Releases: splunk/security_content
Releases · splunk/security_content
v4.13.0
New Analytic Story
- NjRat
- WS FTP Server Critical Vulnerabilities
- JetBrains TeamCity Unauthenticated RCE
New Analytics
- Windows Abused Web Services
- Windows Admin Permission Discovery
- Windows Delete or Modify System Firewall
- Windows Disable or Modify Tools Via Taskkill
- Windows Executable in Loaded Modules
- Windows Njrat Fileless Storage via Registry
- Windows Modify Registry With MD5 Reg Key Name
- Splunk Absolute Path Traversal Using runshellscript
- Splunk DoS Using Malformed SAML Request
- Splunk RCE via Serialized Session Payload
- Splunk Reflected XSS on App Search Table Endpoint
- WS FTP Remote Code Execution
- JetBrains TeamCity RCE Attempt
Updated Analytics
- Windows Replication Through Removable Media"
- TOR Traffic
Other Updates
- Updates to the lookup file :
splunk_risky_command - Tagged relevant detections with NjRat Behavior
- Updates to pretrained_dga_model_dsdl.ipynb notebook for better performance
- Several production detections have correct observables to produce accurate risk objects
- Updates to the generate code for creating BA detection files in the latest SPLv2
v4.12.0
New Analytic Story
- Forest Blizzard
New analytics
- Windows Find Domain Organizational Units with GetDomainOU
- Windows Find Interesting ACL with FindInterestingDomainAcl
- Windows Forest Discovery with GetForestDomain
- Windows Get Local Admin with FindLocalAdminAccess
- Headless Browser Mockbin or Mocky Request
- Headless Browser Usage
- Windows AD Abnormal Object Access Activity (External Contributor : @nterl0k )
- Windows AD Privileged Object Access Activity (External Contributor : @nterl0k )
Other Updates
- Adding CVE to Splunk Edit User Privilege Escalation
- Observables updated for 143+ detections to create accurate risk objects
- Added status field to BA spec
- Updated how to implement sections for all detections based on Endpoint.Processes
New Playbooks
- Jira Related Tickets Search
Contributors
nterl0k
Assets 7
v4.11.1
New Analytic Story
- Juniper JunOS Remote Code Execution
- Flax Typhoon
- Windows Error Reporting Service Elevation of Privilege Vulnerability
- Ivanti Sentry Authentication Bypass CVE-2023-38035
- Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360
New Analytics
- Juniper Networks Remote Code Execution Exploit Detection
- Windows SQL Spawning CertUtil
- Ivanti Sentry Authentication Bypass
- Adobe ColdFusion Access Control Bypass
- Adobe ColdFusion Unauthenticated Arbitrary File Read
- Splunk DOS via printf search function
Updated Analytics
- Splunk risky Command Abuse disclosed february 2023
Other Updates
- Added status field to BA package
- Updated
splunk_risky_command.csvtosplunk_risky_command_20230830.csvlookup file and updated the contents in the file
v4.11.0
New Analytic Story
- Juniper JunOS Remote Code Execution
- Flax Typhoon
- Windows Error Reporting Service Elevation of Privilege Vulnerability
- Ivanti Sentry Authentication Bypass CVE-2023-38035
- Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360
New Analytics
- Juniper Networks Remote Code Execution Exploit Detection
- Windows SQL Spawning CertUtil
- Ivanti Sentry Authentication Bypass
- Adobe ColdFusion Access Control Bypass
- Adobe ColdFusion Unauthenticated Arbitrary File Read
- Splunk DOS via printf search function
Updated Analytics
- Splunk risky Command Abuse disclosed february 2023
Other Updates
- Added status field to BA package
- Updated
splunk_risky_command.csvtosplunk_risky_command_20230830.csvlookup file and updated the contents in the file
v4.10.0
New Analytic Story
- Warzone RAT
New Analytics
- Windows Bypass UAC via Pkgmgr Tool
- Windows Mark Of The Web Bypass
- Windows Modify Registry MaxConnectionPerServer
- Windows Unsigned DLL Side-Loading
- Detect Certify Command Line Arguments (External Contributor @nterl0k )
- Detect Certify With PowerShell Script Block Logging (External Contributor @nterl0k )
- Windows Steal Authentication Certificates - ESC1 Authentication (External Contributor @nterl0k )
- Windows Suspect Process With Authentication Traffic (External Contributor @nterl0k )
Updated Analytics
- Azure AD Global Administrator Role Assigned
- Azure AD Multiple Users Failing To Authenticate From Ip
- Azure AD Service Principal Owner Added
- Azure AD Unusual Number of Failed Authentications From Ip
- Azure AD Service Principal Created
- Azure AD Privileged Role Assigned
- Azure AD Privileged Authentication Administrator Role Assigned
- Azure AD Application Administrator Role Assigned
- Azure AD Multi-Factor Authentication Disabled
- Azure AD External Guest User Invited
- Azure AD User Enabled And Password Reset
- Azure AD Service Principal New Client Credentials
- Azure AD New Federated Domain Added
- Azure AD New Custom Domain Added
- Azure AD Successful Single-Factor Authentication
- Azure AD Authentication Failed During MFA Challenge
- Azure AD Successful PowerShell Authentication
- Azure AD Multiple Failed MFA Requests For User
- Azure AD User ImmutableId Attribute Updated
- Azure Active Directory High Risk Sign-in
- Unusually Long Command Line
- Suspicious Copy on System32
New Playbooks
- AD LDAP Account Unlocking
- AWS IAM Account Unlocking
- Azure AD Account Unlocking
- Active Directory Enable Account Dispatch
Updated Playbook
- Active Directory Disable Account Dispatch
Other Updates
- Updated several detections for better output and risk objects
Contributors
nterl0k
Assets 7
v4.9.1
Merge pull request #2809 from splunk/ssa_escalation_Aug16 SSA Regex Bugfixes
v4.9.0
New Analytics
- Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
- Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
- Citrix ShareFile Exploitation CVE-2023-24489
- Windows Powershell RemoteSigned File
- PowerShell Script Block With URL Chain (External Contributor @nterl0k )
- PowerShell WebRequest Using Memory Stream (External Contributor @nterl0k )
- Suspicious Process Executed From Container File (External Contributor @nterl0k )
- Windows Registry Payload Injection (External Contributor (External Contributor @nterl0k )
- Windows Scheduled Task Service Spawned Shell (External Contributor @nterl0k )
Updated Analytics
- Clop Common Exec Parameter (External Contributor @DipsyTipsy)
- O365 Added Service Principal
- O365 New Federated Domain Added
- O365 Excessive SSO logon errors
New Analytic Story
- Ivanti EPMM Remote Unauthenticated Access
- Citrix ShareFile RCE CVE-2023-24489
Other Updates
- Updated detections with test datasets
- Updated several observables in detections
Contributors
DipsyTipsy and nterl0k
Assets 7
v4.8.0
New Analytics
- Splunk Unauthenticated Log Injection Web Service Log
v4.7.0
New Analytics
- Citrix ADC Exploitation CVE-2023-3519
- Windows Modify Registry EnableLinkedConnections
- Windows Modify Registry LongPathsEnabled
- Windows Modify Registry Risk Behavior
- Windows Post Exploitation Risk Behavior
- Windows Common Abused Cmd Shell Risk Behavior
Updated Analytics
- O365 Add App Role Assignment Grant User
- MSHTML Module Load in Office Product
- Office Document Spawned Child Process To Download
- Office Product Spawn CMD Process
- Office Product Spawning BITSAdmin
- Office Product Spawning CertUtil
- Office Product Spawning MSHTA
- Office Product Spawning Rundll32 with no DLL
- Office Product Spawning Windows Script Host
New Analytic Story
- BlackByte Ransomware
- CVE-2023-36884 Office and Windows HTML RCE Vulnerability
- Citrix Netscaler ADC CVE-2023-3519
Other Updates
- Tagged several detection analytics to
BlackByte Ransomware - Removed unused fields from detections.json for SSE API
- Improved validation script for the csv lookup and yaml files
v4.6.0
New Analytics
- Windows PowerShell ScheduleTask
- Windows Files and Dirs Access Rights Modification Via Icacls
Updated Analytics
- ICACLS Grant Command
- Registry Keys Used For Persistence
- PowerShell 4104 Hunting
- Detect Baron Samedit CVE-2021-3156 Segfault
- Detect Baron Samedit CVE-2021-3156
- Windows System Shutdown CommandLine
- VMWare Aria Operations Exploit Attempt
New Analytic Story
- Scheduled Tasks
- Amadey
- Graceful Wipe Out Attack
- VMware Aria Operations vRealize CVE-2023-20887
Other Updates
- Improved descriptions of several detections, tagged appropriate Mitre IDs and Analytic Stories to detections
- Added filter macros to the macros.json file served via the API
- Added content_changer functionality to security content
New Playbooks
- URL Outbound Traffic Filtering Dispatch
- Panorama Outbound Traffic Filtering
- Splunk Message Identifier Activity Analysis
- G Suite for GMail Message Identifier Activity Analysis
- ZScaler Outbound Traffic Filtering