splunk/security_content v4.40.0

on GitHub

Key highlights

Key Highlights for Enterprise Security Content Update version 4.40.0:

Compromised Linux Host: This update introduces a robust set of 50 detections for compromised Linux hosts, covering a wide range of activities such as unauthorized account creation, file ownership changes, kernel module modifications, privilege escalation, data destruction, and suspicious service stoppages, enhancing visibility into potential malicious actions and system tampering.

Black Suit Ransomware: We have tagged existing analytics, aligning with tactics, techniques, and procedures (TTPs) associated with the Black Suit ransomware, providing organizations with targeted threat detection capabilities to identify and mitigate ransomware attacks before they can cause significant damage.

CISA Alert (CISA AA24-241A): In response to a joint advisory regarding Iran-based cyber actors exploiting U.S. and foreign organizations, this update includes new detections for identifying PowerShell Web Access installations and enabling activities, strengthening defenses against ransomware and espionage activities linked to these threats.

Total New and Updated Content: [133]

New Analytic Story - [3]

• BlackSuit Ransomware
• CISA AA24-241A
• Compromised Linux Host

Updated Analytic Story - [0]

New Analytics - [52]

• Linux Auditd Add User Account Type
• Linux Auditd Add User Account
• Linux Auditd At Application Execution
• Linux Auditd Auditd Service Stop
• Linux Auditd Base64 Decode Files
• Linux Auditd Change File Owner To Root
• Linux Auditd Clipboard Data Copy
• Linux Auditd Data Destruction Command
• Linux Auditd Data Transfer Size Limits Via Split Syscall
• Linux Auditd Data Transfer Size Limits Via Split
• Linux Auditd Database File And Directory Discovery
• Linux Auditd Dd File Overwrite
• Linux Auditd Disable Or Modify System Firewall
• Linux Auditd Doas Conf File Creation
• Linux Auditd Doas Tool Execution
• Linux Auditd Edit Cron Table Parameter
• Linux Auditd File And Directory Discovery
• Linux Auditd File Permission Modification Via Chmod
• Linux Auditd File Permissions Modification Via Chattr
• Linux Auditd Find Credentials From Password Managers
• Linux Auditd Find Credentials From Password Stores
• Linux Auditd Find Private Keys
• Linux Auditd Find Ssh Private Keys
• Linux Auditd Hardware Addition Swapoff
• Linux Auditd Hidden Files And Directories Creation
• Linux Auditd Insert Kernel Module Using Insmod Utility
• Linux Auditd Install Kernel Module Using Modprobe Utility
• Linux Auditd Kernel Module Enumeration
• Linux Auditd Kernel Module Using Rmmod Utility
• Linux Auditd Nopasswd Entry In Sudoers File
• Linux Auditd Osquery Service Stop
• Linux Auditd Possible Access Or Modification Of Sshd Config File
• Linux Auditd Possible Access To Credential Files
• Linux Auditd Possible Access To Sudoers File
• Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File
• Linux Auditd Preload Hijack Library Calls
• Linux Auditd Preload Hijack Via Preload File
• Linux Auditd Service Restarted
• Linux Auditd Service Started
• Linux Auditd Setuid Using Chmod Utility
• Linux Auditd Setuid Using Setcap Utility
• Linux Auditd Shred Overwrite Command
• Linux Auditd Stop Services
• Linux Auditd Sudo Or Su Execution
• Linux Auditd Sysmon Service Stop
• Linux Auditd System Network Configuration Discovery
• Linux Auditd Unix Shell Configuration Modification
• Linux Auditd Unload Module Via Modprobe
• Linux Auditd Virtual Disk File And Directory Discovery
• Linux Auditd Whoami User Discovery
• Windows DISM Install PowerShell Web Access
• Windows Enable PowerShell Web Access

Updated Analytics - [72]

• ASL AWS Concurrent Sessions From Different Ips
• Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
• Anomalous usage of 7zip
• Citrix ADC Exploitation CVE-2023-3519
• Create Remote Thread into LSASS
• Create local admin accounts using net exe
• Detect Credential Dumping through LSASS access
• Detect New Local Admin account
• Detect Remote Access Software Usage DNS
• Detect Remote Access Software Usage File
• Detect Remote Access Software Usage Process
• Detect Remote Access Software Usage URL
• Detect SharpHound Command-Line Arguments
• Detect SharpHound File Modifications
• Disable Defender AntiVirus Registry
• Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
• Domain Controller Discovery with Nltest
• Elevated Group Discovery With Net
• Excessive Usage Of Taskkill
• Executable File Written in Administrative SMB Share
• F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
• Ivanti Connect Secure Command Injection Attempts
• Ivanti Connect Secure System Information Access via Auth Bypass
• Kerberos Pre-Authentication Flag Disabled in UserAccountControl
• Kubernetes Abuse of Secret by Unusual Location
• Kubernetes Abuse of Secret by Unusual User Agent
• Kubernetes Abuse of Secret by Unusual User Group
• Kubernetes Abuse of Secret by Unusual User Name
• Kubernetes Access Scanning
• Kubernetes Create or Update Privileged Pod
• Kubernetes Cron Job Creation
• Kubernetes DaemonSet Deployed
• Kubernetes Falco Shell Spawned
• Kubernetes Node Port Creation
• Kubernetes Pod Created in Default Namespace
• Kubernetes Pod With Host Network Attachment
• Kubernetes Scanning by Unauthenticated IP Address
• Kubernetes Suspicious Image Pulling
• Kubernetes Unauthorized Access
• Ngrok Reverse Proxy on Network
• PowerShell 4104 Hunting
• Powershell Disable Security Monitoring
• Registry Keys Used For Persistence
• Rubeus Command Line Parameters
• Rubeus Kerberos Ticket Exports Through Winlogon Access
• Rundll32 with no Command Line Arguments with Network
• Scheduled Task Deleted Or Created via CMD
• Suspicious Scheduled Task from Public Directory
• System Information Discovery Detection
• Unknown Process Using The Kerberos Protocol
• WinEvent Windows Task Scheduler Event Action Started
• Windows AD Abnormal Object Access Activity
• Windows AD Privileged Object Access Activity
• Windows Abused Web Services
• Windows AdFind Exe
• Windows Alternate DataStream - Base64 Content
• Windows Alternate DataStream - Executable Content
• Windows Alternate DataStream - Process Execution
• Windows Create Local Account
• Windows Disable or Modify Tools Via Taskkill
• Windows Driver Load Non-Standard Path
• Windows Modify Registry Delete Firewall Rules
• Windows Modify Registry to Add or Modify Firewall Rule
• Windows Ngrok Reverse Proxy Usage
• Windows Privilege Escalation Suspicious Process Elevation
• Windows Privilege Escalation System Process Without System Parent
• Windows Privilege Escalation User Process Spawn System Process
• Windows Remote Create Service
• Windows Remote Services Rdp Enable
• Windows UAC Bypass Suspicious Child Process
• Windows UAC Bypass Suspicious Escalation Behavior
• Wsmprovhost LOLBAS Execution Process Spawn

Macros Added - [3]

• linux_auditd
• linux_auditd_normalized_execve_process
• linux_auditd_normalized_proctitle_process

Other Updates

• Updated text in feedback center dashboard
• Added Splunk Enterprise 9.3 as a version compatible with ESCU when uploading to Splunkbase