What's new
Enterprise Security Content Updates v3.51.0 was released on October 18, 2022. It includes the following enhancements.
New analytic stories
- CISA AA22-277A
- ProxyNotShell
New analytics
- AWS Console Login Failed During MFA Challenge
- AWS Multi-Factor Authentication Disabled
- AWS Multiple Failed MFA Requests For User
- AWS Successful Single-Factor Authentication
- Detect Exchange Web Shell
- ProxyShell ProxyNotShell Behavior Detected
- Windows Create Local Account
- Windows Exchange Autodiscover SSRF Abuse (Thank you Nathaniel Stearns!)
- Windows Mshta Execution In Registry
Updated analytics
- Detect SharpHound File Modifications
- Exchange PowerShell Abuse via SSRF
- Exchange PowerShell Module Usage
- Unified Messaging Service Spawning a Process
Other updates
- Added a new tool, lolbas_enrichment.py, which when executed builds a CSV of all the LOLBAS paths (./lolbas_file_path.csv) and auto-generates the BA detection with the latest LOLBAS paths (./ssa___windows_lolbin_binary_in_non_standard_path.yml) and its required supporting testing artifacts.
- Updated Attacker Tools lookup with Mimikatz and Advanced IP Scanner
This documentation applies to the following versions of Splunk® Security Content: 3.51.0