github splunk/security_content v3.49.0


New Analytic Story

  • Azure Active Directory Persistence
  • Brute Ratel C4
  • CISA AA22-257A

New Analytics

  • Azure AD External Guest User Invited
  • Azure AD Global Administrator Role Assigned
  • Azure AD Multiple Failed MFA Requests For User
  • Azure AD New Custom Domain Added
  • Azure AD New Federated Domain Added
  • Azure AD Privileged Role Assigned
  • Azure AD Service Principal Created
  • Azure AD Service Principal Credentials Added
  • Azure AD Service Principal Owner Added
  • Azure AD User Enabled And Password Reset
  • Azure AD User ImmutableId Attribute Updated
  • Azure Automation Account Created
  • Azure Automation Runbook Created
  • Azure Runbook Webhook Created
  • Windows Access Token Manipulation SeDebugPrivilege
  • Windows Access Token Manipulation Winlogon Duplicate Token Handle
  • Windows Access Token Winlogon Duplicate Handle In Uncommon Path
  • Windows Defacement Modify Transcodedwallpaper File
  • Windows Event Triggered Image File Execution Options Injection
  • Windows Gather Victim Identity SAM Info
  • Windows Hijack Execution Flow Version Dll Side Load
  • Windows Input Capture Using Credential UI Dll
  • Windows Phishing Recent ISO Exec Registry
  • Windows Process Injection With Public Source Path
  • Windows Protocol Tunneling with Plink
  • Windows Remote Access Software BRC4 Loaded Dll
  • Windows Service Deletion In Registry
  • Windows System Binary Proxy Execution Compiled HTML File Decompile

Updated Analytics

  • AdsiSearcher Account Discovery
  • Get ADUser with PowerShell Script Block (Thanks to @TheLawsOfChaos)
  • Get DomainUser with PowerShell Script Block (Thanks to @TheLawsOfChaos)
  • High Process Termination Frequency
  • Linux Persistence and Privilege Escalation Risk Behavior
  • Living Off The Land
  • Log4Shell CVE-2021-44228 Exploitation
  • Recursive Delete of Directory In Batch CMD (Thanks to @TheLawsOfChaos)
  • Remote Process Instantiation via WMI and PowerShell Script Block (Thanks to @TheLawsOfChaos)
  • Svchost LOLBAS Execution Process Spawn (Thanks to @swe)

New BA Analytics

  • Windows Execute Arbitrary Commands with MSDT
  • Windows Ingress Tool Transfer Using Explorer
  • Windows Odbcconf Load Response File
  • Windows OS Credential Dumping with Ntdsutil Export NTDS
  • Windows OS Credential Dumping with Procdump
  • Windows System Binary Proxy Execution Compiled HTML File Decompile
  • Windows System Binary Proxy Execution Compiled HTML File URL In Command Line
  • Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers
  • Windows System Binary Proxy Execution MSIExec DLLRegisterServer
  • Windows System Binary Proxy Execution MSIExec Remote Download
  • Windows System Binary Proxy Execution MSIExec Unregister DLL

BA Updates

  • Tagged several BA analytics with Insider Threat and Information Sabotage analytic story

Other updates

Correlation-type searches (the RBA/RIR searches generated for Enterprise Security) have a new set of behaviors:

  • action.notable.param.rule_title is now prefixed with “RBA:”, for example “RBA: Living Off The Land”
  • action.correlationsearch.label now follows the form “ESCU - RIR - <rule_name> - Rule”, for example “ESCU - RIR - Living Off The Land - Rule”
  • The action.risk and action.risk.param.* fields have been removed, so that the notable raised by a risk-based search no longer feeds risk back into the same index (which produced a circular loop of ever-increasing risk scores)
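The three conventions above are easy to lint for when a custom build pipeline emits or edits savedsearches.conf. The following is an added example (not code from the security_content repository) that parses a small, constructed set of stanzas and reports any stanza that still carries the old title, label or risk-action shape. The stanza naming form "ESCU - <rule_name> - Rule" and the sub-key "action.risk.param._risk" are assumptions made for the sample; the checks themselves use only the field names listed above.

```python
import re
from typing import Dict, List

# Constructed sample savedsearches.conf content (not taken from the project).
# The first stanza follows the v3.49.0 convention; the second shows the older
# shape that the release notes say has been retired.
SAMPLE_CONF = """\
[ESCU - Living Off The Land - Rule]
action.notable.param.rule_title = RBA: Living Off The Land
action.correlationsearch.label = ESCU - RIR - Living Off The Land - Rule

[ESCU - Old Example - Rule]
action.notable.param.rule_title = Old Example
action.correlationsearch.label = ESCU - Old Example - Rule
action.risk = 1
action.risk.param._risk = [{"risk_object_field": "user"}]
"""

STANZA_RE = re.compile(r"^\[(?P<name>.+)\]$")
# Assumed stanza naming form: "ESCU - <rule_name> - Rule".
RULE_NAME_RE = re.compile(r"^ESCU - (?P<rule>.+) - Rule$")


def parse_stanzas(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .conf reader: [stanza] headers followed by key = value lines."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas[current] = {}
            continue
        if current is None or "=" not in line:
            continue  # key outside any stanza, or a malformed line: skip it
        key, value = line.split("=", 1)
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def check_correlation_stanza(name: str, fields: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the stanza is compliant."""
    findings: List[str] = []
    m = RULE_NAME_RE.match(name)
    if not m:
        return [f"stanza name does not follow 'ESCU - <rule_name> - Rule': {name}"]
    rule = m.group("rule")

    # 1. rule_title must carry the "RBA:" prefix.
    title = fields.get("action.notable.param.rule_title", "")
    if not title.startswith("RBA:"):
        findings.append("action.notable.param.rule_title is missing the 'RBA:' prefix")

    # 2. label must be "ESCU - RIR - <rule_name> - Rule".
    expected_label = f"ESCU - RIR - {rule} - Rule"
    if fields.get("action.correlationsearch.label") != expected_label:
        findings.append(f"action.correlationsearch.label should be '{expected_label}'")

    # 3. No action.risk / action.risk.param.* keys may remain.
    risk_keys = sorted(k for k in fields
                       if k == "action.risk" or k.startswith("action.risk.param."))
    if risk_keys:
        findings.append("stale risk keys present: " + ", ".join(risk_keys))
    return findings


def check_conf(text: str) -> Dict[str, List[str]]:
    """Map every stanza name to its findings."""
    return {name: check_correlation_stanza(name, fields)
            for name, fields in parse_stanzas(text).items()}


if __name__ == "__main__":
    for stanza, problems in check_conf(SAMPLE_CONF).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{stanza}: {status}")
```

Run against a real savedsearches.conf after an upgrade to find any locally customised stanzas that still carry the removed risk keys; those are the ones that would reintroduce the feedback loop the release notes describe.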
