Releases: splunk/security_content
Releases · splunk/security_content
v4.23.0
Release notes for ESCU v4.23.0
New Analytics Story
Updated Analytics Story
New Analytics
- Splunk Information Disclosure in Splunk Add-on Builder
- Kubernetes Anomalous Inbound Network Activity from Process
- Kubernetes Anomalous Outbound Network Activity from Process
- Kubernetes Anomalous Traffic on Network Edge
- Kubernetes Create or Update Privileged Pod
- Kubernetes Cron Job Creation
- Kubernetes DaemonSet Deployed
- Kubernetes Falco Shell Spawned
- Kubernetes newly seen TCP edge
- Kubernetes newly seen UDP edge
- Kubernetes Node Port Creation
- Kubernetes Pod Created in Default Namespace
- Kubernetes Pod With Host Network Attachment
- Kubernetes Scanning by Unauthenticated IP Address
- Windows Impair Defense Change Win Defender Health Check Intervals
- Windows Impair Defense Change Win Defender Quick Scan Interval
- Windows Impair Defense Change Win Defender Throttle Rate
- Windows Impair Defense Change Win Defender Tracing Level
- Windows Impair Defense Configure App Install Control
- Windows Impair Defense Define Win Defender Threat Action
- Windows Impair Defense Disable Controlled Folder Access
- Windows Impair Defense Disable Defender Firewall And Network
- Windows Impair Defense Disable Defender Protocol Recognition
- Windows Impair Defense Disable PUA Protection
- Windows Impair Defense Disable Realtime Signature Delivery
- Windows Impair Defense Disable Web Evaluation
- Windows Impair Defense Disable Win Defender App Guard
- Windows Impair Defense Disable Win Defender Compute File Hashes
- Windows Impair Defense Disable Win Defender Gen reports
- Windows Impair Defense Disable Win Defender Network Protection
- Windows Impair Defense Disable Win Defender Report Infection
- Windows Impair Defense Disable Win Defender Scan On Update
- Windows Impair Defense Disable Win Defender Signature Retirement
- Windows Impair Defense Overide Win Defender Phishing Filter
- Windows Impair Defense Override SmartScreen Prompt
- Windows Impair Defense Set Win Defender Smart Screen Level To Warn
- Windows MsiExec HideWindow Rundll32 Execution
- Windows Process Injection In Non-Service SearchIndexer
- Jenkins Arbitrary File Read CVE-2024-23897
Updated Analytics
- Kubernetes Access Scanning
- Kubernetes Anomalous Inbound Outbound Network IO
- Kubernetes Anomalous Inbound to Outbound Network IO Ratio
- Kubernetes AWS detect suspicious kubectl calls
- Kubernetes Previously Unseen Container Image Name
- Kubernetes Previously Unseen Process
- Kubernetes Process Running From New Path
- Kubernetes Process with Anomalous Resource Utilisation
- Kubernetes Process with Resource Ratio Anomalies
- Kubernetes Shell Running on Worker Node
- Kubernetes Shell Running on Worker Node with CPU Activity
- Disable Windows SmartScreen Protection
- Linux Service Started Or Enabled
- Unknown Process Using The Kerberos Protocol
- Windows Excessive Disabled Services Event
Other Updates
- Added a new input macro
sourcetype="kube:container:falco"
Playbook Updates
- Splunk Attack Analyzer Dynamic Analysis
- Splunk Automated Email Investigation
- Splunk Identifier Activity Analysis
- Splunk Message Identifier Activity Analysis
v4.22.0
New Analytics Story
New Analytics
Updated Analytics
v4.21.0
Release notes for ESCUv4.21.0
New Analytics Story
Updated Analytics Story
New Analytics
- Splunk Enterprise KV Store Incorrect Authorization
- Splunk Enterprise Windows Deserialization File Partition
Updated Analytics
Other Updates
- Updated splunk_risky_command lookup with a new
splunk_risky_command_20240122.csvfile
v4.20.0
v4.19.0
Release Branch for ESCU 4.19.0
New Analytic Story
- CISA AA23-347A
- Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
Updated Analytic Story
- Office 365 Account Takeover
- Office 365 Persistence Mechanisms
- Splunk Vulnerabilities
New Analytics
- Kubernetes Anomalous Inbound Outbound Network IO (Internal Contributor : Matthew Moore )
- Kubernetes Anomalous Inbound to Outbound Network IO Ratio (Internal Contributor : Matthew Moore )
- Kubernetes Previously Unseen Container Image Name (Internal Contributor : Matthew Moore )
- Kubernetes Previously Unseen Process (Internal Contributor : Matthew Moore )
- Kubernetes Process Running From New Path (Internal Contributor : Matthew Moore )
- Kubernetes Process with Anomalous Resource Utilisation (Internal Contributor : Matthew Moore )
- Kubernetes Process with Resource Ratio Anomalies (Internal Contributor : Matthew Moore )
- Kubernetes Shell Running on Worker Node with CPU Activity (Internal Contributor : Matthew Moore )
- Kubernetes Shell Running on Worker Node (Internal Contributor : Matthew Moore )
- Windows Account Discovery For None Disable User Account
- Windows Lsa Secrets Nolmhash Registry
- Windows Modify Registry Disable Restricted Admin
- Windows Account Discovery For Sam Account Name
- Windows Account Discovery With Netuser Preauthnotrequire
- Windows Archive Collected Data Via Powershell
- Windows Domain Account Discovery Via Get Netcomputer
- Windows Known Graphicalproton Loaded Modules
- Windows Process Commandline Discovery
- Windows System User Privilege Discovery
- Windows Modify Registry Nochangingwallpaper
- Windows Rundll32 Apply User Settings Changes
- Windows UAC Bypass Suspicious Child Process (External Contributor : @nterl0k )
- Windows UAC Bypass Suspicious Escalation Behavior (External Contributor : @nterl0k )
- Windows Alternate DataStream - Base64 Content (External Contributor : @nterl0k )
- Windows Alternate DataStream - Process Execution (External Contributor : @nterl0k )
- Windows Alternate DataStream - Executable Content (External Contributor : @nterl0k )
- O365 Concurrent Sessions From Different Ips
- Splunk ES DoS Investigations Manager via Investigation Creation (Internal Contributor : Chase Franklin )
- Splunk ES DoS Through Investigation Attachments (Internal Contributor : Chase Franklin )
Updated Analytics
- GCP Authentication Failed During MFA Challenge
- GCP Multi-Factor Authentication Disabled
- GCP Successful Single-Factor Authentication
- Windows Steal Authentication Certificates - ESC1 Abuse
- Allow Network Discovery In Firewall
- Msmpeng Application DLL Side Loading
Other Updates
- Updated mitre attack navigator json files for detection coverage for RAT and Stealer analytic stories
- Updated ALL Azure AD analytics to use
sourcetype = azure:monitor:aadfor better CIM Compliance.
Contributors
nterl0k
Assets 3
v4.18.0
ESCU 4.18.0 Release branch
New Analytic Story
- Rhysida Ransomware
- Kubernetes Security
Updated Analytic Story
- NjRAT
- RedLine Stealer
- Amadey
New Analytics
- PingID Mismatch Auth Source and Verification Response (External Contributor : @nterl0k )
- PingID Multiple Failed MFA Requests For User (External Contributor : @nterl0k )
- PingID New MFA Method After Credential Reset (External Contributor : @nterl0k )
- PingID New MFA Method Registered For User (External Contributor : @nterl0k )
- Kubernetes Abuse of Secret by Unusual Location
- Kubernetes Abuse of Secret by Unusual User Agent
- Windows Modify System Firewall with Notable Process Path
- Kubernetes Abuse of Secret by Unusual User Group
- Kubernetes Abuse of Secret by Unusual User Name
- Kubernetes Access Scanning
- Kubernetes Suspicious Image Pulling
- Kubernetes Unauthorized Access
- Windows Modify System Firewall with Notable Process Path
Updated Analytics
- Allow File And Printing Sharing In Firewall
- Azure AD PIM Role Assigned
- CMD Carry Out String Command Parameter
- Detect Use of cmd exe to Launch Script Interpreters
- Modification Of Wallpaper
Other Updates
- Added two new lookup files
ransomware_extensions_20231219.csvandransomware_notes_20231219.csvand updated the existing transforms definitions ofransomware_extensions_lookupandransomware_notes_lookupto use the latest csv files.
Contributors
nterl0k
Assets 3
v4.17.0
ESCU 4.17.0 Release branch
New Analytic Story
- Office 365 Account Takeover
- Office 365 Persistence Mechanisms
- Windows Attack Surface Reduction
Updated Analytic Story
- DarkGate Malware
New Analytics
- O365 Service Principal New Client Credentials
- O365 Mailbox Read Access Granted to Application
- O365 Tenant Wide Admin Consent Granted
- O365 Application Registration Owner Added
- O365 Mailbox Inbox Folder Shared with All Users
- O365 Advanced Audit Disabled
- O365 High Number Of Failed Authentications for User
- O365 Multiple Users Failing To Authenticate From Ip
- O365 User Consent Blocked for Risky Application
- O365 User Consent Denied for OAuth Application
- O365 Mail Permissioned Application Consent Granted by User
- O365 ApplicationImpersonation Role Assigned
- O365 File Permissioned Application Consent Granted by User
- O365 Multiple Failed MFA Requests For User
- O365 High Privilege Role Granted
- O365 New MFA Method Registered
- O365 Multiple AppIDs and UserAgents Authentication Spike
- O365 Block User Consent For Risky Apps Disabled
- O365 Multi-Source Failed Authentications Spike
- Powershell Remote Services Add TrustedHost
- Windows Modify Registry AuthenticationLevelOverride
- Windows Modify Registry DisableRemoteDesktopAntiAlias
- Windows Modify Registry DisableSecuritySettings
- Windows Modify Registry DontShowUI
- Windows Modify Registry ProxyEnable
- Windows Modify Registry ProxyServer
- Windows Archive Collected Data via Rar
- Windows Indicator Removal Via Rmdir
- Windows Credentials from Password Stores Creation
- Windows Credentials from Password Stores Deletion
- Windows Defender ASR Rules Stacking
- Windows Defender ASR Rule Disabled
- Windows Defender ASR Registry Modification
- Windows Defender ASR Block Events
- Windows Defender ASR Audit Events
- Windows Masquerading Msdtc Process
- Windows Parent PID Spoofing with Explorer
- Web Remote ShellServlet Access
- Splunk RCE via User XSLT
Updated Analytics
- High Number of Login Failures from a single source
- O365 Add App Role Assignment Grant User
- O365 Added Service Principal
- O365 Bypass MFA via Trusted IP
- O365 Disable MFA
- O365 Excessive Authentication Failures Alert
- O365 Excessive SSO logon errors
- O365 New Federated Domain Added
- O365 PST export alert
- O365 Suspicious Admin Email Forwarding*
- O365 Suspicious Rights Delegation
- O365 Suspicious User Email Forwarding
- Splunk App for Lookup File Editing RCE via User XSLT
Other Updates
- Added
Experiementaltoaction.correlationsearch.labelname for Content Management - Updated the
splunk_risky_commandlookup - Updated several detections to output accurate risk/threat objects
v4.16.0
New Analytic Story
- DarkGate Malware
- SysAid On-Prem Software CVE-2023-47246 Vulnerability
Updated Analytic Story
- Azure Active Directory Account Takeover
- Splunk Vulnerabilities
New Analytics
- Azure AD Device Code Authentication
- Azure AD Tenant Wide Admin Consent Granted
- Azure AD Multiple AppIDs and UserAgents Authentication Spike
- Azure AD Block User Consent For Risky Apps Disabled
- Azure AD User Consent Blocked for Risky Application
- Azure AD OAuth Application Consent Granted By User
- Azure AD User Consent Denied for OAuth Application
- Azure AD New MFA Method Registered
- Azure AD Multiple Denied MFA Requests For User
- Azure AD Multi-Source Failed Authentications Spike
- Risk Rule for Dev Sec Ops by Repository
- Windows ConHost with Headless Argument
- Windows CAB File on Disk
- Windows WinDBG Spawning AutoIt3
- Windows MSIExec Spawn WinDBG
- Windows Modify Registry Default Icon Setting
- Windows AutoIt3 Execution
- Splunk App for Lookup File Editing RCE via User XSLT
- Splunk XSS in Highlighted JSON Events
Updated Analytics
- AWS ECR Container Scanning Findings High
- AWS ECR Container Scanning Findings Medium
- AWS ECR Container Scanning Findings Low Informational Unknown
- AWS ECR Container Upload Outside Business Hours
Deprecated Analytics
- Correlation by Repository and Risk
- Correlation by User and Risk
Other Updates
- CI updates to release.yml
- Added downstream trigger to
security_content_automationrepo to facilitate automated integration testing - Updated Github CI workflow to use contentctl
v4.15.0
New Analytic Story
- Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966
- PlugX
New Analytics
- Citrix ADC and Gateway Unauthorized Data Disclosure
Updated Analytics
- Windows Admin Permission Discovery
- Confluence CVE-2023-22515 Trigger Vulnerability
- Confluence Data Center and Server Privilege Escalation
Other Updates
- Updated Gitlab CI pipelines to leverage code contentctl for validating, building, inspecting and releasing the ESCU app
v4.14.0
Release notes
New Analytic Story
- Subvert Trust Controls SIP and Trust Provider Hijacking
- Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357
- Cisco IOS XE Software Web Management User Interface vulnerability
New Analytics
- Confluence CVE-2023-22515 Trigger Vulnerability
- Cisco IOS XE Implant Access
- Detect Certipy File Modifications (External Contributor : @nterl0k )
- Windows Domain Admin Impersonation Indicator
- Windows Registry SIP Provider Modification
- Microsoft SharePoint Server Elevation of Privilege
- Windows Steal Authentication Certificates - ESC1 Abuse (External Contributor : @nterl0k )
- Windows SIP Provider Inventory
- Windows SIP WinVerifyTrust Failed Trust Validation
Updated Analytics
- Citrix ADC Exploitation CVE-2023-3519
Other Updates
- Minor changes to playbook names and UUID
- Updated descriptions for 50 detections
BA Updates
- Added lower() to BA detection searches in the eval function
Contributors
nterl0k