Releases: splunk/security_content
Releases · splunk/security_content
v4.8.0
New Analytics
- Splunk Unauthenticated Log Injection Web Service Log
v4.7.0
New Analytics
- Citrix ADC Exploitation CVE-2023-3519
- Windows Modify Registry EnableLinkedConnections
- Windows Modify Registry LongPathsEnabled
- Windows Modify Registry Risk Behavior
- Windows Post Exploitation Risk Behavior
- Windows Common Abused Cmd Shell Risk Behavior
Updated Analytics
- O365 Add App Role Assignment Grant User
- MSHTML Module Load in Office Product
- Office Document Spawned Child Process To Download
- Office Product Spawn CMD Process
- Office Product Spawning BITSAdmin
- Office Product Spawning CertUtil
- Office Product Spawning MSHTA
- Office Product Spawning Rundll32 with no DLL
- Office Product Spawning Windows Script Host
New Analytic Story
- BlackByte Ransomware
- CVE-2023-36884 Office and Windows HTML RCE Vulnerability
- Citrix Netscaler ADC CVE-2023-3519
Other Updates
- Tagged several detection analytics to
BlackByte Ransomware
- Removed unused fields from detections.json for SSE API
- Improved validation script for the csv lookup and yaml files
v4.6.0
New Analytics
- Windows PowerShell ScheduleTask
- Windows Files and Dirs Access Rights Modification Via Icacls
Updated Analytics
- ICACLS Grant Command
- Registry Keys Used For Persistence
- PowerShell 4104 Hunting
- Detect Baron Samedit CVE-2021-3156 Segfault
- Detect Baron Samedit CVE-2021-3156
- Windows System Shutdown CommandLine
- VMWare Aria Operations Exploit Attempt
New Analytic Story
- Scheduled Tasks
- Amadey
- Graceful Wipe Out Attack
- VMware Aria Operations vRealize CVE-2023-20887
Other Updates
- Improved descriptions of several detections, tagged appropriate Mitre IDs and Analytic Stories to detections
- Added filter macros to the macros.json file served via the API
- Added content_changer functionality to security content
New Playbooks
- URL Outbound Traffic Filtering Dispatch
- Panorama Outbound Traffic Filtering
- Splunk Message Identifier Activity Analysis
- G Suite for GMail Message Identifier Activity Analysis
- ZScaler Outbound Traffic Filtering
v4.5.1
Updated BA Analytics
- Logical bug fix in
Windows Powershell Connect to Internet With Hidden Window
v4.5.0
New Analytics
- ASL AWS Concurrent Sessions From Different IPs
- ASL AWS CreateAccessKey
- ASL AWS Defense Evasion Delete Cloudtrail
- ASL AWS Defense Evasion Delete CloudWatch Log Group
- ASL AWS Defense Evasion Impair Security Services
- ASL AWS Excessive Security Scanning
- ASL AWS IAM Delete Policy
- ASL AWS Multi-Factor Authentication Disabled
- ASL AWS New MFA Method Registered For User
- ASL AWS Password Policy Changes
- Detect DNS Data Exfiltration using pretrained model in DSDL
- Detect RTLO In File Name (Thank you @nterl0k)
- Detect RTLO In Process (Thank you @nterl0k)
- Detect Webshell Exploit Behavior (Thank you @nterl0k)
- Windows MOVEit Transfer Writing ASPX
New Analytic Story
- MOVEit Transfer Critical Vulnerability
Other Updates
- Added support for Apple Silicon for detection testing
- Updated several detections which use
|outputlookup
to create KVStore instead of CSV
v4.4.1
Removed a BA detection- Windows PowerView AD Access Control List Enumeration
v4.4.0
New Analytics
- Splunk DOS Via Dump SPL Command
- Splunk Edit User Privilege Escalation
- Splunk HTTP Response Splitting Via Rest SPL Command
- Splunk Low Privilege User Can View Hashed Splunk Password
- Splunk Path Traversal in the Splunk App for Lookup File Editing
- Splunk Persistent XSS Via URL Validation Bypass W Dashboard
- Splunk RBAC Bypass On Indexing Preview REST Endpoint
Updated Analytic Story
- Splunk Vulnerabilities
v4.3.0
New Analytic Story
- Volt Typhoon
New Analytics
- Network Share Discovery Via Dir Command
- Active Directory Privilege Escalation Identified
- Windows Ldifde Directory Object Behavior
- Windows Proxy Via Netsh
- Windows Proxy Via Registry
Updated Analytics
- CHCP Command Execution
New BA Analytics
- Windows PowerSploit GPP Discovery
- Windows Findstr GPP Discovery
- Windows File Share Discovery With Powerview
- Windows Default Group Policy Object Modified with GPME
- Windows PowerView AD Access Control List Enumeration
Updated BA Analytics
- Detect Prohibited Applications Spawning cmd exe
Other Updates:
- Updated several detecetions with Atomic GUIDs
- Tagged several existing detections with
Volt Typhoon
v4.2.0
New Analytic Story
- Azure Active Directory Privilege Escalation
- PaperCut MF NG Vulnerability
- Snake Malware
- Windows BootKits
Updated Analytic Story
- Data Exfiltration
- Suspicious AWS S3 Activities
New Analytics
- AWS AMI Attribute Modification for Exfiltration
- AWS Disable Bucket Versioning
- AWS EC2 Snapshot Shared Externally
- AWS Exfiltration via Anomalous GetObject API Activity
- AWS Exfiltration via Batch Service
- AWS Exfiltration via Bucket Replication
- AWS Exfiltration via DataSync Task
- AWS Exfiltration via EC2 Snapshot
- AWS S3 Exfiltration Behavior Identified
- Azure AD Application Administrator Role Assigned
- Azure AD Global Administrator Role Assigned
- Azure AD PIM Role Assigned
- Azure AD PIM Role Assignment Activated
- Azure AD Privileged Authentication Administrator Role Assigned
- Azure AD Privileged Role Assigned to Service Principal
- Azure AD Service Principal Owner Added
- PaperCut Remote Web Access Attempt
- PaperCut Suspicious Behavior Debug Log
- Windows PaperCut Spawn Shell
- Windows Registry Bootexecute Modification
- Windows Snake Malware File Modification Crmlog
- Windows Snake Malware Kernel Driver Comadmin
- Windows Snake Malware Registry Modification wav OpenWithProgIds
- Windows Snake Malware Service Create
- Windows Winlogon with Public Network Connection
Other Updates:
- Updated several detection analytics to not use the
join
command to improve search performance.
- Active Setup Registry Autostart
- Add DefaultUser And Password In Registry
- Allow Inbound Traffic By Firewall Rule Registry
- Allow Operation with Consent Admin
- Auto Admin Logon Registry Entry
- Disable AMSI Through Registry
- Disable Defender AntiVirus Registry
- Disable Defender BlockAtFirstSeen Feature
- Disable Defender MpEngine Registry
- Disable Defender Spynet Reporting
- Disable Defender Submit Samples Consent Feature
- Disable ETW Through Registry
- Disable Registry Tool
- Disable Security Logs Using MiniNt Registry
- Disable Show Hidden Files
- Disable UAC Remote Restriction
- Disable Windows App Hotkeys
- Disable Windows Behavior Monitoring
- Disable Windows SmartScreen Protection
- Disabling CMD Application
- Disabling ControlPanel
- Disabling FolderOptions Windows Feature
- Disabling NoRun Windows App
- Disabling SystemRestore In Registry
- Disabling Task Manager
- Enable RDP In Other Port Number
- Enable WDigest UseLogonCredential Registry
- ETW Registry Disabled
- Hide User Account From Sign-In Screen
- Linux Account Manipulation Of SSH Config and Keys
- Linux Deletion Of Cron Jobs
- Linux Deletion Of Init Daemon Script
- Linux Deletion Of Services
- Linux Deletion of SSL Certificate
- Linux High Frequency Of File Deletion In Boot Folder
- Linux High Frequency Of File Deletion In Etc Folder
- Monitor Registry Keys for Print Monitors
- Registry Keys for Creating SHIM Databases
- Registry Keys Used For Privilege Escalation
- Time Provider Persistence Registry
- Windows Defender Exclusion Registry Entry
- Windows Disable Change Password Through Registry
- Windows Disable Lock Workstation Feature Through Registry
- Windows Disable LogOff Button Through Registry
- Windows Disable Memory Crash Dump
- Windows Disable Notification Center
- Windows Disable Shutdown Button Through Registry
- Windows Disable Windows Group Policy Features Through Registry
- Windows Hide Notification Features Through Registry
- Windows Modify Show Compress Color And Info Tip Registry
- Windows Registry Certificate Added
- Windows Registry Modification for Safe Mode Persistence
- Windows Service Creation Using Registry Entry
- Added improvements for BA detections and the conversion tool and added ocsf fields
v4.1.0
New Analytic Story
- Active Directory Privilege Escalation
- RedLine Stealer
New Analytics
- Active Directory Lateral Movement Identified
- Impacket Lateral Movement smbexec CommandLine Parameters
- Impacket Lateral Movement WMIExec CommandLine Parameters
- Steal or Forge Authentication Certificates Behavior Identified
- Windows Administrative Shares Accessed On Multiple Hosts
- Windows Admon Default Group Policy Object Modified
- Windows Admon Group Policy Object Created
- Windows Credentials from Password Stores Chrome Extension Access
- Windows Credentials from Password Stores Chrome LocalState Access
- Windows Credentials from Password Stores Chrome Login Data Access
- Windows Default Group Policy Object Modified
- Windows Default Group Policy Object Modified with GPME
- Windows DnsAdmins New Member Added
- Windows File Share Discovery With Powerview
- Windows Findstr GPP Discovery
- Windows Group Policy Object Created
- Windows Large Number of Computer Service Tickets Requested
- Windows Local Administrator Credential Stuffing
- Windows Modify Registry Auto Minor Updates
- Windows Modify Registry Auto Update Notif
- Windows Modify Registry Disable WinDefender Notifications
- Windows Modify Registry Do Not Connect To Win Update
- Windows Modify Registry No Auto Reboot With Logon User
- Windows Modify Registry No Auto Update
- Windows Modify Registry Tamper Protection
- Windows Modify Registry UpdateServiceUrlAlternate
- Windows Modify Registry USeWuServer
- Windows Modify Registry WuServer
- Windows Modify Registry wuStatusServer
- Windows PowerSploit GPP Discovery
- Windows PowerView AD Access Control List Enumeration
- Windows Query Registry Browser List Application
- Windows Query Registry UnInstall Program List
- Windows Rapid Authentication On Multiple Hosts
- Windows Service Stop Win Updates
- Windows Special Privileged Logon On Multiple Hosts
Other Updates:
- Added a new job for smoke testing experimental and deprecated detections
- Several detections and yaml metadata fixed by @nterl0k and @TheLawsOfChaos
- Deprecated detection
Detect Mimikatz Using Loaded Images