github splunk/security_content v4.2.0

16 months ago

New Analytic Story

  • Azure Active Directory Privilege Escalation
  • PaperCut MF NG Vulnerability
  • Snake Malware
  • Windows BootKits

Updated Analytic Story

  • Data Exfiltration
  • Suspicious AWS S3 Activities

New Analytics

  • AWS AMI Attribute Modification for Exfiltration
  • AWS Disable Bucket Versioning
  • AWS EC2 Snapshot Shared Externally
  • AWS Exfiltration via Anomalous GetObject API Activity
  • AWS Exfiltration via Batch Service
  • AWS Exfiltration via Bucket Replication
  • AWS Exfiltration via DataSync Task
  • AWS Exfiltration via EC2 Snapshot
  • AWS S3 Exfiltration Behavior Identified
  • Azure AD Application Administrator Role Assigned
  • Azure AD Global Administrator Role Assigned
  • Azure AD PIM Role Assigned
  • Azure AD PIM Role Assignment Activated
  • Azure AD Privileged Authentication Administrator Role Assigned
  • Azure AD Privileged Role Assigned to Service Principal
  • Azure AD Service Principal Owner Added
  • PaperCut Remote Web Access Attempt
  • PaperCut Suspicious Behavior Debug Log
  • Windows PaperCut Spawn Shell
  • Windows Registry Bootexecute Modification
  • Windows Snake Malware File Modification Crmlog
  • Windows Snake Malware Kernel Driver Comadmin
  • Windows Snake Malware Registry Modification wav OpenWithProgIds
  • Windows Snake Malware Service Create
  • Windows Winlogon with Public Network Connection

Other Updates:

  • Updated several detection analytics to avoid the join command, which improves search performance.
  • Improved the BA (Behavioral Analytics) detections and the conversion tool, and added OCSF (Open Cybersecurity Schema Framework) fields.
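The join-removal note above describes a general SPL pattern rather than one detection, so the following added example illustrates it. It is not code from the security_content repository and does not reproduce any of the detections listed in this release: it correlates Sysmon process-creation events (EventCode 1) with network-connection events (EventCode 3) for winlogon.exe, first with a join and then with a single stats pass. The index name `win_sysmon` is an assumption; the field names (ProcessGuid, Image, ParentImage, DestinationIp, Computer) are standard Sysmon fields as extracted by the XmlWinEventLog sourcetype.

```spl
/* Assumed index name: win_sysmon (hypothetical). Not a security_content detection. */

/* BEFORE: join-based correlation. The subsearch is subject to the default
   subsearch limits (50,000 results, 60 s runtime), so on a busy index the
   network events are silently truncated and the detection misses matches. */
index=win_sysmon EventCode=1 Image="*\\winlogon.exe"
| fields Computer, ProcessGuid, Image, ParentImage
| join type=inner ProcessGuid
    [ search index=win_sysmon EventCode=3 Image="*\\winlogon.exe"
      | fields ProcessGuid, DestinationIp ]
| stats values(DestinationIp) as dest_ips, values(ParentImage) as parent_image
        by Computer, ProcessGuid, Image

/* AFTER: single pass over both event types, correlated with stats.
   No subsearch, no result cap, and one scan of the index instead of two. */
index=win_sysmon (EventCode=1 OR EventCode=3) Image="*\\winlogon.exe"
| eval dest_ip=if(EventCode=3, DestinationIp, null())
| stats count(eval(EventCode=1)) as proc_events,
        count(eval(EventCode=3)) as net_events,
        values(ParentImage) as parent_image,
        values(dest_ip) as dest_ips
        by Computer, ProcessGuid, Image
| where proc_events > 0 AND net_events > 0
```

The `where` clause keeps only ProcessGuids that appear in both event types, which is the inner-join semantics the first search expressed; `values()` collects the correlated fields without a second search over the same index. When converting an existing detection this way, check that every field the old join carried across is still produced by the stats aggregation, and that the `by` fields uniquely identify the entity being correlated (here the process GUID, not the image path alone).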
