splunk/security_content v5.1.0

on GitHub

Release notes - v5.1.0

Key highlights

We released 4 new analytic stories and added 41 new detection analytics. Some high level details of the new analytic stories in this release

• 📡 Remote Monitoring and Management Software: Added a new story file to help users analyze unauthorized remote monitoring & management (RMM) tool usage, including detection of 3rd-party software installations like AnyDesk and TeamViewer through phishing/drive-by compromises.

• ☁️ AWS S3 Bucket Security Monitoring: A new analytic story which addresses the risks associated with S3 bucket misconfigurations and potential hijacking of decommissioned buckets. This story includes baselines and detections that track public S3 buckets before deletion, monitor access attempts to these bucket names, and identify potential hijacking activities, leveraging AWS CloudTrail logs, DNS queries, and web proxy data to ensure robust monitoring and security.

• 🛡️ Security Solution Tampering: A new analytic story, which includes new detections focused on identifying tampering activities with Cisco Secure Endpoint services. These detections cover techniques such as inhibiting system recovery and disabling or modifying security tools, enhancing our ability to detect and respond to potential security threats.

• 📋 Windows Audit Policy Tampering: We also added detections for Windows audit policies, which are crucial for logging key system activities for monitoring and forensic analysis. This analytic story provides a framework to detect suspicious activities involving audit policy manipulation, such as the use of auditpol.exe with specific flags, helping to uncover potential malicious activity and maintain the integrity of security monitoring mechanisms.

• In addition, external contributor @nterl0k has significantly enhanced our detection capabilities with six new Office 365 security detections and several other detections.. These include monitoring changes to email transport rules, various methods of data exfiltration, and suspicious authentication and search behaviors, providing robust protection against potential threats.

New Analytic Story - [4]

• AWS S3 Bucket Security Monitoring
• Remote Monitoring and Management Software (External Contributor: @nterl0k)
• Security Solution Tampering
• Windows Audit Policy Tampering

New Analytics - [41]

• Cisco Secure Application Alerts
• Cisco AI Defense Security Alerts by Application Name
• Detect Web Access to Decommissioned S3 Bucket
  Detect DNS Query to Decommissioned S3 Bucket
• O365 Email Transport Rule Changed (External Contributor: @nterl0k)
• O365 Exfiltration via File Access (External Contributor: @nterl0k)
• O365 Exfiltration via File Download (External Contributor: @nterl0k)
• O365 Exfiltration via File Sync Download (External Contributor: @nterl0k)
• O365 Multiple OS Vendors Authenticating From User (External Contributor: @nterl0k)
• O365 SharePoint Suspicious Search Behavior (External Contributor: @nterl0k)
• Potential Telegram API Request Via CommandLine (External Contributor: @zake1god)
• Windows Audit Policy Auditing Option Disabled via Auditpol
• Windows Audit Policy Auditing Option Modified - Registry
• Windows Audit Policy Cleared via Auditpol
• Windows Audit Policy Disabled via Auditpol
• Windows Audit Policy Disabled via Legacy Auditpol
• Windows Audit Policy Excluded Category via Auditpol
• Windows Audit Policy Restored via Auditpol
• Windows Audit Policy Security Descriptor Tampering via Auditpol
• Windows BitLocker Suspicious Command Usage (External Contributor: @nterl0k)
• Windows Cisco Secure Endpoint Related Service Stopped
• Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc
• Windows Cisco Secure Endpoint Unblock File Via Sfc
• Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc
• Windows Compatibility Telemetry Suspicious Child Process
• Windows Compatibility Telemetry Tampering Through Registry
• Windows Event Logging Service Has Shutdown
• Windows Global Object Access Audit List Cleared Via Auditpol
• Windows Important Audit Policy Disabled
• Windows PowerShell Process With Malicious String (External Contributor: @nterl0k)
• Windows PowerShell Script Block With Malicious String (External Contributor: @nterl0k)
• Windows Process Executed From Removable Media (External Contributor: @nterl0k)
• Windows Process Execution in Temp Dir
• Windows Remote Desktop Network Bruteforce Attempt
• Windows Security And Backup Services Stop
• Windows Service Created with Suspicious Service Name
• Windows Suspicious Driver Loaded Path
• Windows Suspicious Process File Path
• Windows System Remote Discovery With Query
• Windows USBSTOR Registry Key Modification (External Contributor: @nterl0k)
• Windows WPDBusEnum Registry Key Modification (External Contributor: @nterl0k)

(Big thank you to @nterl0k from our Github Community for contributing several amazing tested detections, stories, lookups for this release! )

Macros Added - [4]

• important_audit_policy_subcategory_guids
• normalized_service_binary_field
• process_auditpol
• windows_exchange_iis

Macros Updated - [11]

• ms_defender
• powershell
• printservice
• remoteconnectionmanager
• sysmon
• wineventlog_application
• wineventlog_rdp
• wineventlog_security
• wineventlog_system
• wineventlog_task_scheduler
• wmi

Lookups Added - [2]

• malicious_powershell_strings
• windows_suspicious_services

Lookups Updated - [5]

• asr_rules
• builtin_groups_lookup
• dynamic_dns_providers_default
• remote_access_software
• security_services_lookup

Other updates

• New baselines: Baseline Of Open S3 Bucket Decommissioning
• Added a dropdown for dashboards to the navigation bar