Windows Services
  • AWS Cross Account Activity From Previously Unseen Account

Full documentation: https://docs.splunk.com/Documentation/ESSOC/3.0.2

v3.0.1

15 Jun 23:23
8688c29

NOTE - This release contains new content that leverages SPEC 3.0.

Enterprise Security Content Updates v3.0.1 was released on June 4, 2020. It includes the following enhancements:

New UI Enhancements:

  • Adds workbench panel investigations

New Analytic Story:

  • Kubernetes Sensitive Object Access Activity
  • Kubernetes Sensitive Role Activity
  • Suspicious Zoom Child Processes

Updated Analytic Story:

  • Kubernetes Scanning Activity

Full documentation: https://docs.splunk.com/Documentation/ESSOC/3.0.1