github splunk/security_content v6.2.0

12 hours ago

🚀 Key Highlights

🏴 Linux Dirty Frag Privilege Escalation (CVE-2026-43284 & CVE-2026-43500) 🏴

Added a new detection for the Dirty Frag Linux kernel privilege escalation vulnerabilities, identifying the exploit's characteristic high-frequency splice() syscall activity followed by execution of a setuid binary within the same audit session. This analytic provides early visibility into attempts to corrupt the kernel page cache and escalate privileges to root through abuse of the IPsec ESP or RxRPC subsystems.

👻 Phantom Stealer 👻

Expanded detection coverage for this Windows information stealer that targets browser credentials, FTP/SSH clients, cryptocurrency wallets, and other sensitive application data. This release adds a new detection for unauthorized access to WinSCP security configuration folders while tagging and enhancing existing analytics covering browser credential theft, PowerShell abuse, process injection, persistence, suspicious browser behavior, and data exfiltration, improving visibility into credential harvesting and post-compromise activity commonly associated with modern infostealers.

⏫ Sysmon Event ID 8 Detection Improvements ⏫

Refined detection coverage built on Sysmon Event ID 8 (CreateRemoteThread) by aligning the data source with native Sysmon field mappings, updating analytics to use the correct raw field names, and reducing false positives through rule consolidation and deprecation of noisy content. This release also introduces a new detection — Windows Uncommon Remote Thread Creation in Browser Process — strengthening visibility into process injection techniques while improving the accuracy and maintainability of existing CreateRemoteThread analytics.

🪨 AWS Bedrock Claude AI Security Analytics 🪨

Introduced a new analytic story for AWS Bedrock Claude focused on detecting prompt injection, jailbreak attempts, and suspicious AI interactions targeting enterprise generative AI workloads. This release adds analytics to identify cross-region inference abuse, excessive token consumption, high-risk filesystem and execution tool invocation, hostile prompt sentiment, prompt injection attempts, sensitive data exposure in prompts, and unusually large prompt submissions, providing security teams with visibility into attempts to bypass AI safety controls, manipulate model behavior, or misuse Claude-powered applications.

New Analytic Story - [2]

New Analytics - [10]

Updated Analytics - [53]

Other Updates

🧱 PowerShell ScriptBlock Analytics Refinement 🧱

Updated the finding messages for detections leveraging the PowerShell ScriptBlock data source to improve readability by omitting oversized ScriptBlockText fields, while also converting these analytics to Anomaly detections and refining their descriptions for clearer triage.

Content Scheduled for Removal in Future Releases

Content Content Type Removed in Version Reason Replacement Content
PowerShell - Connect To Internet With Hidden Window Detection 6.4.0 Detection has been deprecated due to incorrect logic and bad performance. None
Regsvr32 with Known Silent Switch Cmdline Detection 6.4.0 Detection has been deprecated since its logic is already covered by another more improved detection. Regsvr32 Silent and Install Param Dll Loading
Rundll32 CreateRemoteThread In Browser Detection 6.4.0 Detection has been deprecated. The search is being replaced with a more generic detection that captures the behavior instead of relying on specific source processes. Windows Uncommon Remote Thread Creation In Browser Process
Splunk App for Lookup File Editing RCE via User XSLT Detection 6.4.0 Detection has been deprecated because it's too generic and does not provide the ability to detect the payload executed via this exploit. None
Splunk Code Injection via custom dashboard leading to RCE Detection 6.4.0 Detection has been deprecated. The affected Splunk software versions (8.1.12, 8.2.9, and 9.0.2) are no longer supported, having reached End of Life (EOL) between 2023 and 2024. Also, the logic is not perfectly capturing the malicious activity. None
Splunk Enterprise KV Store Incorrect Authorization Detection 6.4.0 Detection has been deprecated. The affected Splunk software versions (below 9.0.8 and 9.1.3)are no longer supported, having reached End of Life (EOL), and the logic is not accurately detecting the malicious activity. None
Splunk Information Disclosure on Account Login Detection 6.4.0 Detection has been deprecated. The logic is not accurately detecting the malicious activity. None
Splunk Path Traversal In Splunk App For Lookup File Edit Detection 6.4.0 Detection has been deprecated. The logic is not accurately detecting the malicious activity. None
Splunk RCE PDFgen Render Detection 6.4.0 Detection has been deprecated. The metadata along with the search are not accurately capturing the malicious activity. None
Windows Process Injection Of Wermgr to Known Browser Detection 6.4.0 Detection has been deprecated. The search is being replaced with a more generic detection that captures the behavior instead of relying on specific source processes. Windows Uncommon Remote Thread Creation In Browser Process
Windows Process Injection With Public Source Path Detection 6.4.0 Detection has been deprecated. The search is not helpful for the user to implement nor use, as it will generate too many false positives. None

Don't miss a new security_content release

NewReleases is sending notifications on new releases.