github splunk/security_content v3.29.0

3 years ago

New Analytic Stories

  • Remcos
  • Fin7

Updated Analytic Stories

  • Microsoft MSHTML Remote Code Execution CVE-2021-40444
  • Active Directory Discovery
  • Ransomware

New Analytics

  • Remcos RAT File Creation in Remcos Folder
  • Suspicious Image Creation In Appdata Folder
  • Suspicious WAV file in Appdata Folder
  • Jscript Execution Using Cscript App
  • Office Application Drop Executable
  • XSL Script Execution With WMIC
  • Non Chrome Process Accessing Chrome Default Dir
  • Non Firefox Process Access Firefox Profile Dir
  • Check Elevated CMD using whoami
  • Cmdline Tool Not Executed In CMD Shell
  • MS Scripting Process Loading WMI Module
  • MS Scripting Process Loading ldap Module
  • Net Localgroup Discovery
  • Wmic Group Discovery
  • Powershell Get LocalGroup Discovery with Script Block Logging
  • PowerShell Get LocalGroup Discovery
  • Get WMIObject Group Discovery with Script Block Logging
  • Get WMIObject Group Discovery
  • System User Discovery With Query
  • System User Discovery With Whoami
  • GetCurrent User with PowerShell Script Block
  • GetCurrent User with PowerShell
  • User Discovery With Env Vars PowerShell
  • User Discovery With Env Vars PowerShell Script Block
  • Office Product Writing cab or inf
  • GetNetTcpconnection with PowerShell
  • GetNetTcpconnection with PowerShell Script Block
  • Network Connection Discovery With Arp
  • Network Connection Discovery With Net
  • Network Connection Discovery With Netstat

Playbooks:

  • Ransomware Investigate and Contain

BugFix:

  • Fixes in generate.py to ensure all Analytic Stories render correctly in Use Case Library
  • Deprecated Old AWS baselines

Other feature updates:

  • With CIM 4.20 and the latest Sysmon TA, process macros are now available for content development. Each macro matches a process on both its process_name and its original_file_name, so a renamed copy of a binary is still caught by the original_file_name that Sysmon reads from the PE version resource. All detections that could use this format have been updated.
  • Updated generate.py to add Playbook descriptions to Analytic Stories
  • Updated doc_gen.py to add markdown generation for all of the Jekyll site components
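As an added illustration, not a detection search from the repository, the SPL below shows the shape of the condition the new process macros encapsulate, applied to the whoami case that the "Check Elevated CMD using whoami" analytic targets. Field names follow the CIM Endpoint.Processes data model as populated by the Sysmon TA; the simplified `/groups` argument check and the cmd.exe parent constraint are assumptions made for this example, and a macro name such as `process_whoami` would be an assumed name for the parenthesised clause.

```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.parent_process_name="cmd.exe"
      (Processes.process_name="whoami.exe" OR Processes.original_file_name="whoami.exe")
      Processes.process="*/groups*"
    by Processes.dest Processes.user Processes.parent_process_name
       Processes.process_name Processes.original_file_name Processes.process
| rename Processes.* as *
| convert ctime(firstTime) ctime(lastTime)
```

The parenthesised OR is what a process macro would carry: in macros.conf it becomes a single definition that every detection references, so a change in CIM field names or TA extraction is a one-place edit rather than a sweep across all searches. The original_file_name half matters because an attacker who copies whoami.exe to w.exe defeats the process_name match but not the OriginalFileName that Sysmon EventCode 1 extracts from the PE version resource. The caveat is that this only raises the bar: an attacker who controls the binary can rewrite or strip that resource, or use a non-PE tool, so the macro improves coverage of casual renaming rather than guaranteeing detection.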

SSA Detections

  • Potential Pass the Token or Hash Observed at the Destination Device
  • Potential Pass the Token or Hash Observed by an Event Collecting Device
  • Added detection bodies to:
    • More than usual number of LOLBAS applications in short time period
    • Detect Dump LSASS Memory using comsvcs
