v3.35.0

New Analytics

• Windows Rasautou DLL Execution
• Linux pkexec Privilege Escalation
• Potentially malicious code on commandline (MLTK based detection that works with a pre shipped model file)

Updated Analytics

• Linux pkexec Privilege Escalation
• Windows Possible Credential Dumping
• Windows Remote Assistance Spawning Process
• Windows Schtasks Create Run As System
• RunDLL Loading DLL By Ordinal
• CertUtil Download With URLCache and Split Arguments
• CertUtil Download With VerifyCtl and Split Arguments
• O365 Added Service Principal (Bug fix contributed by @ionsor)
• O365 Bypass MFA via Trusted IP (Bug fix contributed by @ionsor)
• O365 Disable MFA (Bug fix contributed by @ionsor)
• Powershell Remove Windows Defender Directory (Bug fix contributed by @BlackB0lt)
• GetWmiObject Ds Computer with PowerShell Script Block (Bug fix contributed by @sanjay900)
• GetWmiObject Ds Group with PowerShell Script Block (Bug fix contributed by @sanjay900)

New Playbooks

• Trustar Enrich Indicators
• Threat Intel Investigate
• Start Investigation
• AWS Disable User Accounts
• AWS Find Inactive Users

New BA Analytics

• Windows Powershell Connect to Internet With Hidden Window(SRS)
• Windows Powershell DownloadFile(SRS)
• Unusual Volume of Data Download from Internal Server Per Entity (experimental detection - Not shipped in the SSA package )

Other ESCU updates

• Updated 20+ detections based on Endpoint.Registry and tested with the latest Microsoft Sysmon TA(https://splunkbase.splunk.com/app/5709/)
• Updated Detect GCP Storage access from a new IP based on customer reported bug.
• Updated deprecation note in Detection of DNS Tunnels with reference to new detection.
• Updated savedsearches.conf with a risk parameter that previously did not allow a search to be saved from the UI
• Updated generate.py to output correct UTF-8 rendered savedsearches.conf stanzas for Malicious PowerShell Process - Encoded Command and PowerShell - Connect To Internet With Hidden Window