github splunk/security_content v3.31.0


New Analytic Story

  • Signed Binary Proxy Execution InstallUtil

Updated Analytic Story

  • Lateral Movement

New Analytics

  • Add or Set Windows Defender Exclusion
  • Powershell Windows Defender Exclusion Commands
  • Windows Defender Exclusion Registry Entry
  • Impacket Lateral Movement Commandline Parameters
  • Windows Service Created Within Public Path
  • Wmiprsve LOLBAS Execution Process Spawn
  • Services LOLBAS Execution Process Spawn
  • Svchost LOLBAS Execution Process Spawn
  • Wsmprovhost LOLBAS Execution Process Spawn
  • Mmc LOLBAS Execution Process Spawn
  • CSC Net On The Fly Compilation
  • Firewall Allowed Program Enable
  • High Frequency Copy Of Files In Network Share
  • Loading Of Dynwrapx Module
  • Network Discovery Using Route Windows App
  • Runas Execution in CommandLine
  • Suspicious Process DNS Query Known Abuse Web Services
  • Remote Process Instantiation via WMI and PowerShell Script Block
  • Remote Process Instantiation via WMI and PowerShell
  • Remote Process Instantiation via DCOM and PowerShell Script Block
  • Remote Process Instantiation via DCOM and PowerShell
  • Remote Process Instantiation via WinRM and PowerShell
  • Remote Process Instantiation via WinRM and PowerShell Script Block
  • WMIC XSL Execution via URL
  • Windows InstallUtil Remote Network Connection
  • Windows InstallUtil URL in Command Line
  • Windows InstallUtil Credential Theft
  • Windows InstallUtil Uninstall Option
  • Windows InstallUtil Uninstall Option with Network
  • Windows DiskCryptor Usage
  • Windows Service Creation on Remote Endpoint
  • Windows Service Initiation on Remote Endpoint
  • Scheduled Task Initiation on Remote Endpoint
  • Scheduled Task Creation on Remote Endpoint using At
  • Remote Process Instantiation via WinRM and Winrs

Updated Analytics

  • Detect RClone Command-Line Usage
  • Detect HTML Help Renamed search
  • Windows Service Created With Suspicious Service Path
  • Possible Browser Pass View Parameter
  • System Info Gathering Using Dxdiag Application
  • ServicePrincipalNames Discovery with PowerShell
  • ServicePrincipalNames Discovery with SetSPN
  • WinEvent Scheduled Task Created Within Public Path
  • Kerberoasting spn request with RC4 encryption
  • Schtasks scheduling job on remote system
  • Remote Process Instantiation via WMI
  • Regsvr32 Silent and Install Param Dll Loading
  • Regsvr32 with Known Silent Switch Cmdline
  • Detect AWS Console Login by New User (thank you @jay-merry)
  • Detect AWS Console Login by User from New City (thank you @jay-merry)
  • Detect AWS Console Login by User from New Region (thank you @jay-merry)
  • Detect AWS Console Login by User from New Country (thank you @jay-merry)
  • AWS IAM AccessDenied Discovery Events (thank you @infosecB)
  • Attacker Tools On Endpoint (thank you @huskersec)

Other updates

  • Updated 20+ Endpoint Registry detections to leverage the correct field names mapped by Splunk Add-on for Sysmon (https://splunkbase.splunk.com/app/5709/)
  • Removed devsecops package from the repository

New BA Analytics

  • Anomalous usage of Archive Tools
  • Sdelete Application Execution

BA Analytics Updates

  • Detect Prohibited Applications Spawning cmd exe (updated)
  • Delete A Net User (updated)
  • Potential Pass the Token or Hash Observed at the Destination Device (updated)
  • Potential Pass the Token or Hash Observed by an Event Collecting Device (updated)
  • Improved BA testing pipeline
  • Updated metadata in several BA detections
