What's new
Enterprise Security Content Updates v3.32.0 was released on December 15, 2021. It includes the following enhancements.
New analytic story
- Log4Shell CVE-2021-44228
Updated analytic story
- Active Directory Lateral Movement
New analytics
- Curl Download and Bash Execution
- Wget Download and Bash Execution
- Linux Java Spawning Shell
- Windows Java Spawning Shell
- Java Class File download by Java User Agent
- Outbound Network Connection from Java Using Default Ports
- Log4Shell JNDI Payload Injection Attempt
- Log4Shell JNDI Payload Injection with Outbound Connection
- Detect Outbound LDAP Traffic
- Hunting for Log4Shell
- Possible Lateral Movement PowerShell Spawn
- Short Lived Scheduled Task
- Randomly Generated Windows Service Name
- Randomly Generated Scheduled Task Name
- Unusual Number of Computer Service Tickets Requested
- Unusual Number of Remote Endpoint Authentication Events
Updated analytics
- Any PowerShell DownloadFile
- CMD Carry Out String Command Parameter
- Malicious PowerShell Process - Connect To Internet With Hidden Window
New analytics for Splunk Behavioral Analytics
- Detect RClone Command-Line Usage
- Windows Curl Upload to Remote Destination
- DNS Exfiltration Using Nslookup App
- Fsutil Zeroing File
- BCDEdit Failure Recovery Modification
- WBAdmin Delete System Backups
- Excessive Number of Office Files Copied
- High File Deletion Frequency
Updated analytics for Splunk Behavioral Analytics
- Attempt To Delete Services
- Attempt To Disable Services
- Attempted Credential Dump From Registry via Reg exe
- Delete a net user
- Deny Permission using Cacls Utility
- Detect Dump LSASS Memory using comsvcs
- Disable Net User Account
- First time seen command line argument
- Grant Permission Using Cacls Utility
- Prohibited apps spawning cmdprompt
- Potential Pass the Token or Hash Observed at the Destination Device
- Rare Parent-Child Process Relationship
- ptt pth kerb ntlm origin device
- Resize Shadowstorage Volume
- sdelete application execution
New playbooks
- Log4Shell Investigate and Respond
- Internal Host Splunk Investigate
- Internal Host SSH Log4j Investigate
- Internal Host SSH Investigate
- Internal Host Winrm Log4j Investigate
- Internal Host Winrm Investigate
- Internal Host Winrm Log4j Respond
- Internal Host SSH Log4j Respond
Other updates
- Added Splunk Behavioral Analytics package
- Updated Docker CI testing logic
- Added playbook rendering to the docs
This documentation applies to the following versions of Splunk® Security Content: 3.32.0