v4.40.0

Key highlights

Key Highlights for Enterprise Security Content Update version 4.40.0:

Compromised Linux Host: This update introduces a robust set of 50 detections for compromised Linux hosts, covering a wide range of activities such as unauthorized account creation, file ownership changes, kernel module modifications, privilege escalation, data destruction, and suspicious service stoppages, enhancing visibility into potential malicious actions and system tampering.

Black Suit Ransomware: We have tagged existing analytics, aligning with tactics, techniques, and procedures (TTPs) associated with the Black Suit ransomware, providing organizations with targeted threat detection capabilities to identify and mitigate ransomware attacks before they can cause significant damage.

CISA Alert (CISA AA24-241A): In response to a joint advisory regarding Iran-based cyber actors exploiting U.S. and foreign organizations, this update includes new detections for identifying PowerShell Web Access installations and enabling activities, strengthening defenses against ransomware and espionage activities linked to these threats.

Total New and Updated Content: [133]

New Analytic Story - [3]

• BlackSuit Ransomware
• CISA AA24-241A
• Compromised Linux Host

Updated Analytic Story - [0]

New Analytics - [52]

• Linux Auditd Add User Account Type
• Linux Auditd Add User Account
• Linux Auditd At Application Execution
• Linux Auditd Auditd Service Stop
• Linux Auditd Base64 Decode Files
• Linux Auditd Change File Owner To Root
• Linux Auditd Clipboard Data Copy
• Linux Auditd Data Destruction Command
• Linux Auditd Data Transfer Size Limits Via Split Syscall
• Linux Auditd Data Transfer Size Limits Via Split
• Linux Auditd Database File And Directory Discovery
• Linux Auditd Dd File Overwrite
• Linux Auditd Disable Or Modify System Firewall
• Linux Auditd Doas Conf File Creation
• Linux Auditd Doas Tool Execution
• Linux Auditd Edit Cron Table Parameter
• Linux Auditd File And Directory Discovery
• Linux Auditd File Permission Modification Via Chmod
• Linux Auditd File Permissions Modification Via Chattr
• Linux Auditd Find Credentials From Password Managers
• Linux Auditd Find Credentials From Password Stores
• Linux Auditd Find Private Keys
• Linux Auditd Find Ssh Private Keys
• Linux Auditd Hardware Addition Swapoff
• Linux Auditd Hidden Files And Directories Creation
• Linux Auditd Insert Kernel Module Using Insmod Utility
• Linux Auditd Install Kernel Module Using Modprobe Utility
• Linux Auditd Kernel Module Enumeration
• Linux Auditd Kernel Module Using Rmmod Utility
• Linux Auditd Nopasswd Entry In Sudoers File
• Linux Auditd Osquery Service Stop
• Linux Auditd Possible Access Or Modification Of Sshd Config File
• Linux Auditd Possible Access To Credential Files
• Linux Auditd Possible Access To Sudoers File
• Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File
• Linux Auditd Preload Hijack Library Calls
• Linux Auditd Preload Hijack Via Preload File
• Linux Auditd Service Restarted
• Linux Auditd Service Started
• Linux Auditd Setuid Using Chmod Utility
• Linux Auditd Setuid Using Setcap Utility
• Linux Auditd Shred Overwrite Command
• Linux Auditd Stop Services
• Linux Auditd Sudo Or Su Execution
• Linux Auditd Sysmon Service Stop
• Linux Auditd System Network Configuration Discovery
• Linux Auditd Unix Shell Configuration Modification
• Linux Auditd Unload Module Via Modprobe
• Linux Auditd Virtual Disk File And Directory Discovery
• Linux Auditd Whoami User Discovery
• Windows DISM Install PowerShell Web Access
• Windows Enable PowerShell Web Access

Updated Analytics - [72]

• ASL AWS Concurrent Sessions From Different Ips
• Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
• Anomalous usage of 7zip
• Citrix ADC Exploitation CVE-2023-3519
• Create Remote Thread into LSASS
• Create local admin accounts using net exe
• Detect Credential Dumping through LSASS access
• Detect New Local Admin account
• Detect Remote Access Software Usage DNS
• Detect Remote Access Software Usage File
• Detect Remote Access Software Usage Process
• Detect Remote Access Software Usage URL
• Detect SharpHound Command-Line Arguments
• Detect SharpHound File Modifications
• Disable Defender AntiVirus Registry
• Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
• Domain Controller Discovery with Nltest
• [Elevated ...

v4.39.1

Release notes

• RMM Software Tracking Dashboard was missing in the 4.39.0 release. This has been resolved in Content Update 4.39.1.

v4.39.0

Key Highlights

Enterprise Security Content Update version 4.39.0 introduces critical detections aimed at addressing vulnerabilities in Ivanti Virtual Traffic Manager (CVE-2024-7593), with a particular focus on detecting SQL injection remote code execution and unauthorized account creation activities.This update also significantly enhances Office 365 security by incorporating advanced detections that monitor data loss prevention triggers, identify suspicious email behaviors, and track critical security feature changes across email and SharePoint environments, ensuring a more robust defense against potential threats. Additionally, a comprehensive set of new detections for Windows Active Directory is included, targeting potential threats related to privilege escalation, dangerous ACL modifications, GPO changes, and suspicious attribute modifications, thereby strengthening the overall identity and access management defenses within the enterprise. This release also introduces a new RMM Software Tracking Dashboard, designed to assist with the auditing and monitoring of Remote Monitoring and Management (RMM) software. This dashboard provides comprehensive visibility into RMM alert content, enabling more effective tracking and analysis of RMM-related activities and potential security risks within your environment.

New Analytic Story - [2]

• Ivanti Virtual Traffic Manager CVE-2024-7593
• MoonPeak

New Analytics - [29]

• Detect Password Spray Attack Behavior From Source (External Contributor: @nterl0k )
• Detect Password Spray Attack Behavior On User(External Contributor: @nterl0k )
• Ivanti EPM SQL Injection Remote Code Execution
• Ivanti VTM New Account Creation
• O365 DLP Rule Triggered(External Contributor: @nterl0k )
• O365 Email Access By Security Administrator(External Contributor: @nterl0k )
• O365 Email Reported By Admin Found Malicious(External Contributor: @nterl0k )
• O365 Email Reported By User Found Malicious(External Contributor: @nterl0k )
• O365 Email Security Feature Changed(External Contributor: @nterl0k )
• O365 Email Suspicious Behavior Alert(External Contributor: @nterl0k )
• O365 Safe Links Detection(External Contributor: @nterl0k )
• O365 SharePoint Allowed Domains Policy Changed(External Contributor: @nterl0k )
• O365 SharePoint Malware Detection(External Contributor: @nterl0k )
• O365 Threat Intelligence Suspicious Email Delivered(External Contributor: @nterl0k )
• O365 Threat Intelligence Suspicious File Detected(External Contributor: @nterl0k )
• O365 ZAP Activity Detection(External Contributor: @nterl0k )
• Windows AD DCShadow Privileges ACL Addition(External Contributor: @dluxtron)
• Windows AD Dangerous Deny ACL Modification(External Contributor: @dluxtron)
• Windows AD Dangerous Group ACL Modification(External Contributor: @dluxtron)
• Windows AD Dangerous User ACL Modification(External Contributor: @dluxtron)
• Windows AD Domain Root ACL Deletion(External Contributor: @dluxtron)
• Windows AD Domain Root ACL Modification(External Contributor: @dluxtron)
• Windows AD GPO Deleted(External Contributor: @dluxtron)
• Windows AD GPO Disabled(External Contributor: @dluxtron)
• Windows AD GPO New CSE Addition(External Contributor: @dluxtron)
• Windows AD Hidden OU Creation(External Contributor: @dluxtron)
• Windows AD Object Owner Updated(External Contributor: @dluxtron)
• Windows AD Self DACL Assignment(External Contributor: @dluxtron)
• Windows AD Suspicious Attribute Modification(External Contributor: @dluxtron)

Updated Analytics - [2]

• Azure AD Concurrent Sessions From Different Ips
• Azure AD High Number Of Failed Authentications From Ip

New Dashboards

• RMM Software Tracking: Utilize this dashboard to assist with auditing and monitoring of Remote Monitoring and Management (RMM) alert content. (External Contributor: @nterl0k )

Other Updates

• Updated observables for 300+ analytics to improve creation accuracy of risk and threat objects
• contentctl was updated to v4.3.3, expanding the validation of content which leverages risk-based alerting (RBA). All production ESCU content, which uses RBA is now tested to ensure that threat objects, risk objects, and risk messages are generated accurately. These additional validations have resulted in the improvement of over 300 pieces of content in ESCU 4.39.0.

v4.38.0

Key highlights

Enterprise Security Content Update version 4.38.0 introduces new detections focusing on Windows Endpoints and Office365 with specific attention to identity and access management vulnerabilities. This version also includes detections to identify unusual NTLM authentication patterns. A number of new detections are included for Crowdstrike environments to identify weak password policies, detect duplicate passwords among users and administrators, assess identity risk with various severity levels, and detect privilege escalation attempts in non-administrative accounts. For Office 365 environments, this update includes detections to monitor cross-tenant access changes, external guest invitations, changes in external identity policies, and privileged role assignments. Finally, two new analytic stores are included for help detect Compromised Windows Hosts or activities linked to the Handala Wiper Malware.

New Analytic Story - [2]

• Compromised Windows Host
• Handala Wiper

Updated Analytic Story - [1]

• CISA AA23-347A

New Analytics - [20]

• Crowdstrike Admin Weak Password Policy
• Crowdstrike Admin With Duplicate Password
• Crowdstrike High Identity Risk Severity
• Crowdstrike Medium Identity Risk Severity
• Crowdstrike Medium Severity Alert
• Crowdstrike Multiple LOW Severity Alerts
• Crowdstrike Privilege Escalation For Non-Admin User
• Crowdstrike User Weak Password Policy
• Crowdstrike User with Duplicate Password
• O365 Application Available To Other Tenants(External Contributor: @nterl0k )
• O365 Cross-Tenant Access Change (External Contributor: @nterl0k )
• O365 External Guest User Invited (External Contributor: @nterl0k )
• O365 External Identity Policy Changed(External Contributor: @nterl0k )
• O365 Privileged Role Assigned To Service Principal(External Contributor: @nterl0k )
• O365 Privileged Role Assigned(External Contributor: @nterl0k )
• Windows Multiple NTLM Null Domain Authentications(External Contributor: @nterl0k )
• Windows Unusual NTLM Authentication Destinations By Source(External Contributor: @nterl0k )
• Windows Unusual NTLM Authentication Destinations By User(External Contributor: @nterl0k )
• Windows Unusual NTLM Authentication Users By Destination(External Contributor: @nterl0k )
• Windows Unusual NTLM Authentication Users By Source(External Contributor: @nterl0k )

Updated Analytics - [13]

• Detect Regasm Spawning a Process
• Detect Regasm with Network Connection
• Detect Regasm with no Command Line Arguments
• Executables Or Script Creation In Suspicious Path
• Internal Horizontal Port Scan
• Linux c99 Privilege Escalation
• Powershell Windows Defender Exclusion Commands
• Suspicious Process File Path
• Windows AutoIt3 Execution
• Windows Data Destruction Recursive Exec Files Deletion
• Windows Gather Victim Network Info Through Ip Check Web Services
• Windows High File Deletion Frequency
• Windows Vulnerable Driver Installed

Macros Added - [3]

• crowdstrike_identities
• crowdstrike_stream
• ntlm_audit

Macros Updated - [1]

• linux_hosts

Lookups Updated - [1]

• privileged_azure_ad_roles

Other Updates

• Added new data_source objects
• Changes TA names in data sources to match the name in Splunk
• Updated TA version to match the latest (new check in contentctl)
• Add configuration file to Sysmon and Windows Event Code 4688
• Update analytic story on detections for Handala Wiper

v4.37.0

Key Highlights

Enterprise Security Content Updates version 4.37.0 introduces new detections focused on emerging threats like AcidPour, Gozi Malware, and ShrinkLocker. These analytics identify sophisticated techniques used by these malware families to compromise Windows environments, primarily through registry modifications. The update includes detections for attempts to configure BitLocker, delete firewall rules, disable Remote Desktop Protocol (RDP), alter Smart Card Group Policy, modify firewall rules, and change Outlook WebView settings. By monitoring these critical registry changes, security teams can more effectively identify potential compromises and swiftly mitigate risks associated with these advanced malware variants.We have also published a detailed blog on Acid Pour Wiper Malware and the various TTPs used by this wiper malware.

This release also contains detections for identifying exploitation of the following vulnerabilities:

• CVE-2024-5806, published by Progress Software, describes an improper authentication vulnerability affecting the MOVEit Transfer SFTP service that can lead to authentication bypass.
• CVE-2024-29824, published by ZDI and Ivanti, concerns an enterprise endpoint management solution and describes a SQL injection resulting in remote code execution with a CVSS score of 9.8.
• CVE-2024-37085, published by Broadcom, impacts VMware ESXi hypervisors. Successful exploitation of this flaw allows attackers with sufficient Active Directory permissions to gain full access to an ESXi host configured to use AD for user management by re-creating the default 'ESXi Admins' group after it has been deleted from Active Directory.

New Analytic Story - [6]

• AcidPour
• Gozi Malware
• Ivanti EPM Vulnerabilities
• MOVEit Transfer Authentication Bypass
• ShrinkLocker
• VMware ESXi AD Integration Authentication Bypass CVE-2024-37085

New Analytics - [16]

• Ivanti EPM SQL Injection Remote Code Execution
• MOVEit Certificate Store Access Failure
• MOVEit Empty Key Fingerprint Authentication Attempt
• Windows ESX Admins Group Creation Security Event
• Windows ESX Admins Group Creation via Net
• Windows ESX Admins Group Creation via PowerShell
• Windows Known Abused DLL Loaded Suspiciously (External Contributor: @nterl0k )
• Windows LOLBAS Executed As Renamed File (External Contributor: @nterl0k)
• Windows LOLBAS Executed Outside Expected Path (External Contributor: @nterl0k )
• Windows Modify Registry Configure BitLocker
• Windows Modify Registry Delete Firewall Rules
• Windows Modify Registry Disable RDP
• Windows Modify Registry on Smart Card Group Policy
• Windows Modify Registry to Add or Modify Firewall Rule
• Windows Outlook WebView Registry Modification
• Windows Privileged Group Modification (External Contributor: @TheLawsOfChaos )

Updated Analytics - [11]

• Detect Remote Access Software Usage DNS (External Contributor: @nterl0k )
• Detect Remote Access Software Usage FileInfo(External Contributor: @nterl0k )
• Detect Remote Access Software Usage File(External Contributor: @nterl0k )
• Detect Remote Access Software Usage Process(External Contributor: @nterl0k )
• Detect Remote Access Software Usage Traffic(External Contributor: @nterl0k )
• Detect Remote Access Software Usage URL(External Contributor: @nterl0k )
• Possible Lateral Movement PowerShell Spawn
• Linux Obfuscated Files or Information Base64 Decode
• Linux Decode Base64 to Shell
• Windows Protocol Tunneling with Plink
• Malicious PowerShell Process - Encoded Command
• Windows Event Log Cleared
• Azure AD Admin Consent Bypassed by Service Principal (External Contributor: @dluxtron)
• Azure AD Global Administrator Role Assigned (External Contributor: @dluxtron)
• Azure AD Privileged Role Assigned (External Contributor: @dluxtron)
• Azure AD Service Principal New Client Credentials (External Contributor: @dluxtron)
• Detect New Local Admin account (External Contributor: @dluxtron)
• Kerberos Pre-Authentication Flag Disabled in UserAccountControl (External Contributor: @dluxtron)
• Detect Renamed PSExec (External Contributor: Alex Oberkircher, Github)
• Scheduled Task Initiation on Remote Endpoint(External Contributor: @Badoodish, Github)

Macros Added - [2]

• moveit_sftp_logs
• remote_access_software_usage_exceptions

Lookups Added - [1]

• remote_access_software_exceptions

Lookups Updated - [4]

• lolbas_file_path
• privileged_azure_ad_roles
• remote_access_software
• splunk_risky_command

Other Updates

• Remove usage_searches.conf from the ESCU app
• Update the yaml file structure for data_sources objects
• Remove dev/ directory from Github repo as we do not actively maintain Sigma supported detections in this directory
• Removed ransomware_extensions.csv from the repo and replaced it with an updated lookup - ransomware_extensions_20231219.csv
• Removed ransomware_notes.csv from the repo and replaced it with an updated lookup - ransomware_notes_20231219.csv
• Removed privileged_azure_ad_roles.csv from the repo and replaced it with an updated lookup - privileged_azure_ad_roles20240729.csv
• Removed remote_access_software.csv from the repo and replaced it with an updated lookup - remote_access_software20240726.csv

v4.36.0

Key highlights

Enterprise Security Content Updates version 4.36.0 introduces a comprehensive suite of new detections related to Sneaky Active Directory Persistence Tricks. These detections are designed to identify and alert on subtle techniques used by attackers to maintain unauthorized access within Active Directory environments. The update includes analytics for detecting distributed and localized password spray attempts, identifying internal horizontal and vertical port scans, and alerting on Windows AD self-group additions.

Additionally, this release incorporates detections for monitoring increases in group/object modification activity, tracking unusual spikes in user modification activity, detecting suspicious Windows network share interactions, and identifying installations of known vulnerable drivers. These new capabilities significantly enhance an organization's ability to spot and respond to sophisticated persistence techniques in Active Directory, improving overall security posture against advanced persistent threats.

ESCU 4.36.0

###Total New and Updated Content: [10]

New Analytics - [10]

• Detect Distributed Password Spray Attempts
• Detect Password Spray Attempts
• Internal Horizontal Port Scan
• Internal Vertical Port Scan
• Windows AD add Self to Group
• Windows Increase in Group or Object Modification Activity
• Windows Increase in User Modification Activity
• Windows Network Share Interaction With Net
• Windows Vulnerable Driver Installed

Other Updates

• Added new data_source objects

v4.35.0

Key Highlights

• Enterprise Security Content Updates version 4.35.0 contains 11 new analytics and 6 updated analytics that are specifically crafted to detect the Splunk Security Advisories that were published on July 1st, 2024 for Splunk Enterprise 9.2.2, 9.1.5, 9.0.10 and Splunk Cloud. These Splunk Enterprise updates address several critical vulnerabilities, including multiple instances of persistent cross-site scripting (XSS) in various endpoints, remote code execution (RCE) exploits, and denial of service (DoS) vulnerabilities. Additionally, in this ESCU build we have updated the analytics for detecting information disclosure of user names, path traversal, insecure file uploads, and risky command safeguards bypasses, ensuring a more secure environment for Splunk Enterprise users. Please refer to https://advisory.splunk.com/ for specific details about the vulnerabilities.

Total New and Updated Content: [19]

New Analytic Story - [0]

Updated Analytic Story - [0]

New Analytics - [11]

• Splunk DoS via POST Request Datamodel Endpoint
• Splunk Information Disclosure on Account Login
• Splunk RCE PDFgen Render
• Splunk RCE via External Lookup Copybuckets
• Splunk Stored XSS conf-web Settings on Premises
• Splunk Stored XSS via Specially Crafted Bulletin Message
• Splunk Unauthenticated DoS via Null Pointer References
• Splunk Unauthenticated Path Traversal Modules Messaging
• Splunk Unauthorized Experimental Items Creation
• Splunk XSS Privilege Escalation via Custom Urls in Dashboard
• Splunk XSS Via External Urls in Dashboards SSRF

Updated Analytics - [6]

• Splunk CSRF in the SSG kvstore Client Endpoint
• Splunk Enterprise Windows Deserialization File Partition
• Splunk Stored XSS via Data Model objectName Field
• Splunk XSS in Highlighted JSON Events
• Splunk XSS in Save table dialog header in search page
• Splunk risky Command Abuse disclosed february 2023

Macros Added - [1]

• splunkd_webs

Macros Updated - [0]

Lookups Added - [0]

Lookups Updated - [1]

• splunk_risky_command

Playbooks Added - [0]

Playbooks Updated - [0]

Deprecated Analytics - [0]

Other Updates

• Updated the ESCU Summary Dashboard to link directly to the Enterprise Security Use Case Library.

Full Changelog: v4.34.0...v4.35.0

v4.34.0

Release notes for ESCU release_v4.34.0

Total New and Updated Content: [1256]

New Analytic Story - [1]

• Gomir

Updated Analytic Story - [0]

New Analytics - [2]

• Windows Debugger Tool Execution
• Windows Unsigned DLL Side-Loading In Same Process Path

Updated Analytics - [1238]

Over 1200+ descriptions updated.

Macros Added - [3]

• fillnull_config
• oldsummaries_config
• summariesonly_config

Macros Updated - [2]

• prohibited_softwares
• security_content_summariesonly

Updated the security_content_summariesonly macro to use macros for each of the configuration settings that were previously hardcoded. There's no change in the values of those macros and the previous configuration of the security_content_summariesonly macro

Lookups Added - [0]

Lookups Updated - [0]

Playbooks Added - [0]

Playbooks Updated - [0]

Deprecated Analytics - [10]

• Clients Connecting to Multiple DNS Servers
• DNS Query Requests Resolved by Unauthorized DNS Servers
• First time seen command line argument
• GCP Kubernetes cluster scan detection
• Multiple Okta Users With Invalid Credentials From The Same IP
• Okta Failed SSO Attempts
• Prohibited Software On Endpoint
• Suspicious Changes to File Associations
• Uncommon Processes On Endpoint
• Unsigned Image Loaded by LSASS

Other Updates

• Updated descriptions and _filter macro for several analytics to have a consistent standard and formatting.
• Updated distsearch.conf to remove bias language.
• Updated testing to run against the official Splunk Sysmon for Linux Add-on.

Full Changelog: v4.33.0...v4.34.0

v4.33.0

Key highlights

Enterprise Security Content Updates version 4.33.0 adds a new detection, CrushFTP Server Side Template Injection. This detection highlights any attempts to exploit CVE-2024-4040, a critical vulnerability that allows unauthenticated remote attackers to run arbitrary code and bypass authentication in CrushFTP versions before 10.7.1 and 11.1.0.

Additionally, this release includes updates to the detection logic of some analytics that use lookups. This includes changing the order of operations in the SPL so that the lookup command is run after the stats command. Thus, in a distributed environment, lookups don't need to be replicated and the search performance improves slightly in all environments because it involves looking up values for fewer events.

New Analytic Story - [1]

• CrushFTP Vulnerabilities

New Analytics - [1]

• CrushFTP Server Side Template Injection

Updated Analytics - [12]

• Azure AD Privileged Role Assigned
• Azure AD Privileged Role Assigned to Service Principal
• Kubernetes Nginx Ingress LFI
• Windows AppLocker Block Events
• Windows Credential Access From Browser Password Store
• Windows Defender ASR Audit Events
• Windows Defender ASR Block Events
• Windows Defender ASR Registry Modification
• Windows Defender ASR Rule Disabled
• Windows Defender ASR Rules Stacking
• Windows AppLocker Privilege Escalation via Unauthorized Bypass
• Windows Domain Admin Impersonation Indicator

Other Updates

• Updated descriptions for 80+ analytics to have a consistent standard and formatting.

v4.32.0

What's new

Enterprise Security Content Updates v4.32.0 was released on May 22, 2024. It includes the following enhancements:

Key highlights

Splunk Threat Research team has added 6 new detections and updated 6 existing detection analytics focused on AWS, leveraging the Open Cybersecurity Schema Framework (OCSF) to support the recent GA release of Amazon Security Lake (ASL) and the Splunk Add-On for Amazon Web Services. Additionally, Enterprise Security Content Updates v4.32.0 updated 6 analytics based on testing on real-world data to enhance accuracy and effectiveness in identifying suspicious activities and potential threats.

Enterprise Security Content Updates v4.32.0 detects critical security events such as attempts to disable or modify CloudTrail logging, unauthorized container uploads to Amazon ECR, and suspicious IAM group deletions, ensuring comprehensive monitoring and rapid response to potential threats.

This release also introduced a new object called data_sources for each detection to improve mapping by associating detections with their corresponding Splunkbase TAs, sample events. In addition, this release lists fields extracted in the raw data.

New analytics

• ASL AWS Defense Evasion Stop Logging Cloudtrail
• ASL AWS Defense Evasion Update Cloudtrail
• ASL AWS ECR Container Upload Outside Business Hours
• ASL AWS ECR Container Upload Unknown User
• ASL AWS IAM Failure Group Deletion
• ASL AWS IAM Successful Group Deletion

Updated Analytics

• ASL AWS Concurrent Sessions From Different Ips
• ASL AWS Defense Evasion Delete CloudWatch Log Group
• ASL AWS Defense Evasion Delete Cloudtrail
• ASL AWS Defense Evasion Impair Security Services
• ASL AWS IAM Delete Policy
• ASL AWS Multi-Factor Authentication Disabled
• Detect Regasm Spawning a Process
• Possible Lateral Movement PowerShell Spawn
• Process Creating LNK file in Suspicious Location
• Process Execution via WMI
• Windows InstallUtil Uninstall Option
• Windows MOF Event Triggered Execution via WMI

Macros added

aws_ecr_users_asl

Macros updated

amazon_security_lake

Deprecated detection

Windows DLL Search Order Hijacking Hunt

Other updates

• Updates to several reference links that were no longer working.
• Added dist/ files to .gitignore and added them back in the release.yml CI job to keep generated dist/ files up to date.
• Added a new yml object called data_sources with information of each data source leveraged by the detection search.