What's new
Enterprise Security Content Updates v4.1.0 was released on May 4, 2023. It includes the following enhancements.
New analytic story
- Active Directory Privilege Escalation
- RedLine Stealer
New analytics
- Active Directory Lateral Movement Identified
- Impacket Lateral Movement smbexec CommandLine Parameters
- Impacket Lateral Movement WMIExec CommandLine Parameters
- Steal or Forge Authentication Certificates Behavior Identified
- Windows Administrative Shares Accessed on Multiple Hosts
- Windows Admon Default Group Policy Object Modified
- Windows Admon Group Policy Object Created
- Windows Credentials from Password Stores Chrome Extension Access
- Windows Credentials from Password Stores Chrome Local State Access
- Windows Credentials from Password Stores Chrome Login Data Access
- Windows Default Group Policy Object Modified
- Windows Default Group Policy Object Modified with GPME
- Windows DnsAdmins New Member Added
- Windows File Share Discovery with Powerview
- Windows Findstr GPP Discovery
- Windows Group Policy Object Created
- Windows Large Number of Computer Service Tickets Requested
- Windows Local Administrator Credential Stuffing
- Windows Modify Registry Auto Minor Updates
- Windows Modify Registry Auto Update Notifications
- Windows Modify Registry Disable WinDefender Notifications
- Windows Modify Registry Do Not Connect to Win Update
- Windows Modify Registry No Auto Reboot with Logon User
- Windows Modify Registry No Auto Update
- Windows Modify Registry Tamper Protection
- Windows Modify Registry UpdateServiceUrlAlternate
- Windows Modify Registry UweWuServer
- Windows Modify Registry WuServer
- Windows Modify Registry WuStatusServer
- Windows PowerSploit GPP Discovery
- Windows PowerView AD Access Control List Enumeration
- Windows Query Registry Browser List Application
- Windows Query Registry UnInstall Program List
- Windows Rapid Authentication on Multiple Hosts
- Windows Service Stop Win Updates
- Windows Special Privileged Logon on Multiple Hosts
Other updates
- Added a new job for smoke testing experimental and deprecated detections
- Several detections and YAML metadata fixed by @nterl0k and @TheLawsOfChaos
- Deprecated detection
  - Detect Mimikatz Using Loaded Images
This documentation applies to the following versions of Splunk® Security Content: 4.1.0