Splunk® Security Content

Release Notes

This documentation does not apply to the most recent version of Splunk® Security Content. For documentation on the most recent version, go to the latest release.

What's new

Enterprise Security Content Updates v3.35.0 was released on February 16, 2022. It includes the following enhancements.

New analytics

  • Windows Rasautou DLL Execution
  • Linux pkexec Privilege Escalation
  • Potentially malicious code on command line (MLTK-based detection that works with a pre-shipped model file)

Updated analytics

  • Linux pkexec Privilege Escalation
  • Windows Possible Credential Dumping
  • Windows Remote Assistance Spawning Process
  • Windows Schtasks Create Run As System
  • RunDLL Loading DLL By Ordinal
  • CertUtil Download With URLCache and Split Arguments
  • CertUtil Download With VerifyCtl and Split Arguments
  • O365 Added Service Principal (Bug fix contributed by @ionsor)
  • O365 Bypass MFA via Trusted IP (Bug fix contributed by @ionsor)
  • O365 Disable MFA (Bug fix contributed by @ionsor)
  • Powershell Remove Windows Defender Directory (Bug fix contributed by @BlackB0lt)
  • GetWmiObject Ds Computer with PowerShell Script Block (Bug fix contributed by @sanjay900)
  • GetWmiObject Ds Group with PowerShell Script Block (Bug fix contributed by @sanjay900)

New playbooks

  • TruSTAR Enrich Indicators
  • Threat Intel Investigate
  • Start Investigation
  • AWS Disable User Accounts
  • AWS Find Inactive Users

Other updates

  • Updated 20+ detections based on Endpoint.Registry and tested with the latest Splunk Add-on for Sysmon
  • Updated `Detect GCP Storage access from a new IP` based on a customer-reported bug.
  • Updated deprecation note in `Detection of DNS Tunnels` with reference to new detection.
  • Updated savedsearches.conf to fix a risk parameter that previously prevented a search from being saved from the UI
  • Updated generate.py to output correct UTF-8 rendered savedsearches.conf stanzas for `Malicious PowerShell Process - Encoded Command` and `PowerShell - Connect To Internet With Hidden Window`

Last modified on 16 February, 2022

This documentation applies to the following versions of Splunk® Security Content: 3.35.0
