
Releases: splunk/security_content

v3.25.0

02 Jul 16:06
8b5eb71

New Analytic Story

New Analytics

  • Print Spooler Adding A Printer Driver
  • Print Spooler Failed to Load a Plug-in
  • Spoolsv Spawning Rundll32
  • Spoolsv Suspicious Loaded Modules
  • Spoolsv Suspicious Process Access
  • Spoolsv Writing a DLL
  • Spoolsv Writing a DLL - Sysmon
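
The release notes only list the new Print Spooler analytics by name. As an added example (not Splunk's own SPL, and not code from this repository), the following Python shows the kind of logic those names imply, run over constructed Sysmon-style events: a file-create (EventID 11) by spoolsv.exe whose target is a DLL, a process-create (EventID 1) where spoolsv.exe is the parent of rundll32.exe, and an image-load (EventID 7) by spoolsv.exe of a DLL the spooler itself wrote. The last check correlates two event types; that correlation is this example's choice, not necessarily how the shipped analytic works. Field names follow Sysmon's XML schema; the events are constructed, not real telemetry.

```python
"""Added example: rule-style checks for three Print Spooler analytics over
constructed Sysmon-style events. Logic is inferred from the detection names."""
import ntpath  # splits Windows paths correctly even when this runs on Linux/macOS

SPOOLER = "spoolsv.exe"

# Constructed sample telemetry (not real events). Order matters only for the
# correlation check below, which assumes events arrive in time order.
EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetFilename": r"C:\Windows\System32\spool\drivers\x64\3\New\evil.dll"},
    {"EventID": 11, "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetFilename": r"C:\Windows\System32\spool\PRINTERS\00012.SPL"},      # normal spool file
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\Downloads\tool.dll"},                   # a DLL, but not the spooler's
    {"EventID": 7, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\spool\drivers\x64\3\unidrv.dll"},  # stock driver module
    {"EventID": 7, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\spool\drivers\x64\3\New\evil.dll"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\spoolsv.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\spool\drivers\x64\3\New\evil.dll,Run"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},             # benign rundll32 use
]


def _is(image: str, name: str) -> bool:
    """Compare the file name of a full Windows path, case-insensitively."""
    return ntpath.basename(image).lower() == name


def spoolsv_writing_dll(events):
    """'Spoolsv Writing a DLL': file-create events from the spooler whose target is a .dll."""
    return [e["TargetFilename"] for e in events
            if e["EventID"] == 11 and _is(e["Image"], SPOOLER)
            and e["TargetFilename"].lower().endswith(".dll")]


def spoolsv_spawning_rundll32(events):
    """'Spoolsv Spawning Rundll32': the spooler has no business launching rundll32.exe."""
    return [e["CommandLine"] for e in events
            if e["EventID"] == 1 and _is(e["ParentImage"], SPOOLER)
            and _is(e["Image"], "rundll32.exe")]


def spoolsv_loading_written_dll(events):
    """'Spoolsv Suspicious Loaded Modules', tightened by correlation (this example's
    choice): an image load by the spooler of a DLL the spooler itself wrote earlier.
    A stock driver such as unidrv.dll is not flagged because the spooler never wrote it."""
    written = {p.lower() for p in spoolsv_writing_dll(events)}
    return [e["ImageLoaded"] for e in events
            if e["EventID"] == 7 and _is(e["Image"], SPOOLER)
            and e["ImageLoaded"].lower() in written]


if __name__ == "__main__":
    for check in (spoolsv_writing_dll, spoolsv_spawning_rundll32, spoolsv_loading_written_dll):
        print(check.__name__, "->", check(EVENTS))
```

Splitting the checks this way mirrors why the release ships several analytics rather than one: a DLL write into the driver store, a rundll32 child, and a load of a freshly written module are each useful on their own, and a host that trips all three is a much stronger signal than any one of them.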

v3.24.0

24 Jun 18:23
e06699b

Updated Analytic Story

  • Malicious PowerShell
  • Data Exfiltration
  • Ransomware
  • Meterpreter

New Analytics

  • Detect Empire with PowerShell Script Block Logging
  • Detect Mimikatz With PowerShell Script Block Logging
  • Powershell Fileless Process Injection via GetProcAddress
  • Powershell Fileless Script Contains Base64 Encoded Content
  • Unloading AMSI via Reflection
  • PowerShell Domain Enumeration
  • PowerShell Loading DotNET into Memory via System Reflection Assembly
  • Detect WMI Event Subscription Persistence
  • Suspicious Event Log Service Behavior
  • Powershell Creating Thread Mutex
  • Powershell Processing Stream Of Data
  • Powershell Using memory As Backing Store
  • Recon AVProduct Through Pwh or WMI
  • Recon Using WMI Class
  • WMI Recon Running Process Or Services
  • Start Up During Safe Mode Boot
  • Prevent Automatic Repair Mode using Bcdedit
  • Permission Modification using Takeown App
  • Disable Logs Using WevtUtil
  • Clear Unallocated Sector Using Cipher App
  • Allow Operation with Consent Admin
  • Excessive number of distinct processes created in Windows Temp folder
  • Excessive number of taskhost processes

Updated Analytics

  • Remote WMI Command Attempt
  • Process Execution via WMI
  • WMI Permanent Event Subscription - Sysmon
  • Office Document Spawned Child Process To Download (Thank you @mschilt for reporting)
  • Suspicious MSBuild Rename (Thank you @mschilt for reporting)

NOTE:

We have made some changes to how deprecated detections are handled.

  • doc_gen.py will no longer include deprecated detections in Splunk Docs.
  • The correlation search label is updated to ESCU - Deprecated - <search_name> - Rule
  • The following note is added to the beginning of the description of each deprecated detection:
 WARNING: this detection has been marked deprecated by the Splunk Threat Research team; this means that it will no longer be maintained or supported. If you have any questions, feel free to email us at research@splunk.com.

v3.23.0

10 Jun 18:47
5216a10

New Analytic Story

  • Meterpreter
  • Revil Ransomware

New Detections

  • Excessive number of taskhost processes
  • Revil Registry Entry
  • Revil Common Exec Parameter
  • Modification Of Wallpaper
  • Wbemprox COM Object Execution
  • Known Services Killed by Ransomware
  • Delete ShadowCopy With PowerShell
  • Conti Common Exec parameter
  • Revil Ransomware
  • Excessive Usage of NSLOOKUP App
  • CMD Echo Pipe - Escalation
  • Detect AzureHound File Modifications
  • Detect SharpHound Command-Line Arguments
  • Detect SharpHound File Modifications
  • Detect SharpHound Usage
  • Detect Renamed Psexec
  • Detect Renamed 7-Zip
  • Detect Renamed WinRAR
  • Detect AzureHound Command-Line Arguments

Updated Analytic Stories

  • Ransomware
  • Windows Discovery Techniques

Updated Lookups

(Thank you Vatsal Jagani)

  • ransomware_extensions_lookup
  • ransomware_notes_lookup

v3.22.0

24 May 20:58
fd7e136

New Analytic Story

  • XMRig

New Detections

  • Services Escalate Exe
  • WinRM Spawning a Process (Thank you Drew Church)
  • Deleting Of Net Users
  • Disable Windows App Hotkeys
  • Disabling Net User Account
  • Download Files Using Telegram
  • Enumerate Users Local Group Using Telegram
  • Excessive Attempt To Disable Services
  • Excessive Service Stop Attempt
  • Excessive Usage Of Cacls App
  • Excessive Usage Of Net App
  • Excessive Usage Of Taskkill
  • Executables Or Script Creation In Suspicious Path
  • Hide User Account From Sign-In Screen
  • Icacls Deny Command
  • ICACLS Grant Command
  • Modify ACL permission To Files Or Folder
  • Process Kill Base On File Path
  • Schtasks Run Task On Demand
  • Suspicious Driver Loaded Path
  • Suspicious Process File Path
  • XMRIG Driver Loaded

Updated Analytic Stories

  • Data Exfiltration

NOTE:

This ESCU release ships an updated version of the "Content Library" dashboard; Analytic Stories can be explored via the ES Use Case Library or Splunk Security Essentials.

  • Removes all JavaScript code from the app
  • Updates UI elements so they no longer depend on JS libraries, and removes the Analytic Story details view
  • Links users to the ES Use Case Library for drill-down

v3.21.0

13 May 22:09
2c1bc16

New Analytic Stories

  • DarkSide Ransomware
  • Active Directory Password Spraying

New Detections

  • Extract SAM from Registry
  • SLUI RunAs Elevated
  • SLUI Spawning a Process
  • Detect Renamed RClone
  • Detect RClone Command-Line Usage
  • CMLUA Or CMSTPLUA UAC Bypass
  • Multiple Disabled Users Failing To Authenticate From Host Using Kerberos
  • Multiple Invalid Users Failing To Authenticate From Host Using Kerberos
  • Multiple Invalid Users Failing To Authenticate From Host Using NTLM
  • Multiple Users Attempting To Authenticate Using Explicit Credentials
  • Multiple Users Failing To Authenticate From Host Using Kerberos
  • Multiple Users Failing To Authenticate From Host Using NTLM
  • Multiple Users Failing To Authenticate From Process
  • Multiple Users Remotely Failing To Authenticate From Host
  • Delete ShadowCopy With PowerShell (Experimental)
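
The "Multiple ... Failing To Authenticate From Host Using Kerberos" analytics above back the new Active Directory Password Spraying story. What distinguishes a spray from an ordinary brute force is the shape of the failures: many distinct accounts failing from one source inside a short window, rather than one account failing many times. As an added example (not Splunk's SPL, and not code from this repository), the Python below implements that windowed distinct-user count over constructed Security-log style records. The event IDs and Kerberos result codes used are standard Windows/RFC 4120 values (4771 pre-authentication failure with 0x18 for a bad password and 0x12 for a revoked or disabled account; 4768 with 0x6 for a principal that does not exist); the source addresses, user names, timestamps, window and threshold are constructed for the example.

```python
"""Added example: windowed distinct-user counting for Kerberos password spraying,
over constructed Security-log style records (not real telemetry)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Kerberos result codes (RFC 4120) as they appear in the Status field of 4768/4771.
KERBEROS_FAILURE_CODES = {
    "0x6": "invalid user (KDC_ERR_C_PRINCIPAL_UNKNOWN, logged as 4768)",
    "0x12": "disabled or revoked user (KDC_ERR_CLIENT_REVOKED, logged as 4771)",
    "0x18": "bad password (KDC_ERR_PREAUTH_FAILED, logged as 4771)",
}


def _t(hhmmss: str) -> datetime:
    """Constructed timestamps, all on one day."""
    return datetime.fromisoformat(f"2021-05-13T{hhmmss}")


# Constructed records. The DC logs the client as an IPv4-mapped IPv6 address.
EVENTS = [
    # 10.0.0.5 tries one password against six accounts in under a minute: a spray.
    *[{"_time": _t(f"09:00:{10 * i:02d}"), "EventCode": 4771, "IpAddress": "::ffff:10.0.0.5",
       "TargetUserName": u, "Status": "0x18"}
      for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])],
    # 10.0.0.9 hammers a single account: a brute force, not a spray.
    *[{"_time": _t(f"09:01:{5 * i:02d}"), "EventCode": 4771, "IpAddress": "::ffff:10.0.0.9",
       "TargetUserName": "alice", "Status": "0x18"} for i in range(6)],
    # 10.0.0.7 guesses account names that do not exist (4768 with 0x6).
    *[{"_time": _t(f"09:02:{i:02d}"), "EventCode": 4768, "IpAddress": "::ffff:10.0.0.7",
       "TargetUserName": u, "Status": "0x6"}
      for i, u in enumerate(["admin", "test", "svc_sql", "backup", "guest"])],
    # 10.0.0.5 again an hour later: outside the window, so it does not extend the first burst.
    {"_time": _t("10:00:00"), "EventCode": 4771, "IpAddress": "::ffff:10.0.0.5",
     "TargetUserName": "grace", "Status": "0x18"},
]


def failing_users_by_source(events, status, event_code,
                            window=timedelta(minutes=5), threshold=5):
    """Return {source_ip: sorted distinct users} for every source from which at
    least `threshold` distinct accounts failed with `status` inside any sliding
    `window`. Window and threshold are tuning knobs, not fixed values."""
    by_src = defaultdict(list)
    for e in events:
        if e["EventCode"] == event_code and e["Status"].lower() == status.lower():
            by_src[e["IpAddress"].replace("::ffff:", "")].append(e)

    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["_time"])
        recent = deque()                      # events inside the current window
        for e in evs:
            recent.append(e)
            while e["_time"] - recent[0]["_time"] > window:
                recent.popleft()              # slide the window forward
            users = {r["TargetUserName"].lower() for r in recent}
            if len(users) >= threshold:
                hits.setdefault(src, set()).update(users)
    return {src: sorted(users) for src, users in hits.items()}


def password_spray_report(events):
    """One pass per failure class, matching the three Kerberos analytics by name."""
    return {
        "Multiple Users Failing To Authenticate From Host Using Kerberos":
            failing_users_by_source(events, "0x18", 4771),
        "Multiple Invalid Users Failing To Authenticate From Host Using Kerberos":
            failing_users_by_source(events, "0x6", 4768),
        "Multiple Disabled Users Failing To Authenticate From Host Using Kerberos":
            failing_users_by_source(events, "0x12", 4771),
    }


if __name__ == "__main__":
    for name, result in password_spray_report(EVENTS).items():
        print(name, "->", result)
```

Counting distinct users rather than raw failures is what keeps the brute force from 10.0.0.9 out of the results, and grouping by source address rather than by account is what surfaces the spray at all: per-account lockout thresholds are exactly what a spray is designed to stay under.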

Updated Detections

  • Ransomware Notes bulk creation
  • Cobalt Strike Named Pipes

v3.20.0

29 Apr 21:33
0758c2d

New Analytic Stories

  • Masquerading - Rename System Utilities
  • Command and Control
  • Trickbot

New Detections

  • Winword Spawning Windows Script Host
  • Office Product Spawning Rundll32 with no DLL
  • Office Application Spawn rundll32 process
  • Office Document Creating Schedule Task
  • Anomalous Usage of 7z
  • Office Product Spawning MSHTA
  • Office Product Spawning Wmic
  • Office Product Spawning BITSAdmin
  • Office Product Spawning CertUtil
  • Office Document Executing Macro Code
  • Office Document Spawned Child Process To Download
  • Schedule Task with HTTP Command Arguments
  • Winword Spawning Cmd
  • WinEvent Scheduled Task Created Within Public Path
  • WinEvent Scheduled Task Created to Spawn Shell
  • Winword Spawning PowerShell
  • Excel Spawning Windows Script Host
  • Excel Spawning PowerShell
  • DNS Exfiltration Using Nslookup App
  • Excessive Usage of NSLOOKUP App
  • Multiple Archive Files Http Post Traffic
  • Plain HTTP POST Exfiltrated Data
  • AWS IAM AccessDenied Discovery Events
  • AWS IAM Assume Role Policy Brute Force
  • AWS IAM Delete Policy
  • AWS IAM Failure Group Deletion
  • AWS IAM Successful Group Deletion
  • Rundll32 with no Command Line Arguments with Network
  • GPUpdate with no Command Line Arguments with Network
  • DLLHost with no Command Line Arguments with Network
  • SearchProtocolHost with no Command Line with Network
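
The four "... with no Command Line Arguments with Network" analytics above share one idea: rundll32.exe, gpupdate.exe, dllhost.exe and SearchProtocolHost.exe are almost never launched with an empty command line by legitimate software, and one that then opens a network connection is a classic injected-process pattern (rundll32.exe is, for instance, Cobalt Strike's default spawnto). As an added example (not Splunk's SPL, and not code from this repository), the Python below implements that logic over constructed Sysmon-style events: a process-create (EventID 1) whose command line carries nothing but the executable, joined on ProcessGuid to a later network connection (EventID 3) from the same process. The process GUIDs, paths and destination addresses are constructed; the destinations use documentation address ranges.

```python
"""Added example: 'no command-line arguments' plus a network connection, correlated
on Sysmon ProcessGuid. Events are constructed, not real telemetry."""
import ntpath  # Windows path handling that also works when run on Linux/macOS
import re

TARGETS = ("rundll32.exe", "gpupdate.exe", "dllhost.exe", "searchprotocolhost.exe")

# Constructed Sysmon-style events (EventID 1 = ProcessCreate, 3 = NetworkConnect).
EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe"},                                  # bare, suspicious
    {"EventID": 3, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},       # has arguments: normal
    {"EventID": 3, "ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationIp": "10.0.0.1", "DestinationPort": 445},
    {"EventID": 1, "ProcessGuid": "{C3}", "Image": r"C:\Windows\System32\gpupdate.exe",
     "CommandLine": r'"C:\Windows\System32\gpupdate.exe"'},           # bare, but no network: no alert
    {"EventID": 1, "ProcessGuid": "{D4}", "Image": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": r'"C:\Windows\System32\dllhost.exe"'},            # bare, suspicious
    {"EventID": 3, "ProcessGuid": "{D4}", "Image": r"C:\Windows\System32\dllhost.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 8080},
]


def has_no_arguments(command_line: str, image: str) -> bool:
    """True when the command line is just the executable: optional quotes, an optional
    directory, the file name of `image`, and nothing else. Windows command lines are
    not POSIX, so a regex is safer here than shlex."""
    exe = re.escape(ntpath.basename(image))
    pattern = r'\s*"?(?:[^"]*\\)?' + exe + r'"?\s*'
    return re.fullmatch(pattern, command_line, re.IGNORECASE) is not None


def no_arg_processes_with_network(events):
    """Return [(exe, 'ip:port'), ...] for target processes that started with an empty
    command line and later made a network connection. The join key is ProcessGuid,
    which Sysmon keeps stable across a process's lifetime, unlike the PID."""
    silent = {}  # ProcessGuid -> image, for bare launches of a target executable
    for e in events:
        if (e["EventID"] == 1
                and ntpath.basename(e["Image"]).lower() in TARGETS
                and has_no_arguments(e["CommandLine"], e["Image"])):
            silent[e["ProcessGuid"]] = e["Image"]

    alerts = []
    for e in events:
        if e["EventID"] == 3 and e["ProcessGuid"] in silent:
            exe = ntpath.basename(silent[e["ProcessGuid"]]).lower()
            alerts.append((exe, f'{e["DestinationIp"]}:{e["DestinationPort"]}'))
    return alerts


if __name__ == "__main__":
    for exe, dest in no_arg_processes_with_network(EVENTS):
        print(f"{exe} launched with no arguments and connected to {dest}")
```

The network join is what makes these analytics usable at scale: dllhost.exe in particular is launched constantly, and the earlier v3.16.0 "no Command Line Arguments" checks on their own need tuning for that noise, whereas a bare launch that also talks to the network is rare enough to page on.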

Updated Analytic Stories

  • Changed "Phishing Payloads" to "Spearphishing Attachments"

Updated Detections

  • Malicious Powershell Executed As A Service
  • Detect Outlook exe writing a zip file (Changed Analytic Story, updated Detection name (misspell and format))
  • Process Creating LNK file in Suspicious Location (Changed Analytic Story)
  • Updated all detections with "Phishing Payloads" to "Spearphishing Attachments"
  • System Processes Run From Unexpected Locations

Upcoming changes to Enterprise Security Content Updates (ESCU) App

As we move towards a more unified content experience across our products (ESCU, SSE, ES Use Case Library, Splunk Docs, and GitHub), the ESCU App user interface will change, effective in version 3.22. Specifically, the analytic details page is removed and the ESCU summary page is heavily modified to provide general metrics about the content and to point the user to SSE or the ES Use Case Library for security content management (scheduling and metadata analysis). We recently removed the kill chain phase graphics and replaced them with a bar chart of the most commonly used MITRE ATT&CK techniques.

v3.19.0

22 Apr 21:55

New Analytic Stories

  • Bits Jobs
  • Domain Trust Discovery

New Detections

  • BITSAdmin Download File
  • BITS Job Persistence
  • PowerShell Start-BitsTransfer
  • DSQuery Domain Discovery
  • Disable Registry Tool
  • Disable Show Hidden Files
  • Disable Windows Behavior Monitoring
  • Disable Windows SmartScreen Protection
  • Disabling CMD Application
  • Disabling ControlPanel
  • Disabling Firewall with Netsh
  • Disabling FolderOptions Windows Feature
  • Disabling NoRun Windows App
  • Disabling SystemRestore In Registry
  • Disabling Task Manager
  • AWS Excessive Security Scanning
  • Malicious Powershell Executed As A Service (Thank you Ryan Becwar for contributing)

Updates:

  • Clop Common Exec Parameter detection updated

v3.18.0

29 Mar 18:48
95b81cc

New Analytic Stories

  • Ingress Tool Transfer
  • Deobfuscate/Decode Files or Information
  • AWS IAM Privilege Escalation
  • Clop Ransomware

New Detections

  • CertUtil Download With URLCache and Split Arguments
  • CertUtil Download With VerifyCtl and Split Arguments
  • CertUtil with Decode Flag
  • AWS Create Policy Version to allow all resources
  • AWS SetDefaultPolicyVersion
  • AWS CreateAccessKey
  • AWS CreateLoginProfile
  • AWS UpdateLoginProfile
  • Clop Common Exec Parameter
  • Clop Ransomware Known Service Name
  • Create Service In Suspicious File Path
  • High File Deletion Frequency
  • High Process Termination Frequency
  • Process Deleting Its Process File Path
  • Ransomware Notes bulk creation
  • Resize ShadowStorage volume

Updates:

  • Detect Exchange Web Shell
  • Added product and risk tag to all cloud searches

Bug Fixes:

  • Updated MITRE IDs in Create Service In Suspicious File Path (Thank you Drew Church for fixing)
  • Updated CI to fail if AppInspect reports any "Failures"

Notes

v3.17.0

12 Mar 17:32
34c8adb

New Analytic Stories

  • Windows Discovery Techniques

New Detections

  • Detect Exchange Webshell

Updated Analytic Stories

  • Sunburst Malware (now called NOBELIUM Group)

Updated Detections

  • Ryuk Wake On Lan Command
  • Any Powershell DownloadFile
  • Cobalt Strike Named Pipes
  • Suspicious Curl Network Connection
  • Detect Mimikatz Using Loaded Images
  • W3wp Spawning Shell

v3.16.0

04 Mar 20:11
8a9cb79

New Analytic Stories

  • Silver Sparrow
  • HAFNIUM Group

New Detections

  • Cobalt Strike Named Pipes
  • Suspicious DLLHost no Command Line Arguments
  • Suspicious GPUpdate no Command Line Arguments
  • Suspicious SearchProtocolHost no Command Line Arguments
  • Suspicious PlistBuddy Usage
  • Suspicious SQLite3 LSAQuarantine Behavior
  • Suspicious Curl Network Connection
  • Ryuk Wake on LAN Command
  • Suspicious Scheduled Task from Public Directory
  • Fodhelper UAC Bypass
  • Eventvwr UAC Bypass
  • Any PowerShell DownloadString
  • Any PowerShell DownloadFile
  • Unified Messaging Service Spawning a Process
  • Suspicious Unified Messaging Service File Writes
  • Nishang PowershellTCPOneLine
  • W3WP Spawning Shells

Updated Analytic Stories

  • Cobalt Strike
  • Suspicious MSHTA Activity

Updated Detections

  • NTdsutil Export NTDS
  • Suspicious MSBuild Path
  • Suspicious MSBuild Rename
  • Suspicious Microsoft Workflow Compiler Rename
  • Detect Regsvr32 Application Control Bypass
  • Windows DisableAntiSpyware Registry