
Releases: splunk/security_content

v4.43.0

14 Nov 01:21
738216a

Release notes - v4.43.0

Total New and Updated Content: [1645]

Key highlights

Detection Analytics Updates

  • Critical Alerts: Introduced a new analytic to detect critical alerts from multiple security tools, enhancing quick identification and response for high-priority threats. Tested with MS365 Defender and Windows Defender Alerts, compatible with any vendor alerts mapped to the Alerts data model.
  • Braodo Stealer: Added detections focused on identifying malicious behaviors associated with information-stealing malware.

Tooling Updates

We have released a new version of contentctl (v4.4.5) that helps with building and testing ESCU content:

  • Enhanced Drilldowns: Added two default drilldowns for all notable detections, enabling users to view detection results for specific risk objects and access risk events from the past 7 days. This improves investigation workflows and response efficiency.
  • Version Enforcement & Datasource Testing: Enhanced version enforcement for detection content, automatically updating search versions when YAML changes. Added new datasource testing for detections, ensuring compatibility when new TAs are available.
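The two tooling behaviours listed above, a version bump whenever a detection's content changes and two drilldowns on every TTP/Anomaly/Correlation detection, are the kind of thing a content team wants to verify before merging. The script below is an added example written for this page, not contentctl's own code or its actual rules; it assumes detections have already been loaded from their YAML into dictionaries with `name`, `type`, `version`, `search` and `drilldown_searches` keys (field names assumed, chosen to mirror the detection YAML), and every sample record and search string in it is constructed.

```python
import hashlib
import json

# Detection types the release notes say now carry two drilldowns.
DRILLDOWN_REQUIRED_TYPES = {"TTP", "Anomaly", "Correlation"}
# Fields whose change should force a version bump (assumed policy).
VERSIONED_FIELDS = ("search", "drilldown_searches")
# Keys each drilldown entry is expected to have (assumed schema).
DRILLDOWN_KEYS = ("name", "search")


def content_fingerprint(detection: dict) -> str:
    """Stable SHA-256 over the fields that make up the deployable search."""
    payload = {field: detection.get(field) for field in VERSIONED_FIELDS}
    blob = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def check_version_bump(old: dict, new: dict) -> list[str]:
    """Flag a detection whose content changed without a higher version."""
    if content_fingerprint(old) == content_fingerprint(new):
        return []
    if new.get("version", 0) > old.get("version", 0):
        return []
    return [f"{new['name']}: content changed but version stayed at {old.get('version')}"]


def check_drilldowns(detection: dict) -> list[str]:
    """Require two well-formed drilldowns on TTP/Anomaly/Correlation detections."""
    if detection.get("type") not in DRILLDOWN_REQUIRED_TYPES:
        return []
    findings = []
    drilldowns = detection.get("drilldown_searches") or []
    if len(drilldowns) < 2:
        findings.append(f"{detection['name']}: expected 2 drilldowns, found {len(drilldowns)}")
    for index, entry in enumerate(drilldowns):
        missing = [key for key in DRILLDOWN_KEYS if not entry.get(key)]
        if missing:
            findings.append(f"{detection['name']}: drilldown {index} missing {', '.join(missing)}")
    return findings


def audit(old_detections: list[dict], new_detections: list[dict]) -> list[str]:
    """Run both checks over a proposed content set against the last release."""
    previous = {d["name"]: d for d in old_detections}
    findings = []
    for detection in new_detections:
        findings.extend(check_drilldowns(detection))
        if detection["name"] in previous:
            findings.extend(check_version_bump(previous[detection["name"]], detection))
    return findings


# Constructed sample records (not real ESCU content); search strings are placeholders.
SAMPLE_DRILLDOWNS = [
    {"name": "View the detection results for $dest$",
     "search": "%original_detection_search% | search dest=$dest$"},
    {"name": "View risk events for the last 7 days for $dest$",
     "search": "| from datamodel Risk.All_Risk | search risk_object=$dest$"},
]
RELEASED = [
    {"name": "Windows AdFind Exe", "type": "TTP", "version": 3,
     "search": "| tstats count from datamodel=Endpoint.Processes where Processes.process_name=adfind.exe",
     "drilldown_searches": SAMPLE_DRILLDOWNS},
]
PROPOSED = [
    # Search text changed (an exclusion added) but version left at 3.
    {"name": "Windows AdFind Exe", "type": "TTP", "version": 3,
     "search": "| tstats count from datamodel=Endpoint.Processes where Processes.process_name=adfind.exe Processes.user!=SYSTEM",
     "drilldown_searches": SAMPLE_DRILLDOWNS},
    # New detection shipped with only one drilldown.
    {"name": "Critical Alerts", "type": "TTP", "version": 1,
     "search": "| tstats count from datamodel=Alerts where Alerts.severity=critical",
     "drilldown_searches": SAMPLE_DRILLDOWNS[:1]},
    # Hunting detection: drilldowns are not required.
    {"name": "Example Hunting Search", "type": "Hunting", "version": 1,
     "search": "| tstats count from datamodel=Endpoint.Processes", "drilldown_searches": []},
]


def run_sample() -> list[str]:
    """Audit the constructed proposed set against the constructed released set."""
    return audit(RELEASED, PROPOSED)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the constructed sample this reports two findings: the AdFind search changed without a version bump, and Critical Alerts has one drilldown instead of two; the Hunting detection is left alone. Hashing only the versioned fields means editing a description or a tag does not force a bump, which is the policy choice to adjust if the team wants stricter enforcement.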

Documentation Update

Additionally, the Splunk documentation and the GitHub Wiki have been updated to include the latest features shipped in the Enterprise Security Content Update (ESCU). This update provides detailed guidance on using and testing these detections with Splunk Enterprise Security.

New Analytic Story - [2]

New Analytics - [9]

Updated Analytics - [1532]

  • All TTP/Anomaly and Correlation type detections now have two drilldowns added to their yaml files.

Huge thanks to @dluxtron for contributing new detections and enhancing existing ones!

v4.42.0

14 Oct 22:21
eb2e7d3

Total New and Updated Content: [18]

Key Highlights:

Splunk Vulnerabilities: This release introduces key detections for recently disclosed Splunk vulnerabilities, including issues like disabling KVStore via CSRF, image file disclosure in PDF exports, and persistent XSS attacks. It also covers critical vulnerabilities such as remote code execution through arbitrary file writes and sensitive information disclosure in low-privileged user sessions and DEBUG logs. These detections enhance monitoring for exploitation attempts, improving Splunk's defenses against potential attacks and data breaches.

CISA AA24-241A: This new analytic story delivers detections tailored to identify malicious usage of PowerShell Web Access (PSWA) in Windows environments. These new detections focus on monitoring PowerShell Web Access activity through the IIS application pool and web access logs, providing enhanced visibility into suspicious or unauthorized access. The story introduces two key detections: "Windows Identify PowerShell Web Access IIS Pool" and "Windows IIS Server PSWA Console Access," which track the creation and usage of PSWA sessions, anomalies in IIS pool configurations, and unusual patterns of console access. By improving detection of PowerShell Web Access exploitation, we can strengthen defenses against potential privilege escalation, lateral movement, and remote code execution attempts within Windows infrastructures.

In addition to these updates, the detection logic for "Windows AdFind Exe" and "Linux Auditd Change File Owner To Root" has been improved based on customer feedback. These enhancements provide more accurate identification of AdFind tool usage in Windows environments and better detection of unauthorized file ownership changes to root in Linux systems, further fortifying defenses against privilege abuse and lateral movement techniques across both platforms.

New Analytic Story - [0]

Updated Analytic Story - [1]

New Analytics - [10]

Updated Analytics - [15]

Other Updates

  • Updated README.md and WIKI on Github repository

v4.41.0

26 Sep 17:25
2e0a7c5

Key Highlights

ValleyRAT Analytic Story: This update introduces comprehensive detections tailored to the ValleyRAT malware, providing enhanced monitoring and threat-hunting capabilities for adversarial activity on Windows systems. The story includes new detections focusing on impairing defenses, modifying system registries, and exploiting privilege escalation mechanisms. Key detections cover tactics such as disabling antivirus via registry modifications, setting Windows Defender exclusions, and UAC bypass techniques like FodHelper and Eventvwr. These detections improve visibility into malicious registry changes, task scheduling anomalies, and suspicious executable behavior, fortifying defenses against ValleyRAT C2 activity and privilege abuse attempts.

Total New and Updated Content: [16]

New Analytic Story - [1]

ValleyRAT

Updated Analytic Story - [0]

New Analytics - [6]

Windows Impair Defenses Disable AV AutoStart via Registry
Windows Modify Registry Utilize ProgIDs
Windows Modify Registry ValleyRAT C2 Config
Windows Modify Registry ValleyRat PWN Reg Entry
Windows Schedule Task DLL Module Loaded
Windows Schedule Tasks for CompMgmtLauncher or Eventvwr

Updated Analytics - [9]

Add or Set Windows Defender Exclusion
CMLUA Or CMSTPLUA UAC Bypass
Eventvwr UAC Bypass
Executables Or Script Creation In Suspicious Path
FodHelper UAC Bypass
Suspicious Process File Path
WinEvent Windows Task Scheduler Event Action Started
Windows Access Token Manipulation SeDebugPrivilege
Windows Defender Exclusion Registry Entry

v4.40.0

11 Sep 16:48
c80663d

Key highlights

Key Highlights for Enterprise Security Content Update version 4.40.0:

Compromised Linux Host: This update introduces a robust set of 50 detections for compromised Linux hosts, covering a wide range of activities such as unauthorized account creation, file ownership changes, kernel module modifications, privilege escalation, data destruction, and suspicious service stoppages, enhancing visibility into potential malicious actions and system tampering.

Black Suit Ransomware: We have tagged existing analytics, aligning with tactics, techniques, and procedures (TTPs) associated with the Black Suit ransomware, providing organizations with targeted threat detection capabilities to identify and mitigate ransomware attacks before they can cause significant damage.

CISA Alert (CISA AA24-241A): In response to a joint advisory regarding Iran-based cyber actors exploiting U.S. and foreign organizations, this update includes new detections for identifying PowerShell Web Access installations and enabling activities, strengthening defenses against ransomware and espionage activities linked to these threats.

Total New and Updated Content: [133]

New Analytic Story - [3]

Updated Analytic Story - [0]

New Analytics - [52]

Updated Analytics - [72]


v4.39.1

30 Aug 21:16
a20338d

Release notes

  • RMM Software Tracking Dashboard was missing in the 4.39.0 release. This has been resolved in Content Update 4.39.1.

v4.39.0

29 Aug 16:37
f7112e6

Key Highlights

Enterprise Security Content Update version 4.39.0 introduces critical detections aimed at addressing vulnerabilities in Ivanti Virtual Traffic Manager (CVE-2024-7593), with a particular focus on detecting SQL injection remote code execution and unauthorized account creation activities. This update also significantly enhances Office 365 security by incorporating advanced detections that monitor data loss prevention triggers, identify suspicious email behaviors, and track critical security feature changes across email and SharePoint environments, ensuring a more robust defense against potential threats. Additionally, a comprehensive set of new detections for Windows Active Directory is included, targeting potential threats related to privilege escalation, dangerous ACL modifications, GPO changes, and suspicious attribute modifications, thereby strengthening the overall identity and access management defenses within the enterprise. This release also introduces a new RMM Software Tracking Dashboard, designed to assist with the auditing and monitoring of Remote Monitoring and Management (RMM) software. This dashboard provides comprehensive visibility into RMM alert content, enabling more effective tracking and analysis of RMM-related activities and potential security risks within your environment.

New Analytic Story - [2]

New Analytics - [29]

Updated Analytics - [2]

New Dashboards

  • RMM Software Tracking: Utilize this dashboard to assist with auditing and monitoring of Remote Monitoring and Management (RMM) alert content. (External Contributor: @nterl0k)

Other Updates

  • Updated observables for 300+ analytics to improve creation accuracy of risk and threat objects
  • contentctl was updated to v4.3.3, expanding the validation of content that leverages risk-based alerting (RBA). All production ESCU content that uses RBA is now tested to ensure that threat objects, risk objects, and risk messages are generated accurately. These additional validations have resulted in the improvement of over 300 pieces of content in ESCU 4.39.0.

v4.38.0

16 Aug 00:15
9f85603

Key highlights

Enterprise Security Content Update version 4.38.0 introduces new detections focusing on Windows endpoints and Office 365, with specific attention to identity and access management vulnerabilities. This version also includes detections to identify unusual NTLM authentication patterns. A number of new detections are included for CrowdStrike environments to identify weak password policies, detect duplicate passwords among users and administrators, assess identity risk at various severity levels, and detect privilege escalation attempts in non-administrative accounts. For Office 365 environments, this update includes detections to monitor cross-tenant access changes, external guest invitations, changes in external identity policies, and privileged role assignments. Finally, two new analytic stories are included to help detect compromised Windows hosts or activities linked to the Handala Wiper malware.

New Analytic Story - [2]

Updated Analytic Story - [1]

New Analytics - [20]

Updated Analytics - [13]

Macros Added - [3]

  • crowdstrike_identities
  • crowdstrike_stream
  • ntlm_audit

Macros Updated - [1]

  • linux_hosts

Lookups Updated - [1]

  • privileged_azure_ad_roles

Other Updates

  • Added new data_source objects
  • Changed TA names in data sources to match the name in Splunk
  • Updated TA version to match the latest (new check in contentctl)
  • Added configuration file to Sysmon and Windows Event Code 4688
  • Updated analytic story on detections for Handala Wiper

v4.37.0

31 Jul 18:30
891ebbe

Key Highlights

Enterprise Security Content Update version 4.37.0 introduces new detections focused on emerging threats like AcidPour, Gozi Malware, and ShrinkLocker. These analytics identify sophisticated techniques used by these malware families to compromise Windows environments, primarily through registry modifications. The update includes detections for attempts to configure BitLocker, delete firewall rules, disable Remote Desktop Protocol (RDP), alter Smart Card Group Policy, modify firewall rules, and change Outlook WebView settings. By monitoring these critical registry changes, security teams can more effectively identify potential compromises and swiftly mitigate risks associated with these advanced malware variants. We have also published a detailed blog on the AcidPour wiper malware and the various TTPs it uses.

This release also contains detections for identifying exploitation of the following vulnerabilities:

  • CVE-2024-5806, published by Progress Software, describes an improper authentication vulnerability affecting the MOVEit Transfer SFTP service that can lead to authentication bypass.
  • CVE-2024-29824, published by ZDI and Ivanti, concerns an enterprise endpoint management solution and describes a SQL injection resulting in remote code execution with a CVSS score of 9.8.
  • CVE-2024-37085, published by Broadcom, impacts VMware ESXi hypervisors. Successful exploitation of this flaw allows attackers with sufficient Active Directory permissions to gain full access to an ESXi host configured to use AD for user management by re-creating the default 'ESXi Admins' group after it has been deleted from Active Directory.

New Analytic Story - [6]

New Analytics - [16]

Updated Analytics - [11]

Macros Added - [2]

  • moveit_sftp_logs
  • remote_access_software_usage_exceptions

Lookups Added - [1]

  • remote_access_software_exceptions

Lookups Updated - [4]

  • lolbas_file_path
  • privileged_azure_ad_roles
  • remote_access_software
  • splunk_risky_command

Other Updates

  • Remove usage_searches.conf from the ESCU app
  • Update the yaml file structure for data_sources objects
  • Removed the dev/ directory from the GitHub repo, as we do not actively maintain Sigma-supported detections in this directory
  • Removed ransomware_extensions.csv from the repo and replaced it with an updated lookup - ransomware_extensions_20231219.csv
  • Removed ransomware_notes.csv from the repo and replaced it with an updated lookup - ransomware_notes_20231219.csv
  • Removed privileged_azure_ad_roles.csv from the repo and replaced it with an updated lookup - privileged_azure_ad_roles20240729.csv
  • Removed remote_access_software.csv from the repo and replaced it with an updated lookup - remote_access_software20240726.csv

v4.36.0

17 Jul 23:06
16885f0

Key highlights

Enterprise Security Content Update version 4.36.0 introduces a comprehensive suite of new detections related to Sneaky Active Directory Persistence Tricks. These detections are designed to identify and alert on subtle techniques used by attackers to maintain unauthorized access within Active Directory environments. The update includes analytics for detecting distributed and localized password spray attempts, identifying internal horizontal and vertical port scans, and alerting on Windows AD self-group additions.

Additionally, this release incorporates detections for monitoring increases in group/object modification activity, tracking unusual spikes in user modification activity, detecting suspicious Windows network share interactions, and identifying installations of known vulnerable drivers. These new capabilities significantly enhance an organization's ability to spot and respond to sophisticated persistence techniques in Active Directory, improving overall security posture against advanced persistent threats.

ESCU 4.36.0

Total New and Updated Content: [10]

New Analytics - [10]

Other Updates

  • Added new data_source objects

v4.35.0

01 Jul 18:38
fb7346f

Key Highlights

  • Enterprise Security Content Update version 4.35.0 contains 11 new analytics and 6 updated analytics that are specifically crafted to detect exploitation of the Splunk Security Advisories published on July 1st, 2024 for Splunk Enterprise 9.2.2, 9.1.5, 9.0.10 and Splunk Cloud. These Splunk Enterprise updates address several critical vulnerabilities, including multiple instances of persistent cross-site scripting (XSS) in various endpoints, remote code execution (RCE) exploits, and denial of service (DoS) vulnerabilities. Additionally, in this ESCU build we have updated the analytics for detecting information disclosure of user names, path traversal, insecure file uploads, and risky command safeguard bypasses, ensuring a more secure environment for Splunk Enterprise users. Please refer to https://advisory.splunk.com/ for specific details about the vulnerabilities.

Total New and Updated Content: [19]

New Analytic Story - [0]

Updated Analytic Story - [0]

New Analytics - [11]

Updated Analytics - [6]

Macros Added - [1]

  • splunkd_webs

Macros Updated - [0]

Lookups Added - [0]

Lookups Updated - [1]

  • splunk_risky_command

Playbooks Added - [0]

Playbooks Updated - [0]

Deprecated Analytics - [0]

Other Updates

  • Updated the ESCU Summary Dashboard to link directly to the Enterprise Security Use Case Library.

Full Changelog: v4.34.0...v4.35.0