New Analytic Story
- Splunk Vulnerabilities
- Double Zero Destructor
- Windows Registry Abuse
New Analytics
- Splunk DoS via Malformed S2S Request
- Windows Deleted Registry By A Non Critical Process File Path
- Windows Terminating Lsass Process
- MacOS LOLbin
Updated Analytics
- SQL Injection with Long URLs
- Modify ACL permission To Files Or Folder
- Windows InstallUtil Remote Network Connection
- Windows InstallUtil Uninstall Option with Network
- Detect Regasm with no Command Line Arguments
- Detect Regsvcs with No Command Line Arguments
- DLLHost with no Command Line Arguments with Network
- GPUpdate with no Command Line Arguments with Network
- Rundll32 with no Command Line Arguments with Network
- SearchProtocolHost with no Command Line with Network
- Suspicious DLLHost no Command Line Arguments
- Suspicious GPUpdate no Command Line Arguments
- Suspicious Rundll32 no Command Line Arguments
- Suspicious SearchProtocolHost no Command Line
- AWS CreateAccessKey
- AWS UpdateLoginProfile
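The four "no Command Line Arguments with Network" analytics above (DLLHost, GPUpdate, Rundll32, SearchProtocolHost) share one heuristic: a Windows binary that is normally launched with arguments starts as a bare image path and then opens a network connection, which is what a freshly spawned host process looks like after code has been injected into it. The page does not reproduce the ESCU SPL, so the Python below is an added illustration of that heuristic and not ESCU's own logic; it runs over constructed Sysmon-style events with hypothetical field names (`host`, `pid`, `command_line`, `dest_ip`, `dest_port`) and correlates process creation with a later network connection by host and process id.

```python
"""Added illustration of the "LOLBin with no command-line arguments + network" heuristic.

The events below are constructed samples in a Sysmon-like shape; the field names
are an assumption for this example and are not the fields ESCU's detections use.
"""

import os

# Binaries Windows itself launches with arguments. A bare image path that then
# talks to the network is a common sign of injected code (e.g. a default spawn-to).
WATCHED = {"dllhost.exe", "gpupdate.exe", "rundll32.exe", "searchprotocolhost.exe"}


def split_command_line(command_line):
    """Split a Windows command line into (image, remainder), honouring a quoted image path."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        if end == -1:
            return cl[1:], ""
        return cl[1:end], cl[end + 1:]
    parts = cl.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def is_bare_lolbin_launch(command_line):
    """True when a watched binary is started with no arguments at all."""
    image, rest = split_command_line(command_line)
    name = os.path.basename(image.replace("\\", "/")).lower()
    return name in WATCHED and rest.strip() == ""


def detect(events):
    """Correlate process-creation and network events by (host, pid); return alerts.

    Events are assumed to arrive in time order, so a bare launch is remembered
    and the first later network connection from the same pid raises an alert.
    """
    suspicious = {}  # (host, pid) -> image name of the bare launch
    alerts = []
    for ev in events:
        key = (ev["host"], ev["pid"])
        if ev["type"] == "process":
            if is_bare_lolbin_launch(ev["command_line"]):
                image, _ = split_command_line(ev["command_line"])
                suspicious[key] = os.path.basename(image.replace("\\", "/")).lower()
        elif ev["type"] == "network" and key in suspicious:
            alerts.append({
                "host": ev["host"],
                "pid": ev["pid"],
                "image": suspicious.pop(key),  # alert once per process
                "dest": f'{ev["dest_ip"]}:{ev["dest_port"]}',
            })
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # rundll32 with a DLL argument, then a network connection: normal, no alert
    {"type": "process", "host": "ws01", "pid": 4100,
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "network", "host": "ws01", "pid": 4100, "dest_ip": "10.0.0.5", "dest_port": 445},
    # quoted bare rundll32 image path that then reaches out on 443: alert
    {"type": "process", "host": "ws01", "pid": 4212,
     "command_line": '"C:\\Windows\\System32\\rundll32.exe"'},
    {"type": "network", "host": "ws01", "pid": 4212, "dest_ip": "203.0.113.9", "dest_port": 443},
    # bare dllhost.exe with no network activity: this network-gated rule stays quiet
    {"type": "process", "host": "ws02", "pid": 900,
     "command_line": "C:\\Windows\\System32\\dllhost.exe"},
    # dllhost acting as a COM surrogate (hypothetical CLSID) with network: normal
    {"type": "process", "host": "ws02", "pid": 912,
     "command_line": "C:\\Windows\\System32\\dllhost.exe "
                     "/Processid:{01234567-89AB-CDEF-0123-456789ABCDEF}"},
    {"type": "network", "host": "ws02", "pid": 912, "dest_ip": "10.0.0.7", "dest_port": 135},
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The same split is what makes the rule robust to quoted image paths, which is where a naive "command line equals image name" comparison usually breaks; in production the equivalent filter also needs an allow-list for the few hosts where these binaries legitimately start bare.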
New BA Analytics
- Windows DotNet Binary in Non Standard Path
- Windows LOLBin Binary in Non Standard Path
- Windows Script Host Spawn MSBuild
- Windows WMIPrvse Spawn MSBuild
Updated BA Analytics
- System Process Running from Unexpected Location
- Delete A Net User
- Modify ACLs Permission Of Files Or Folders
- WBAdmin Delete System Backups
- Minor change: Added CIS and NIST tags to all BA detections
Other ESCU updates
- MAJOR UPDATE: Overhauled the old tooling in bin/; all of its functionality now lives in bin/contentctl_project
- Updated playbooks: playbooks/custom_functions/indicator_collect.py and artifact_create.py
- Added Supported TAs to research.splunk.com
- Several updates to the detection_testing backend
- Tagged several detections with story names: Windows Registry Abuse, Data Destruction, Living Off The Land Story
- Updated detection names to have a max length of 67 characters