Releases: splunk/security_content
v4.43.0
Release notes - v4.43.0
Total New and Updated Content: [1645]
Key highlights
Detection Analytics Updates
- Critical Alerts: Introduced a new analytic to detect critical alerts from multiple security tools, enhancing quick identification and response for high-priority threats. Tested with MS365 Defender and Windows Defender Alerts, compatible with any vendor alerts mapped to the Alerts data model.
- Braodo Stealer: Added detections focused on identifying malicious behaviors associated with information-stealing malware.
Tooling Updates
We have released new version of contentctl (v4.4.5) that help with build and test ESCU content:
- Enhanced Drilldowns: Added two default drilldowns for all notable detections, enabling users to view detection results for specific risk objects and access risk events from the past 7 days. This improves investigation workflows and response efficiency.
- Version Enforcement & Datasource Testing: Enhanced version enforcement for detection content, automatically updating search versions when YAML changes. Added new datasource testing for detections, ensuring compatibility when new TAs are available.
Documentation Update
Additionally, the Splunk documentation and Github Wiki is also updated to include the latest features shipped in the Enterprise Security Content Update (ESCU). This update provides detailed guidance on using and testing these detections with Splunk Enterprise Security.
New Analytic Story - [2]
New Analytics - [9]
- Detect Critical Alerts from Security Tools
- High Volume of Bytes Out to Url
- Internal Horizontal Port Scan NMAP Top 20
- Plain HTTP POST Exfiltrated Data
- Windows Archived Collected Data In TEMP Folder
- Windows Credentials from Password Stores Chrome Copied in TEMP Dir
- Windows Credentials from Web Browsers Saved in TEMP Folder
- Windows Disable or Stop Browser Process
- Windows Screen Capture in TEMP folder
Updated Analytics - [1532]
- All TTP/Anomaly and Correlation type detections now have two drilldowns added to their yaml files.
Huge thanks to @dluxtron for contributing new detections and enhancing existing ones!
v4.42.0
Total New and Updated Content: [18]
Key Highlights:
Splunk Vulnerabilities: This release introduces key detections for recently disclosed Splunk vulnerabilities, including issues like disabling KVStore via CSRF, image file disclosure in PDF exports, and persistent XSS attacks. It also covers critical vulnerabilities such as remote code execution through arbitrary file writes and sensitive information disclosure in low-privileged user sessions and DEBUG logs. These detections enhance monitoring for exploitation attempts, improving Splunk's defenses against potential attacks and data breaches.
CISA AA24-241A : This new analytic story delivers detections tailored to identify malicious usage of PowerShell Web Access (PSWA) in Windows environments. These new detections focus on monitoring PowerShell Web Access activity through the IIS application pool and web access logs, providing enhanced visibility into suspicious or unauthorized access. The story introduces two key detections: "Windows Identify PowerShell Web Access IIS Pool" and "Windows IIS Server PSWA Console Access," which track the creation and usage of PSWA sessions, anomalies in IIS pool configurations, and unusual patterns of console access. By improving detection of PowerShell Web Access exploitation, we can defenses against potential privilege escalation, lateral movement, and remote code execution attempts within Windows infrastructures.
In addition to these updates, the detection logic for "Windows AdFind Exe" and "Linux Auditd Change File Owner To Root" has been improved based on customer feedback. These enhancements provide more accurate identification of AdFind tool usage in Windows environments and better detection of unauthorized file ownership changes to root in Linux systems, further fortifying defenses against privilege abuse and lateral movement techniques across both platforms.
New Analytic Story - [0]
Updated Analytic Story - [1]
New Analytics - [10]
- Splunk Disable KVStore via CSRF Enabling Maintenance Mode
- Splunk Image File Disclosure via PDF Export in Classic Dashboard
- Splunk Low-Priv Search as nobody SplunkDeploymentServerConfig App
- Splunk Persistent XSS via Props Conf
- Splunk Persistent XSS via Scheduled Views
- Splunk RCE Through Arbitrary File Write to Windows System Root
- Splunk SG Information Disclosure for Low Privs User
- Splunk Sensitive Information Disclosure in DEBUG Logging Channels
- Windows IIS Server PSWA Console Access
- Windows Identify PowerShell Web Access IIS Pool
Updated Analytics - [15]
- Create Remote Thread into LSASS
- Detect Regsvcs with Network Connection
- Linux Auditd Change File Owner To Root
- Possible Lateral Movement PowerShell Spawn
- Suspicious Process DNS Query Known Abuse Web Services
- Windows AdFind Exe
- Windows DISM Install PowerShell Web Access
- Windows Enable PowerShell Web Access
- Windows Impair Defenses Disable AV AutoStart via Registry
- Windows Modify Registry Utilize ProgIDs
- Windows Modify Registry ValleyRAT C2 Config
- Windows Modify Registry ValleyRat PWN Reg Entry
- Windows Privileged Group Modification
- Windows Scheduled Task DLL Module Loaded
- Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr
Other Updates
- Updated README.md and WIKI on Github repository
v4.41.0
Key Highlights
ValleyRAT Analytic Story: This update introduces comprehensive detections tailored to the ValleyRAT malware, providing enhanced monitoring and threat-hunting capabilities for adversarial activity on Windows systems. The story includes new detections focusing on impairing defenses, modifying system registries, and exploiting privilege escalation mechanisms. Key detections cover tactics such as disabling antivirus via registry modifications, setting Windows Defender exclusions, and UAC bypass techniques like FodHelper and Eventvwr. These detections improve visibility into malicious registry changes, task scheduling anomalies, and suspicious executable behavior, fortifying defenses against ValleyRAT C2 activity and privilege abuse attempts.
Total New and Updated Content: [16]
New Analytic Story - [1]
Updated Analytic Story - [0]
New Analytics - [6]
Windows Impair Defenses Disable AV AutoStart via Registry
Windows Modify Registry Utilize ProgIDs
Windows Modify Registry ValleyRAT C2 Config
Windows Modify Registry ValleyRat PWN Reg Entry
Windows Schedule Task DLL Module Loaded
Windows Schedule Tasks for CompMgmtLauncher or Eventvwr
Updated Analytics - [9]
Add or Set Windows Defender Exclusion
CMLUA Or CMSTPLUA UAC Bypass
Eventvwr UAC Bypass
Executables Or Script Creation In Suspicious Path
FodHelper UAC Bypass
Suspicious Process File Path
WinEvent Windows Task Scheduler Event Action Started
Windows Access Token Manipulation SeDebugPrivilege
Windows Defender Exclusion Registry Entry
v4.40.0
Key highlights
Key Highlights for Enterprise Security Content Update version 4.40.0:
Compromised Linux Host: This update introduces a robust set of 50 detections for compromised Linux hosts, covering a wide range of activities such as unauthorized account creation, file ownership changes, kernel module modifications, privilege escalation, data destruction, and suspicious service stoppages, enhancing visibility into potential malicious actions and system tampering.
Black Suit Ransomware: We have tagged existing analytics, aligning with tactics, techniques, and procedures (TTPs) associated with the Black Suit ransomware, providing organizations with targeted threat detection capabilities to identify and mitigate ransomware attacks before they can cause significant damage.
CISA Alert (CISA AA24-241A): In response to a joint advisory regarding Iran-based cyber actors exploiting U.S. and foreign organizations, this update includes new detections for identifying PowerShell Web Access installations and enabling activities, strengthening defenses against ransomware and espionage activities linked to these threats.
Total New and Updated Content: [133]
New Analytic Story - [3]
Updated Analytic Story - [0]
New Analytics - [52]
- Linux Auditd Add User Account Type
- Linux Auditd Add User Account
- Linux Auditd At Application Execution
- Linux Auditd Auditd Service Stop
- Linux Auditd Base64 Decode Files
- Linux Auditd Change File Owner To Root
- Linux Auditd Clipboard Data Copy
- Linux Auditd Data Destruction Command
- Linux Auditd Data Transfer Size Limits Via Split Syscall
- Linux Auditd Data Transfer Size Limits Via Split
- Linux Auditd Database File And Directory Discovery
- Linux Auditd Dd File Overwrite
- Linux Auditd Disable Or Modify System Firewall
- Linux Auditd Doas Conf File Creation
- Linux Auditd Doas Tool Execution
- Linux Auditd Edit Cron Table Parameter
- Linux Auditd File And Directory Discovery
- Linux Auditd File Permission Modification Via Chmod
- Linux Auditd File Permissions Modification Via Chattr
- Linux Auditd Find Credentials From Password Managers
- Linux Auditd Find Credentials From Password Stores
- Linux Auditd Find Private Keys
- Linux Auditd Find Ssh Private Keys
- Linux Auditd Hardware Addition Swapoff
- Linux Auditd Hidden Files And Directories Creation
- Linux Auditd Insert Kernel Module Using Insmod Utility
- Linux Auditd Install Kernel Module Using Modprobe Utility
- Linux Auditd Kernel Module Enumeration
- Linux Auditd Kernel Module Using Rmmod Utility
- Linux Auditd Nopasswd Entry In Sudoers File
- Linux Auditd Osquery Service Stop
- Linux Auditd Possible Access Or Modification Of Sshd Config File
- Linux Auditd Possible Access To Credential Files
- Linux Auditd Possible Access To Sudoers File
- Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File
- Linux Auditd Preload Hijack Library Calls
- Linux Auditd Preload Hijack Via Preload File
- Linux Auditd Service Restarted
- Linux Auditd Service Started
- Linux Auditd Setuid Using Chmod Utility
- Linux Auditd Setuid Using Setcap Utility
- Linux Auditd Shred Overwrite Command
- Linux Auditd Stop Services
- Linux Auditd Sudo Or Su Execution
- Linux Auditd Sysmon Service Stop
- Linux Auditd System Network Configuration Discovery
- Linux Auditd Unix Shell Configuration Modification
- Linux Auditd Unload Module Via Modprobe
- Linux Auditd Virtual Disk File And Directory Discovery
- Linux Auditd Whoami User Discovery
- Windows DISM Install PowerShell Web Access
- Windows Enable PowerShell Web Access
Updated Analytics - [72]
- ASL AWS Concurrent Sessions From Different Ips
- Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
- Anomalous usage of 7zip
- Citrix ADC Exploitation CVE-2023-3519
- Create Remote Thread into LSASS
- Create local admin accounts using net exe
- Detect Credential Dumping through LSASS access
- Detect New Local Admin account
- Detect Remote Access Software Usage DNS
- Detect Remote Access Software Usage File
- Detect Remote Access Software Usage Process
- Detect Remote Access Software Usage URL
- Detect SharpHound Command-Line Arguments
- Detect SharpHound File Modifications
- Disable Defender AntiVirus Registry
- Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
- Domain Controller Discovery with Nltest
- [Elevated ...
v4.39.1
Release notes
- RMM Software Tracking Dashboard was missing in the 4.39.0 release. This has been resolved in Content Update 4.39.1.
v4.39.0
Key Highlights
Enterprise Security Content Update version 4.39.0 introduces critical detections aimed at addressing vulnerabilities in Ivanti Virtual Traffic Manager (CVE-2024-7593), with a particular focus on detecting SQL injection remote code execution and unauthorized account creation activities.This update also significantly enhances Office 365 security by incorporating advanced detections that monitor data loss prevention triggers, identify suspicious email behaviors, and track critical security feature changes across email and SharePoint environments, ensuring a more robust defense against potential threats. Additionally, a comprehensive set of new detections for Windows Active Directory is included, targeting potential threats related to privilege escalation, dangerous ACL modifications, GPO changes, and suspicious attribute modifications, thereby strengthening the overall identity and access management defenses within the enterprise. This release also introduces a new RMM Software Tracking Dashboard, designed to assist with the auditing and monitoring of Remote Monitoring and Management (RMM) software. This dashboard provides comprehensive visibility into RMM alert content, enabling more effective tracking and analysis of RMM-related activities and potential security risks within your environment.
New Analytic Story - [2]
New Analytics - [29]
- Detect Password Spray Attack Behavior From Source (External Contributor: @nterl0k )
- Detect Password Spray Attack Behavior On User(External Contributor: @nterl0k )
- Ivanti EPM SQL Injection Remote Code Execution
- Ivanti VTM New Account Creation
- O365 DLP Rule Triggered(External Contributor: @nterl0k )
- O365 Email Access By Security Administrator(External Contributor: @nterl0k )
- O365 Email Reported By Admin Found Malicious(External Contributor: @nterl0k )
- O365 Email Reported By User Found Malicious(External Contributor: @nterl0k )
- O365 Email Security Feature Changed(External Contributor: @nterl0k )
- O365 Email Suspicious Behavior Alert(External Contributor: @nterl0k )
- O365 Safe Links Detection(External Contributor: @nterl0k )
- O365 SharePoint Allowed Domains Policy Changed(External Contributor: @nterl0k )
- O365 SharePoint Malware Detection(External Contributor: @nterl0k )
- O365 Threat Intelligence Suspicious Email Delivered(External Contributor: @nterl0k )
- O365 Threat Intelligence Suspicious File Detected(External Contributor: @nterl0k )
- O365 ZAP Activity Detection(External Contributor: @nterl0k )
- Windows AD DCShadow Privileges ACL Addition(External Contributor: @dluxtron)
- Windows AD Dangerous Deny ACL Modification(External Contributor: @dluxtron)
- Windows AD Dangerous Group ACL Modification(External Contributor: @dluxtron)
- Windows AD Dangerous User ACL Modification(External Contributor: @dluxtron)
- Windows AD Domain Root ACL Deletion(External Contributor: @dluxtron)
- Windows AD Domain Root ACL Modification(External Contributor: @dluxtron)
- Windows AD GPO Deleted(External Contributor: @dluxtron)
- Windows AD GPO Disabled(External Contributor: @dluxtron)
- Windows AD GPO New CSE Addition(External Contributor: @dluxtron)
- Windows AD Hidden OU Creation(External Contributor: @dluxtron)
- Windows AD Object Owner Updated(External Contributor: @dluxtron)
- Windows AD Self DACL Assignment(External Contributor: @dluxtron)
- Windows AD Suspicious Attribute Modification(External Contributor: @dluxtron)
Updated Analytics - [2]
- Azure AD Concurrent Sessions From Different Ips
- Azure AD High Number Of Failed Authentications From Ip
New Dashboards
- RMM Software Tracking: Utilize this dashboard to assist with auditing and monitoring of Remote Monitoring and Management (RMM) alert content. (External Contributor: @nterl0k )
Other Updates
- Updated observables for 300+ analytics to improve creation accuracy of risk and threat objects
- contentctl was updated to v4.3.3, expanding the validation of content which leverages risk-based alerting (RBA). All production ESCU content, which uses RBA is now tested to ensure that threat objects, risk objects, and risk messages are generated accurately. These additional validations have resulted in the improvement of over 300 pieces of content in ESCU 4.39.0.
v4.38.0
Key highlights
Enterprise Security Content Update version 4.38.0 introduces new detections focusing on Windows Endpoints and Office365 with specific attention to identity and access management vulnerabilities. This version also includes detections to identify unusual NTLM authentication patterns. A number of new detections are included for Crowdstrike environments to identify weak password policies, detect duplicate passwords among users and administrators, assess identity risk with various severity levels, and detect privilege escalation attempts in non-administrative accounts. For Office 365 environments, this update includes detections to monitor cross-tenant access changes, external guest invitations, changes in external identity policies, and privileged role assignments. Finally, two new analytic stores are included for help detect Compromised Windows Hosts or activities linked to the Handala Wiper Malware.
New Analytic Story - [2]
Updated Analytic Story - [1]
New Analytics - [20]
- Crowdstrike Admin Weak Password Policy
- Crowdstrike Admin With Duplicate Password
- Crowdstrike High Identity Risk Severity
- Crowdstrike Medium Identity Risk Severity
- Crowdstrike Medium Severity Alert
- Crowdstrike Multiple LOW Severity Alerts
- Crowdstrike Privilege Escalation For Non-Admin User
- Crowdstrike User Weak Password Policy
- Crowdstrike User with Duplicate Password
- O365 Application Available To Other Tenants(External Contributor: @nterl0k )
- O365 Cross-Tenant Access Change (External Contributor: @nterl0k )
- O365 External Guest User Invited (External Contributor: @nterl0k )
- O365 External Identity Policy Changed(External Contributor: @nterl0k )
- O365 Privileged Role Assigned To Service Principal(External Contributor: @nterl0k )
- O365 Privileged Role Assigned(External Contributor: @nterl0k )
- Windows Multiple NTLM Null Domain Authentications(External Contributor: @nterl0k )
- Windows Unusual NTLM Authentication Destinations By Source(External Contributor: @nterl0k )
- Windows Unusual NTLM Authentication Destinations By User(External Contributor: @nterl0k )
- Windows Unusual NTLM Authentication Users By Destination(External Contributor: @nterl0k )
- Windows Unusual NTLM Authentication Users By Source(External Contributor: @nterl0k )
Updated Analytics - [13]
- Detect Regasm Spawning a Process
- Detect Regasm with Network Connection
- Detect Regasm with no Command Line Arguments
- Executables Or Script Creation In Suspicious Path
- Internal Horizontal Port Scan
- Linux c99 Privilege Escalation
- Powershell Windows Defender Exclusion Commands
- Suspicious Process File Path
- Windows AutoIt3 Execution
- Windows Data Destruction Recursive Exec Files Deletion
- Windows Gather Victim Network Info Through Ip Check Web Services
- Windows High File Deletion Frequency
- Windows Vulnerable Driver Installed
Macros Added - [3]
- crowdstrike_identities
- crowdstrike_stream
- ntlm_audit
Macros Updated - [1]
- linux_hosts
Lookups Updated - [1]
- privileged_azure_ad_roles
Other Updates
- Added new data_source objects
- Changes TA names in data sources to match the name in Splunk
- Updated TA version to match the latest (new check in contentctl)
- Add configuration file to Sysmon and Windows Event Code 4688
- Update analytic story on detections for Handala Wiper
v4.37.0
Key Highlights
Enterprise Security Content Updates version 4.37.0 introduces new detections focused on emerging threats like AcidPour, Gozi Malware, and ShrinkLocker. These analytics identify sophisticated techniques used by these malware families to compromise Windows environments, primarily through registry modifications. The update includes detections for attempts to configure BitLocker, delete firewall rules, disable Remote Desktop Protocol (RDP), alter Smart Card Group Policy, modify firewall rules, and change Outlook WebView settings. By monitoring these critical registry changes, security teams can more effectively identify potential compromises and swiftly mitigate risks associated with these advanced malware variants.We have also published a detailed blog on Acid Pour Wiper Malware and the various TTPs used by this wiper malware.
This release also contains detections for identifying exploitation of the following vulnerabilities:
- CVE-2024-5806, published by Progress Software, describes an improper authentication vulnerability affecting the MOVEit Transfer SFTP service that can lead to authentication bypass.
- CVE-2024-29824, published by ZDI and Ivanti, concerns an enterprise endpoint management solution and describes a SQL injection resulting in remote code execution with a CVSS score of 9.8.
- CVE-2024-37085, published by Broadcom, impacts VMware ESXi hypervisors. Successful exploitation of this flaw allows attackers with sufficient Active Directory permissions to gain full access to an ESXi host configured to use AD for user management by re-creating the default 'ESXi Admins' group after it has been deleted from Active Directory.
New Analytic Story - [6]
- AcidPour
- Gozi Malware
- Ivanti EPM Vulnerabilities
- MOVEit Transfer Authentication Bypass
- ShrinkLocker
- VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
New Analytics - [16]
- Ivanti EPM SQL Injection Remote Code Execution
- MOVEit Certificate Store Access Failure
- MOVEit Empty Key Fingerprint Authentication Attempt
- Windows ESX Admins Group Creation Security Event
- Windows ESX Admins Group Creation via Net
- Windows ESX Admins Group Creation via PowerShell
- Windows Known Abused DLL Loaded Suspiciously (External Contributor: @nterl0k )
- Windows LOLBAS Executed As Renamed File (External Contributor: @nterl0k)
- Windows LOLBAS Executed Outside Expected Path (External Contributor: @nterl0k )
- Windows Modify Registry Configure BitLocker
- Windows Modify Registry Delete Firewall Rules
- Windows Modify Registry Disable RDP
- Windows Modify Registry on Smart Card Group Policy
- Windows Modify Registry to Add or Modify Firewall Rule
- Windows Outlook WebView Registry Modification
- Windows Privileged Group Modification (External Contributor: @TheLawsOfChaos )
Updated Analytics - [11]
- Detect Remote Access Software Usage DNS (External Contributor: @nterl0k )
- Detect Remote Access Software Usage FileInfo(External Contributor: @nterl0k )
- Detect Remote Access Software Usage File(External Contributor: @nterl0k )
- Detect Remote Access Software Usage Process(External Contributor: @nterl0k )
- Detect Remote Access Software Usage Traffic(External Contributor: @nterl0k )
- Detect Remote Access Software Usage URL(External Contributor: @nterl0k )
- Possible Lateral Movement PowerShell Spawn
- Linux Obfuscated Files or Information Base64 Decode
- Linux Decode Base64 to Shell
- Windows Protocol Tunneling with Plink
- Malicious PowerShell Process - Encoded Command
- Windows Event Log Cleared
- Azure AD Admin Consent Bypassed by Service Principal (External Contributor: @dluxtron)
- Azure AD Global Administrator Role Assigned (External Contributor: @dluxtron)
- Azure AD Privileged Role Assigned (External Contributor: @dluxtron)
- Azure AD Service Principal New Client Credentials (External Contributor: @dluxtron)
- Detect New Local Admin account (External Contributor: @dluxtron)
- Kerberos Pre-Authentication Flag Disabled in UserAccountControl (External Contributor: @dluxtron)
- Detect Renamed PSExec (External Contributor: Alex Oberkircher, Github)
- Scheduled Task Initiation on Remote Endpoint(External Contributor: @Badoodish, Github)
Macros Added - [2]
- moveit_sftp_logs
- remote_access_software_usage_exceptions
Lookups Added - [1]
- remote_access_software_exceptions
Lookups Updated - [4]
- lolbas_file_path
- privileged_azure_ad_roles
- remote_access_software
- splunk_risky_command
Other Updates
- Remove usage_searches.conf from the ESCU app
- Update the yaml file structure for data_sources objects
- Remove dev/ directory from Github repo as we do not actively maintain Sigma supported detections in this directory
- Removed ransomware_extensions.csv from the repo and replaced it with an updated lookup - ransomware_extensions_20231219.csv
- Removed ransomware_notes.csv from the repo and replaced it with an updated lookup - ransomware_notes_20231219.csv
- Removed privileged_azure_ad_roles.csv from the repo and replaced it with an updated lookup - privileged_azure_ad_roles20240729.csv
- Removed remote_access_software.csv from the repo and replaced it with an updated lookup - remote_access_software20240726.csv
v4.36.0
Key highlights
Enterprise Security Content Updates version 4.36.0 introduces a comprehensive suite of new detections related to Sneaky Active Directory Persistence Tricks. These detections are designed to identify and alert on subtle techniques used by attackers to maintain unauthorized access within Active Directory environments. The update includes analytics for detecting distributed and localized password spray attempts, identifying internal horizontal and vertical port scans, and alerting on Windows AD self-group additions.
Additionally, this release incorporates detections for monitoring increases in group/object modification activity, tracking unusual spikes in user modification activity, detecting suspicious Windows network share interactions, and identifying installations of known vulnerable drivers. These new capabilities significantly enhance an organization's ability to spot and respond to sophisticated persistence techniques in Active Directory, improving overall security posture against advanced persistent threats.
ESCU 4.36.0
###Total New and Updated Content: [10]
New Analytics - [10]
- Detect Distributed Password Spray Attempts
- Detect Password Spray Attempts
- Internal Horizontal Port Scan
- Internal Vertical Port Scan
- Windows AD add Self to Group
- Windows Increase in Group or Object Modification Activity
- Windows Increase in User Modification Activity
- Windows Network Share Interaction With Net
- Windows Vulnerable Driver Installed
Other Updates
- Added new data_source objects
v4.35.0
Key Highlights
- Enterprise Security Content Updates version 4.35.0 contains 11 new analytics and 6 updated analytics that are specifically crafted to detect the Splunk Security Advisories that were published on July 1st, 2024 for Splunk Enterprise 9.2.2, 9.1.5, 9.0.10 and Splunk Cloud. These Splunk Enterprise updates address several critical vulnerabilities, including multiple instances of persistent cross-site scripting (XSS) in various endpoints, remote code execution (RCE) exploits, and denial of service (DoS) vulnerabilities. Additionally, in this ESCU build we have updated the analytics for detecting information disclosure of user names, path traversal, insecure file uploads, and risky command safeguards bypasses, ensuring a more secure environment for Splunk Enterprise users. Please refer to https://advisory.splunk.com/ for specific details about the vulnerabilities.
Total New and Updated Content: [19]
New Analytic Story - [0]
Updated Analytic Story - [0]
New Analytics - [11]
- Splunk DoS via POST Request Datamodel Endpoint
- Splunk Information Disclosure on Account Login
- Splunk RCE PDFgen Render
- Splunk RCE via External Lookup Copybuckets
- Splunk Stored XSS conf-web Settings on Premises
- Splunk Stored XSS via Specially Crafted Bulletin Message
- Splunk Unauthenticated DoS via Null Pointer References
- Splunk Unauthenticated Path Traversal Modules Messaging
- Splunk Unauthorized Experimental Items Creation
- Splunk XSS Privilege Escalation via Custom Urls in Dashboard
- Splunk XSS Via External Urls in Dashboards SSRF
Updated Analytics - [6]
- Splunk CSRF in the SSG kvstore Client Endpoint
- Splunk Enterprise Windows Deserialization File Partition
- Splunk Stored XSS via Data Model objectName Field
- Splunk XSS in Highlighted JSON Events
- Splunk XSS in Save table dialog header in search page
- Splunk risky Command Abuse disclosed february 2023
Macros Added - [1]
- splunkd_webs
Macros Updated - [0]
Lookups Added - [0]
Lookups Updated - [1]
- splunk_risky_command
Playbooks Added - [0]
Playbooks Updated - [0]
Deprecated Analytics - [0]
Other Updates
- Updated the ESCU Summary Dashboard to link directly to the Enterprise Security Use Case Library.
Full Changelog: v4.34.0...v4.35.0