RELEASE NOTES
Version 1.0.48 was released on December 20, 2019 and introduced input(pre-filter) and output(post-filter) macros for all new detection searches after v. 1.0.46. These macros let you update a macro definition once and then apply the new definition across all detections that leverage that macro. These changes will be local to your Splunk environment.
New detection searches added to the "Credential Dumping" Analytic Story:
- Access LSASS Memory for Dump Creation
- Create Remote Thread into LSASS
- Detect Credential Dumping through LSASS access
- Unsigned Image Loaded by LSASS
- Attempted Credential Dump From Registry via Reg.exe
- Detect Mimikatz Using Loaded Images
- Attempt To Set Default PowerShell Execution Policy To Unrestricted or Bypass
- Creation of Shadow Copy with ntdsutil
- Creation of Shadow Copy with vssadmin
- Creation of Shadow Copy with wmic and powershell
- Creation of Shadow Copy with wmicCredential Dumping via Copy Command from Shadowcopy
- Credential Dumping via Symlink to Shadowcopy
Fixed a bug in the security_content_ctime macro, which was not working as expected.