What's new
Enterprise Security Content Updates v3.33.0 was released on January 18, 2022. It includes the following enhancements.
New analytic stories
- Linux Privilege Escalation
- Linux Persistence Techniques
- sAMAccountName Spoofing and Domain Controller Impersonation
Updated analytic story
- Log4Shell CVE-2021-44228
New analytics
- Windows Hunting System Account Targeting Lsass
- Windows Non-System Account Targeting Lsass
- Suspicious Computer Account Name Change
- Suspicious Kerberos Service Ticket Request
- Suspicious Ticket Granting Ticket Request
- Linux NOPASSWD Entry In Sudoers File
- Linux Possible Access Or Modification Of sshd Config File
- Linux Possible Append Command To Profile Config File
- Linux Possible Ssh Key File Creation
- Linux Add User Account
- Linux Common Process For Elevation Control
- Linux Doas Conf File Creation
- Linux Doas Tool Execution
- Linux Possible Access To Credential Files
- Linux Possible Access To Sudoers File
- Linux Sudo OR Su Execution
- Linux Change File Owner To Root
- Linux File Created In Kernel Driver Directory
- Linux Insert Kernel Module Using Insmod Utility
- Linux Install Kernel Module Using Modprobe Utility
- Linux Preload Hijack Library Calls
- Linux Sudoers Tmp File Creation
- Linux Visudo Utility Execution
- Linux File Creation In Init Boot Directory
- Linux File Creation In Profile Directory
- Linux Service File Created In Systemd Directory
- Linux Service Restarted
- Linux Service Started Or Enabled
- Linux Setuid Using Chmod Utility
- Linux Setuid Using Setcap Utility
- Linux Add Files In Known Crontab Directories
- Linux At Allow Config File Creation
- Linux At Application Execution
- Linux Edit Cron Table Parameter
- Linux Possible Append Command To At Allow Config File
- Linux Possible Append Cronjob Entry on Existing Cronjob File
- Linux Possible Cronjob Modification With Editor
- Linux Java Spawning Shell
Updated analytics
- Outbound Network Connection from Java Using Default Ports
- Hunting for Log4Shell
New playbooks
- Block Indicators
- Email Notification for Malware
- Malware Hunt and Contain
Other updates
- Deprecated the SAAWS (DA-ESS_AmazonWebServices_Content) package from dist/
- Renamed "Malicious PowerShell Process - Connect To Internet With Hidden Window" to "PowerShell - Connect To Internet With Hidden Window"
- Added a warning message to experimental detections. These detections are not supported.
This documentation applies to the following versions of Splunk® Security Content: 3.33.0