v4.35.0

Key Highlights

• Enterprise Security Content Updates version 4.35.0 contains 11 new analytics and 6 updated analytics that are specifically crafted to detect the Splunk Security Advisories that were published on July 1st, 2024 for Splunk Enterprise 9.2.2, 9.1.5, 9.0.10 and Splunk Cloud. These Splunk Enterprise updates address several critical vulnerabilities, including multiple instances of persistent cross-site scripting (XSS) in various endpoints, remote code execution (RCE) exploits, and denial of service (DoS) vulnerabilities. Additionally, in this ESCU build we have updated the analytics for detecting information disclosure of user names, path traversal, insecure file uploads, and risky command safeguards bypasses, ensuring a more secure environment for Splunk Enterprise users. Please refer to https://advisory.splunk.com/ for specific details about the vulnerabilities.

Total New and Updated Content: [19]

New Analytic Story - [0]

Updated Analytic Story - [0]

New Analytics - [11]

• Splunk DoS via POST Request Datamodel Endpoint
• Splunk Information Disclosure on Account Login
• Splunk RCE PDFgen Render
• Splunk RCE via External Lookup Copybuckets
• Splunk Stored XSS conf-web Settings on Premises
• Splunk Stored XSS via Specially Crafted Bulletin Message
• Splunk Unauthenticated DoS via Null Pointer References
• Splunk Unauthenticated Path Traversal Modules Messaging
• Splunk Unauthorized Experimental Items Creation
• Splunk XSS Privilege Escalation via Custom Urls in Dashboard
• Splunk XSS Via External Urls in Dashboards SSRF

Updated Analytics - [6]

• Splunk CSRF in the SSG kvstore Client Endpoint
• Splunk Enterprise Windows Deserialization File Partition
• Splunk Stored XSS via Data Model objectName Field
• Splunk XSS in Highlighted JSON Events
• Splunk XSS in Save table dialog header in search page
• Splunk risky Command Abuse disclosed february 2023

Macros Added - [1]

• splunkd_webs

Macros Updated - [0]

Lookups Added - [0]

Lookups Updated - [1]

• splunk_risky_command

Playbooks Added - [0]

Playbooks Updated - [0]

Deprecated Analytics - [0]

Other Updates

• Updated the ESCU Summary Dashboard to link directly to the Enterprise Security Use Case Library.

Full Changelog: v4.34.0...v4.35.0

v4.34.0

Release notes for ESCU release_v4.34.0

Total New and Updated Content: [1256]

New Analytic Story - [1]

• Gomir

Updated Analytic Story - [0]

New Analytics - [2]

• Windows Debugger Tool Execution
• Windows Unsigned DLL Side-Loading In Same Process Path

Updated Analytics - [1238]

Over 1200+ descriptions updated.

Macros Added - [3]

• fillnull_config
• oldsummaries_config
• summariesonly_config

Macros Updated - [2]

• prohibited_softwares
• security_content_summariesonly

Updated the security_content_summariesonly macro to use macros for each of the configuration settings that were previously hardcoded. There's no change in the values of those macros and the previous configuration of the security_content_summariesonly macro

Lookups Added - [0]

Lookups Updated - [0]

Playbooks Added - [0]

Playbooks Updated - [0]

Deprecated Analytics - [10]

• Clients Connecting to Multiple DNS Servers
• DNS Query Requests Resolved by Unauthorized DNS Servers
• First time seen command line argument
• GCP Kubernetes cluster scan detection
• Multiple Okta Users With Invalid Credentials From The Same IP
• Okta Failed SSO Attempts
• Prohibited Software On Endpoint
• Suspicious Changes to File Associations
• Uncommon Processes On Endpoint
• Unsigned Image Loaded by LSASS

Other Updates

• Updated descriptions and _filter macro for several analytics to have a consistent standard and formatting.
• Updated distsearch.conf to remove bias language.
• Updated testing to run against the official Splunk Sysmon for Linux Add-on.

Full Changelog: v4.33.0...v4.34.0

v4.33.0

Key highlights

Enterprise Security Content Updates version 4.33.0 adds a new detection, CrushFTP Server Side Template Injection. This detection highlights any attempts to exploit CVE-2024-4040, a critical vulnerability that allows unauthenticated remote attackers to run arbitrary code and bypass authentication in CrushFTP versions before 10.7.1 and 11.1.0.

Additionally, this release includes updates to the detection logic of some analytics that use lookups. This includes changing the order of operations in the SPL so that the lookup command is run after the stats command. Thus, in a distributed environment, lookups don't need to be replicated and the search performance improves slightly in all environments because it involves looking up values for fewer events.

New Analytic Story - [1]

• CrushFTP Vulnerabilities

New Analytics - [1]

• CrushFTP Server Side Template Injection

Updated Analytics - [12]

• Azure AD Privileged Role Assigned
• Azure AD Privileged Role Assigned to Service Principal
• Kubernetes Nginx Ingress LFI
• Windows AppLocker Block Events
• Windows Credential Access From Browser Password Store
• Windows Defender ASR Audit Events
• Windows Defender ASR Block Events
• Windows Defender ASR Registry Modification
• Windows Defender ASR Rule Disabled
• Windows Defender ASR Rules Stacking
• Windows AppLocker Privilege Escalation via Unauthorized Bypass
• Windows Domain Admin Impersonation Indicator

Other Updates

• Updated descriptions for 80+ analytics to have a consistent standard and formatting.

v4.32.0

What's new

Enterprise Security Content Updates v4.32.0 was released on May 22, 2024. It includes the following enhancements:

Key highlights

Splunk Threat Research team has added 6 new detections and updated 6 existing detection analytics focused on AWS, leveraging the Open Cybersecurity Schema Framework (OCSF) to support the recent GA release of Amazon Security Lake (ASL) and the Splunk Add-On for Amazon Web Services. Additionally, Enterprise Security Content Updates v4.32.0 updated 6 analytics based on testing on real-world data to enhance accuracy and effectiveness in identifying suspicious activities and potential threats.

Enterprise Security Content Updates v4.32.0 detects critical security events such as attempts to disable or modify CloudTrail logging, unauthorized container uploads to Amazon ECR, and suspicious IAM group deletions, ensuring comprehensive monitoring and rapid response to potential threats.

This release also introduced a new object called data_sources for each detection to improve mapping by associating detections with their corresponding Splunkbase TAs, sample events. In addition, this release lists fields extracted in the raw data.

New analytics

• ASL AWS Defense Evasion Stop Logging Cloudtrail
• ASL AWS Defense Evasion Update Cloudtrail
• ASL AWS ECR Container Upload Outside Business Hours
• ASL AWS ECR Container Upload Unknown User
• ASL AWS IAM Failure Group Deletion
• ASL AWS IAM Successful Group Deletion

Updated Analytics

• ASL AWS Concurrent Sessions From Different Ips
• ASL AWS Defense Evasion Delete CloudWatch Log Group
• ASL AWS Defense Evasion Delete Cloudtrail
• ASL AWS Defense Evasion Impair Security Services
• ASL AWS IAM Delete Policy
• ASL AWS Multi-Factor Authentication Disabled
• Detect Regasm Spawning a Process
• Possible Lateral Movement PowerShell Spawn
• Process Creating LNK file in Suspicious Location
• Process Execution via WMI
• Windows InstallUtil Uninstall Option
• Windows MOF Event Triggered Execution via WMI

Macros added

aws_ecr_users_asl

Macros updated

amazon_security_lake

Deprecated detection

Windows DLL Search Order Hijacking Hunt

Other updates

• Updates to several reference links that were no longer working.
• Added dist/ files to .gitignore and added them back in the release.yml CI job to keep generated dist/ files up to date.
• Added a new yml object called data_sources with information of each data source leveraged by the detection search.

v4.31.1

Release notes

• Splunk btool throws errors on es_investigations.conf and a few stanzas in savedsearches.conf due to spacing issues. Contentctl v4.0.2 fixes this issue. We have updated the tooling to remove these whitespaces that were introduced with contentctl 4.0 in previous release ESCU 4.31.0

Contentctl Fix : splunk/contentctl#143

v4.31.0

New Analytic Story

Updated Analytic Story

New Analytics

• Windows Process Writing File to World Writable Path

Updated Analytics

• AWS Create Policy Version to allow all resources
• Detect Outbound SMB Traffic
• Detect Rare Executables
• Prohibited Network Traffic Allowed
• Remote Desktop Network Traffic
• Windows Masquerading Explorer As Child Process
• Recon AVProduct Through Pwh or WMI
• Detect Outbound SMB Traffic
• MSHTML Module Load in Office Product
• Office Document Creating Schedule Task
• Office Document Executing Macro Code
• Windows InstallUtil Credential Theft

Deprecated Analytics

• Windows DLL Search Order Hijacking Hunt with Sysmon

Other Updates

• Updated risk and threat related configurations for several detections
• Added Victims to missing detections to create correct risk_objects
• Converted the following Windows detections to leverage the XML log format:
  • kerberos_user_enumeration.yml
  • known_services_killed_by_ransomware.yml
  • malicious_powershell_executed_as_a_service.yml
  • non_chrome_process_accessing_chrome_default_dir.yml
  • non_firefox_process_access_firefox_profile_dir.yml
  • print_processor_registry_autostart.yml
  • suspicious_computer_account_name_change.yml
  • suspicious_event_log_service_behavior.yml
  • suspicious_kerberos_service_ticket_request.yml
  • suspicious_ticket_granting_ticket_request.yml
  • svchost_lolbas_execution_process_spawn.yml
  • windows_computer_account_requesting_kerberos_ticket.yml
  • windows_event_for_service_disabled.yml
  • windows_excessive_disabled_services_event.yml
  • windows_get_adcomputer_unconstrained_delegation_discovery.yml
  • windows_kerberos_local_successful_logon.yml
  • windows_krbrelayup_service_creation.yml
  • windows_powerview_constrained_delegation_discovery.yml
  • windows_powerview_unconstrained_delegation_discovery.yml
  • windows_rdp_connection_successful.yml
  • windows_service_created_with_suspicious_service_path.yml
  • windows_service_created_within_public_path.yml
  • winevent_scheduled_task_created_to_spawn_shell.yml
  • winevent_scheduled_task_created_within_public_path.yml
  • winevent_windows_task_scheduler_event_action_started.yml

Upcoming Changes

IMPORTANT NOTE : In the upcoming v4.34.0 release, changes will be made to the security_content_summariesonly macro. Its current definition will change to wrap the existing values into another set of macros. This will allow each environment to customize each setting without changing the base macro. If this macro has already been modified in your environment, it will not be affected.

v4.30.0

Release notes

New Analytics Story

• Okta Account Takeover
• Windows AppLocker
• Zscaler Browser Proxy Threats

Updated Analytics Story

• Azure Active Directory Account Takeover
• Compromised User Account
• GCP Account Takeover

New Analytics

• Okta Authentication Failed During MFA Challenge
• Okta IDP Lifecycle Modifications
• Okta Multi-Factor Authentication Disabled
• Okta Multiple Accounts Locked Out
• Okta Multiple Failed MFA Requests For User
• Okta Multiple Users Failing To Authenticate From Ip
• Okta Successful Single Factor Authentication
• Okta Unauthorized Access to Application
• O365 Compliance Content Search Exported
• O365 Compliance Content Search Started
• O365 Elevated Mailbox Permission Assigned
• O365 Mailbox Email Forwarding Enabled
• O365 Mailbox Folder Read Permission Assigned
• O365 Mailbox Folder Read Permission Granted
• O365 New Email Forwarding Rule Created
• O365 New Email Forwarding Rule Enabled
• O365 New Forwarding Mailflow Rule Created
• O365 Security And Compliance Alert Triggered
• Okta User Logins From Multiple Cities
• Windows AppLocker Block Events
• Windows AppLocker Execution from Uncommon Locations
• Windows AppLocker Privilege Escalation via Unauthorized Bypass
• Windows AppLocker Rare Application Launch Detection
• Windows Unsigned MS DLL Side-Loading
• Zscaler Adware Activities Threat Blocked
• Zscaler Behavior Analysis Threat Blocked
• Zscaler CryptoMiner Downloaded Threat Blocked
• Zscaler Employment Search Web Activity
• Zscaler Exploit Threat Blocked
• Zscaler Legal Liability Threat Blocked
• Zscaler Malware Activity Threat Blocked
• Zscaler Phishing Activity Threat Blocked
• Zscaler Potentially Abused File Download
• Zscaler Privacy Risk Destinations Threat Blocked
• Zscaler Scam Destinations Threat Blocked
• Zscaler Virus Download threat blocked

Updated Analytics

• Email Attachments With Lots Of Spaces
• Okta MFA Exhaustion Hunt
• Okta Mismatch Between Source and Response for Verify Push Request
• Okta Multiple Failed Requests to Access Applications
• Okta New API Token Created
• Okta New Device Enrolled on Account
• Okta Phishing Detection with FastPass Origin Check
• Okta Risk Threshold Exceeded
• Okta Suspicious Activity Reported
• Okta Suspicious Use of a Session Cookie
• Okta ThreatInsight Threat Detected
• Suspicious Email Attachment Extensions
• O365 Admin Consent Bypassed by Service Principal
• O365 ApplicationImpersonation Role Assigned
• O365 Mailbox Inbox Folder Shared with All Users
• O365 PST export alert
• Prohibited Software On Endpoint
• Detect Use of cmd exe to Launch Script Interpreters
• Detection of tools built by NirSoft
• Excessive File Deletion In WinDefender Folder(External Contributor : @nterl0k )
• Linux Account Manipulation Of SSH Config and Keys
• Linux Deletion of SSL Certificate
• Malicious Powershell Executed As A Service
• Registry Keys Used For Persistence
• SchCache Change By App Connect And Create ADSI Object
• Suspicious Regsvr32 Register Suspicious Path
• Windows Data Destruction Recursive Exec Files Deletion (External Contributor : @nterl0k )
• Windows High File Deletion Frequency External Contributor : @nterl0k )
• Windows MSHTA Writing to World Writable Path
• Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
• SMB Traffic Spike
• SMB Traffic Spike - MLTK
• Web Remote ShellServlet Access

Macros Added

• applocker
• zscaler_proxy

Macros Updated

• okta

Lookups Added

• applockereventcodes

Other Updates

• Added a new dashboard ESCU - AppLocker, Navigate to your Dashboards and search for "ESCU - AppLocker" to assist with auditing and monitoring Windows AppLocker events for your endpoints (Splunk Enterprise 9.x.x version and above only)

v4.29.0

Release notes

New Analytics Story

• APT29 Diplomatic Deceptions with WINELOADER
• Outlook RCE CVE-2024-21378

Updated Analytics Story

New Analytics

• Windows InProcServer32 New Outlook Form
• Windows MSHTA Writing to World Writable Path
• Windows New InProcServer32 Added
• Windows Phishing Outlook Drop Dll In FORM Dir
• Windows SqlWriter SQLDumper DLL Sideload

Updated Analytics

• CertUtil With Decode Argument

v4.28.0

New Analytics

• Splunk Authentication Token Exposure in Debug Log

Updated Analytics

• Splunk Command and Scripting Interpreter Risky Commands
• ASL AWS Concurrent Sessions From Different Ips
• Gsuite Outbound Email With Attachment To External Domain
• Detect Excessive Account Lockouts From Endpoint
• Detect Excessive User Account Lockouts
• Short Lived Windows Accounts
• Windows Create Local Account

Playbooks Updated

• Active Directory Enable Account Dispatch

v4.27.0

Updated Analytics Story

• Cyclops Blink
• Sneaky Active Directory Persistence Tricks

New Analytics

• Windows Credential Access From Browser Password Store
• Windows Known Abused DLL Created (External Contributor : @nterl0k )

Updated Analytics

• Okta User Logins From Multiple Cities
• Path traversal SPL injection
• Splunk User Enumeration Attempt
• AWS Concurrent Sessions From Different Ips
• AWS Credential Access RDS Password reset
• Kubernetes Nginx Ingress LFI
• Kubernetes Nginx Ingress RFI
• Kubernetes Previously Unseen Process
• O365 Multiple Users Failing To Authenticate From Ip
• Detect AzureHound Command-Line Arguments
• Detect AzureHound File Modifications
• Detect SharpHound Command-Line Arguments
• Detect SharpHound File Modifications
• Detect SharpHound Usage
• Disabling Windows Local Security Authority Defences via Registry
• Linux Iptables Firewall Modification
• Linux Kworker Process In Writable Process Path
• Linux Stdout Redirection To Dev Null File
• Network Traffic to Active Directory Web Services Protocol
• System Information Discovery Detection
• Windows SOAPHound Binary Execution

Lookups Added

• browser_app_list
• hijacklibs_loaded (External Contributor : @nterl0k )

Playbooks Updated

• All playbook yamls updated to use a list of D3FEND IDs