Splunk® Security Content

Release Notes


What's New

Enterprise Security Content Updates v3.28.0 was released on September 9, 2021. It includes the following enhancements.

New analytic stories include the following:

  • BlackMatter Ransomware
  • Active Directory Discovery
  • ProxyShell
  • PetitPotam NTLM Relay on Active Directory Certificate Services
  • Microsoft MSHTML Remote Code Execution CVE-2021-40444

Updated analytic stories include the following:

  • Dev Sec Ops

New analytics include the following:

  • Add DefaultUser And Password In Registry
  • Auto Admin Logon Registry Entry
  • Bcdedit Command Back To Normal Mode Boot
  • Change To Safe Mode With Network Config
  • SchCache Change By App Connect And Create ADSI Object
  • Circle CI Disable Security Job
  • Circle CI Disable Security Step
  • Github Commit In Develop
  • GitHub Dependabot Alert
  • GitHub Pull Request from Unknown User
  • Get ADDefaultDomainPasswordPolicy with Powershell
  • Get ADDefaultDomainPasswordPolicy with Powershell Script Block
  • Get ADUserResultantPasswordPolicy with Powershell
  • Get ADUserResultantPasswordPolicy with Powershell Script Block
  • Get DomainPolicy with Powershell
  • Get DomainPolicy with Powershell Script Block
  • Password Policy Discovery with Net
  • AdsiSearcher Account Discovery
  • Domain Account Discovery with Dsquery
  • Domain Account Discovery With Net App
  • Domain Account Discovery with Wmic
  • Get ADUser with PowerShell
  • Get ADUser with PowerShell Script Block
  • Get DomainUser with PowerShell
  • Get DomainUser with PowerShell Script Block
  • GetWmiObject DS User with PowerShell
  • GetWmiObject DS User with PowerShell Script Block
  • GetLocalUser with PowerShell
  • GetLocalUser with PowerShell Script Block
  • GetWmiObject User Account with PowerShell
  • GetWmiObject User Account with PowerShell Script Block
  • Local Account Discovery with Net
  • Local Account Discovery With Wmic
  • Exchange PowerShell Module Usage (Experimental)
  • Exchange PowerShell Abuse via SSRF (Experimental)
  • PetitPotam Network Share Access Request
  • Windows Kerberos Auth Ticket Request
  • Kubernetes Scanner Image Pulling
  • Gsuite Email Suspicious Subject With Attachment
  • Gsuite Email With Known Abuse Web Service Link
  • Gsuite Suspicious Shared File Name
  • AWS ECR Container Upload Outside Business Hours
  • AWS ECR Container Upload Unknown User
  • Github Commit Changes In Master
  • Esentutl SAM Copy
  • PowerShell 4104 Hunting
  • Gsuite Drive Share In External Email
  • GSuite Email Suspicious Attachment
  • Gsuite Outbound Email With Attachment To External Domain
  • Rundll32 Control_RunDLL World Writable Directory
  • Rundll32 Control_Rundll Hunt
  • Office Spawning Control
  • Control Loading from World Writable Directory
  • MSHTML Module Load in Office Product

Updated analytics include the following:

  • Create local admin accounts using net exe (Thank you for reporting this, @mschilt)
  • Create or delete windows shares using net exe (Thank you for reporting this, @thejanit0r)
  • Extraction of Registry Hives (Thank you for reporting this, @thejanit0r)
  • System Information Discovery Detection (Thank you for reporting this, @mschilt)
  • Registry Keys Used For Persistence (Thank you for reporting this, @mschilt)
  • Process Creating LNK file in Suspicious Location (Thank you for reporting this, @mschilt)

Other updates include the following:

  • Minor README updates
  • Added missing risk scores
  • Updated links to spec files

CI updates include the following:

  • Migrate CI from CircleCI to GitHub Actions
  • Reduce External Tool Dependencies
  • Increase Transparency and Portability of CI Pipeline
  • Prepare for future CI changes

Last modified on 28 September, 2021

This documentation applies to the following versions of Splunk® Security Content: 3.28.0

