Merge pull request #3378 from splunk/v5.1.1

Updating lookup 5.1.1
splunk · Mar 4, 2025 · 3dbc72f · 3dbc72f
2 parents f0857d6 + 6e84f4c
commit 3dbc72f
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 4 deletions.
diff --git a/contentctl.yml b/contentctl.yml
@@ -3,7 +3,7 @@ app:
   uid: 3449
   title: ES Content Updates
   appid: DA-ESS-ContentUpdate
-  version: 5.1.0
+  version: 5.1.1
   description: Explore the Analytic Stories included with ES Content Updates.
   prefix: ESCU
   label: ESCU

diff --git a/lookups/malicious_powershell_strings.csv b/lookups/malicious_powershell_strings.csv
@@ -16,7 +16,7 @@ command,toolkit,match,description
 *Invoke-TokenManipulation*,PowerSploit,Invoke-TokenManipulation,"Lists available logon tokens. Creates processes with other users logon tokens, and impersonates logon tokens in the current thread."
 *Invoke-CredentialInjection*,PowerSploit,Invoke-CredentialInjection,Create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon).
 *Invoke-NinjaCopy*,PowerSploit,Invoke-NinjaCopy,Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.
-*Invoke-Mimikatz*,PowerSploit,Invoke-Mimikatz,Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz.
+*Invoke-Mimikatz*,PowerSploit,Invoke-Mimikatz,Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to extract sensitive credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz.
 *Get-Keystrokes*,PowerSploit,Get-Keystrokes,"Logs keys pressed, time and the active window."
 *Get-GPPPassword*,PowerSploit,Get-GPPPassword,Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
 *Get-GPPAutologon*,PowerSploit,Get-GPPAutologon,Retrieves autologon username and password from registry.xml if pushed through Group Policy Preferences.

diff --git a/lookups/malicious_powershell_strings.yml b/lookups/malicious_powershell_strings.yml
@@ -1,6 +1,6 @@
 name: malicious_powershell_strings
-date: 2025-01-20
-version: 1
+date: 2025-03-03
+version: 2
 id: d2fcf9eb-c7a4-4b05-9db4-99c6430d0513
 author: Steven Dick
 lookup_type: csv