github splunk/security_content v3.33.0

2 years ago

New Analytic Story

  • Linux Privilege Escalation
  • Linux Persistence Techniques
  • sAMAccountName Spoofing and Domain Controller Impersonation

Updated Analytic Story

New Analytics

  • Windows Hunting System Account Targeting Lsass
  • Windows Non-System Account Targeting Lsass
  • Suspicious Computer Account Name Change
  • Suspicious Kerberos Service Ticket Request
  • Suspicious Ticket Granting Ticket Request
  • Linux NOPASSWD Entry In Sudoers File
  • Linux Possible Access Or Modification Of sshd Config File
  • Linux Possible Append Command To Profile Config File
  • Linux Possible Ssh Key File Creation
  • Linux Add User Account
  • Linux Common Process For Elevation Control
  • Linux Doas Conf File Creation
  • Linux Doas Tool Execution
  • Linux Possible Access To Credential Files
  • Linux Possible Access To Sudoers File
  • Linux Sudo OR Su Execution
  • Linux Change File Owner To Root
  • Linux File Created In Kernel Driver Directory
  • Linux Insert Kernel Module Using Insmod Utility
  • Linux Install Kernel Module Using Modprobe Utility
  • Linux Preload Hijack Library Calls
  • Linux Sudoers Tmp File Creation
  • Linux Visudo Utility Execution
  • Linux File Creation In Init Boot Directory
  • Linux File Creation In Profile Directory
  • Linux Service File Created In Systemd Directory
  • Linux Service Restarted
  • Linux Service Started Or Enabled
  • Linux Setuid Using Chmod Utility
  • Linux Setuid Using Setcap Utility
  • Linux Add Files In Known Crontab Directories
  • Linux At Allow Config File Creation
  • Linux At Application Execution
  • Linux Edit Cron Table Parameter
  • Linux Possible Append Command To At Allow Config File
  • Linux Possible Append Cronjob Entry on Existing Cronjob File
  • Linux Possible Cronjob Modification With Editor
  • Linux Java Spawning Shell

Updated Analytics

  • Outbound Network Connection from Java Using Default Ports
  • Hunting for Log4Shell

New Playbooks

  • Block Indicators
  • Email Notification for Malware
  • Malware Hunt and Contain

BA Updates

  • Fixed a bug with risk_severity values.
  • Updated directory structure for dist/ssa package.
        dist/ssa
           ├── complex
           └── srs

Other updates

  • Deprecated SAAWS (DA-ESS_AmazonWebServices_Content) package from dist/
  • Renamed "Malicious PowerShell Process - Connect To Internet With Hidden Window" to "PowerShell - Connect To Internet With Hidden Window"
  • Added a warning message to experimental detections. These detections are not supported.
