github splunk/security_content v3.32.0
on GitHub

latest releases: v4.42.0, v4.41.0, v4.40.0...
2 years ago

New Analytic Story

Updated Analytic Story

  • Active Directory Lateral Movement

New Analytics

  • Curl Download and Bash Execution
  • Wget Download and Bash Execution
  • Linux Java Spawning Shell
  • Windows Java Spawning Shell
  • Java Class File download by Java User Agent
  • Outbound Network Connection from Java Using Default Ports
  • Log4Shell JNDI Payload Injection Attempt
  • Log4Shell JNDI Payload Injection with Outbound Connection
  • Detect Outbound LDAP Traffic
  • Hunting for Log4Shell
  • Possible Lateral Movement PowerShell Spawn
  • Short Lived Scheduled Task
  • Randomly Generated Windows Service Name
  • Randomly Generated Scheduled Task Name
  • Unusual Number of Computer Service Tickets Requested
  • Unusual Number of Remote Endpoint Authentication Events

Updated Analytics

  • Any PowerShell DownloadFile
  • CMD Carry Out String Command Parameter
  • Malicious PowerShell Process - Connect To Internet With Hidden Window

New BA Analytics

  • Detect RClone Command-Line Usage
  • Windows Curl Upload to Remote Destination
  • DNS Exfiltration Using Nslookup App
  • Fsutil Zeroing File
  • BCDEdit Failure Recovery Modification
  • WBAdmin Delete System Backups
  • Excessive Number of Office Files Copied
  • High File Deletion Frequency

BA Analytics Updates

  • Attempt To Delete Services
  • Attempt To Disable Services
  • Attempted Credential Dump From Registry via Reg exe
  • Delete a net user
  • Deny Permission using Cacls Utility
  • Detect Dump LSASS Memory using comsvcs
  • Disable Net User Account
  • First time seen command line argument
  • Grant Permission Using Cacls Utility
  • Prohibited apps spawning cmdprompt
  • Potential Pass the Token or Hash Observed at the Destination Device
  • Rare Parent-Child Process Relationship
  • ptt pth kerb ntlm origin device
  • Resize Shadowstorage Volume
  • sdelete application execution

New Playbooks

  • Log4Shell Investigate and Respond
  • Internal Host Splunk Investigate
  • Internal Host SSH Log4j Investigate
  • Internal Host SSH Investigate
  • Internal Host Winrm Log4j Investigate
  • Internal Host Winrm Investigate
  • Internal Host Winrm Log4j Respond
  • Internal Host SSH Log4j Respond

Other updates

  • Added BA package
  • Update docker CI testing logic
  • Added rendering Playbook to docs
Check out latest releases or
releases around splunk/security_content v3.32.0

Don't miss a new security_content release

NewReleases is sending notifications on new releases.

Get notifications