
Releases: splunk/security_content

v4.15.0

01 Nov 21:02
dfd7454
New Analytic Story

New Analytics

  • Citrix ADC and Gateway Unauthorized Data Disclosure

Updated Analytics

  • Windows Admin Permission Discovery
  • Confluence CVE-2023-22515 Trigger Vulnerability
  • Confluence Data Center and Server Privilege Escalation

Other Updates

  • Updated GitLab CI pipelines to use contentctl for validating, building, inspecting and releasing the ESCU app

v4.14.0

18 Oct 20:40
ba0e12c

Release notes

New Analytic Story

  • Subvert Trust Controls SIP and Trust Provider Hijacking
  • Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357
  • Cisco IOS XE Software Web Management User Interface vulnerability

New Analytics

  • Confluence CVE-2023-22515 Trigger Vulnerability
  • Cisco IOS XE Implant Access
  • Detect Certipy File Modifications (External Contributor: @nterl0k)
  • Windows Domain Admin Impersonation Indicator
  • Windows Registry SIP Provider Modification
  • Microsoft SharePoint Server Elevation of Privilege
  • Windows Steal Authentication Certificates - ESC1 Abuse (External Contributor: @nterl0k)
  • Windows SIP Provider Inventory
  • Windows SIP WinVerifyTrust Failed Trust Validation

Updated Analytics

Other Updates

  • Minor changes to playbook names and UUID
  • Updated descriptions for 50 detections

BA Updates

  • Added lower() to BA detection searches in the eval function

v4.13.0

04 Oct 22:49
169c3af

New Analytic Story

  • NjRat
  • WS FTP Server Critical Vulnerabilities
  • JetBrains TeamCity Unauthenticated RCE

New Analytics

  • Windows Abused Web Services
  • Windows Admin Permission Discovery
  • Windows Delete or Modify System Firewall
  • Windows Disable or Modify Tools Via Taskkill
  • Windows Executable in Loaded Modules
  • Windows Njrat Fileless Storage via Registry
  • Windows Modify Registry With MD5 Reg Key Name
  • Splunk Absolute Path Traversal Using runshellscript
  • Splunk DoS Using Malformed SAML Request
  • Splunk RCE via Serialized Session Payload
  • Splunk Reflected XSS on App Search Table Endpoint
  • WS FTP Remote Code Execution
  • JetBrains TeamCity RCE Attempt

Updated Analytics

  • Windows Replication Through Removable Media
  • TOR Traffic

Other Updates

  • Updates to the lookup file: splunk_risky_command
  • Tagged relevant detections with NjRat behavior
  • Updates to the pretrained_dga_model_dsdl.ipynb notebook for better performance
  • Several production detections now have corrected observables so that they produce accurate risk objects
  • Updates to the generation code for creating BA detection files in the latest SPLv2

v4.12.0

20 Sep 19:54
c81a487

New Analytic Story

  • Forest Blizzard

New Analytics

  • Windows Find Domain Organizational Units with GetDomainOU
  • Windows Find Interesting ACL with FindInterestingDomainAcl
  • Windows Forest Discovery with GetForestDomain
  • Windows Get Local Admin with FindLocalAdminAccess
  • Headless Browser Mockbin or Mocky Request
  • Headless Browser Usage
  • Windows AD Abnormal Object Access Activity (External Contributor: @nterl0k)
  • Windows AD Privileged Object Access Activity (External Contributor: @nterl0k)

Other Updates

  • Added CVE reference to Splunk Edit User Privilege Escalation
  • Observables updated for 143+ detections to create accurate risk objects
  • Added status field to BA spec
  • Updated the "How to Implement" sections for all detections based on Endpoint.Processes

New Playbooks

  • Jira Related Tickets Search

v4.11.1

05 Sep 22:32
1dafee4

New Analytic Story

  • Juniper JunOS Remote Code Execution
  • Flax Typhoon
  • Windows Error Reporting Service Elevation of Privilege Vulnerability
  • Ivanti Sentry Authentication Bypass CVE-2023-38035
  • Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360

New Analytics

  • Juniper Networks Remote Code Execution Exploit Detection
  • Windows SQL Spawning CertUtil
  • Ivanti Sentry Authentication Bypass
  • Adobe ColdFusion Access Control Bypass
  • Adobe ColdFusion Unauthenticated Arbitrary File Read
  • Splunk DOS via printf search function

Updated Analytics

  • Splunk risky Command Abuse disclosed february 2023

Other Updates

  • Added status field to BA package
  • Updated splunk_risky_command.csv to splunk_risky_command_20230830.csv lookup file and updated the contents in the file

v4.11.0

30 Aug 17:26
f027dc6

New Analytic Story

  • Juniper JunOS Remote Code Execution
  • Flax Typhoon
  • Windows Error Reporting Service Elevation of Privilege Vulnerability
  • Ivanti Sentry Authentication Bypass CVE-2023-38035
  • Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360

New Analytics

  • Juniper Networks Remote Code Execution Exploit Detection
  • Windows SQL Spawning CertUtil
  • Ivanti Sentry Authentication Bypass
  • Adobe ColdFusion Access Control Bypass
  • Adobe ColdFusion Unauthenticated Arbitrary File Read
  • Splunk DOS via printf search function

Updated Analytics

  • Splunk risky Command Abuse disclosed february 2023

Other Updates

  • Added status field to BA package
  • Updated splunk_risky_command.csv to splunk_risky_command_20230830.csv lookup file and updated the contents in the file

v4.10.0

28 Aug 17:58
b4f96f2

New Analytic Story

  • Warzone RAT

New Analytics

  • Windows Bypass UAC via Pkgmgr Tool
  • Windows Mark Of The Web Bypass
  • Windows Modify Registry MaxConnectionPerServer
  • Windows Unsigned DLL Side-Loading
  • Detect Certify Command Line Arguments (External Contributor: @nterl0k)
  • Detect Certify With PowerShell Script Block Logging (External Contributor: @nterl0k)
  • Windows Steal Authentication Certificates - ESC1 Authentication (External Contributor: @nterl0k)
  • Windows Suspect Process With Authentication Traffic (External Contributor: @nterl0k)

Updated Analytics

  • Azure AD Global Administrator Role Assigned
  • Azure AD Multiple Users Failing To Authenticate From Ip
  • Azure AD Service Principal Owner Added
  • Azure AD Unusual Number of Failed Authentications From Ip
  • Azure AD Service Principal Created
  • Azure AD Privileged Role Assigned
  • Azure AD Privileged Authentication Administrator Role Assigned
  • Azure AD Application Administrator Role Assigned
  • Azure AD Multi-Factor Authentication Disabled
  • Azure AD External Guest User Invited
  • Azure AD User Enabled And Password Reset
  • Azure AD Service Principal New Client Credentials
  • Azure AD New Federated Domain Added
  • Azure AD New Custom Domain Added
  • Azure AD Successful Single-Factor Authentication
  • Azure AD Authentication Failed During MFA Challenge
  • Azure AD Successful PowerShell Authentication
  • Azure AD Multiple Failed MFA Requests For User
  • Azure AD User ImmutableId Attribute Updated
  • Azure Active Directory High Risk Sign-in
  • Unusually Long Command Line
  • Suspicious Copy on System32

New Playbooks

  • AD LDAP Account Unlocking
  • AWS IAM Account Unlocking
  • Azure AD Account Unlocking
  • Active Directory Enable Account Dispatch

Updated Playbook

  • Active Directory Disable Account Dispatch

Other Updates

  • Updated several detections for better output and risk objects

v4.9.1

17 Aug 16:14
5f69687
Merge pull request #2809 from splunk/ssa_escalation_Aug16

SSA Regex Bugfixes

v4.9.0

09 Aug 15:47
b1b8f2e

New Analytics

  • Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
  • Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
  • Citrix ShareFile Exploitation CVE-2023-24489
  • Windows Powershell RemoteSigned File
  • PowerShell Script Block With URL Chain (External Contributor: @nterl0k)
  • PowerShell WebRequest Using Memory Stream (External Contributor: @nterl0k)
  • Suspicious Process Executed From Container File (External Contributor: @nterl0k)
  • Windows Registry Payload Injection (External Contributor: @nterl0k)
  • Windows Scheduled Task Service Spawned Shell (External Contributor: @nterl0k)

Updated Analytics

  • Clop Common Exec Parameter (External Contributor: @DipsyTipsy)
  • O365 Added Service Principal
  • O365 New Federated Domain Added
  • O365 Excessive SSO logon errors

New Analytic Story

  • Ivanti EPMM Remote Unauthenticated Access
  • Citrix ShareFile RCE CVE-2023-24489

Other Updates

  • Updated detections with test datasets
  • Updated several observables in detections

v4.8.0

31 Jul 16:35
2b4e96f

New Analytics

  • Splunk Unauthenticated Log Injection Web Service Log