Updated Analytic Story
- Malicious PowerShell
- Data Exfiltration
- Ransomware
- Meterpreter
New Analytics
- Detect Empire with PowerShell Script Block Logging
- Detect Mimikatz With PowerShell Script Block Logging
- Powershell Fileless Process Injection via GetProcAddress
- Powershell Fileless Script Contains Base64 Encoded Content
- Unloading AMSI via Reflection
- PowerShell Domain Enumeration
- PowerShell Loading DotNET into Memory via System Reflection Assembly
- Detect WMI Event Subscription Persistence
- Suspicious Event Log Service Behavior
- Powershell Creating Thread Mutex
- Powershell Processing Stream Of Data
- Powershell Using memory As Backing Store
- Recon AVProduct Through Pwh or WMI
- Recon Using WMI Class
- WMI Recon Running Process Or Services
- Start Up During Safe Mode Boot
- Prevent Automatic Repair Mode using Bcdedit
- Permission Modification using Takeown App
- Disable Logs Using WevtUtil
- Clear Unallocated Sector Using Cipher App
- Allow Operation with Consent Admin
- Excessive number of distinct processes created in Windows Temp folder
- Excessive number of taskhost processes
Updated Analytics
- Remote WMI Command Attempt
- Process Execution via WMI
- WMI Permanent Event Subscription - Sysmon
- Office Document Spawned Child Process To Download(Thank you @mschilt for reporting)
- Suspicious MSBuild Rename(Thank you @mschilt for reporting)
NOTE:
We have made some changes to deprecated detections.
doc_gen.pywill not longer include deprecated detections on Splunk Docs.- The correlation search label is updated to
ESCU - Deprecated -<search_name> - Rule - The following note is added to the beginning of the description of the deprecated detection:
WARNING, this detection has been marked deprecated by the Splunk Threat Research team, this means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com.*