New Analytics
- Windows Rasautou DLL Execution
- Linux pkexec Privilege Escalation
- Potentially malicious code on commandline (MLTK based detection that works with a pre shipped model file)
Updated Analytics
- Linux pkexec Privilege Escalation
- Windows Possible Credential Dumping
- Windows Remote Assistance Spawning Process
- Windows Schtasks Create Run As System
- RunDLL Loading DLL By Ordinal
- CertUtil Download With URLCache and Split Arguments
- CertUtil Download With VerifyCtl and Split Arguments
- O365 Added Service Principal (Bug fix contributed by @ionsor)
- O365 Bypass MFA via Trusted IP (Bug fix contributed by @ionsor)
- O365 Disable MFA (Bug fix contributed by @ionsor)
- Powershell Remove Windows Defender Directory (Bug fix contributed by @BlackB0lt)
- GetWmiObject Ds Computer with PowerShell Script Block (Bug fix contributed by @sanjay900)
- GetWmiObject Ds Group with PowerShell Script Block (Bug fix contributed by @sanjay900)
New Playbooks
- Trustar Enrich Indicators
- Threat Intel Investigate
- Start Investigation
- AWS Disable User Accounts
- AWS Find Inactive Users
New BA Analytics
- Windows Powershell Connect to Internet With Hidden Window(SRS)
- Windows Powershell DownloadFile(SRS)
- Unusual Volume of Data Download from Internal Server Per Entity (experimental detection - Not shipped in the SSA package )
Other ESCU updates
- Updated 20+ detections based on Endpoint.Registry and tested with the latest Microsoft Sysmon TA(https://splunkbase.splunk.com/app/5709/)
- Updated
Detect GCP Storage access from a new IPbased on customer reported bug. - Updated deprecation note in
Detection of DNS Tunnelswith reference to new detection. - Updated savedsearches.conf with a risk parameter that previously did not allow a search to be saved from the UI
- Updated
generate.pyto output correct UTF-8 rendered savedsearches.conf stanzas forMalicious PowerShell Process - Encoded CommandandPowerShell - Connect To Internet With Hidden Window