Releases: splunk/security_content

v3.39.0

02 May 22:30
0ef71b1

New Analytic Story

  • Cyclops Blink
  • Local Privilege Escalation With KrbRelayUp
  • Industroyer2
  • AcidRain
  • Windows Drivers

Updated Analytic Story

  • Splunk Vulnerabilities

New Analytics

  • Path traversal SPL injection
  • Splunk User Enumeration Attempt
  • Splunk XSS in Monitoring Console
  • Linux Iptables Firewall Modification
  • Linux Kworker Process In Writable Process Path
  • Windows Computer Account Created by Computer Account
  • Windows Computer Account Requesting Kerberos Ticket
  • Windows Computer Account With SPN
  • Windows Kerberos Local Successful Logon
  • Windows KrbRelayUp Service Creation
  • Linux Deletion Of Cron Jobs
  • Linux Deletion Of Init Daemon Script
  • Linux Deletion Of Services
  • Linux Deletion Of SSH Key
  • Linux Deletion of SSL Certificate
  • Linux High Frequency Of File Deletion In Etc Folder
  • Windows ISO LNK File Creation
  • Windows Registry Modification for Safe Mode Persistence
  • Windows Registry Certificate Added
  • Windows Registry Delete Task SD

Updated Analytics

  • Splunk DoS via Malformed S2S Request

BA updates

  • Moved TCP Command and Scripting Interpreter Outbound LDAP Traffic to experimental

Other Updates

  • Fixed API version error
  • CI update to push packages to Pre-QA artifactory
  • Fixed nes_fields parameter in savedsearches.conf
  • Updated prohibited_apps_launching_cmd.csv

v3.38.1

14 Apr 22:05
e00c2ed
Merge pull request #2172 from splunk/moving_tcp_command_and_scripting…

v3.38.0

12 Apr 00:00

New Analytic Story

New Analytics

  • Java Writing JSP File
  • Spring4Shell Payload URL Request
  • Web JSP Request via URL
  • Web Spring4Shell HTTP Request Class Module
  • Web Spring Cloud Function FunctionRouter
  • Kerberos TGT Request Using RC4 Encryption
  • Unknown Process Using The Kerberos Protocol
  • Kerberos User Enumeration
  • Kerberos Service Ticket Request Using RC4 Encryption
  • Windows PowerView Unconstrained Delegation Discovery
  • Windows Get-ADComputer Unconstrained Delegation Discovery
  • Windows PowerView Constrained Delegation Discovery
  • GitHub Actions Disable Security Workflow
  • MacOS plutil

Updated Analytics

  • MacOS LOLbin
  • Suspicious Kerberos Service Ticket Request
  • Suspicious Ticket Granting Ticket Request
  • Unusual Number of Computer Service Tickets Requested
  • PetitPotam Suspicious Kerberos TGT Request

v3.37.1

04 Apr 18:15
f6f5db9
Merge pull request #2147 from splunk/descp_fix

descp_fix

v3.37.0

29 Mar 17:57
96a2abf

New Analytic Story

  • Splunk Vulnerabilities
  • Double Zero Destructor
  • Windows Registry Abuse

New Analytics

  • Splunk DoS via Malformed S2S Request
  • Windows Deleted Registry By A Non Critical Process File Path
  • Windows Terminating Lsass Process
  • MacOS LOLbin

Updated Analytics

  • SQL Injection with Long URLs
  • Modify ACL permission To Files Or Folder
  • Windows InstallUtil Remote Network Connection
  • Windows InstallUtil Uninstall Option with Network
  • Detect Regasm with no Command Line Arguments
  • Detect Regsvcs with No Command Line Arguments
  • DLLHost with no Command Line Arguments with Network
  • GPUpdate with no Command Line Arguments with Network
  • Rundll32 with no Command Line Arguments with Network
  • SearchProtocolHost with no Command Line with Network
  • Suspicious DLLHost no Command Line Arguments
  • Suspicious GPUpdate no Command Line Arguments
  • Suspicious Rundll32 no Command Line Arguments
  • Suspicious SearchProtocolHost no Command Line
  • AWS CreateAccessKey
  • AWS UpdateLoginProfile

New BA Analytics

  • Windows DotNet Binary in Non Standard Path
  • Windows LOLBin Binary in Non Standard Path
  • Windows Script Host Spawn MSBuild
  • Windows WMIPrvse Spawn MSBuild

Updated BA Analytics

  • System Process Running from Unexpected Location
  • Delete A Net User
  • Modify ACLs Permission Of Files Or Folders
  • WBAdmin Delete System Backups
    - Minor change: Added CIS and NIST tags to all BA detections

Other ESCU updates

  • MAJOR UPDATE: Overhauled old tooling in bin/ and replaced all functionality in bin/contentctl_project
  • Updated playbooks/custom_functions/indicator_collect.py and artifact_create.py
  • Added Supported TAs to research.splunk.com
  • Several updates to the detection_testing backend
  • Tagged several detections with story names: Windows Registry Abuse, Data Destruction, Living Off The Land
  • Updated detection names to have a max length of 67 characters

v3.34.4

24 Mar 14:52

Fixes FPs with robocopy.exe.

v3.36.0

03 Mar 18:23
2a3edd2

New Analytic Story

  • Hermetic Wiper
  • Living Off The Land
  • Data Destruction
  • Network Discovery
  • Active Directory Kerberos Attacks

New Analytics

  • Windows Modify Show Compress Color And Info Tip Registry
  • AWS Lambda UpdateFunctionCode
  • Windows Disable Memory Crash Dump
  • Windows File Without Extension In Critical Folder
  • Windows Raw Access To Disk Volume Partition
  • Windows Event For Service Disabled
  • Windows Excessive Disabled Services Event
  • Windows Process With NamedPipe CommandLine
  • Windows Raw Access To Master Boot Record Drive
  • Windows Service Creation Using Registry Entry
  • Windows WMI Process Call Create
  • Windows Diskshadow Proxy Execution
  • Linux DD File Overwrite
  • Linux System Network Discovery
  • Kerberoasting spn request with RC4 encryption
  • Mimikatz PassTheTicket CommandLine Parameters
  • Rubeus Command Line Parameters
  • Rubeus Kerberos Ticket Exports Through Winlogon Access
  • Unusual Number of Kerberos Service Tickets Requested
  • Disabled Kerberos Pre-Authentication Discovery With PowerView
  • Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
  • Kerberos Pre-Authentication Flag Disabled in UserAccountControl
  • Kerberos Pre-Authentication Flag Disabled with PowerShell

Updated Analytics

  • Excessive number of distinct processes created in Windows Temp folder
  • O365 Excessive Authentication Failures Alert (thanks to @schwedenmut)
  • Excessive number of distinct processes created in Windows Temp folder (Issue #1526)
  • Scheduled Task Deleted Or Created via
  • Windows High File Deletion Frequency
  • Linux At Application Execution

New BA Analytics

  • Windows Eventvwr UAC Bypass
  • Windows MSHTA Command-Line URL
  • Windows Rundll32 Inline HTA Execution
  • Windows MSHTA Inline HTA Execution
  • Windows MSHTA Child Process
  • TCP Command and Scripting Interpreter Outbound LDAP Traffic
  • Windows Diskshadow Proxy Execution
  • Windows Rasautou DLL Execution
  • Windows Bits Job Persistence
  • Windows Bitsadmin Download File
  • Windows PowerShell Start-BitsTransfer
  • Windows CertUtil URLCache Download
  • Windows CertUtil VerifyCtl Download
  • Windows CertUtil Decode File
  • Windows WSReset UAC Bypass (experimental)

Updated BA Analytics

  • Unusual Volume of Data Download from Internal Server Per Entity (experimental)
  • Detect Prohibited Applications Spawning cmd exe

Other ESCU updates

  • Updated lookups/ransomware_extensions.csv
  • Updated functions in several playbooks and added a new type field in the ymls
  • Updated detection testing CI job to report failure when the testing fails
  • Updated the Application Baseline that we use for CI/CD in Github Actions for detection-testing

v3.35.0

15 Feb 23:10
03680a7

New Analytics

  • Windows Rasautou DLL Execution
  • Linux pkexec Privilege Escalation
  • Potentially malicious code on commandline (MLTK based detection that works with a pre shipped model file)

Updated Analytics

  • Linux pkexec Privilege Escalation
  • Windows Possible Credential Dumping
  • Windows Remote Assistance Spawning Process
  • Windows Schtasks Create Run As System
  • RunDLL Loading DLL By Ordinal
  • CertUtil Download With URLCache and Split Arguments
  • CertUtil Download With VerifyCtl and Split Arguments
  • O365 Added Service Principal (Bug fix contributed by @ionsor)
  • O365 Bypass MFA via Trusted IP (Bug fix contributed by @ionsor)
  • O365 Disable MFA (Bug fix contributed by @ionsor)
  • Powershell Remove Windows Defender Directory (Bug fix contributed by @BlackB0lt)
  • GetWmiObject Ds Computer with PowerShell Script Block (Bug fix contributed by @sanjay900)
  • GetWmiObject Ds Group with PowerShell Script Block (Bug fix contributed by @sanjay900)

New Playbooks

  • Trustar Enrich Indicators
  • Threat Intel Investigate
  • Start Investigation
  • AWS Disable User Accounts
  • AWS Find Inactive Users

New BA Analytics

  • Windows Powershell Connect to Internet With Hidden Window (SRS)
  • Windows Powershell DownloadFile (SRS)
  • Unusual Volume of Data Download from Internal Server Per Entity (experimental detection, not shipped in the SSA package)

Other ESCU updates

  • Updated 20+ detections based on Endpoint.Registry and tested with the latest Microsoft Sysmon TA (https://splunkbase.splunk.com/app/5709/)
  • Updated Detect GCP Storage access from a new IP based on customer reported bug.
  • Updated deprecation note in Detection of DNS Tunnels with reference to new detection.
  • Updated savedsearches.conf with a risk parameter that previously did not allow a search to be saved from the UI
  • Updated generate.py to output correct UTF-8 rendered savedsearches.conf stanzas for Malicious PowerShell Process - Encoded Command and PowerShell - Connect To Internet With Hidden Window

v3.34.3

07 Feb 21:04
5dbd79c

BA

Fixed null pointer exceptions: #1996

v3.34.2

02 Feb 18:50
8d3b68a

Updated SSA detection

  • dist/ssa/srs/ssa___hiding_files_and_directories_with_attrib_exe.yml