What's new
Enterprise Security Content Updates v3.61.0 was released on March 9, 2023. It includes the following enhancements.
New analytic story
- Sneaky Active Directory Persistence Tricks (Huge thanks and shoutout to Dean Luxton and Steven Dick for contributing detections)
- BishopFox Sliver Adversary Emulation Framework
New analytics
- Notepad with No Command-Line Arguments
- Windows Process Injection into Notepad
- Windows AD Same Domain SID History Addition
- Windows AD Cross Domain SID History Addition
- Windows AD Replication Request Initiated by User Account
- Windows AD Replication Request Initiated from Unsanctioned Location
- Windows AD Domain Replication ACL Addition
- Windows AD DSRM Account Changes
- Windows AD DSRM Password Reset
- Windows AD Short Lived Domain Controller SPN Attribute
- Windows AD Short Lived Server Object
- Windows AD SID History Attribute Modified
- Windows AD AdminSDHolder ACL Modified
- Windows AD ServicePrincipalName Added to Domain Account
- Windows AD Short Lived Domain Account ServicePrincipalName
- Windows AD Rogue Domain Controller Network Activity
- Windows AD Account SID History Addition
- Windows AD Replication Service Traffic
- Windows Unusual Count of Disabled Users Failed Auth Using Kerberos
- Windows Unusual Count of Invalid Users Fail to Auth Using Kerberos
- Windows Unusual Count of Invalid Users Failed to Auth Using NTLM
- Windows Unusual Count of Users Fail to Auth with Explicit Credentials
- Windows Unusual Count of Users Failed to Auth Using Kerberos
- Windows Unusual Count of Users Failed to Authenticate from Process
- Windows Unusual Count of Users Failed to Authenticate Using NTLM
- Windows Unusual Count of Users Remotely Failed to Auth from Host
Updated analytics
- Impacket Lateral Movement Command-line Parameters (Thank you Chris Chantrey)
- Suspicious Regsvr32 Register Suspicious Path (Thank you DipsyTipsy)
- Suspicious Reg.exe Process (Thank you DipsyTipsy)
- Linux SSH Remote Services Script Execute (Thank you DipsyTipsy)
Other updates
- Removed Experimental/Deprecated Behavioral Analytics detections from the develop branch in the security_content GitHub repository and from research.splunk.com
- Migrated Password Spraying to XML
- Updated all of the Splunkbase apps that are used for our automated testing framework
This documentation applies to the following versions of Splunk® Security Content: 3.61.0