github splunk/security_content v3.57.0

20 months ago

New Analytic Story

  • Chaos Ransomware
  • LockBit Ransomware

New Analytics

  • Detect suspicious DNS TXT records using pretrained model in DSDL
  • Windows Boot or Logon Autostart Execution In Startup Folder
  • Windows Modify Registry Default Icon Setting
  • Windows Phishing PDF File Executes URL Link
  • Windows Replication Through Removable Media
  • Windows User Execution Malicious URL Shortcut File
  • Windows Vulnerable Driver Loaded
  • Linux Ngrok Reverse Proxy Usage
  • Windows Server Software Component GACUtil Install to GAC
  • Windows PowerShell Add Module to Global Assembly Cache
  • Windows Credential Dumping LSASS Memory Createdump

Updated Analytics

  • Known Services Killed by Ransomware
  • Windows DLL Search Order Hijacking Hunt
  • Windows DLL Search Order Hijacking Hunt Sysmon
  • ProxyShell ProxyNotShell Behavior Detected (correlation)

Other Updates

  • Added 3 new playbook files from phantomcyber/playbooks to security_content: Dynamic Identifier Reputation Analysis, PhishTank URL Reputation Analysis, and VirusTotal v3 Identifier Reputation Analysis
  • Added onenote.exe to several detection analytics related to Office Products
