New Analytic Story
- AWS Credential Access
Updated Analytic Story
- Splunk Vulnerabilities
- DarkCrystal RAT
- Living Off The Land
- Linux Privilege Escalation
New Analytics
- AWS Credential Access Failed Login
- AWS Credential Access GetPasswordData
- AWS Credential Access RDS Password reset
- Linux AWK Privilege Escalation
- Linux Docker Privilege Escalation
- Linux Node Privilege Escalation
- Linux Curl Upload File
- Linux Ingress Tool Transfer Hunting
- Linux Ingress Tool Transfer with Curl
- Linux Proxy Socks Curl
- Windows DLL Search Order Hijacking with iscsicpl
- Windows Gather Victim Host Information Camera
- Windows Ingress Tool Transfer Using Explorer
- Splunk Endpoint Denial of Service DoS Zip Bomb
- Splunk Account Discovery Drilldown Dashboard Disclosure
Updated Analytics
- Executables Or Script Creation In Suspicious Path
- Windows Hunting System Account Targeting Lsass
- Scheduled Task Deleted Or Created via CMD
- Suspicious Scheduled Task from Public Directory
- Windows Command Shell DCRat ForkBomb Payload
- Windows System LogOff Commandline
- Windows System Shutdown CommandLine
- Windows System Reboot CommandLine
- Windows System Time Discovery W32tm Delay
- Potential password in username
Other Updates
- Added an optional enrichment to the BA detections that include a research_site_url tag.
- Added new arguments
init,inspect,cloud_deployto the contentctl project to initilialize a new repo from scratch and easily add your own content to a custom application, run appinspect locally and deploy the application to Splunk Cloud