Splunk® Security Content

Release Notes

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of ESSOC. Click here for the latest version.
Acrobat logo Download topic as PDF

What's New

Enterprise Security Content Updates v3.16.0 was released on March 8, 2021. It includes the following enhancements.

New stories include the following:

  • Silver Sparrow
  • HAFNIUM Group

New detections include the following:

  • Cobalt Strike Named Pipes
  • Suspicious DLLHost no Command Line Arguments
  • Suspicious GPUpdate no Command Line Arguments
  • Suspicious SearchProtocolHost no Command Line Arguments
  • Suspicious PlistBuddy Usage
  • Suspicious SQLite3 LSAQuarantine Behavior
  • Suspicious Curl Network Connection
  • Ryuk Wake on LAN Command
  • Suspicious Scheduled Task from Public Directory
  • Fodhelper UAC Bypass
  • Eventvwr UAC Bypass
  • Any PowerShell DownloadString
  • Any PowerShell DownloadFile
  • Unified Messaging Service Spawning a Process
  • Suspicious Unified Messaging Service File Writes
  • Nishang PowershellTCPOneLine
  • W3WP Spawning Shells

Updated analytic stories include the following:

  • Cobalt Strike
  • Suspicious MSHTA Activity (formatting issues)

Updated detections include the following:

  • NTdsutil Export NTDS
  • Suspicious MSBuild Path
  • Suspicious MSBuild Rename
  • Suspicious Microsoft Workflow Compiler Rename
  • Detect Regsvr32 Application Control Bypass
  • Windows DisableAntiSpyware Registry
Last modified on 08 March, 2021
  NEXT
Fixed Issues

This documentation applies to the following versions of Splunk® Security Content: 3.16.0


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters