Splunk® Security Content

Release Notes

What's new

Enterprise Security Content Updates v3.31.0 was released on December 8, 2021. It includes the following enhancements.

New analytic story

  • Signed Binary Proxy Execution InstallUtil

Updated analytic story

  • Lateral Movement

New analytics

  • Add or Set Windows Defender Exclusion
  • Powershell Windows Defender Exclusion Commands
  • Windows Defender Exclusion Registry Entry
  • Impacket Lateral Movement Commandline Parameters
  • Windows Service Created Within Public Path
  • Wmiprsve LOLBAS Execution Process Spawn
  • Services LOLBAS Execution Process Spawn
  • Svchost LOLBAS Execution Process Spawn
  • Wsmprovhost LOLBAS Execution Process Spawn
  • Mmc LOLBAS Execution Process Spawn
  • CSC Net On The Fly Compilation
  • Firewall Allowed Program Enable
  • High Frequency Copy Of Files In Network Share
  • Loading Of Dynwrapx Module
  • Network Discovery Using Route Windows App
  • Runas Execution in CommandLine
  • Suspicious Process DNS Query Known Abuse Web Services
  • Remote Process Instantiation via WMI and PowerShell Script Block
  • Remote Process Instantiation via WMI and PowerShell
  • Remote Process Instantiation via DCOM and PowerShell Script Block
  • Remote Process Instantiation via DCOM and PowerShell
  • Remote Process Instantiation via WinRM and PowerShell
  • Remote Process Instantiation via WinRM and PowerShell Script Block
  • WMIC XSL Execution via URL
  • Windows InstallUtil Remote Network Connection
  • Windows InstallUtil URL in Command Line
  • Windows InstallUtil Credential Theft
  • Windows InstallUtil Uninstall Option
  • Windows InstallUtil Uninstall Option with Network
  • Windows DiskCryptor Usage
  • Windows Service Creation on Remote Endpoint
  • Windows Service Initiation on Remote Endpoint
  • Scheduled Task Initiation on Remote Endpoint
  • Scheduled Task Creation on Remote Endpoint using At
  • Remote Process Instantiation via WinRM and Winrs

Updated analytics

  • Detect RClone Command-Line Usage
  • Detect HTML Help Renamed search
  • Windows Service Created With Suspicious Service Path
  • Possible Browser Pass View Parameter
  • System Info Gathering Using Dxdiag Application
  • ServicePrincipalNames Discovery with PowerShell
  • ServicePrincipalNames Discovery with SetSPN
  • WinEvent Scheduled Task Created Within Public Path
  • Kerberoasting spn request with RC4 encryption
  • Schtasks scheduling job on remote system
  • Remote Process Instantiation via WMI
  • Regsvr32 Silent and Install Param Dll Loading
  • Regsvr32 with Known Silent Switch Cmdline
  • Detect AWS Console Login by New User (thank you @jay-merry)
  • Detect AWS Console Login by User from New City (thank you @jay-merry)
  • Detect AWS Console Login by User from New Region (thank you @jay-merry)
  • Detect AWS Console Login by User from New Country (thank you @jay-merry)
  • AWS IAM AccessDenied Discovery Events (thank you @infosecB)
  • Attacker Tools On Endpoint (thank you @huskersec)

Other updates

  • Updated 20+ Endpoint Registry detections to use the correct field names mapped by the Splunk Add-on for Sysmon
  • Removed devsecops package from the repository

New analytics for Splunk Behavioral Analytics

  • Anomalous usage of Archive Tools
  • Sdelete Application Execution

Updates for Splunk Behavioral Analytics

  • Detect Prohibited Applications Spawning cmd exe (updated)
  • Delete A Net User (updated)
  • Potential Pass the Token or Hash Observed at the Destination Device (updated)
  • Potential Pass the Token or Hash Observed by an Event Collecting Device (updated)
  • Improved BA testing pipeline
  • Updated metadata in several Splunk Behavioral Analytics detections

Last modified on 09 December, 2021

This documentation applies to the following versions of Splunk® Security Content: 3.31.0