splunk/security_content v4.24.0

on GitHub

Release notes for ESCUv4.24.0

New Analytics Story

• Office 365 Collection Techniques
• Phemedrone Stealer

Updated Analytics Story

• NOBELIUM Group

New Analytics

• Azure AD Admin Consent Bypassed by Service Principal
• Azure AD FullAccessAsApp Permission Assigned
• Azure AD Multiple Service Principals Created by SP
• Azure AD Multiple Service Principals Created by User
• Azure AD Privileged Graph API Permission Assigned
• Azure AD Service Principal Authentication
• O365 Admin Consent Bypassed by Service Principal
• O365 FullAccessAsApp Permission Assigned
• O365 Multiple Mailboxes Accessed via API
• O365 Multiple Service Principals Created by SP
• O365 Multiple Service Principals Created by User
• O365 OAuth App Mailbox Access via EWS
• O365 OAuth App Mailbox Access via Graph API
• O365 Privileged Graph API Permission Assigned
• Network Traffic to Active Directory Web Services Protocol
• Windows Privilege Escalation Suspicious Process Elevation
• Windows Privilege Escalation System Process Without System Parent
• Windows Privilege Escalation User Process Spawn System Process
• Windows SOAPHound Binary Execution
• Ivanti Connect Secure SSRF in SAML Component

Updated Analytics

• Splunk unnecessary file extensions allowed by lookup table uploads
• Azure AD High Number Of Failed Authentications From Ip
• Azure AD Multi-Source Failed Authentications Spike
• Azure AD Privileged Role Assigned
• Azure AD Privileged Role Assigned to Service Principal
• Azure AD Service Principal Created
• Azure AD Service Principal New Client Credentials
• Azure AD Service Principal Owner Added
• Azure AD Tenant Wide Admin Consent Granted
• O365 Added Service Principal
• O365 Application Registration Owner Added
• O365 ApplicationImpersonation Role Assigned
• O365 Mailbox Inbox Folder Shared with All Users
• O365 Mailbox Read Access Granted to Application
• O365 Multi-Source Failed Authentications Spike
• O365 Multiple Users Failing To Authenticate From Ip
• O365 Service Principal New Client Credentials
• O365 Suspicious Admin Email Forwarding
• O365 Suspicious Rights Delegation
• O365 Suspicious User Email Forwarding
• O365 Tenant Wide Admin Consent Granted
• Correlation by Repository and Risk
• Correlation by User and Risk
• Any Powershell DownloadFile
• Any Powershell DownloadString
• Attacker Tools On Endpoint
• Create local admin accounts using net exe
• Create Remote Thread In Shell Application
• Creation of Shadow Copy
• Detect Certify Command Line Arguments
• Detect Certify With PowerShell Script Block Logging
• Detect Excessive Account Lockouts From Endpoint
• Detect New Local Admin account
• Detect Regasm with Network Connection
• Detect Regsvcs with Network Connection
• Detect Use of cmd exe to Launch Script Interpreters
• Disable Show Hidden Files
• Disable Windows SmartScreen Protection
• Disabling ControlPanel
• Disabling SystemRestore In Registry
• Download Files Using Telegram
• Elevated Group Discovery with PowerView
• Executable File Written in Administrative SMB Share
• Executables Or Script Creation In Suspicious Path
• Execute Javascript With Jscript COM CLSID
• Execution of File with Multiple Extensions
• Extraction of Registry Hives
• Hiding Files And Directories With Attrib exe
• Linux Account Manipulation Of SSH Config and Keys
• Linux Deletion Of Cron Jobs
• Linux Deletion Of Init Daemon Script
• Linux Deletion Of Services
• Linux Deletion of SSL Certificate
• Linux High Frequency Of File Deletion In Boot Folder
• Linux High Frequency Of File Deletion In Etc Folder
• MacOS LOLbin
• MacOS plutil
• Network Discovery Using Route Windows App
• Non Chrome Process Accessing Chrome Default Dir
• Non Firefox Process Access Firefox Profile Dir
• Overwriting Accessibility Binaries
• PowerShell - Connect To Internet With Hidden Window
• Rundll32 Process Creating Exe Dll Files
• Scheduled Task Deleted Or Created via CMD
• Schtasks scheduling job on remote system
• Spoolsv Spawning Rundll32
• Spoolsv Writing a DLL
• Spoolsv Writing a DLL - Sysmon
• Suspicious Driver Loaded Path
• Suspicious mshta child process
• Suspicious Process DNS Query Known Abuse Web Services
• Suspicious Process File Path
• System Processes Run From Unexpected Locations
• Trickbot Named Pipe
• Windows Account Discovery for None Disable User Account
• Windows AD Replication Request Initiated by User Account
• Windows AD Replication Request Initiated from Unsanctioned Location
• Windows Admin Permission Discovery
• Windows Alternate DataStream - Base64 Content
• Windows Alternate DataStream - Executable Content
• Windows Credentials from Password Stores Chrome Extension Access
• Windows Credentials from Password Stores Chrome LocalState Access
• Windows Credentials from Password Stores Chrome Login Data Access
• Windows Gather Victim Network Info Through Ip Check Web Services
• Windows Process Injection Remote Thread
• Windows Registry Payload Injection
• Windows Replication Through Removable Media
• Windows Rundll32 WebDav With Network Connection
• Windows Scheduled Task Created Via XML
• Windows Scheduled Task Service Spawned Shell
• Windows Security Account Manager Stopped
• Windows Suspect Process With Authentication Traffic
• Windows UAC Bypass Suspicious Child Process
• Windows UAC Bypass Suspicious Escalation Behavior
• Windows WinLogon with Public Network Connection
• WinEvent Scheduled Task Created Within Public Path
• Detect DGA domains using pretrained model in DSDL
• DNS Query Length With High Standard Deviation
• Multiple Archive Files Http Post Traffic
• Plain HTTP POST Exfiltrated Data

Playbooks Updated

• Splunk Automated Email Investigation

Other Updates