Merge pull request #2986 from splunk/gitlab_release_v4.28.0

Release v4.28.0

contentctl.yml

@@ -6,7 +6,7 @@ build:
   path_root: dist
   prefix: ESCU
   build: 004210
-  version: 4.26.0
+  version: 4.28.0
   label: ES Content Updates
   author_name: Splunk Threat Research Team
   author_email: research@splunk.com

detections/application/splunk_authentication_token_exposure_in_debug_log.yml

@@ -0,0 +1,54 @@
+name: Splunk Authentication Token Exposure in Debug Log
+id: 9a67e749-d291-40dd-8376-d422e7ecf8b5
+version: 1
+date: '2024-03-18'
+author: Rod Soto, Chase Franklin
+type: TTP
+status: production
+data_source: []
+description: This detection search finds exposed authentication tokens in debug logs. This issue occurs in Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, which may be affected by a vulnerability where JsonWebTokens can be exposed if the log level is set to DEBUG. 
+search: '`splunkd` component=JsonWebToken log_level=DEBUG eventtype="splunkd-log" event_message="Validating token:*" 
+  | rex "Validating token: (?<token>.*)\.$" 
+  | search token!=None 
+  | stats count min(_time) as firstTime max(_time) as lastTime values(log_level) as log_level values(event_message) as event_message by index, sourcetype, host, token 
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `splunk_authentication_token_exposure_in_debug_log_filter`'
+how_to_implement: Requires access to internal Splunk indexes. 
+known_false_positives: Only applies to affected versions of Splunk Enterprise below 9.2.1, 9.1.4, and 9.0.9
+references:
+- https://advisory.splunk.com/advisories/SVD-2024-0301
+tags:
+  analytic_story:
+  - Splunk Vulnerabilities
+  asset_type: endpoint
+  confidence: 100
+  cve:
+  - CVE-2024-29945
+  impact: 50
+  message: Possible JsonWebToken exposure, please investigate affected $host$
+  mitre_attack_id:
+  - T1654
+  observable:
+  - name: host
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Cloud
+  required_fields:
+  - component
+  - log_level
+  - eventtype
+  - event_message 
+  - host
+  risk_score: 50
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1654/splunk/jsonwebtokenplaintokensvd_splunkd.log
+    source: /opt/splunk/var/log/splunk/splunkd.log
+    sourcetype: splunkd
+    custom_index: _internal

detections/application/splunk_command_and_scripting_interpreter_risky_commands.yml

@@ -48,13 +48,15 @@ known_false_positives: False positives will be present until properly filtered b
 references:
 - https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warning
 - https://www.github.com/splunk/security_content/blob/develop/workbooks/splunk_psa_0622.json
+- https://advisory.splunk.com/advisories/SVD-2024-0302
 tags:
   analytic_story:
   - Splunk Vulnerabilities
   asset_type: Web Server
   confidence: 40
   cve:
   - CVE-2022-32154
+  - CVE-2024-29946
   impact: 50
   message: A risky Splunk command has ran by $user$ and should be reviewed.
   mitre_attack_id:

detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml

@@ -34,7 +34,7 @@ references:
 tags:
   analytic_story:
   - Compromised User Account
-  - AWS Identity and Access Management Account
+  - AWS Identity and Access Management Account Takeover
   asset_type: AWS Account
   confidence: 60
   impact: 70

detections/cloud/gsuite_outbound_email_with_attachment_to_external_domain.yml

@@ -1,10 +1,10 @@
 name: Gsuite Outbound Email With Attachment To External Domain
 id: dc4dc3a8-ff54-11eb-8bf7-acde48001122
-version: 1
-date: '2021-08-17'
+version: 2
+date: '2024-03-25'
 author: Teoderick Contreras, Stanislav Miskovic, Splunk
 status: production
-type: Anomaly
+type: Hunting
 description: This search is to detect a suspicious outbound e-mail from internal email
   to external email domain. This can be a good hunting query to monitor insider or
   outbound email traffic for not common domain e-mail. The idea is to parse the domain
@@ -33,11 +33,15 @@ tags:
   asset_type: GSuite
   confidence: 30
   impact: 30
-  message: suspicious email from $source.address$ to $destination{}.address$
+  message: Suspicious email from $src_domain_list$ to $dest_domain$
   mitre_attack_id:
   - T1048.003
   - T1048
   observable:
+  - name: src_domain_list
+    type: Email Address
+    role:
+    - Victim
   - name: dest_domain
     type: IP Address
     role:
@@ -48,6 +52,12 @@ tags:
   - Splunk Cloud
   required_fields:
   - _time
+  - source.from_header_address
+  - destination.address
+  - num_message_attachments
+  - dest_domain 
+  - phase 
+  - severity
   risk_score: 9
   security_domain: endpoint
 tests:

detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml

@@ -1,7 +1,7 @@
 name: Detect Excessive Account Lockouts From Endpoint
 id: c026e3dd-7e18-4abb-8f41-929e836efe74
-version: 7
-date: '2024-02-14'
+version: 8
+date: '2024-03-19'
 author: David Dorsey, Splunk
 status: production
 type: Anomaly
@@ -32,7 +32,7 @@ known_false_positives: It's possible that a widely used system, such as a kiosk,
 references: []
 tags:
   analytic_story:
-  - Account Monitoring and Controls
+  - Active Directory Password Spraying
   asset_type: Windows
   confidence: 60
   impact: 60

detections/endpoint/detect_excessive_user_account_lockouts.yml

@@ -1,7 +1,7 @@
 name: Detect Excessive User Account Lockouts
 id: 95a7f9a5-6096-437e-a19e-86f42ac609bd
-version: 4
-date: '2022-08-25'
+version: 5
+date: '2024-03-19'
 author: David Dorsey, Splunk
 status: production
 type: Anomaly
@@ -22,7 +22,7 @@ known_false_positives: It is possible that a legitimate user is experiencing an
 references: []
 tags:
   analytic_story:
-  - Account Monitoring and Controls
+  - Active Directory Password Spraying
   asset_type: Windows
   confidence: 60
   impact: 60

detections/endpoint/short_lived_windows_accounts.yml

@@ -1,7 +1,7 @@
 name: Short Lived Windows Accounts
 id: b25f6f62-0782-43c1-b403-083231ffd97d
-version: 2
-date: '2020-07-06'
+version: 3
+date: '2024-03-19'
 author: David Dorsey, Splunk
 status: production
 type: TTP
@@ -23,7 +23,7 @@ known_false_positives: It is possible that an administrator created and deleted
 references: []
 tags:
   analytic_story:
-  - Account Monitoring and Controls
+  - Active Directory Lateral Movement
   asset_type: Windows
   confidence: 90
   impact: 70

detections/endpoint/windows_create_local_account.yml

@@ -1,7 +1,7 @@
 name: Windows Create Local Account
 id: 3fb2e8e3-7bc0-4567-9722-c5ab9f8595eb
-version: 1
-date: '2022-10-05'
+version: 2
+date: '2024-03-19'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -24,7 +24,7 @@ references:
 - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
 tags:
   analytic_story:
-  - Account Monitoring and Controls
+  - Active Directory Password Spraying
   asset_type: Endpoint
   confidence: 90
   impact: 20

dist/DA-ESS-ContentUpdate/app.manifest

@@ -5,7 +5,7 @@
     "id": {
       "group": null, 
       "name": "DA-ESS-ContentUpdate", 
-      "version": "4.26.0"
+      "version": "4.28.0"
     }, 
     "author": [
       {