github splunk/security_content v3.28.0

2 years ago

New Analytic Stories

  • BlackMatter Ransomware
  • Active Directory Discovery
  • ProxyShell
  • PetitPotam NTLM Relay on Active Directory Certificate Services
  • Microsoft MSHTML Remote Code Execution CVE-2021-40444

Updated Analytic Stories

  • Dev Sec Ops

New Analytics

  • Add DefaultUser And Password In Registry
  • Auto Admin Logon Registry Entry
  • Bcdedit Command Back To Normal Mode Boot
  • Change To Safe Mode With Network Config
  • SchCache Change By App Connect And Create ADSI Object
  • Circle CI Disable Security Job
  • Circle CI Disable Security Step
  • Github Commit In Develop
  • GitHub Dependabot Alert
  • GitHub Pull Request from Unknown User
  • Get ADDefaultDomainPasswordPolicy with Powershell
  • Get ADDefaultDomainPasswordPolicy with Powershell Script Block
  • Get ADUserResultantPasswordPolicy with Powershell
  • Get ADUserResultantPasswordPolicy with Powershell Script Block
  • Get DomainPolicy with Powershell
  • Get DomainPolicy with Powershell Script Block
  • Password Policy Discovery with Net
  • AdsiSearcher Account Discovery
  • Domain Account Discovery with Dsquery
  • Domain Account Discovery With Net App
  • Domain Account Discovery with Wmic
  • Get ADUser with PowerShell
  • Get ADUser with PowerShell Script Block
  • Get DomainUser with PowerShell
  • Get DomainUser with PowerShell Script Block
  • GetWmiObject DS User with PowerShell
  • GetWmiObject DS User with PowerShell Script Block
  • GetLocalUser with PowerShell
  • GetLocalUser with PowerShell Script Block
  • GetWmiObject User Account with PowerShell
  • GetWmiObject User Account with PowerShell Script Block
  • Local Account Discovery with Net
  • Local Account Discovery With Wmic
  • Exchange PowerShell Module Usage (Experimental)
  • Exchange PowerShell Abuse via SSRF (Experimental)
  • PetitPotam Network Share Access Request
  • Windows Kerberos Auth Ticket Request
  • Kubernetes Scanner Image Pulling
  • Gsuite Email Suspicious Subject With Attachment
  • Gsuite Email With Known Abuse Web Service Link
  • Gsuite Suspicious Shared File Name
  • AWS ECR Container Upload Outside Business Hours
  • AWS ECR Container Upload Unknown User
  • Github Commit Changes In Master
  • Esentutl SAM Copy
  • PowerShell 4104 Hunting
  • Gsuite Drive Share In External Email
  • GSuite Email Suspicious Attachment
  • Gsuite Outbound Email With Attachment To External Domain
  • Rundll32 Control_RunDLL World Writable Directory
  • Rundll32 Control_Rundll Hunt
  • Office Spawning Control
  • Control Loading from World Writable Directory
  • MSHTML Module Load in Office Product

Updated Analytics

  • Create local admin accounts using net exe (Thank you for reporting this @mschilt)
  • Create or delete windows shares using net exe (Thank you for reporting this @thejanit0r)
  • Extraction of Registry Hives (Thank you for reporting this @thejanit0r)
  • System Information Discovery Detection (Thank you for reporting this @mschilt)
  • Registry Keys Used For Persistence (Thank you for reporting this @mschilt)
  • Process Creating LNK file in Suspicious Location (Thank you for reporting this @mschilt)

Other Updates

  • Minor Readme updates
  • Added Missing risk scores
  • Update links to spec files

CI Updates

  • Migrate CI from CircleCI to GitHub Actions
  • Reduce External Tool Dependencies
  • Increase Transparency and Portability of CI Pipeline
  • Prepare for future CI changes
