New Analytic Stories
- Masquerading - Rename System Utilities
- Command and Control
- Trickbot
New Detections
- Winword Spawning Windows Script Host
- Office Product Spawning Rundll32 with no DLL
- Office Application Spawn rundll32 process
- Office Document Creating Schedule Task
- Anomalous Usage of 7z
- Office Product Spawning MSHTA
- Office Product Spawning Wmic
- Office Product Spawning BITSAdmin
- Office Product Spawning CertUtil
- Office Document Executing Macro Code
- Office Document Spawned Child Process To Download
- Schedule Task with HTTP Command Arguments
- Winword Spawning Cmd
- WinEvent Scheduled Task Created Within Public Path
- WinEvent Scheduled Task Created to Spawn Shell
- Winword Spawning PowerShell
- Excel Spawning Windows Script Host
- Excel Spawning PowerShell
- DNS Exfiltration Using Nslookup App
- Excessive Usage of NSLOOKUP App
- Multiple Archive Files Http Post Traffic
- Plain HTTP POST Exfiltrated Data
- Anomalous Usage of 7z
- AWS IAM AccessDenied Discovery Events
- AWS IAM Assume Role Policy Brute Force
- AWS IAM Delete Policy
- AWS IAM Failure Group Deletion
- AWS IAM Successful Group Deletion
- Rundll32 with no Command Line Arguments with Network
- GPUpdate with no Command Line Arguments with Network
- DLLHost with no Command Line Arguments with Network
- SearchProtocolHost with no Command Line with Network
- DNS Exfiltration Using Nslookup App
- Excessive Usage of NSLOOKUP App
- Multiple Archive Files Http Post Traffic
- Plain HTTP POST Exfiltrated Data
Updated Analytic Stories
- Changed "Phishing Payloads" to "Spearphishing Attachments"
Updated Detections
- Malicious Powershell Executed As A Service
- Detect Outlook exe writing a zip file (Changed Analytic Story, updated Detection name (misspell and format))
- Process Creating LNK file in Suspicious Location (Changed Analytic Story)
- Updated all detections with "Phishing Payloads" to "Spearphishing Attachments"
- System Processes Run From Unexpected Locations
Upcoming changes to Enterprise Security Content Updates (ESCU) App
As we move towards a more unified content experience across a plethora of our products (ESCU, SSE, ES Use Case Library, Splunk Docs, and GitHub), the ESCU App will be changing its user interface, effective on version 3.22. Specifically removing the analytic details page and heavily modifying the ESCU summaries page to provide general metrics of content and point the user to SSE and or ES use case library for security content management (scheduling and metadata analysis). We recently removed the killchain phase graphics and replaced it with the most commonly used MITRE techniques bar chart.