What's new
Enterprise Security Content Updates v3.31.0 was released on December 8, 2021. It includes the following enhancements.
New analytic story
- Signed Binary Proxy Execution InstallUtil
Updated analytic story
- Lateral Movement
New analytics
- Add or Set Windows Defender Exclusion
- Powershell Windows Defender Exclusion Commands
- Windows Defender Exclusion Registry Entry
- Impacket Lateral Movement Commandline Parameters
- Windows Service Created Within Public Path
- Wmiprsve LOLBAS Execution Process Spawn
- Services LOLBAS Execution Process Spawn
- Svchost LOLBAS Execution Process Spawn
- Wsmprovhost LOLBAS Execution Process Spawn
- Mmc LOLBAS Execution Process Spawn
- CSC Net On The Fly Compilation
- Firewall Allowed Program Enable
- High Frequency Copy Of Files In Network Share
- Loading Of Dynwrapx Module
- Network Discovery Using Route Windows App
- Runas Execution in CommandLine
- Suspicious Process DNS Query Known Abuse Web Services
- Remote Process Instantiation via WMI and PowerShell Script Block
- Remote Process Instantiation via WMI and PowerShell
- Remote Process Instantiation via DCOM and PowerShell Script Block
- Remote Process Instantiation via DCOM and PowerShell
- Remote Process Instantiation via WinRM and PowerShell
- Remote Process Instantiation via WinRM and PowerShell Script Block
- WMIC XSL Execution via URL
- Windows InstallUtil Remote Network Connection
- Windows InstallUtil URL in Command Line
- Windows InstallUtil Credential Theft
- Windows InstallUtil Uninstall Option
- Windows InstallUtil Uninstall Option with Network
- Windows DiskCryptor Usage
- Windows Service Creation on Remote Endpoint
- Windows Service Initiation on Remote Endpoint
- Scheduled Task Initiation on Remote Endpoint
- Scheduled Task Creation on Remote Endpoint using At
- Remote Process Instantiation via WinRM and Winrs
Updated analytics
- Detect RClone Command-Line Usage
- Detect HTML Help Renamed search
- Windows Service Created With Suspicious Service Path
- Possible Browser Pass View Parameter
- System Info Gathering Using Dxdiag Application
- ServicePrincipalNames Discovery with PowerShell
- ServicePrincipalNames Discovery with SetSPN
- WinEvent Scheduled Task Created Within Public Path
- Kerberoasting spn request with RC4 encryption
- Schtasks scheduling job on remote system
- Remote Process Instantiation via WMI
- Regsvr32 Silent and Install Param Dll Loading
- Regsvr32 with Known Silent Switch Cmdline
- Detect AWS Console Login by New User (thank you @jay-merry)
- Detect AWS Console Login by User from New City (thank you @jay-merry)
- Detect AWS Console Login by User from New Region (thank you @jay-merry)
- Detect AWS Console Login by User from New Country (thank you @jay-merry)
- AWS IAM AccessDenied Discovery Events (thank you @infosecB)
- Attacker Tools On Endpoint (thank you @huskersec)
Other updates
- Updated 20+ Endpoint Registry detections to leverage the correct field names mapped by Splunk Add-on for Sysmon
- Removed devsecops package from the repository
New analytics for Splunk Behavioral Analytics
- Anomalous usage of Archive Tools
- Sdelete Application Execution
Updates for Splunk Behavioral Analytics
- Detect Prohibited Applications Spawning cmd exe (updated)
- Delete A Net User (updated)
- Potential Pass the Token or Hash Observed at the Destination Device (updated)
- Potential Pass the Token or Hash Observed by an Event Collecting Device (updated)
- Improved BA testing pipeline
- Updated metadata in several Splunk Behavioral Analytics detections
This documentation applies to the following versions of Splunk® Security Content: 3.31.0