v3.55.0

New Analytic Story

• Prestige Ransomware
• Windows Post-Exploitation

New Analytics

• Windows Modify Registry Reg Restore
• Windows Query Registry Reg Save
• Windows System User Discovery Via Quser
• Windows WMI Process And Service List
• Windows Cached Domain Credentials Reg Query
• Windows ClipBoard Data via Get-ClipBoard
• Windows Credentials from Password Stores Query
• Windows Credentials in Registry Reg Query
• Windows Indirect Command Execution Via Series Of Forfiles
• Windows Information Discovery Fsutil
• Windows Password Managers Discovery
• Windows Private Keys Discovery
• Windows Security Support Provider Reg Query
• Windows Steal or Forge Kerberos Tickets Klist
• Windows System Network Config Discovery Display DNS
• Windows System Network Connections Discovery Netsh
• Windows Change Default File Association For No File Ext
• Windows Service Stop Via Net and SC Application

Other Updates

• Added new Mitre MAP Coverage map json files to show the CISA 2021 Top Malware TTP coverage in docs/mitre-map.
• Fixed a bug in contentctl to appropriate scheduling configuration in savedsearches.conf

v3.54.0

New Analytic Story

• CISA AA22-320A
• Reverse Network Proxy
• MetaSploit

New Analytics

• Ngrok Reverse Proxy on Network
• Powershell Load Module in Meterpreter
• Windows Apache Benchmark Binary
• Windows Mimikatz Binary Execution
• Windows MSExchange Management Mailbox Cmdlet Usage
• Windows Ngrok Reverse Proxy Usage
• Windows Service Created with Suspicious Service Path

Updated Analytics

• BITSAdmin Download File (Thank you @BlackB0lt)
• Common Ransomware Extensions (Thank you Steven Dick!) Issue 2448
• Exchange PowerShell Module Usage

New BA Analytics

• Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser
• Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView

Updated BA Analytics

• Windows Exchange PowerShell Module Usage

Other Updates

• Tagged several detections for AgentTesla, Qakbot
• Crowdstike TA added to detection testing pipeline

v3.53.0

New Analytic Story

• OpenSSL CVE-2022-3602

Updated Analytic Story

• IcedID
• Remcos
• Qakbot
• Azorult

New Analytics

• SSL Certificates with Punycode
• Windows App Layer Protocol Qakbot NamedPipe
• Zeek x509 Certificate with Punycode

Updated Analytics

• Attempted Credential Dump From Registry via Reg exe
• AWS Detect Users with KMS keys performing encryption S3 (thank you Antony Bowesman)
• AWS ECR Container Upload Outside Business Hours (thank you Antony Bowesman)
• BITSAdmin Download File
• BITS Job Persistence
• Common Ransomware Extensions (thank you Steven Dick)
• Creation of Shadow Copy
• Detect Rare Executables (thank you Antony Bowesman)
• Dump LSASS via procdump
• Executables Or Script Creation In Suspicious Path
• Kubernetes AWS detect suspicious kubectl calls (thank you Antony Bowesman)
• O365 Disable MFA (thank you Jamie Windley)
• Office Document Executing Macro Code
• Office Product Spawn CMD Process
• Office Product Spawning Windows Script Host
• Process Creating LNK file in Suspicious Location
• RunDLL Loading DLL By Ordinal
• Suspicious Process File Path

Other updates

• The name for a few analytics tests were updated #2455
• Added a CI check to validate NIST and CIS20 tags #2390

v3.52.0

New Analytic Story

• CVE-2022-40684 Fortinet Appliance Auth bypass
• GCP Account Takeover
• Qakbot
• Text4Shell CVE-2022-42889

Updated Analytic Story

• Splunk Vulnerabilities - Please refer here for more information around the November 2, 2022 Release

New Analytics

• Exploit Public Facing Application via Apache Commons Text
• Fortinet Appliance Auth bypass
• GCP Authentication Failed During MFA Challenge
• GCP Multi-Factor Authentication Disabled
• GCP Multiple Failed MFA Requests For User
• GCP Multiple Users Failing To Authenticate From Ip
• GCP Successful Single-Factor Authentication
• GCP Unusual Number of Failed Authentications From Ip
• Splunk Code Injection via custom dashboard leading to RCE
• Splunk Data exfiltration from Analytics Workspace using sid query
• Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature
• Splunk Reflected XSS in the templates lists radio
• Splunk Stored XSS via Data Model objectName field
• Splunk XSS in Save table dialog header in search page
• Windows App Layer Protocol Wermgr Connect To NamedPipe
• Windows Command Shell Fetch Env Variables
• Windows DLL Side-Loading In Calc
• Windows DLL Side-Loading Process Child Of Calc
• Windows Masquerading Explorer As Child Process
• Windows Modify Registry Qakbot Binary Data Registry
• Windows Process Injection Of Wermgr to Known Browser
• Windows Process Injection Remote Thread
• Windows Process Injection Wermgr Child Process
• Windows Regsvr32 Renamed Binary
• Windows System Discovery Using ldap Nslookup
• Windows System Discovery Using Qwinsta
• Windows WMI Impersonate Token

New BA Analytics

• Office Product Spawning Windows Script Host
• Windows COM Hijacking InprocServer32 Modification
• Windows Exchange PowerShell Module Usage

Other updates

• Added a tag called data_schema that has the version used for CIM/OCSF
• Updated a bug template for creating better Github Issues

v3.51.0

New Analytic Story

• CISA AA22-277A
• ProxyNotShell

New Analytics

• AWS Console Login Failed During MFA Challenge
• AWS Multi-Factor Authentication Disabled
• AWS Multiple Failed MFA Requests For User
• AWS Successful Single-Factor Authentication
• Detect Exchange Web Shell
• ProxyShell ProxyNotShell Behavior Detected
• Windows Create Local Account
• Windows Exchange Autodiscover SSRF Abuse (Thank you Nathaniel Stearns!)
• Windows Mshta Execution In Registry

Updated Analytics

• Detect SharpHound File Modifications
• Exchange PowerShell Abuse via SSRF
• Exchange PowerShell Module Usage
• Unified Messaging Service Spawning a Process

New BA Analytics

• Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path
• Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path
• Windows Rename System Utilities Advpack dll LOLBAS in Non Standard
• Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path
• Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path
• Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path
• Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path
• Windows Rename System Utilities At exe LOLBAS in Non Standard Path
• Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path

Other updates

• Added a new tool lolbas_enrichment.py when executed builds a csv of all the lolbas paths: ./lolbas_file_path.csv and auto generated the BA detection with the latest lolbas paths: ./ssa___windows_lolbin_binary_in_non_standard_path.yml and its required supporting testing artifacts.
• Updated Attacker Tools lookup with Mimikatz and Advanced IP Scanner

v3.50.0

New Analytic Story

• AgentTesla
• AWS Identity and Access Management Account Takeover
• CISA AA22-264A
• Okta MFA Exhaustion

New Analytics

• AWS Multiple Users Failing To Authenticate From Ip
• AWS Unusual Number of Failed Authentications From Ip
• Detect DGA domains using pretrained model in DSDL
• Okta Account Locked Out
• Okta MFA Exhaustion Hunt
• Okta New API Token Created
• Okta New Device Enrolled on Account
• Okta Suspicious Activity Reported
• Okta ThreatInsight Threat Detected
• Okta Two or More Rejected Okta Pushes
• Okta Risk Threshold Exceeded
• Office Product Spawning Windows Script Host
• Powershell COM Hijacking InprocServer32 Modification
• Windows COM Hijacking InprocServer32 Modification
• Windows File Transfer Protocol In Non-Common Process Path
• Windows ISO LNK File Creation
• Windows Mail Protocol In Non-Common Process Path
• Windows Multi hop Proxy TOR Website Query
• Windows System Script Proxy Execution Syncappvpublishingserver

Updated Analytics

• Multiple Okta Users With Invalid Credentials From The Same IP
• Okta Account Lockout Events
• Okta Failed SSO Attempts
• Exchange PowerShell Module Usage
• Registry Keys Used For Persistence
• Windows Phishing Recent ISO Exec Registry

BA Updates

• source field updated to XmlWinEventLog for Windows System Binary Proxy Execution Compiled HTML File Decompile (released in 3.49.1)

Other updates

• Removed slim dependency in Github Actions, skip detection testing on tag creation and token updated
• Fixed bugs in the init functionality for creating a security_content custom application
• Added advanced_port_scanner.exe to Attacker Tools Lookup
• Updated the Github Actions workflow steps to create and push files for the SSE API

NOTE

This release contains a new type of analytic( Detect DGA domains using pretrained model in DSDL) that leverages the Splunk App for Data Science and Deep Learning to detect DNS connections to domains generated by Domain Generation Algorithms. This detection uses a pre-trained deep learning model and you can find the steps to deploy this model in our GitHub Wiki.

v3.49.1

Merge pull request #2386 from splunk/fixing-winxml-log

fix ssa___windows_system_binary_proxy_execution_compiled_html_file test file

v3.49.0

New Analytic Story

• Azure Active Directory Persistence
• Brute Ratel C4
• CISA AA22-257A

New Analytics

• Azure AD External Guest User Invited
• Azure AD Global Administrator Role Assigned
• Azure AD Multiple Failed MFA Requests For User
• Azure AD New Custom Domain Added
• Azure AD New Federated Domain Added
• Azure AD Privileged Role Assigned
• Azure AD Service Principal Created
• Azure AD Service Principal Credentials Added
• Azure AD Service Principal Owner Added
• Azure AD User Enabled And Password Reset
• Azure AD User ImmutableId Attribute Updated
• Azure Automation Account Created
• Azure Automation Runbook Created
• Azure Runbook Webhook Created
• Windows Access Token Manipulation SeDebugPrivilege
• Windows Access Token Manipulation Winlogon Duplicate Token Handle
• Windows Access Token Winlogon Duplicate Handle In Uncommon Path
• Windows Defacement Modify Transcodedwallpaper File
• Windows Event Triggered Image File Execution Options Injection
• Windows Gather Victim Identity SAM Info
• Windows Hijack Execution Flow Version Dll Side Load
• Windows Input Capture Using Credential UI Dll
• Windows Phishing Recent ISO Exec Registry
• Windows Process Injection With Public Source Path
• Windows Protocol Tunneling with Plink
• Windows Remote Access Software BRC4 Loaded Dll
• Windows Service Deletion In Registry
• Windows System Binary Proxy Execution Compiled HTML File Decompile

Updated Analytics

• AdsiSearcher Account Discovery
• Get ADUser with PowerShell Script Block (Thanks to @TheLawsOfChaos)
• Get DomainUser with PowerShell Script Block(Thanks to @TheLawsOfChaos)
• High Process Termination Frequency
• Linux Persistence and Privilege Escalation Risk Behavior
• Living Off The Land
• Log4Shell CVE-2021-44228 Exploitation
• Recursive Delete of Directory In Batch CMD(Thanks to @TheLawsOfChaos)
• Remote Process Instantiation via WMI and PowerShell Script Block(Thanks to @TheLawsOfChaos)
• Svchost LOLBAS Execution Process Spawn(Thanks to @swe)

New BA Analytics

• Windows Execute Arbitrary Commands with MSDT
• Windows Ingress Tool Transfer Using Explorer
• Windows Odbcconf Load Response File
• Windows OS Credential Dumping with Ntdsutil Export NTDS
• Windows OS Credential Dumping with Procdump
• Windows System Binary Proxy Execution Compiled HTML File Decompile
• Windows System Binary Proxy Execution Compiled HTML File URL In Command Line
• Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers
• Windows System Binary Proxy Execution MSIExec DLLRegisterServer
• Windows System Binary Proxy Execution MSIExec Remote Download
• Windows System Binary Proxy Execution MSIExec Unregister DLL

BA Updates

• Tagged several BA analytics with Insider Threat and Information Sabotage analytic story

Other updates

Correlation type searches have a new set of behaviors:

• The action.notable.param.rule_tile is now prefixed with “RBA:”, for example “RBA: Living Off The Land”
• The action.correlationsearch.label is now updated to reflect “ESCU - RIR - <rule_name> - Rule”, for example: “ESCU - RIR - Living Off The Land - Rule”
• The action.risk, action.risk.param.* fields have been removed to avoid a circular loop of increasing risk scores.

v3.48.0

Updated Analytic Story

• Azure Active Directory Account Takeover
• Linux Living Off The Land
• Linux Privilege Escalation
• Windows Registry Abuse
• Windows Defense Evasion Tactics

New Analytics

• Azure AD Multi-Factor Authentication Disabled
• Linux apt-get Privilege Escalation
• Linux Busybox Privilege Escalation
• Linux c89 Privilege Escalation
• Linux c99 Privilege Escalation
• Linux Composer Privilege Escalation
• Linux Cpulimit Privilege Escalation
• Linux Csvtool Privilege Escalation
• Linux Emacs Privilege Escalation
• Linux Find Privilege Escalation
• Linux GDB Privilege Escalation
• Linux Gem Privilege Escalation
• Linux GNU Awk Privilege Escalation
• Linux Make Privilege Escalation
• Linux MySQL Privilege Escalation
• Linux Octave Privilege Escalation
• Linux OpenVPN Privilege Escalation
• Linux Persistence and Privilege Escalation Risk Behavior
• Linux PHP Privilege Escalation
• Linux Puppet Privilege Escalation
• Linux RPM Privilege Escalation
• Linux Ruby Privilege Escalation
• Linux Sqlite3 Privilege Escalation
• Windows Autostart Execution LSASS Driver Registry Modification
• Windows DLL Search Order Hijacking Hunt
• Windows DLL Search Order Hijacking Hunt with Sysmon
• Windows Remote Access Software Hunt

Updated Analytics

• AWS ECR Container Scanning Findings Low Informational Unknown
• Detect AWS Console Login by User from New City
• Detect AWS Console Login by User from New Country
• Detect AWS Console Login by User from New Region
• Detect Excessive Account Lockouts From Endpoint
• Detect Excessive User Account Lockouts
• Log4Shell CVE-2021-44228 Exploitation
• MSHTML Module Load in Office Product
• Office Document Creating Schedule Task
• Powershell Remote Thread To Known Windows Process
• Windows InstallUtil Credential Theft
• Windows Possible Credential Dumping

Other Updates

• Minor text update to research.splunk.com (thanks to @yaleman )
• Added fillnull_value=null to security_content_summariesonly macro
• Consolidated requirements.txt file for contentctl and docker detection testing and updated github actions workflow to run detection testing based on the code in the pull request.

v3.47.0

New Analytic Story

• AWS Credential Access

Updated Analytic Story

• Splunk Vulnerabilities
• DarkCrystal RAT
• Living Off The Land
• Linux Privilege Escalation

New Analytics

• AWS Credential Access Failed Login
• AWS Credential Access GetPasswordData
• AWS Credential Access RDS Password reset
• Linux AWK Privilege Escalation
• Linux Docker Privilege Escalation
• Linux Node Privilege Escalation
• Linux Curl Upload File
• Linux Ingress Tool Transfer Hunting
• Linux Ingress Tool Transfer with Curl
• Linux Proxy Socks Curl
• Windows DLL Search Order Hijacking with iscsicpl
• Windows Gather Victim Host Information Camera
• Windows Ingress Tool Transfer Using Explorer
• Splunk Endpoint Denial of Service DoS Zip Bomb
• Splunk Account Discovery Drilldown Dashboard Disclosure

Updated Analytics

• Executables Or Script Creation In Suspicious Path
• Windows Hunting System Account Targeting Lsass
• Scheduled Task Deleted Or Created via CMD
• Suspicious Scheduled Task from Public Directory
• Windows Command Shell DCRat ForkBomb Payload
• Windows System LogOff Commandline
• Windows System Shutdown CommandLine
• Windows System Reboot CommandLine
• Windows System Time Discovery W32tm Delay
• Potential password in username

Other Updates

• Added an optional enrichment to the BA detections that include a research_site_url tag.
• Added new arguments init ,inspect, cloud_deploy to the contentctl project to initilialize a new repo from scratch and easily add your own content to a custom application, run appinspect locally and deploy the application to Splunk Cloud