Releases: splunk/security_content
v4.5.1
Updated BA Analytics
- Logical bug fix in Windows Powershell Connect to Internet With Hidden Window
v4.5.0
New Analytics
- ASL AWS Concurrent Sessions From Different IPs
- ASL AWS CreateAccessKey
- ASL AWS Defense Evasion Delete Cloudtrail
- ASL AWS Defense Evasion Delete CloudWatch Log Group
- ASL AWS Defense Evasion Impair Security Services
- ASL AWS Excessive Security Scanning
- ASL AWS IAM Delete Policy
- ASL AWS Multi-Factor Authentication Disabled
- ASL AWS New MFA Method Registered For User
- ASL AWS Password Policy Changes
- Detect DNS Data Exfiltration using pretrained model in DSDL
- Detect RTLO In File Name (Thank you @nterl0k)
- Detect RTLO In Process (Thank you @nterl0k)
- Detect Webshell Exploit Behavior (Thank you @nterl0k)
- Windows MOVEit Transfer Writing ASPX
New Analytic Story
- MOVEit Transfer Critical Vulnerability
Other Updates
- Added support for Apple Silicon for detection testing
- Updated several detections which use |outputlookup to create KVStore instead of CSV
v4.4.1
Removed a BA detection: Windows PowerView AD Access Control List Enumeration
v4.4.0
New Analytics
- Splunk DOS Via Dump SPL Command
- Splunk Edit User Privilege Escalation
- Splunk HTTP Response Splitting Via Rest SPL Command
- Splunk Low Privilege User Can View Hashed Splunk Password
- Splunk Path Traversal in the Splunk App for Lookup File Editing
- Splunk Persistent XSS Via URL Validation Bypass W Dashboard
- Splunk RBAC Bypass On Indexing Preview REST Endpoint
Updated Analytic Story
- Splunk Vulnerabilities
v4.3.0
New Analytic Story
- Volt Typhoon
New Analytics
- Network Share Discovery Via Dir Command
- Active Directory Privilege Escalation Identified
- Windows Ldifde Directory Object Behavior
- Windows Proxy Via Netsh
- Windows Proxy Via Registry
Updated Analytics
- CHCP Command Execution
New BA Analytics
- Windows PowerSploit GPP Discovery
- Windows Findstr GPP Discovery
- Windows File Share Discovery With Powerview
- Windows Default Group Policy Object Modified with GPME
- Windows PowerView AD Access Control List Enumeration
Updated BA Analytics
- Detect Prohibited Applications Spawning cmd exe
Other Updates
- Updated several detections with Atomic GUIDs
- Tagged several existing detections with Volt Typhoon
v4.2.0
New Analytic Story
- Azure Active Directory Privilege Escalation
- PaperCut MF NG Vulnerability
- Snake Malware
- Windows BootKits
Updated Analytic Story
- Data Exfiltration
- Suspicious AWS S3 Activities
New Analytics
- AWS AMI Attribute Modification for Exfiltration
- AWS Disable Bucket Versioning
- AWS EC2 Snapshot Shared Externally
- AWS Exfiltration via Anomalous GetObject API Activity
- AWS Exfiltration via Batch Service
- AWS Exfiltration via Bucket Replication
- AWS Exfiltration via DataSync Task
- AWS Exfiltration via EC2 Snapshot
- AWS S3 Exfiltration Behavior Identified
- Azure AD Application Administrator Role Assigned
- Azure AD Global Administrator Role Assigned
- Azure AD PIM Role Assigned
- Azure AD PIM Role Assignment Activated
- Azure AD Privileged Authentication Administrator Role Assigned
- Azure AD Privileged Role Assigned to Service Principal
- Azure AD Service Principal Owner Added
- PaperCut Remote Web Access Attempt
- PaperCut Suspicious Behavior Debug Log
- Windows PaperCut Spawn Shell
- Windows Registry Bootexecute Modification
- Windows Snake Malware File Modification Crmlog
- Windows Snake Malware Kernel Driver Comadmin
- Windows Snake Malware Registry Modification wav OpenWithProgIds
- Windows Snake Malware Service Create
- Windows Winlogon with Public Network Connection
Other Updates
- Updated several detection analytics to not use the join command, to improve search performance:
- Active Setup Registry Autostart
- Add DefaultUser And Password In Registry
- Allow Inbound Traffic By Firewall Rule Registry
- Allow Operation with Consent Admin
- Auto Admin Logon Registry Entry
- Disable AMSI Through Registry
- Disable Defender AntiVirus Registry
- Disable Defender BlockAtFirstSeen Feature
- Disable Defender MpEngine Registry
- Disable Defender Spynet Reporting
- Disable Defender Submit Samples Consent Feature
- Disable ETW Through Registry
- Disable Registry Tool
- Disable Security Logs Using MiniNt Registry
- Disable Show Hidden Files
- Disable UAC Remote Restriction
- Disable Windows App Hotkeys
- Disable Windows Behavior Monitoring
- Disable Windows SmartScreen Protection
- Disabling CMD Application
- Disabling ControlPanel
- Disabling FolderOptions Windows Feature
- Disabling NoRun Windows App
- Disabling SystemRestore In Registry
- Disabling Task Manager
- Enable RDP In Other Port Number
- Enable WDigest UseLogonCredential Registry
- ETW Registry Disabled
- Hide User Account From Sign-In Screen
- Linux Account Manipulation Of SSH Config and Keys
- Linux Deletion Of Cron Jobs
- Linux Deletion Of Init Daemon Script
- Linux Deletion Of Services
- Linux Deletion of SSL Certificate
- Linux High Frequency Of File Deletion In Boot Folder
- Linux High Frequency Of File Deletion In Etc Folder
- Monitor Registry Keys for Print Monitors
- Registry Keys for Creating SHIM Databases
- Registry Keys Used For Privilege Escalation
- Time Provider Persistence Registry
- Windows Defender Exclusion Registry Entry
- Windows Disable Change Password Through Registry
- Windows Disable Lock Workstation Feature Through Registry
- Windows Disable LogOff Button Through Registry
- Windows Disable Memory Crash Dump
- Windows Disable Notification Center
- Windows Disable Shutdown Button Through Registry
- Windows Disable Windows Group Policy Features Through Registry
- Windows Hide Notification Features Through Registry
- Windows Modify Show Compress Color And Info Tip Registry
- Windows Registry Certificate Added
- Windows Registry Modification for Safe Mode Persistence
- Windows Service Creation Using Registry Entry
- Added improvements for BA detections and the conversion tool, and added OCSF fields
v4.1.0
New Analytic Story
- Active Directory Privilege Escalation
- RedLine Stealer
New Analytics
- Active Directory Lateral Movement Identified
- Impacket Lateral Movement smbexec CommandLine Parameters
- Impacket Lateral Movement WMIExec CommandLine Parameters
- Steal or Forge Authentication Certificates Behavior Identified
- Windows Administrative Shares Accessed On Multiple Hosts
- Windows Admon Default Group Policy Object Modified
- Windows Admon Group Policy Object Created
- Windows Credentials from Password Stores Chrome Extension Access
- Windows Credentials from Password Stores Chrome LocalState Access
- Windows Credentials from Password Stores Chrome Login Data Access
- Windows Default Group Policy Object Modified
- Windows Default Group Policy Object Modified with GPME
- Windows DnsAdmins New Member Added
- Windows File Share Discovery With Powerview
- Windows Findstr GPP Discovery
- Windows Group Policy Object Created
- Windows Large Number of Computer Service Tickets Requested
- Windows Local Administrator Credential Stuffing
- Windows Modify Registry Auto Minor Updates
- Windows Modify Registry Auto Update Notif
- Windows Modify Registry Disable WinDefender Notifications
- Windows Modify Registry Do Not Connect To Win Update
- Windows Modify Registry No Auto Reboot With Logon User
- Windows Modify Registry No Auto Update
- Windows Modify Registry Tamper Protection
- Windows Modify Registry UpdateServiceUrlAlternate
- Windows Modify Registry USeWuServer
- Windows Modify Registry WuServer
- Windows Modify Registry wuStatusServer
- Windows PowerSploit GPP Discovery
- Windows PowerView AD Access Control List Enumeration
- Windows Query Registry Browser List Application
- Windows Query Registry UnInstall Program List
- Windows Rapid Authentication On Multiple Hosts
- Windows Service Stop Win Updates
- Windows Special Privileged Logon On Multiple Hosts
Other Updates
- Added a new job for smoke testing experimental and deprecated detections
- Several detections and yaml metadata fixed by @nterl0k and @TheLawsOfChaos
- Deprecated detection Detect Mimikatz Using Loaded Images
v4.0.1
This is not a full release of ESCU. This is a patch release addressing one issue in the SSA_Content-v4.0.0.tar.gz and previous SSA_Content packages. The rest of this release is identical to v4.0.0.
v4.0.0
ESCU v4.0.0
This major version change to 4.0 includes improvements to the Sigma to Search Processing Language (SPL) converter, including backend changes, testing, and content generation.
NOTE: There is no impact to the ESCU application; our behind-the-scenes tooling just got an upgrade!
New Analytic Story
- Winter Vivern
- Sandworm Tools
- BlackLotus Campaign
New Analytics
- Windows Exfiltration Over C2 Via Invoke RestMethod
- Windows Exfiltration Over C2 Via Powershell UploadString
- Windows Scheduled Task Created Via XML
- Windows Screen Capture Via Powershell
- Windows DNS Gather Network Info
- Windows Impair Defenses Disable HVCI
- Windows BootLoader Inventory
- Windows RDP Connection Successful
Other Updates
- Tagged several detections with Data Destruction
- Fixed a number of deprecated and experimental searches that had runtime syntactic/parsing/execution errors.
v3.64.0
Updated Analytic Story
- 3CX Supply Chain Attack
New Analytics
- PowerShell Invoke-WmiExec Usage
- PowerShell Invoke CIMMethod CIMSession
- PowerShell Enable PowerShell Remoting
- PowerShell Start or Stop Service
- Windows PowerShell Get-CIMInstance Remote Computer
- Windows Enable Win32_ScheduledJob via Registry
- Windows PowerShell WMI Win32_ScheduledJob
- Windows Service Create with Tscon
- Windows Lateral Tool Transfer RemCom
- Windows Service Create RemComSvc
Other Updates
- Updated 3CX related analytics with the CVE ID (CVE-2023-29059)
- Updated git actions with appropriate permissions