github splunk/security_content v5.26.0


🚀 Key Highlights

  • 🍎 macOS Detection Coverage Expansion: Expanded detection coverage for macOS environments with three new analytic stories - macOS Persistence Techniques, macOS Post-Exploitation, and macOS Privilege Escalation - delivering visibility across the full attack lifecycle. This release introduces detections for behaviors such as account creation, Gatekeeper bypass, keychain dumping, LoginHook persistence, kextload abuse, hidden files/directories, log removal, data chunking, network share discovery, and firewall rule enumeration, strengthening defense against stealthy macOS threats and improving monitoring of attacker activity on Apple endpoints.
  • ⛓️ Axios Supply Chain Post-Compromise Activity: Expanded detection coverage for Axios-related supply chain post-compromise scenarios by tagging existing analytics that capture behaviors associated with malicious package execution and downstream abuse. This update improves visibility into post-installation script execution, credential access, data exfiltration, and persistence mechanisms often triggered after a compromised dependency is introduced, helping defenders detect and respond to supply chain attacks impacting JavaScript and Node.js ecosystems.

New Analytic Story - [4]

New Analytics - [11]

Other Updates

  • Fixed a bug in the Onboarding Assistant that affected Splunk Cloud customers whose instances are configured on ports other than 8000. In these cases, detections within an analytic story failed to enable correctly or behaved inconsistently. This issue has been resolved, and detections can now be enabled successfully.
  • Updated all "View risk events for the last 7 days" drilldown searches to reflect the correct earliest and latest time configuration.
  • Improved detection coverage and accuracy across multiple rules by fixing regex issues, refining conditions, adding macro usage, and reducing false positives. To view the detailed list of updates and the associated GitHub issues, please view the details in this pull request.
  • Removed missing fields from the Windows Event Log Cleared detection (External Contributor: AndreiBanaru).

Breaking Changes

As previously communicated in the ESCU v5.24.0 release, several detections have been removed. For a complete list of the detections removed in version v5.26.0, refer to the List of Removed Detections. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v6.1.0, see the List of Detections Scheduled for Removal.
