github splunk/security_content v3.48.0

2 years ago

Updated Analytic Story

  • Azure Active Directory Account Takeover
  • Linux Living Off The Land
  • Linux Privilege Escalation
  • Windows Registry Abuse
  • Windows Defense Evasion Tactics

New Analytics

  • Azure AD Multi-Factor Authentication Disabled
  • Linux apt-get Privilege Escalation
  • Linux Busybox Privilege Escalation
  • Linux c89 Privilege Escalation
  • Linux c99 Privilege Escalation
  • Linux Composer Privilege Escalation
  • Linux Cpulimit Privilege Escalation
  • Linux Csvtool Privilege Escalation
  • Linux Emacs Privilege Escalation
  • Linux Find Privilege Escalation
  • Linux GDB Privilege Escalation
  • Linux Gem Privilege Escalation
  • Linux GNU Awk Privilege Escalation
  • Linux Make Privilege Escalation
  • Linux MySQL Privilege Escalation
  • Linux Octave Privilege Escalation
  • Linux OpenVPN Privilege Escalation
  • Linux Persistence and Privilege Escalation Risk Behavior
  • Linux PHP Privilege Escalation
  • Linux Puppet Privilege Escalation
  • Linux RPM Privilege Escalation
  • Linux Ruby Privilege Escalation
  • Linux Sqlite3 Privilege Escalation
  • Windows Autostart Execution LSASS Driver Registry Modification
  • Windows DLL Search Order Hijacking Hunt
  • Windows DLL Search Order Hijacking Hunt with Sysmon
  • Windows Remote Access Software Hunt

Updated Analytics

  • AWS ECR Container Scanning Findings Low Informational Unknown
  • Detect AWS Console Login by User from New City
  • Detect AWS Console Login by User from New Country
  • Detect AWS Console Login by User from New Region
  • Detect Excessive Account Lockouts From Endpoint
  • Detect Excessive User Account Lockouts
  • Log4Shell CVE-2021-44228 Exploitation
  • MSHTML Module Load in Office Product
  • Office Document Creating Schedule Task
  • Powershell Remote Thread To Known Windows Process
  • Windows InstallUtil Credential Theft
  • Windows Possible Credential Dumping

Other Updates

  • Minor text update to research.splunk.com (thanks to @yaleman)
  • Added fillnull_value=null to the security_content_summariesonly macro
  • Consolidated the requirements.txt file for contentctl and Docker-based detection testing, and updated the GitHub Actions workflow to run detection testing against the code in the pull request.
