What's new
Enterprise Security Content Updates v3.48.0 was released on August 30, 2022. It includes the following enhancements.
Updated analytic stories
- Azure Active Directory Account Takeover
- Linux Living Off The Land
- Linux Privilege Escalation
- Windows Registry Abuse
- Windows Defense Evasion Tactics
New analytics
- Azure AD Multi-Factor Authentication Disabled
- Linux apt-get Privilege Escalation
- Linux Busybox Privilege Escalation
- Linux c89 Privilege Escalation
- Linux c99 Privilege Escalation
- Linux Composer Privilege Escalation
- Linux Cpulimit Privilege Escalation
- Linux Csvtool Privilege Escalation
- Linux Emacs Privilege Escalation
- Linux Find Privilege Escalation
- Linux GDB Privilege Escalation
- Linux Gem Privilege Escalation
- Linux GNU awk Privilege Escalation
- Linux Make Privilege Escalation
- Linux MySQL Privilege Escalation
- Linux Octave Privilege Escalation
- Linux OpenVPN Privilege Escalation
- Linux Persistence and Privilege Escalation Risk Behavior
- Linux PHP Privilege Escalation
- Linux Puppet Privilege Escalation
- Linux RPM Privilege Escalation
- Linux Ruby Privilege Escalation
- Linux Sqlite3 Privilege Escalation
- Windows Autostart Execution LSASS Driver Registry Modification
- Windows DLL Search Order Hijacking Hunt
- Windows DLL Search Order Hijacking Hunt with Sysmon
- Windows Remote Access Software Hunt
Updated analytics
- AWS ECR Container Scanning Findings Low Informational Unknown
- Detect AWS Console Login by User from New City
- Detect AWS Console Login by User from New Country
- Detect AWS Console Login by User from New Region
- Detect Excessive Account Lockouts From Endpoint
- Detect Excessive User Account Lockouts
- Log4Shell CVE-2021-44228 Exploitation
- MSHTML Module Load in Office Product
- Office Document Creating Schedule Task
- Powershell Remote Thread to Known Windows Process
- Windows InstallUtil Credential Theft
- Windows Possible Credential Dumping
Other updates
- Minor text update to research.splunk.com (thanks to @yaleman)
- Added fillnull_value=null to the security_content_summariesonly macro
- Consolidated the requirements.txt file for contentctl and docker detection testing, and updated the GitHub Actions workflow to run detection testing based on the code in the pull request
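The fillnull_value=null change matters for every tstats-based detection that uses the macro: tstats silently drops a result row when any field named in the by clause is null for that event, so a process event with no recorded parent process name never reaches the detection logic. The search below is an added example written for this page, not a detection shipped in the release. It spells out the arguments the macro is understood to supply (the pre-existing summariesonly=false allow_old_summaries=true plus the new fillnull_value=null); that expansion is assumed from the release note, so confirm it against the macro definition in your own installation.

```spl
| tstats summariesonly=false allow_old_summaries=true fillnull_value=null
    count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.process_name="find" Processes.process="*-exec*"
    by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| eval parent_process_name=if(parent_process_name="null", "(missing)", parent_process_name)
```

Without fillnull_value=null, running the same search against an event whose Processes.parent_process_name is empty returns nothing for that event, even though process_name and process matched. With it, the row is returned with the literal string "null" in that field, which is why the final eval rewrites the placeholder: any downstream filter or allowlist on that field now has to treat "null" as a string value rather than as an absent field.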
This documentation applies to the following versions of Splunk® Security Content: 3.48.0