What's new
Enterprise Security Content Updates v3.53.0 was released on November 16, 2022. It includes the following enhancements.
New analytic story
- OpenSSL CVE-2022-3602
Updated analytic stories
- IcedID
- Remcos
- Qakbot
New analytics
- Azorult
- SSL Certificates with Punycode
- Windows App Layer Protocol Qakbot NamedPipe
- Zeek x509 Certificate with Punycode
Updated analytics
- Attempted Credential Dump From Registry via Reg exe
- AWS Detect Users with KMS keys performing encryption S3 (thank you Antony Bowesman)
- AWS ECR Container Upload Outside Business Hours (thank you Antony Bowesman)
- BITSAdmin Download File
- BITS Job Persistence
- Common Ransomware Extensions (thank you Steven Dick)
- Creation of Shadow Copy
- Detect Rare Executables (thank you Antony Bowesman)
- Dump LSASS via procdump
- Executables Or Script Creation In Suspicious Path
- Kubernetes AWS detect suspicious kubectl calls (thank you Antony Bowesman)
- O365 Disable MFA (thank you Jamie Windley)
- Office Document Executing Macro Code
- Office Product Spawn CMD Process
- Office Product Spawning Windows Script Host
- Process Creating LNK file in Suspicious Location
- RunDLL Loading DLL By Ordinal
- Suspicious Process File Path
Other updates
- The names of a few analytics tests were updated
- Added a CI check to validate NIST and CIS20 tags
This documentation applies to the following versions of Splunk® Security Content: 3.53.0