v3.57.0

New Analytic Story

• Chaos Ransomware
• LockBit Ransomware

New Analytics

• Detect suspicious DNS TXT records using pretrained model in DSDL
• Windows Boot or Logon Autostart Execution In Startup Folder
• Windows Modify Registry Default Icon Setting
• Windows Phishing PDF File Executes URL Link
• Windows Replication Through Removable Media
• Windows User Execution Malicious URL Shortcut File
• Windows Vulnerable Driver Loaded
• Linux Ngrok Reverse Proxy Usage
• Windows Server Software Component GACUtil Install to GAC
• Windows PowerShell Add Module to Global Assembly Cache
• Windows Credential Dumping LSASS Memory Createdump

Updated Analytics

• Known Services Killed by Ransomware
• Windows DLL Search Order Hijacking Hunt
• Windows DLL Search Order Hijacking Hunt Sysmon
• ProxyShell ProxyNotShell Behavior Detected (correlation)

Other Updates

• Added 3 new playbook files: Dynamic Identifier Reputation Analysis, PhishTank URL Reputation Analysis, VirusTotal v3 Identifier Reputation Analysis from phantomcyber/playbooks to security_content
• Added onenote.exe to several detection analytics related to Office Products

v3.56.0

New Analytic Story

• IIS Components

New Analytics

• Windows Disable Windows Event Logging Disable HTTP Logging
• Windows IIS Components Add New Module
• Windows IIS Components Get-WebGlobalModule Module Query
• Windows IIS Components Module Failed to Load
• Windows IIS Components New Module Added
• Windows PowerShell Disable Windows Event Logging Disable HTTP Logging
• Windows PowerShell IIS Components WebGlobalModule Usage

Updated Analytics

• Account Discovery With Net App (Thanks to @TheLawsOfChaos)
• Msmpeng Application DLL Side Loading(Thanks to @sanjay900)
• Remcos RAT File Creation in Remcos Folder(Thanks to @sanjay900)
• Excessive DNS Failures (Thanks to @bowesmana)
• Batch File Write to System32 (Thanks to @nterl0k)
• Disable Defender AntiVirus Registry (Thanks to @nterl0k)
• Sc exe manipulating windows services
• Windows remote access software hunt

Other Updates

• Update to the CI workflow to Uploads the summary results to the s3 reporting bucket after a test completes.
• Added risk_index macro which expands to index=risk in security_content.

v3.55.0

New Analytic Story

• Prestige Ransomware
• Windows Post-Exploitation

New Analytics

• Windows Modify Registry Reg Restore
• Windows Query Registry Reg Save
• Windows System User Discovery Via Quser
• Windows WMI Process And Service List
• Windows Cached Domain Credentials Reg Query
• Windows ClipBoard Data via Get-ClipBoard
• Windows Credentials from Password Stores Query
• Windows Credentials in Registry Reg Query
• Windows Indirect Command Execution Via Series Of Forfiles
• Windows Information Discovery Fsutil
• Windows Password Managers Discovery
• Windows Private Keys Discovery
• Windows Security Support Provider Reg Query
• Windows Steal or Forge Kerberos Tickets Klist
• Windows System Network Config Discovery Display DNS
• Windows System Network Connections Discovery Netsh
• Windows Change Default File Association For No File Ext
• Windows Service Stop Via Net and SC Application

Other Updates

• Added new Mitre MAP Coverage map json files to show the CISA 2021 Top Malware TTP coverage in docs/mitre-map.
• Fixed a bug in contentctl to appropriate scheduling configuration in savedsearches.conf

v3.54.0

New Analytic Story

• CISA AA22-320A
• Reverse Network Proxy
• MetaSploit

New Analytics

• Ngrok Reverse Proxy on Network
• Powershell Load Module in Meterpreter
• Windows Apache Benchmark Binary
• Windows Mimikatz Binary Execution
• Windows MSExchange Management Mailbox Cmdlet Usage
• Windows Ngrok Reverse Proxy Usage
• Windows Service Created with Suspicious Service Path

Updated Analytics

• BITSAdmin Download File (Thank you @BlackB0lt)
• Common Ransomware Extensions (Thank you Steven Dick!) Issue 2448
• Exchange PowerShell Module Usage

New BA Analytics

• Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser
• Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView

Updated BA Analytics

• Windows Exchange PowerShell Module Usage

Other Updates

• Tagged several detections for AgentTesla, Qakbot
• Crowdstike TA added to detection testing pipeline

v3.53.0

New Analytic Story

• OpenSSL CVE-2022-3602

Updated Analytic Story

• IcedID
• Remcos
• Qakbot
• Azorult

New Analytics

• SSL Certificates with Punycode
• Windows App Layer Protocol Qakbot NamedPipe
• Zeek x509 Certificate with Punycode

Updated Analytics

• Attempted Credential Dump From Registry via Reg exe
• AWS Detect Users with KMS keys performing encryption S3 (thank you Antony Bowesman)
• AWS ECR Container Upload Outside Business Hours (thank you Antony Bowesman)
• BITSAdmin Download File
• BITS Job Persistence
• Common Ransomware Extensions (thank you Steven Dick)
• Creation of Shadow Copy
• Detect Rare Executables (thank you Antony Bowesman)
• Dump LSASS via procdump
• Executables Or Script Creation In Suspicious Path
• Kubernetes AWS detect suspicious kubectl calls (thank you Antony Bowesman)
• O365 Disable MFA (thank you Jamie Windley)
• Office Document Executing Macro Code
• Office Product Spawn CMD Process
• Office Product Spawning Windows Script Host
• Process Creating LNK file in Suspicious Location
• RunDLL Loading DLL By Ordinal
• Suspicious Process File Path

Other updates

• The name for a few analytics tests were updated #2455
• Added a CI check to validate NIST and CIS20 tags #2390

v3.52.0

New Analytic Story

• CVE-2022-40684 Fortinet Appliance Auth bypass
• GCP Account Takeover
• Qakbot
• Text4Shell CVE-2022-42889

Updated Analytic Story

• Splunk Vulnerabilities - Please refer here for more information around the November 2, 2022 Release

New Analytics

• Exploit Public Facing Application via Apache Commons Text
• Fortinet Appliance Auth bypass
• GCP Authentication Failed During MFA Challenge
• GCP Multi-Factor Authentication Disabled
• GCP Multiple Failed MFA Requests For User
• GCP Multiple Users Failing To Authenticate From Ip
• GCP Successful Single-Factor Authentication
• GCP Unusual Number of Failed Authentications From Ip
• Splunk Code Injection via custom dashboard leading to RCE
• Splunk Data exfiltration from Analytics Workspace using sid query
• Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature
• Splunk Reflected XSS in the templates lists radio
• Splunk Stored XSS via Data Model objectName field
• Splunk XSS in Save table dialog header in search page
• Windows App Layer Protocol Wermgr Connect To NamedPipe
• Windows Command Shell Fetch Env Variables
• Windows DLL Side-Loading In Calc
• Windows DLL Side-Loading Process Child Of Calc
• Windows Masquerading Explorer As Child Process
• Windows Modify Registry Qakbot Binary Data Registry
• Windows Process Injection Of Wermgr to Known Browser
• Windows Process Injection Remote Thread
• Windows Process Injection Wermgr Child Process
• Windows Regsvr32 Renamed Binary
• Windows System Discovery Using ldap Nslookup
• Windows System Discovery Using Qwinsta
• Windows WMI Impersonate Token

New BA Analytics

• Office Product Spawning Windows Script Host
• Windows COM Hijacking InprocServer32 Modification
• Windows Exchange PowerShell Module Usage

Other updates

• Added a tag called data_schema that has the version used for CIM/OCSF
• Updated a bug template for creating better Github Issues

v3.51.0

New Analytic Story

• CISA AA22-277A
• ProxyNotShell

New Analytics

• AWS Console Login Failed During MFA Challenge
• AWS Multi-Factor Authentication Disabled
• AWS Multiple Failed MFA Requests For User
• AWS Successful Single-Factor Authentication
• Detect Exchange Web Shell
• ProxyShell ProxyNotShell Behavior Detected
• Windows Create Local Account
• Windows Exchange Autodiscover SSRF Abuse (Thank you Nathaniel Stearns!)
• Windows Mshta Execution In Registry

Updated Analytics

• Detect SharpHound File Modifications
• Exchange PowerShell Abuse via SSRF
• Exchange PowerShell Module Usage
• Unified Messaging Service Spawning a Process

New BA Analytics

• Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path
• Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path
• Windows Rename System Utilities Advpack dll LOLBAS in Non Standard
• Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path
• Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path
• Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path
• Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path
• Windows Rename System Utilities At exe LOLBAS in Non Standard Path
• Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path

Other updates

• Added a new tool lolbas_enrichment.py when executed builds a csv of all the lolbas paths: ./lolbas_file_path.csv and auto generated the BA detection with the latest lolbas paths: ./ssa___windows_lolbin_binary_in_non_standard_path.yml and its required supporting testing artifacts.
• Updated Attacker Tools lookup with Mimikatz and Advanced IP Scanner

v3.50.0

New Analytic Story

• AgentTesla
• AWS Identity and Access Management Account Takeover
• CISA AA22-264A
• Okta MFA Exhaustion

New Analytics

• AWS Multiple Users Failing To Authenticate From Ip
• AWS Unusual Number of Failed Authentications From Ip
• Detect DGA domains using pretrained model in DSDL
• Okta Account Locked Out
• Okta MFA Exhaustion Hunt
• Okta New API Token Created
• Okta New Device Enrolled on Account
• Okta Suspicious Activity Reported
• Okta ThreatInsight Threat Detected
• Okta Two or More Rejected Okta Pushes
• Okta Risk Threshold Exceeded
• Office Product Spawning Windows Script Host
• Powershell COM Hijacking InprocServer32 Modification
• Windows COM Hijacking InprocServer32 Modification
• Windows File Transfer Protocol In Non-Common Process Path
• Windows ISO LNK File Creation
• Windows Mail Protocol In Non-Common Process Path
• Windows Multi hop Proxy TOR Website Query
• Windows System Script Proxy Execution Syncappvpublishingserver

Updated Analytics

• Multiple Okta Users With Invalid Credentials From The Same IP
• Okta Account Lockout Events
• Okta Failed SSO Attempts
• Exchange PowerShell Module Usage
• Registry Keys Used For Persistence
• Windows Phishing Recent ISO Exec Registry

BA Updates

• source field updated to XmlWinEventLog for Windows System Binary Proxy Execution Compiled HTML File Decompile (released in 3.49.1)

Other updates

• Removed slim dependency in Github Actions, skip detection testing on tag creation and token updated
• Fixed bugs in the init functionality for creating a security_content custom application
• Added advanced_port_scanner.exe to Attacker Tools Lookup
• Updated the Github Actions workflow steps to create and push files for the SSE API

NOTE

This release contains a new type of analytic( Detect DGA domains using pretrained model in DSDL) that leverages the Splunk App for Data Science and Deep Learning to detect DNS connections to domains generated by Domain Generation Algorithms. This detection uses a pre-trained deep learning model and you can find the steps to deploy this model in our GitHub Wiki.

v3.49.1

Merge pull request #2386 from splunk/fixing-winxml-log

fix ssa___windows_system_binary_proxy_execution_compiled_html_file test file

v3.49.0

New Analytic Story

• Azure Active Directory Persistence
• Brute Ratel C4
• CISA AA22-257A

New Analytics

• Azure AD External Guest User Invited
• Azure AD Global Administrator Role Assigned
• Azure AD Multiple Failed MFA Requests For User
• Azure AD New Custom Domain Added
• Azure AD New Federated Domain Added
• Azure AD Privileged Role Assigned
• Azure AD Service Principal Created
• Azure AD Service Principal Credentials Added
• Azure AD Service Principal Owner Added
• Azure AD User Enabled And Password Reset
• Azure AD User ImmutableId Attribute Updated
• Azure Automation Account Created
• Azure Automation Runbook Created
• Azure Runbook Webhook Created
• Windows Access Token Manipulation SeDebugPrivilege
• Windows Access Token Manipulation Winlogon Duplicate Token Handle
• Windows Access Token Winlogon Duplicate Handle In Uncommon Path
• Windows Defacement Modify Transcodedwallpaper File
• Windows Event Triggered Image File Execution Options Injection
• Windows Gather Victim Identity SAM Info
• Windows Hijack Execution Flow Version Dll Side Load
• Windows Input Capture Using Credential UI Dll
• Windows Phishing Recent ISO Exec Registry
• Windows Process Injection With Public Source Path
• Windows Protocol Tunneling with Plink
• Windows Remote Access Software BRC4 Loaded Dll
• Windows Service Deletion In Registry
• Windows System Binary Proxy Execution Compiled HTML File Decompile

Updated Analytics

• AdsiSearcher Account Discovery
• Get ADUser with PowerShell Script Block (Thanks to @TheLawsOfChaos)
• Get DomainUser with PowerShell Script Block(Thanks to @TheLawsOfChaos)
• High Process Termination Frequency
• Linux Persistence and Privilege Escalation Risk Behavior
• Living Off The Land
• Log4Shell CVE-2021-44228 Exploitation
• Recursive Delete of Directory In Batch CMD(Thanks to @TheLawsOfChaos)
• Remote Process Instantiation via WMI and PowerShell Script Block(Thanks to @TheLawsOfChaos)
• Svchost LOLBAS Execution Process Spawn(Thanks to @swe)

New BA Analytics

• Windows Execute Arbitrary Commands with MSDT
• Windows Ingress Tool Transfer Using Explorer
• Windows Odbcconf Load Response File
• Windows OS Credential Dumping with Ntdsutil Export NTDS
• Windows OS Credential Dumping with Procdump
• Windows System Binary Proxy Execution Compiled HTML File Decompile
• Windows System Binary Proxy Execution Compiled HTML File URL In Command Line
• Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers
• Windows System Binary Proxy Execution MSIExec DLLRegisterServer
• Windows System Binary Proxy Execution MSIExec Remote Download
• Windows System Binary Proxy Execution MSIExec Unregister DLL

BA Updates

• Tagged several BA analytics with Insider Threat and Information Sabotage analytic story

Other updates

Correlation type searches have a new set of behaviors:

• The action.notable.param.rule_tile is now prefixed with “RBA:”, for example “RBA: Living Off The Land”
• The action.correlationsearch.label is now updated to reflect “ESCU - RIR - <rule_name> - Rule”, for example: “ESCU - RIR - Living Off The Land - Rule”
• The action.risk, action.risk.param.* fields have been removed to avoid a circular loop of increasing risk scores.