splunk/security_content v5.0.0

on GitHub

🌟 Github Community

🎉 The Splunk Threat Research Team is thrilled to announce Enterprise Security Content Update (ESCU) v5.0.0!

Key Highlights

• (NEW) 🚨 Deprecation Assistant Dashboard: This release introduces a deprecation assistant dashboard for ESCU users to identify and manage deprecated detection analytics currently enabled in their Splunk Environment. These detections will be removed in ESCU v5.2.0 and could disrupt environments using them. For more in-depth information about which pieces of content will be removed and their replacements, please refer to the docs - 📄 Documentation.

• (NEW) 🛠️ Analytic Story Onboarding Assistant: In this release, we've introduced a redesigned home page with an enhanced UI that offers direct access to release notes, analytics counts, and the latest version on Splunkbase, complemented by a detailed timeline of STRT blogs and updates. Additionally, we've launched the Analytic Story Onboarding Assistant, a new preview feature designed to streamline the process of enabling several detections from multiple analytics stories for which there is data available in your Splunk Environment.

• 🔍 New Analytics: We have expanded our threat detection capabilities by mapping existing analytics and developing new detections for a range of threats, including Backdoor Pingpong, Cleo File Transfer Software, Crypto Stealer, SDDL Tampering Defense Evasion, Derusbi, Earth Estries, Nexus APT Threat Activity, WinDealer RAT, and XorDDos.

New Analytic Story - [9]

• Backdoor Pingpong
• Cleo File Transfer Software
• Crypto Stealer
• Defense Evasion or Unauthorized Access Via SDDL Tampering
• Derusbi
• Earth Estries
• Nexus APT Threat Activity
• WinDealer RAT
• XorDDos

New Analytics - [83]

• ASL AWS Create Access Key
• ASL AWS Create Policy Version to allow all resources
• ASL AWS Credential Access GetPasswordData
• ASL AWS Credential Access RDS Password reset
• ASL AWS Defense Evasion PutBucketLifecycle
• ASL AWS Detect Users creating keys with encrypt policy without MFA
• ASL AWS Disable Bucket Versioning
• ASL AWS EC2 Snapshot Shared Externally
• ASL AWS IAM AccessDenied Discovery Events
• ASL AWS IAM Assume Role Policy Brute Force
• ASL AWS Network Access Control List Created with All Open Ports
• ASL AWS Network Access Control List Deleted
• ASL AWS SAML Update identity provider
• ASL AWS UpdateLoginProfile
• Account Discovery With Net App
• Attempt To Stop Security Service
• Azure AD AzureHound UserAgent Detected
• Azure AD Service Principal Enumeration
• Azure AD Service Principal Privilege Escalation
• Change Default File Association
• Cmdline Tool Not Executed In CMD Shell
• Create local admin accounts using net exe
• Deleting Of Net Users
• Detect Remote Access Software Usage Registry
• Detect processes used for System Network Configuration Discovery
• Disabling Net User Account
• Domain Account Discovery With Net App
• Domain Group Discovery With Net
• Elevated Group Discovery With Net
• Excessive Service Stop Attempt
• Excessive Usage Of Net App
• Extraction of Registry Hives
• Linux Auditd Find Private Keys
• Local Account Discovery with Net
• MSHTML Module Load in Office Product
• Microsoft Intune Device Health Scripts
• Microsoft Intune DeviceManagementConfigurationPolicies
• Microsoft Intune Manual Device Management
• Net Localgroup Discovery
• Network Connection Discovery With Net
• O365 Service Principal Privilege Escalation
• Office Document Creating Schedule Task
• Office Document Executing Macro Code
• Office Document Spawned Child Process To Download
• Office Product Spawn CMD Process
• Password Policy Discovery with Net
• Windows Account Access Removal via Logoff Exec
• Windows CertUtil Download With URL Argument
• Windows Command Shell Fetch Env Variables
• Windows DNS Query Request by Telegram Bot API
• Windows Detect Network Scanner Behavior
• Windows File and Directory Enable ReadOnly Permissions
• Windows File and Directory Permissions Enable Inheritance
• Windows File and Directory Permissions Remove Inheritance
• Windows Impair Defenses Disable Auto Logger Session
• Windows Lateral Tool Transfer RemCom
• Windows MSIExec With Network Connections
• Windows Modify Registry Reg Restore
• Windows Network Share Interaction With Net
• Windows New Custom Security Descriptor Set On EventLog Channel
• Windows New Deny Permission Set On Service SD Via Sc.EXE
• Windows New EventLog ChannelAccess Registry Value Set
• Windows New Service Security Descriptor Set Via Sc.EXE
• Windows Obfuscated Files or Information via RAR SFX
• Windows Office Product Dropped Cab or Inf File
• Windows Office Product Dropped Uncommon File
• Windows Office Product Spawned Control
• Windows Office Product Spawned MSDT
• Windows Office Product Spawned Rundll32 With No DLL
• Windows Office Product Spawned Uncommon Process
• Windows Powershell Logoff User via Quser
• Windows Process With NetExec Command Line Parameters
• Windows Query Registry Reg Save
• Windows Registry Dotnet ETW Disabled Via ENV Variable
• Windows Remote Management Execute Shell
• Windows ScManager Security Descriptor Tampering Via Sc.EXE
• Windows Service Execution RemCom
• Windows Service Stop Attempt
• Windows Service Stop Via Net and SC Application
• Windows Set Account Password Policy To Unlimited Via Net
• Windows SubInAcl Execution
• Windows Suspicious Child Process Spawned From WebServer
• Windows User Discovery Via Net

Other Updates

• We've updated our YAML configurations by enhancing validation, improving accuracy and consistency, and replacing the 'observables' key with an 'RBA' key to better align with Enterprise Security standards and simplify risk attribution.