Splunk® Security Content

Release Notes

This documentation does not apply to the most recent version of Splunk® Security Content. For documentation on the most recent version, go to the latest release.

What's New

Enterprise Security Content Updates v3.24.0 was released on July 1, 2021. It includes the following enhancements.

Updated analytic stories include the following:

  • Malicious PowerShell
  • Data Exfiltration
  • Ransomware
  • Meterpreter

New analytic stories include the following:

  • Detect Empire with PowerShell Script Block Logging
  • Detect Mimikatz With PowerShell Script Block Logging
  • Powershell Fileless Process Injection via GetProcAddress
  • Powershell Fileless Script Contains Base64 Encoded Content
  • Unloading AMSI via Reflection
  • PowerShell Domain Enumeration
  • PowerShell Loading DotNET into Memory via System Reflection Assembly
  • Detect WMI Event Subscription Persistence
  • Suspicious Event Log Service Behavior
  • Powershell Creating Thread Mutex
  • Powershell Processing Stream Of Data
  • Powershell Using memory As Backing Store
  • Recon AVProduct Through Pwh or WMI
  • Recon Using WMI Class
  • WMI Recon Running Process Or Services
  • Start Up During Safe Mode Boot
  • Prevent Automatic Repair Mode using Bcdedit
  • Permission Modification using Takeown App
  • Disable Logs Using WevtUtil
  • Clear Unallocated Sector Using Cipher App
  • Allow Operation with Consent Admin
  • Excessive number of distinct processes created in Windows Temp folder
  • Excessive number of taskhost processes

Updated analytic stories include the following:

  • Remote WMI Command Attempt
  • Process Execution via WMI
  • WMI Permanent Event Subscription - Sysmon
  • Office Document Spawned Child Process To Download (Thank you @mschilt for reporting)
  • Suspicious MSBuild Rename(Thank you @mschilt for reporting)

Changes to deprecated detections include the following:

  • doc_gen.py will not longer include deprecated detections on Splunk Docs.
  • The correlation search label is updated to ESCU - Deprecated -<search_name> - Rule
  • The following note is added to the beginning of the description of the deprecated detection:

    #### WARNING, this detection has been marked deprecated by the Splunk Threat Research team, this means that it will no longer be maintained or supported. If you have any questions feel free to email us at: research@splunk.com.*

Last modified on 01 July, 2021

This documentation applies to the following versions of Splunk® Security Content: 3.24.0

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters