Releases: splunk/security_content

v3.63.0

30 Mar 20:18
7ba6ca8

New Analytic Story

  • 3CX Supply Chain Attack

New Analytics

  • Hunting 3CXDesktopApp Software
  • Windows Vulnerable 3CX Software
  • 3CX Supply Chain Attack Network Indicators

Updated Analytics

  • Splunk Improperly Formatted Parameter Crashes splunkd

v3.62.0

21 Mar 21:41
55ac860

New Analytic Story

New Analytics

  • Okta Mismatch Between Source and Response for Okta Verify Push Request
  • Okta Multiple Failed Requests to Access Applications
  • Okta Suspicious Use of a Session Cookie
  • Okta Phishing Detection with FastPass Origin Check
  • Okta ThreatInsight Login Failure with High Unknown users
  • Okta ThreatInsight Suspected PasswordSpray Attack
  • Windows Rundll32 WebDAV Request
  • Windows Rundll32 WebDav With Network Connection

Other Updates

  • Updated the ransomware_notes.csv and ransomware_extensions.csv files and the transforms definition (thanks to @VatsalJagani)
  • Updated playbook name to CrowdStrike OAuth API Device Attribute Lookup
  • Updated several analytics to integrate better with Enterprise Security

v3.61.0

07 Mar 23:38
1ee5360

New Analytic Story

  • Sneaky Active Directory Persistence Tricks (huge thanks and shoutout to Dean Luxton and Steven Dick for contributing detections)
  • BishopFox Sliver Adversary Emulation Framework

New Analytics

  • Notepad with no Command Line Arguments
  • Windows Process Injection into Notepad
  • Windows AD Same Domain SID History Addition
  • Windows AD Cross Domain SID History Addition
  • Windows AD Replication Request Initiated by User Account
  • Windows AD Replication Request Initiated from Unsanctioned Location
  • Windows AD Domain Replication ACL Addition
  • Windows AD DSRM Account Changes
  • Windows AD DSRM Password Reset
  • Windows AD Short Lived Domain Controller SPN Attribute
  • Windows AD Short Lived Server Object
  • Windows AD SID History Attribute Modified
  • Windows AD AdminSDHolder ACL Modified
  • Windows AD ServicePrincipalName Added To Domain Account
  • Windows AD Short Lived Domain Account ServicePrincipalName
  • Windows AD Rogue Domain Controller Network Activity
  • Windows AD Account SID History Addition
  • Windows AD Replication Service Traffic
  • Windows Unusual Count of Disabled Users Failed Auth Using Kerberos
  • Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
  • Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
  • Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
  • Windows Unusual Count Of Users Failed To Auth Using Kerberos
  • Windows Unusual Count Of Users Failed To Authenticate From Process
  • Windows Unusual Count Of Users Failed To Authenticate Using NTLM
  • Windows Unusual Count Of Users Remotely Failed To Auth From Host

Updated Analytics

  • Impacket Lateral Movement Commandline Parameters (Thank you Chris Chantrey)
  • Suspicious Regsvr32 Register Suspicious Path (Thank you DipsyTipsy)
  • Suspicious Reg.exe Process (Thank you DipsyTipsy)
  • Linux SSH Remote Services Script Execute (Thank you DipsyTipsy)

New Playbooks

  • Automated Enrichment (Parent Playbook)
    • Dynamic Attribute Lookup
    • Dynamic Identifier Reputation Analysis
    • Dynamic Related Tickets Search
  • ServiceNow Related Tickets Search
  • Splunk Notable Related Tickets Search
  • AD LDAP Entity Attributes Lookup
  • Azure AD Graph User Attributes Lookup
  • Crowdstrike OAuth API Device Attribute

Other Updates

  • Removed Experimental/Deprecated BA detections from develop and research.splunk.com
  • Migrated Password Spraying to XML
  • Updated all of the Splunkbase apps that are used for our automated testing framework

v3.60.0

21 Feb 21:03
aca80cb

New Analytic Story

New Analytics

  • Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
  • Linux Data Destruction Command
  • Linux Hardware Addition SwapOff
  • Linux Impair Defenses Process Kill
  • Linux Indicator Removal Clear Cache
  • Linux Indicator Removal Service File Deletion
  • Linux System Reboot Via System Request Key
  • Linux Unix Shell Enable All SysRq Functions
  • Windows Steal Authentication Certificates CryptoAPI
  • Windows Mimikatz Crypto Export File Extensions

Updated Analytics

  • Linux Deletion Of Services
  • Linux Disable Services
  • Linux Shred Overwrite Command
  • Linux Service Restarted
  • Linux Stop Services
  • Linux Deleting Critical Directory Using RM Command
  • Wbemprox COM Object Execution

Other Updates

  • Added the Lateral Movement story to deprecated, with a note to refer to the Active Directory Lateral Movement analytic story instead.
  • Removed observables from action.escu.annotations in savedsearches.conf.
  • Added MSAccess.exe to all of the Microsoft Office analytics.
  • Updated Detect Outlook exe writing a zip file and removed explorer.exe, as it was generating the bulk of the noise.

v3.59.0

14 Feb 17:50
ecf185a

New Analytics

  • Splunk csrf in the ssg kvstore client endpoint
  • Splunk Improperly Formatted Parameter Crashes splunkd
  • Persistent XSS in RapidDiag through User Interface Views
  • Splunk risky Command Abuse disclosed february 2023
  • Splunk unnecessary file extensions allowed by lookup table uploads
  • Splunk XSS via View
  • Splunk list all nonstandard admin accounts

Updated Analytic Story

  • Splunk Vulnerabilities

v3.58.0

07 Feb 22:17
d2ddfc1

New Analytic Story

  • AsyncRAT
  • Compromised User Account
  • Swift Slicer
  • Windows Certificate Services

New Analytics

  • AWS AD New MFA Method Registered For User
  • AWS Concurrent Sessions From Different Ips
  • AWS High Number Of Failed Authentications For User
  • AWS High Number Of Failed Authentications From Ip
  • AWS Password Policy Changes
  • AWS Successful Console Authentication From Multiple IPs
  • Azure AD Concurrent Sessions From Different Ips
  • Azure AD High Number Of Failed Authentications For User
  • Azure AD High Number Of Failed Authentications From Ip
  • Azure AD New MFA Method Registered For User
  • Azure AD Successful Authentication From Different Ips
  • Detect suspicious processnames using a pretrained model in DSDL
  • Driver Inventory
  • LOLBAS With Network Traffic (Thanks to @nterl0k)
  • Windows Data Destruction Recursive Exec Files Deletion
  • Windows Export Certificate
  • Windows PowerShell Export Certificate
  • Windows PowerShell Export PfxCertificate
  • Windows Spearphishing Attachment Onenote Spawn Mshta
  • Windows Steal Authentication Certificates Certificate Issued
  • Windows Steal Authentication Certificates Certificate Request
  • Windows Steal Authentication Certificates CertUtil Backup
  • Windows Steal Authentication Certificates CS Backup
  • Windows Steal Authentication Certificates Export Certificate
  • Windows Steal Authentication Certificates Export PfxCertificate
  • Windows Powershell Cryptography Namespace
  • Windows Scheduled Task with Highest Privileges
  • Windows Spearphishing Attachment Connect To None MS Office Domain

Updated Analytics

  • AWS Multiple Users Failing To Authenticate From Ip
  • Exploit Public Facing Application via Apache Commons Text
  • Office Application Drop Executable (Thanks to @TheLawsOfChaos)
  • Office Product Spawning MSHTA
  • Rundll32 with no Command Line Arguments with Network (Thanks to @nterl0k)
  • Windows Java Spawning Shells

Other Updates

  • Moved 12 failing detections to experimental
  • Fixed a number of detections that used an incorrect sourcetype in their macro
  • Updated several Endpoint detections from proc_guid to process_guid (Thanks to @nterl0k)

v3.57.0

24 Jan 23:24
b3ebd4b

New Analytic Story

  • Chaos Ransomware
  • LockBit Ransomware

New Analytics

  • Detect suspicious DNS TXT records using pretrained model in DSDL
  • Windows Boot or Logon Autostart Execution In Startup Folder
  • Windows Modify Registry Default Icon Setting
  • Windows Phishing PDF File Executes URL Link
  • Windows Replication Through Removable Media
  • Windows User Execution Malicious URL Shortcut File
  • Windows Vulnerable Driver Loaded
  • Linux Ngrok Reverse Proxy Usage
  • Windows Server Software Component GACUtil Install to GAC
  • Windows PowerShell Add Module to Global Assembly Cache
  • Windows Credential Dumping LSASS Memory Createdump

Updated Analytics

  • Known Services Killed by Ransomware
  • Windows DLL Search Order Hijacking Hunt
  • Windows DLL Search Order Hijacking Hunt Sysmon
  • ProxyShell ProxyNotShell Behavior Detected (correlation)

Other Updates

  • Added 3 new playbook files from phantomcyber/playbooks to security_content: Dynamic Identifier Reputation Analysis, PhishTank URL Reputation Analysis, and VirusTotal v3 Identifier Reputation Analysis
  • Added onenote.exe to several detection analytics related to Office products

v3.56.0

10 Jan 22:37
dde8262

New Analytic Story

  • IIS Components

New Analytics

  • Windows Disable Windows Event Logging Disable HTTP Logging
  • Windows IIS Components Add New Module
  • Windows IIS Components Get-WebGlobalModule Module Query
  • Windows IIS Components Module Failed to Load
  • Windows IIS Components New Module Added
  • Windows PowerShell Disable Windows Event Logging Disable HTTP Logging
  • Windows PowerShell IIS Components WebGlobalModule Usage

Updated Analytics

  • Account Discovery With Net App (Thanks to @TheLawsOfChaos)
  • Msmpeng Application DLL Side Loading (Thanks to @sanjay900)
  • Remcos RAT File Creation in Remcos Folder (Thanks to @sanjay900)
  • Excessive DNS Failures (Thanks to @bowesmana)
  • Batch File Write to System32 (Thanks to @nterl0k)
  • Disable Defender AntiVirus Registry (Thanks to @nterl0k)
  • Sc exe manipulating windows services
  • Windows remote access software hunt

Other Updates

  • Updated the CI workflow to upload the summary results to the S3 reporting bucket after a test completes.
  • Added the risk_index macro, which expands to index=risk, to security_content.

v3.55.0

13 Dec 23:06
acfa597

New Analytic Story

  • Prestige Ransomware
  • Windows Post-Exploitation

New Analytics

  • Windows Modify Registry Reg Restore
  • Windows Query Registry Reg Save
  • Windows System User Discovery Via Quser
  • Windows WMI Process And Service List
  • Windows Cached Domain Credentials Reg Query
  • Windows ClipBoard Data via Get-ClipBoard
  • Windows Credentials from Password Stores Query
  • Windows Credentials in Registry Reg Query
  • Windows Indirect Command Execution Via Series Of Forfiles
  • Windows Information Discovery Fsutil
  • Windows Password Managers Discovery
  • Windows Private Keys Discovery
  • Windows Security Support Provider Reg Query
  • Windows Steal or Forge Kerberos Tickets Klist
  • Windows System Network Config Discovery Display DNS
  • Windows System Network Connections Discovery Netsh
  • Windows Change Default File Association For No File Ext
  • Windows Service Stop Via Net and SC Application

Other Updates

  • Added new MITRE coverage map JSON files under docs/mitre-map to show coverage of the CISA 2021 Top Malware TTPs.
  • Fixed a bug in contentctl so that the appropriate scheduling configuration is written to savedsearches.conf.

v3.54.0

29 Nov 23:58
83fc0e3

New Analytic Story

  • CISA AA22-320A
  • Reverse Network Proxy
  • MetaSploit

New Analytics

  • Ngrok Reverse Proxy on Network
  • Powershell Load Module in Meterpreter
  • Windows Apache Benchmark Binary
  • Windows Mimikatz Binary Execution
  • Windows MSExchange Management Mailbox Cmdlet Usage
  • Windows Ngrok Reverse Proxy Usage
  • Windows Service Created with Suspicious Service Path

Updated Analytics

  • BITSAdmin Download File (Thank you @BlackB0lt)
  • Common Ransomware Extensions (Thank you Steven Dick!) Issue 2448
  • Exchange PowerShell Module Usage

New BA Analytics

  • Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser
  • Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView

Updated BA Analytics

  • Windows Exchange PowerShell Module Usage

Other Updates

  • Tagged several detections for AgentTesla and Qakbot
  • Added the CrowdStrike TA to the detection testing pipeline