Splunk® Security Content

Release Notes

This documentation does not apply to the most recent version of Splunk® Security Content. For documentation on the most recent version, go to the latest release.

What's new

Enterprise Security Content Update (ESCU) v4.1.0 was released on May 4, 2023. It includes the following enhancements.

New analytic stories

  • Active Directory Privilege Escalation
  • RedLine Stealer

New analytics

  • Active Directory Lateral Movement Identified
  • Impacket Lateral Movement smbexec CommandLine Parameters
  • Impacket Lateral Movement WMIExec CommandLine Parameters
  • Steal or Forge Authentication Certificates Behavior Identified
  • Windows Administrative Shares Accessed on Multiple Hosts
  • Windows Admon Default Group Policy Object Modified
  • Windows Admon Group Policy Object Created
  • Windows Credentials from Password Stores Chrome Extension Access
  • Windows Credentials from Password Stores Chrome Local State Access
  • Windows Credentials from Password Stores Chrome Login Data Access
  • Windows Default Group Policy Object Modified
  • Windows Default Group Policy Object Modified with GPME
  • Windows DnsAdmins New Member Added
  • Windows File Share Discovery with Powerview
  • Windows Findstr GPP Discovery
  • Windows Group Policy Object Created
  • Windows Large Number of Computer Service Tickets Requested
  • Windows Local Administrator Credential Stuffing
  • Windows Modify Registry Auto Minor Updates
  • Windows Modify Registry Auto Update Notifications
  • Windows Modify Registry Disable WinDefender Notifications
  • Windows Modify Registry Do Not Connect to Win Update
  • Windows Modify Registry No Auto Reboot with Logon User
  • Windows Modify Registry No Auto Update
  • Windows Modify Registry Tamper Protection
  • Windows Modify Registry UpdateServiceUrlAlternate
  • Windows Modify Registry USEWUServer
  • Windows Modify Registry WuServer
  • Windows Modify Registry WuStatusServer
  • Windows PowerSploit GPP Discovery
  • Windows PowerView AD Access Control List Enumeration
  • Windows Query Registry Browser List Application
  • Windows Query Registry UnInstall Program List
  • Windows Rapid Authentication on Multiple Hosts
  • Windows Service Stop Win Updates
  • Windows Special Privileged Logon on Multiple Hosts
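The block of Windows Modify Registry analytics above, together with Windows Service Stop Win Updates, covers one technique: tampering with the Windows Update policy values so a host stops patching or pulls updates from an attacker-controlled WSUS server. This page lists only the analytic names, not their SPL, so the following Python is an added illustration of the detection idea rather than Splunk's own logic. The registry paths are the documented Windows Update group-policy locations; which value each listed analytic watches is my inference from its name (AUOptions for "Auto Update Notifications" in particular is an assumption). The sample events are constructed, using the Sysmon Event ID 13 (RegistryEvent, value set) field names EventCode, Image, TargetObject and Details as they appear in Splunk.

```python
import re
from typing import Dict, Iterable, List

# Windows Update policy key. Values written here override the Settings UI
# and are what a WSUS-hijack or "stop patching" tamper typically touches.
WU_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"

# Value names relative to WU_POLICY. Mapping to the analytics listed above is
# an assumption made for this example, not Splunk's published content.
WATCHED_VALUES = [
    "WUServer",                                    # update server redirected
    "WUStatusServer",                              # reporting server redirected
    "UpdateServiceUrlAlternate",                   # alternate download URL
    "DoNotConnectToWindowsUpdateInternetLocations",
    r"AU\UseWUServer",                             # force use of WUServer
    r"AU\NoAutoUpdate",                            # automatic updates off
    r"AU\AutoInstallMinorUpdates",
    r"AU\NoAutoRebootWithLoggedOnUsers",
    r"AU\AUOptions",                               # notification behaviour (assumed)
]
WATCHED = {(WU_POLICY + "\\" + v).lower(): v.split("\\")[-1] for v in WATCHED_VALUES}

# key=value tokens, quoted or bare, as a Splunk-rendered Sysmon event shows them.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value formatted event line into a dict."""
    return {k: (q or u) for k, q, u in KV_RE.findall(line)}


def normalize_path(target: str) -> str:
    """Fold the hive-name variants Sysmon and other sources emit onto HKLM\\... and lower-case."""
    t = target.strip().replace("/", "\\")
    t = re.sub(r"^HKEY_LOCAL_MACHINE\\", r"HKLM\\", t, flags=re.I)
    t = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", t, flags=re.I)
    return t.lower()


def find_wu_tampering(lines: Iterable[str], benign_images: Iterable[str] = ()) -> List[Dict[str, str]]:
    """Return one hit per Sysmon EID 13 event that sets a watched Windows Update policy value.

    benign_images: process image paths whose writes are expected (e.g. the Group Policy
    client on hosts where WSUS is legitimately configured); these are suppressed.
    """
    benign = {b.lower() for b in benign_images}
    hits: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventCode") != "13":      # only "value set" events carry a written value
            continue
        name = WATCHED.get(normalize_path(ev.get("TargetObject", "")))
        if name is None:
            continue
        image = ev.get("Image", "")
        if image.lower() in benign:
            continue
        hits.append({"rule": name, "image": image,
                     "target": ev["TargetObject"], "details": ev.get("Details", "")})
    return hits


# Constructed sample events (not real telemetry). Two tamper the AU policy, one
# redirects WUServer, one is a key creation (EID 12), one is an unrelated Run key.
SAMPLE_EVENTS = [
    r'EventCode=13 EventType=SetValue Image="C:\Windows\System32\reg.exe" TargetObject="HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate" Details="DWORD (0x00000001)"',
    r'EventCode=13 EventType=SetValue Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" TargetObject="HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer" Details="http://10.10.10.5:8530"',
    r'EventCode=13 EventType=SetValue Image="C:\Windows\regedit.exe" TargetObject="HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer" Details="DWORD (0x00000001)"',
    r'EventCode=12 EventType=CreateKey Image="C:\Windows\System32\reg.exe" TargetObject="HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"',
    r'EventCode=13 EventType=SetValue Image="C:\Windows\System32\svchost.exe" TargetObject="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater" Details="C:\Tools\updater.exe"',
]

if __name__ == "__main__":
    for h in find_wu_tampering(SAMPLE_EVENTS):
        print(f'{h["rule"]:<12} {h["image"]} -> {h["details"]}')
```

Group Policy processing legitimately writes these same values on any domain-joined host with a WSUS policy, so a production version of this logic has to baseline the writing process and the expected server value rather than alert on every write; the benign_images parameter marks where that suppression belongs, and a WUServer value pointing anywhere other than the sanctioned WSUS host is the write worth paging on.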

Other updates

  • Added a new job for smoke testing experimental and deprecated detections
  • Several detections and YAML metadata fixed by @nterl0k and @TheLawsOfChaos
  • Deprecated the detection Detect Mimikatz Using Loaded Images

Last modified on 04 May, 2023

This documentation applies to the following versions of Splunk® Security Content: 4.1.0

