Skip to content

Releases: splunk/security_content

v4.8.0

31 Jul 16:35
2b4e96f
Compare
Choose a tag to compare

New Analytics

  • Splunk Unauthenticated Log Injection Web Service Log

v4.7.0

25 Jul 20:40
b133cf8
Compare
Choose a tag to compare

New Analytics

  • Citrix ADC Exploitation CVE-2023-3519
  • Windows Modify Registry EnableLinkedConnections
  • Windows Modify Registry LongPathsEnabled
  • Windows Modify Registry Risk Behavior
  • Windows Post Exploitation Risk Behavior
  • Windows Common Abused Cmd Shell Risk Behavior

Updated Analytics

  • O365 Add App Role Assignment Grant User
  • MSHTML Module Load in Office Product
  • Office Document Spawned Child Process To Download
  • Office Product Spawn CMD Process
  • Office Product Spawning BITSAdmin
  • Office Product Spawning CertUtil
  • Office Product Spawning MSHTA
  • Office Product Spawning Rundll32 with no DLL
  • Office Product Spawning Windows Script Host

New Analytic Story

Other Updates

  • Tagged several detection analytics to BlackByte Ransomware
  • Removed unused fields from detections.json for SSE API
  • Improved validation script for the csv lookup and yaml files

v4.6.0

27 Jun 23:32
febc045
Compare
Choose a tag to compare

New Analytics

  • Windows PowerShell ScheduleTask
  • Windows Files and Dirs Access Rights Modification Via Icacls

Updated Analytics

  • ICACLS Grant Command
  • Registry Keys Used For Persistence
  • PowerShell 4104 Hunting
  • Detect Baron Samedit CVE-2021-3156 Segfault
  • Detect Baron Samedit CVE-2021-3156
  • Windows System Shutdown CommandLine
  • VMWare Aria Operations Exploit Attempt

New Analytic Story

  • Scheduled Tasks
  • Amadey
  • Graceful Wipe Out Attack
  • VMware Aria Operations vRealize CVE-2023-20887

Other Updates

  • Improved descriptions of several detections, tagged appropriate Mitre IDs and Analytic Stories to detections
  • Added filter macros to the macros.json file served via the API
  • Added content_changer functionality to security content

New Playbooks

  • URL Outbound Traffic Filtering Dispatch
  • Panorama Outbound Traffic Filtering
  • Splunk Message Identifier Activity Analysis
  • G Suite for GMail Message Identifier Activity Analysis
  • ZScaler Outbound Traffic Filtering

v4.5.1

22 Jun 18:59
f55a8b4
Compare
Choose a tag to compare

Updated BA Analytics

  • Logical bug fix in Windows Powershell Connect to Internet With Hidden Window

v4.5.0

13 Jun 18:48
0451c2d
Compare
Choose a tag to compare

New Analytics

  • ASL AWS Concurrent Sessions From Different IPs
  • ASL AWS CreateAccessKey
  • ASL AWS Defense Evasion Delete Cloudtrail
  • ASL AWS Defense Evasion Delete CloudWatch Log Group
  • ASL AWS Defense Evasion Impair Security Services
  • ASL AWS Excessive Security Scanning
  • ASL AWS IAM Delete Policy
  • ASL AWS Multi-Factor Authentication Disabled
  • ASL AWS New MFA Method Registered For User
  • ASL AWS Password Policy Changes
  • Detect DNS Data Exfiltration using pretrained model in DSDL
  • Detect RTLO In File Name (Thank you @nterl0k)
  • Detect RTLO In Process (Thank you @nterl0k)
  • Detect Webshell Exploit Behavior (Thank you @nterl0k)
  • Windows MOVEit Transfer Writing ASPX

New Analytic Story

  • MOVEit Transfer Critical Vulnerability

Other Updates

  • Added support for Apple Silicon for detection testing
  • Updated several detections which use |outputlookup to create KVStore instead of CSV

v4.4.1

01 Jun 23:53
ff21af7
Compare
Choose a tag to compare

Removed a BA detection- Windows PowerView AD Access Control List Enumeration

v4.4.0

01 Jun 18:43
859b1e8
Compare
Choose a tag to compare

New Analytics

  • Splunk DOS Via Dump SPL Command
  • Splunk Edit User Privilege Escalation
  • Splunk HTTP Response Splitting Via Rest SPL Command
  • Splunk Low Privilege User Can View Hashed Splunk Password
  • Splunk Path Traversal in the Splunk App for Lookup File Editing
  • Splunk Persistent XSS Via URL Validation Bypass W Dashboard
  • Splunk RBAC Bypass On Indexing Preview REST Endpoint

Updated Analytic Story

  • Splunk Vulnerabilities

v4.3.0

30 May 18:15
00d0915
Compare
Choose a tag to compare

New Analytic Story

  • Volt Typhoon

New Analytics

  • Network Share Discovery Via Dir Command
  • Active Directory Privilege Escalation Identified
  • Windows Ldifde Directory Object Behavior
  • Windows Proxy Via Netsh
  • Windows Proxy Via Registry

Updated Analytics

  • CHCP Command Execution

New BA Analytics

  • Windows PowerSploit GPP Discovery
  • Windows Findstr GPP Discovery
  • Windows File Share Discovery With Powerview
  • Windows Default Group Policy Object Modified with GPME
  • Windows PowerView AD Access Control List Enumeration

Updated BA Analytics

  • Detect Prohibited Applications Spawning cmd exe

Other Updates:

  • Updated several detecetions with Atomic GUIDs
  • Tagged several existing detections with Volt Typhoon

v4.2.0

16 May 19:50
d3bc844
Compare
Choose a tag to compare

New Analytic Story

  • Azure Active Directory Privilege Escalation
  • PaperCut MF NG Vulnerability
  • Snake Malware
  • Windows BootKits

Updated Analytic Story

  • Data Exfiltration
  • Suspicious AWS S3 Activities

New Analytics

  • AWS AMI Attribute Modification for Exfiltration
  • AWS Disable Bucket Versioning
  • AWS EC2 Snapshot Shared Externally
  • AWS Exfiltration via Anomalous GetObject API Activity
  • AWS Exfiltration via Batch Service
  • AWS Exfiltration via Bucket Replication
  • AWS Exfiltration via DataSync Task
  • AWS Exfiltration via EC2 Snapshot
  • AWS S3 Exfiltration Behavior Identified
  • Azure AD Application Administrator Role Assigned
  • Azure AD Global Administrator Role Assigned
  • Azure AD PIM Role Assigned
  • Azure AD PIM Role Assignment Activated
  • Azure AD Privileged Authentication Administrator Role Assigned
  • Azure AD Privileged Role Assigned to Service Principal
  • Azure AD Service Principal Owner Added
  • PaperCut Remote Web Access Attempt
  • PaperCut Suspicious Behavior Debug Log
  • Windows PaperCut Spawn Shell
  • Windows Registry Bootexecute Modification
  • Windows Snake Malware File Modification Crmlog
  • Windows Snake Malware Kernel Driver Comadmin
  • Windows Snake Malware Registry Modification wav OpenWithProgIds
  • Windows Snake Malware Service Create
  • Windows Winlogon with Public Network Connection

Other Updates:

  • Updated several detection analytics to not use the join command to improve search performance.
- Active Setup Registry Autostart
- Add DefaultUser And Password In Registry
- Allow Inbound Traffic By Firewall Rule Registry
- Allow Operation with Consent Admin
- Auto Admin Logon Registry Entry
- Disable AMSI Through Registry
- Disable Defender AntiVirus Registry
- Disable Defender BlockAtFirstSeen Feature
- Disable Defender MpEngine Registry
- Disable Defender Spynet Reporting
- Disable Defender Submit Samples Consent Feature
- Disable ETW Through Registry
- Disable Registry Tool
- Disable Security Logs Using MiniNt Registry
- Disable Show Hidden Files
- Disable UAC Remote Restriction
- Disable Windows App Hotkeys
- Disable Windows Behavior Monitoring
- Disable Windows SmartScreen Protection
- Disabling CMD Application
- Disabling ControlPanel
- Disabling FolderOptions Windows Feature
- Disabling NoRun Windows App
- Disabling SystemRestore In Registry
- Disabling Task Manager
- Enable RDP In Other Port Number
- Enable WDigest UseLogonCredential Registry
- ETW Registry Disabled
- Hide User Account From Sign-In Screen
- Linux Account Manipulation Of SSH Config and Keys
- Linux Deletion Of Cron Jobs
- Linux Deletion Of Init Daemon Script
- Linux Deletion Of Services
- Linux Deletion of SSL Certificate
- Linux High Frequency Of File Deletion In Boot Folder
- Linux High Frequency Of File Deletion In Etc Folder
- Monitor Registry Keys for Print Monitors
- Registry Keys for Creating SHIM Databases
- Registry Keys Used For Privilege Escalation
- Time Provider Persistence Registry
- Windows Defender Exclusion Registry Entry
- Windows Disable Change Password Through Registry
- Windows Disable Lock Workstation Feature Through Registry
- Windows Disable LogOff Button Through Registry
- Windows Disable Memory Crash Dump
- Windows Disable Notification Center
- Windows Disable Shutdown Button Through Registry
- Windows Disable Windows Group Policy Features Through Registry
- Windows Hide Notification Features Through Registry
- Windows Modify Show Compress Color And Info Tip Registry
- Windows Registry Certificate Added
- Windows Registry Modification for Safe Mode Persistence
- Windows Service Creation Using Registry Entry
  • Added improvements for BA detections and the conversion tool and added ocsf fields

v4.1.0

02 May 22:20
c80c0ae
Compare
Choose a tag to compare

New Analytic Story

  • Active Directory Privilege Escalation
  • RedLine Stealer

New Analytics

  • Active Directory Lateral Movement Identified
  • Impacket Lateral Movement smbexec CommandLine Parameters
  • Impacket Lateral Movement WMIExec CommandLine Parameters
  • Steal or Forge Authentication Certificates Behavior Identified
  • Windows Administrative Shares Accessed On Multiple Hosts
  • Windows Admon Default Group Policy Object Modified
  • Windows Admon Group Policy Object Created
  • Windows Credentials from Password Stores Chrome Extension Access
  • Windows Credentials from Password Stores Chrome LocalState Access
  • Windows Credentials from Password Stores Chrome Login Data Access
  • Windows Default Group Policy Object Modified
  • Windows Default Group Policy Object Modified with GPME
  • Windows DnsAdmins New Member Added
  • Windows File Share Discovery With Powerview
  • Windows Findstr GPP Discovery
  • Windows Group Policy Object Created
  • Windows Large Number of Computer Service Tickets Requested
  • Windows Local Administrator Credential Stuffing
  • Windows Modify Registry Auto Minor Updates
  • Windows Modify Registry Auto Update Notif
  • Windows Modify Registry Disable WinDefender Notifications
  • Windows Modify Registry Do Not Connect To Win Update
  • Windows Modify Registry No Auto Reboot With Logon User
  • Windows Modify Registry No Auto Update
  • Windows Modify Registry Tamper Protection
  • Windows Modify Registry UpdateServiceUrlAlternate
  • Windows Modify Registry USeWuServer
  • Windows Modify Registry WuServer
  • Windows Modify Registry wuStatusServer
  • Windows PowerSploit GPP Discovery
  • Windows PowerView AD Access Control List Enumeration
  • Windows Query Registry Browser List Application
  • Windows Query Registry UnInstall Program List
  • Windows Rapid Authentication On Multiple Hosts
  • Windows Service Stop Win Updates
  • Windows Special Privileged Logon On Multiple Hosts

Other Updates:

  • Added a new job for smoke testing experimental and deprecated detections
  • Several detections and yaml metadata fixed by @nterl0k and @TheLawsOfChaos
  • Deprecated detection Detect Mimikatz Using Loaded Images