github splunk/security_content v3.61.0

latest releases: v4.28.0, v4.27.0, v4.26.0...
12 months ago

New Analytic Story

  • Sneaky Active Directory Persistence Tricks (Huge thanks and shoutout to Dean Luxton, Steven Dick for contributing detections)
  • BishopFox Sliver Adversary Emulation Framework

New Analytics

  • Notepad with no Command Line Arguments
  • Windows Process Injection into Notepad
  • Windows AD Same Domain SID History Addition
  • Windows AD Cross Domain SID History Addition
  • Windows AD Replication Request Initiated by User Account
  • Windows AD Replication Request Initiated from Unsanctioned Location
  • Windows AD Domain Replication ACL Addition
  • Windows AD DSRM Account Changes
  • Windows AD DSRM Password Reset
  • Windows AD Short Lived Domain Controller SPN Attribute
  • Windows AD Short Lived Server Object
  • Windows AD SID History Attribute Modified
  • Windows AD AdminSDHolder ACL Modified
  • Windows AD ServicePrincipalName Added To Domain Account
  • Windows AD Short Lived Domain Account ServicePrincipalName
  • Windows AD Rogue Domain Controller Network Activity
  • Windows AD Account SID History Addition
  • Windows AD Replication Service Traffic
  • Windows Unusual Count of Disabled Users Failed Auth Using Kerberos
  • Windows Unusual Count of Disabled Users Failed Auth Using Kerberos
  • Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
  • Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
  • Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
  • Windows Unusual Count Of Users Failed To Auth Using Kerberos
  • Windows Unusual Count Of Users Failed To Authenticate From Process
  • Windows Unusual Count Of Users Failed To Authenticate Using NTLM
  • Windows Unusual Count Of Users Remotely Failed To Auth From Host

Updated Analytics

  • Impacket Lateral Movement Commandline Parameters (Thank you Chris Chantrey)
  • Suspicious Regsvr32 Register Suspicious Path (Thank you DipsyTipsy)
  • Suspcious Reg.exe Process (Thank you DipsyTipsy)
  • Linux SSH Remote Services Script Execute (Thank you DipsyTipsy)

New Playbooks

  • Automated Enrichment (Parent Playbook)

    • Dynamic Attribute Lookup
    • Dynamic Identifier Reputation Analysis
    • Dynamic Related Tickets Search
  • ServiceNow Related Tickets Search

  • Splunk Notable Related Tickets Search

  • AD LDAP Entity Attributes Lookup

  • Azure AD Graph User Attributes Lookup

  • Crowdstrike OAuth API Device Attribute

Other Updates

  • Removed Experiemental/Deprecated BA detections removed from develop and research.splunk.com
  • Migrating Password Spraying to XML
  • Updates all of the splunkbase apps that are used for our automated testing framework

Don't miss a new security_content release

NewReleases is sending notifications on new releases.