Skip to content

Releases: splunk/security_content

v5.1.0

24 Feb 20:19
@patel-bhavin patel-bhavin
v5.1.0
c795cda
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v5.1.0 Latest
Latest

Release notes - v5.1.0

Key highlights

We released 4 new analytic stories and added 41 new detection analytics. Some high level details of the new analytic stories in this release

  • 📡 Remote Monitoring and Management Software: Added a new story file to help users analyze unauthorized remote monitoring & management (RMM) tool usage, including detection of 3rd-party software installations like AnyDesk and TeamViewer through phishing/drive-by compromises.

  • ☁️ AWS S3 Bucket Security Monitoring: A new analytic story which addresses the risks associated with S3 bucket misconfigurations and potential hijacking of decommissioned buckets. This story includes baselines and detections that track public S3 buckets before deletion, monitor access attempts to these bucket names, and identify potential hijacking activities, leveraging AWS CloudTrail logs, DNS queries, and web proxy data to ensure robust monitoring and security.

  • 🛡️ Security Solution Tampering: A new analytic story, which includes new detections focused on identifying tampering activities with Cisco Secure Endpoint services. These detections cover techniques such as inhibiting system recovery and disabling or modifying security tools, enhancing our ability to detect and respond to potential security threats.

  • 📋 Windows Audit Policy Tampering: We also added detections for Windows audit policies, which are crucial for logging key system activities for monitoring and forensic analysis. This analytic story provides a framework to detect suspicious activities involving audit policy manipulation, such as the use of auditpol.exe with specific flags, helping to uncover potential malicious activity and maintain the integrity of security monitoring mechanisms.

  • In addition, external contributor @nterl0k has significantly enhanced our detection capabilities with six new Office 365 security detections and several other detections.. These include monitoring changes to email transport rules, various methods of data exfiltration, and suspicious authentication and search behaviors, providing robust protection against potential threats.

New Analytic Story - [4]

New Analytics - [41]

(Big thank you to @nterl0k from our Github Community for contributing several amazing tested detections, stories, lookups for this release! )

Macros Added - [4]

  • important_audit_policy_subcategory_guids
  • normalized_service_binary_field
  • process_auditpol
  • windows_exchange_iis

Macros Updated - [11]

  • ms_defender
  • powershell
  • printservice
  • remoteconnectionmanager
  • sysmon
  • wineventlog_application
  • wineventlog_rdp
  • wineventlog_security
  • wineventlog_system
  • wineventlog_task_scheduler
  • wmi

Lookups Added - [2]

  • malicious_powershell_strings
  • windows_suspicious_services

Lookups Updated - [5]

  • asr_rules
  • builtin_groups_lookup
  • dynamic_dns_providers_default
  • remote_access_software
  • security_services_lookup

Other updates

  • New baselines: Baseline Of Open S3 Bucket Decommissioning
  • Added a dropdown for dashboards to the navigation bar

Contributors

nterl0k and zake1god
Assets 3
Loading

v5.0.0

31 Jan 18:57
@patel-bhavin patel-bhavin
v5.0.0
7712cd9
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v5.0.0

🌟 Github Community

🎉 The Splunk Threat Research Team is thrilled to announce Enterprise Security Content Update (ESCU) v5.0.0!

Key Highlights

  • (NEW) 🚨 Deprecation Assistant Dashboard: This release introduces a deprecation assistant dashboard for ESCU users to identify and manage deprecated detection analytics currently enabled in their Splunk Environment. These detections will be removed in ESCU v5.2.0 and could disrupt environments using them. For more in-depth information about which pieces of content will be removed and their replacements, please refer to the docs - 📄 Documentation.

  • (NEW) 🛠️ Analytic Story Onboarding Assistant: In this release, we've introduced a redesigned home page with an enhanced UI that offers direct access to release notes, analytics counts, and the latest version on Splunkbase, complemented by a detailed timeline of STRT blogs and updates. Additionally, we've launched the Analytic Story Onboarding Assistant, a new preview feature designed to streamline the process of enabling several detections from multiple analytics stories for which there is data available in your Splunk Environment.

  • 🔍 New Analytics: We have expanded our threat detection capabilities by mapping existing analytics and developing new detections for a range of threats, including Backdoor Pingpong, Cleo File Transfer Software, Crypto Stealer, SDDL Tampering Defense Evasion, Derusbi, Earth Estries, Nexus APT Threat Activity, WinDealer RAT, and XorDDos.

New Analytic Story - [9]

New Analytics - [52]

Other Updates

  • We've updated our YAML configurations by enhancing validation, improving accuracy and consistency, and replacing the 'observables' key with an 'RBA' key to better align with Enterprise Security standards and simplify risk attribution.
Loading

v4.44.0

05 Dec 22:31
@patel-bhavin patel-bhavin
v4.44.0
300af51
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.44.0

STRT is excited to welcome @nasbench to the team! Congrats on your first of many PRs! #3213

Release notes - v4.44.0

Total New and Updated Content: [357]

Key highlights

  • Windows Defender: Two new analytics now surface and summarize alerts from Microsoft Defender Advanced Threat Protection (ATP) as well as Microsoft Defender O365 Incidents.
  • BitLockerToGo Abuse: Two new analytics search for use of the legitimate BitLockerToGo.exe Windows utility. This application has been abused by the Lumma Stealer malware to manipulate registry keys, search for cryptocurrency wallets or credentials, and exfiltrate sensitive data.
  • VaultCLI Usage: One new analytic flags suspicious usage of the VaultCLI.dll, a technique observed by Information-Stealing Malware such as Meduza. This DLL allows processes to extract sensitive credentials from the Windows Credential Vault.
  • Windows RDP Activities: Two new analytics look for potentially suspicious Windows RDP activities.
  • Windows RunMRU Modifications: One analytic monitors changes to the RunMRU registry key. This key, which stores a history of commands executed via the windows Run dialog box, may capture commands run by malware attempting to appear legitimate.

New Analytic Story - [3]

New Analytics - [8]

Updated Analytics - [261]

Read more

Contributors

nasbench, ronan182, and bpluta-splunk
Loading

v4.43.0

14 Nov 01:21
@patel-bhavin patel-bhavin
v4.43.0
738216a
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.43.0

Release notes - v4.43.0

Total New and Updated Content: [1645]

Key highlights

Detection Analytics Updates

  • Critical Alerts: Introduced a new analytic to detect critical alerts from multiple security tools, enhancing quick identification and response for high-priority threats. Tested with MS365 Defender and Windows Defender Alerts, compatible with any vendor alerts mapped to the Alerts data model.
  • Braodo Stealer: Added detections focused on identifying malicious behaviors associated with information-stealing malware.

Tooling Updates

We have released new version of contentctl (v4.4.5) that help with build and test ESCU content:

  • Enhanced Drilldowns: Added two default drilldowns for all notable detections, enabling users to view detection results for specific risk objects and access risk events from the past 7 days. This improves investigation workflows and response efficiency.
  • Version Enforcement & Datasource Testing: Enhanced version enforcement for detection content, automatically updating search versions when YAML changes. Added new datasource testing for detections, ensuring compatibility when new TAs are available.

Documentation Update

Additionally, the Splunk documentation and Github Wiki is also updated to include the latest features shipped in the Enterprise Security Content Update (ESCU). This update provides detailed guidance on using and testing these detections with Splunk Enterprise Security.

New Analytic Story - [2]

New Analytics - [9]

Updated Analytics - [1532]

  • All TTP/Anomaly and Correlation type detections now have two drilldowns added to their yaml files.

Huge thanks to @dluxtron for contributing new detections and enhancing existing ones!

Contributors

dluxtron
Loading

v4.42.0

14 Oct 22:21
@patel-bhavin patel-bhavin
v4.42.0
eb2e7d3
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.42.0

Total New and Updated Content: [18]

Key Highlights:

Splunk Vulnerabilities: This release introduces key detections for recently disclosed Splunk vulnerabilities, including issues like disabling KVStore via CSRF, image file disclosure in PDF exports, and persistent XSS attacks. It also covers critical vulnerabilities such as remote code execution through arbitrary file writes and sensitive information disclosure in low-privileged user sessions and DEBUG logs. These detections enhance monitoring for exploitation attempts, improving Splunk's defenses against potential attacks and data breaches.

CISA AA24-241A : This new analytic story delivers detections tailored to identify malicious usage of PowerShell Web Access (PSWA) in Windows environments. These new detections focus on monitoring PowerShell Web Access activity through the IIS application pool and web access logs, providing enhanced visibility into suspicious or unauthorized access. The story introduces two key detections: "Windows Identify PowerShell Web Access IIS Pool" and "Windows IIS Server PSWA Console Access," which track the creation and usage of PSWA sessions, anomalies in IIS pool configurations, and unusual patterns of console access. By improving detection of PowerShell Web Access exploitation, we can defenses against potential privilege escalation, lateral movement, and remote code execution attempts within Windows infrastructures.

In addition to these updates, the detection logic for "Windows AdFind Exe" and "Linux Auditd Change File Owner To Root" has been improved based on customer feedback. These enhancements provide more accurate identification of AdFind tool usage in Windows environments and better detection of unauthorized file ownership changes to root in Linux systems, further fortifying defenses against privilege abuse and lateral movement techniques across both platforms.

New Analytic Story - [0]

Updated Analytic Story - [1]

New Analytics - [10]

Updated Analytics - [15]

Other Updates

  • Updated README.md and WIKI on Github repository
Loading

v4.41.0

26 Sep 17:25
@patel-bhavin patel-bhavin
v4.41.0
2e0a7c5
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.41.0

Key Highlights

ValleyRAT Analytic Story: This update introduces comprehensive detections tailored to the ValleyRAT malware, providing enhanced monitoring and threat-hunting capabilities for adversarial activity on Windows systems. The story includes new detections focusing on impairing defenses, modifying system registries, and exploiting privilege escalation mechanisms. Key detections cover tactics such as disabling antivirus via registry modifications, setting Windows Defender exclusions, and UAC bypass techniques like FodHelper and Eventvwr. These detections improve visibility into malicious registry changes, task scheduling anomalies, and suspicious executable behavior, fortifying defenses against ValleyRAT C2 activity and privilege abuse attempts.

Total New and Updated Content: [16]

New Analytic Story - [1]

ValleyRAT

Updated Analytic Story - [0]

New Analytics - [6]

Windows Impair Defenses Disable AV AutoStart via Registry
Windows Modify Registry Utilize ProgIDs
Windows Modify Registry ValleyRAT C2 Config
Windows Modify Registry ValleyRat PWN Reg Entry
Windows Schedule Task DLL Module Loaded
Windows Schedule Tasks for CompMgmtLauncher or Eventvwr

Updated Analytics - [9]

Add or Set Windows Defender Exclusion
CMLUA Or CMSTPLUA UAC Bypass
Eventvwr UAC Bypass
Executables Or Script Creation In Suspicious Path
FodHelper UAC Bypass
Suspicious Process File Path
WinEvent Windows Task Scheduler Event Action Started
Windows Access Token Manipulation SeDebugPrivilege
Windows Defender Exclusion Registry Entry

Loading

v4.40.0

11 Sep 16:48
@patel-bhavin patel-bhavin
v4.40.0
c80663d
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.40.0

Key highlights

Key Highlights for Enterprise Security Content Update version 4.40.0:

Compromised Linux Host: This update introduces a robust set of 50 detections for compromised Linux hosts, covering a wide range of activities such as unauthorized account creation, file ownership changes, kernel module modifications, privilege escalation, data destruction, and suspicious service stoppages, enhancing visibility into potential malicious actions and system tampering.

Black Suit Ransomware: We have tagged existing analytics, aligning with tactics, techniques, and procedures (TTPs) associated with the Black Suit ransomware, providing organizations with targeted threat detection capabilities to identify and mitigate ransomware attacks before they can cause significant damage.

CISA Alert (CISA AA24-241A): In response to a joint advisory regarding Iran-based cyber actors exploiting U.S. and foreign organizations, this update includes new detections for identifying PowerShell Web Access installations and enabling activities, strengthening defenses against ransomware and espionage activities linked to these threats.

Total New and Updated Content: [133]

New Analytic Story - [3]

Updated Analytic Story - [0]

New Analytics - [52]

Updated Analytics - [72]

Read more
Loading

v4.39.1

30 Aug 21:16
@gowthamarajr gowthamarajr
v4.39.1
a20338d
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.39.1

Release notes

  • RMM Software Tracking Dashboard was missing in the 4.39.0 release. This has been resolved in Content Update 4.39.1.
Loading

v4.39.0

29 Aug 16:37
@gowthamarajr gowthamarajr
v4.39.0
f7112e6
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.39.0

Key Highlights

Enterprise Security Content Update version 4.39.0 introduces critical detections aimed at addressing vulnerabilities in Ivanti Virtual Traffic Manager (CVE-2024-7593), with a particular focus on detecting SQL injection remote code execution and unauthorized account creation activities.This update also significantly enhances Office 365 security by incorporating advanced detections that monitor data loss prevention triggers, identify suspicious email behaviors, and track critical security feature changes across email and SharePoint environments, ensuring a more robust defense against potential threats. Additionally, a comprehensive set of new detections for Windows Active Directory is included, targeting potential threats related to privilege escalation, dangerous ACL modifications, GPO changes, and suspicious attribute modifications, thereby strengthening the overall identity and access management defenses within the enterprise. This release also introduces a new RMM Software Tracking Dashboard, designed to assist with the auditing and monitoring of Remote Monitoring and Management (RMM) software. This dashboard provides comprehensive visibility into RMM alert content, enabling more effective tracking and analysis of RMM-related activities and potential security risks within your environment.

New Analytic Story - [2]

New Analytics - [29]

Updated Analytics - [2]

New Dashboards

  • RMM Software Tracking: Utilize this dashboard to assist with auditing and monitoring of Remote Monitoring and Management (RMM) alert content. (External Contributor: @nterl0k )

Other Updates

  • Updated observables for 300+ analytics to improve creation accuracy of risk and threat objects
  • contentctl was updated to v4.3.3, expanding the validation of content which leverages risk-based alerting (RBA). All production ESCU content, which uses RBA is now tested to ensure that threat objects, risk objects, and risk messages are generated accurately. These additional validations have resulted in the improvement of over 300 pieces of content in ESCU 4.39.0.
Loading

v4.38.0

16 Aug 00:15
@gowthamarajr gowthamarajr
v4.38.0
9f85603
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.38.0

Key highlights

Enterprise Security Content Update version 4.38.0 introduces new detections focusing on Windows Endpoints and Office365 with specific attention to identity and access management vulnerabilities. This version also includes detections to identify unusual NTLM authentication patterns. A number of new detections are included for Crowdstrike environments to identify weak password policies, detect duplicate passwords among users and administrators, assess identity risk with various severity levels, and detect privilege escalation attempts in non-administrative accounts. For Office 365 environments, this update includes detections to monitor cross-tenant access changes, external guest invitations, changes in external identity policies, and privileged role assignments. Finally, two new analytic stores are included for help detect Compromised Windows Hosts or activities linked to the Handala Wiper Malware.

New Analytic Story - [2]

Updated Analytic Story - [1]

New Analytics - [20]

Updated Analytics - [13]

Macros Added - [3]

  • crowdstrike_identities
  • crowdstrike_stream
  • ntlm_audit

Macros Updated - [1]

  • linux_hosts

Lookups Updated - [1]

  • privileged_azure_ad_roles

Other Updates

  • Added new data_source objects
  • Changes TA names in data sources to match the name in Splunk
  • Updated TA version to match the latest (new check in contentctl)
  • Add configuration file to Sysmon and Windows Event Code 4688
  • Update analytic story on detections for Handala Wiper

Contributors

nterl0k
Loading