This repository has been archived by the owner on Apr 10, 2024. It is now read-only.

updating research.splunk.com site bits [ci skip]
publish bot committed Feb 22, 2024
1 parent 4016c51 commit 17187a8
Showing 1,216 changed files with 2,868 additions and 1,304 deletions.
1 change: 1 addition & 0 deletions _pages/account_compromise.md
Expand Up @@ -17,5 +17,6 @@ sidebar:
| [Insider Threat](/stories/insider_threat/) | [Password Spraying](/tags/#password-spraying), [Brute Force](/tags/#brute-force) | [Credential Access](/tags/#credential-access) |
| [Office 365 Account Takeover](/stories/office_365_account_takeover/) | [Steal Application Access Token](/tags/#steal-application-access-token) | [Credential Access](/tags/#credential-access) |
| [Office 365 Persistence Mechanisms](/stories/office_365_persistence_mechanisms/) | [Account Manipulation](/tags/#account-manipulation), [Additional Cloud Roles](/tags/#additional-cloud-roles) | [Persistence](/tags/#persistence) |
| [Snake Keylogger](/stories/snake_keylogger/) | [Malicious File](/tags/#malicious-file), [User Execution](/tags/#user-execution) | [Execution](/tags/#execution) |
| [Snake Malware](/stories/snake_malware/) | [Kernel Modules and Extensions](/tags/#kernel-modules-and-extensions), [Service Execution](/tags/#service-execution) | [Persistence](/tags/#persistence) |
| [Sneaky Active Directory Persistence Tricks](/stories/sneaky_active_directory_persistence_tricks/) | [Security Support Provider](/tags/#security-support-provider), [Boot or Logon Autostart Execution](/tags/#boot-or-logon-autostart-execution) | [Persistence](/tags/#persistence) |
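Review bot: the added Snake Keylogger row is the only one in this hunk whose tactic column reads Execution; the rows around it on account_compromise.md carry Credential Access or Persistence. If this page is meant to collect account-compromise stories, confirm that the story's tags (Malicious File, User Execution) are the intended reason for listing it here and not only on adversary_tactics.md, where the identical row is also added in this commit.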
5 changes: 4 additions & 1 deletion _pages/adversary_tactics.md
Expand Up @@ -45,6 +45,7 @@ sidebar:
| [Command And Control](/stories/command_and_control/) | [Remote Access Software](/tags/#remote-access-software) | [Command And Control](/tags/#command-and-control) |
| [Compromised User Account](/stories/compromised_user_account/) | [Multi-Factor Authentication Request Generation](/tags/#multi-factor-authentication-request-generation), [Multi-Factor Authentication](/tags/#multi-factor-authentication), [Device Registration](/tags/#device-registration) | [Credential Access](/tags/#credential-access) |
| [Confluence Data Center and Confluence Server Vulnerabilities](/stories/confluence_data_center_and_confluence_server_vulnerabilities/) | [Server Software Component](/tags/#server-software-component), [Exploit Public-Facing Application](/tags/#exploit-public-facing-application), [External Remote Services](/tags/#external-remote-services) | [Persistence](/tags/#persistence) |
| [ConnectWise ScreenConnect Vulnerabilities](/stories/connectwise_screenconnect_vulnerabilities/) | [Exploit Public-Facing Application](/tags/#exploit-public-facing-application) | [Initial Access](/tags/#initial-access) |
| [Credential Dumping](/stories/credential_dumping/) | [NTDS](/tags/#ntds), [OS Credential Dumping](/tags/#os-credential-dumping) | [Credential Access](/tags/#credential-access) |
| [DNS Hijacking](/stories/dns_hijacking/) | [Domain Generation Algorithms](/tags/#domain-generation-algorithms) | [Command And Control](/tags/#command-and-control) |
| [DarkGate Malware](/stories/darkgate_malware/) | [Command and Scripting Interpreter](/tags/#command-and-scripting-interpreter) | [Execution](/tags/#execution) |
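Review bot: row order in this hunk is case-sensitive (DNS Hijacking sorts before DarkGate Malware), so the generator appears to sort on the raw string; a case-insensitive key would make the position of new rows such as ConnectWise ScreenConnect Vulnerabilities predictable. Separately, the tactic column uses "Command And Control" with a capital "And", which does not match the lowercase "and" in technique names such as "Command and Scripting Interpreter" on the next line.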
Expand Down Expand Up @@ -105,6 +106,7 @@ sidebar:
| [Scheduled Tasks](/stories/scheduled_tasks/) | [Scheduled Task](/tags/#scheduled-task), [Scheduled Task/Job](/tags/#scheduled-task/job) | [Execution](/tags/#execution) |
| [Signed Binary Proxy Execution InstallUtil](/stories/signed_binary_proxy_execution_installutil/) | [Masquerading](/tags/#masquerading), [Rename System Utilities](/tags/#rename-system-utilities), [System Binary Proxy Execution](/tags/#system-binary-proxy-execution), [InstallUtil](/tags/#installutil) | [Defense Evasion](/tags/#defense-evasion) |
| [Silver Sparrow](/stories/silver_sparrow/) | [Data Staged](/tags/#data-staged) | [Collection](/tags/#collection) |
| [Snake Keylogger](/stories/snake_keylogger/) | [Malicious File](/tags/#malicious-file), [User Execution](/tags/#user-execution) | [Execution](/tags/#execution) |
| [Snake Malware](/stories/snake_malware/) | [Kernel Modules and Extensions](/tags/#kernel-modules-and-extensions), [Service Execution](/tags/#service-execution) | [Persistence](/tags/#persistence) |
| [Sneaky Active Directory Persistence Tricks](/stories/sneaky_active_directory_persistence_tricks/) | [Security Support Provider](/tags/#security-support-provider), [Boot or Logon Autostart Execution](/tags/#boot-or-logon-autostart-execution) | [Persistence](/tags/#persistence) |
| [Spearphishing Attachments](/stories/spearphishing_attachments/) | [Phishing](/tags/#phishing), [Spearphishing Attachment](/tags/#spearphishing-attachment) | [Initial Access](/tags/#initial-access) |
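Review bot: several tag links in this hunk keep a slash inside the URL fragment, for example `/tags/#scheduled-task/job` on the Scheduled Tasks row; a fragment containing `/` only resolves if the tag page emits an element id with exactly that string, so check that the anchor slug and the id generated on /tags/ agree. The added Snake Keylogger row itself matches the copy added to account_compromise.md.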
Expand Down Expand Up @@ -145,4 +147,5 @@ sidebar:
| [Windows Persistence Techniques](/stories/windows_persistence_techniques/) | [Services Registry Permissions Weakness](/tags/#services-registry-permissions-weakness) | [Persistence](/tags/#persistence) |
| [Windows Post-Exploitation](/stories/windows_post-exploitation/) | [Windows Management Instrumentation](/tags/#windows-management-instrumentation) | [Execution](/tags/#execution) |
| [Windows Privilege Escalation](/stories/windows_privilege_escalation/) | [Exploitation for Privilege Escalation](/tags/#exploitation-for-privilege-escalation), [Abuse Elevation Control Mechanism](/tags/#abuse-elevation-control-mechanism), [Access Token Manipulation](/tags/#access-token-manipulation) | [Privilege Escalation](/tags/#privilege-escalation) |
| [Windows System Binary Proxy Execution MSIExec](/stories/windows_system_binary_proxy_execution_msiexec/) | [Msiexec](/tags/#msiexec) | [Defense Evasion](/tags/#defense-evasion) |
| [Windows System Binary Proxy Execution MSIExec](/stories/windows_system_binary_proxy_execution_msiexec/) | [Msiexec](/tags/#msiexec) | [Defense Evasion](/tags/#defense-evasion) |
| [WordPress Vulnerabilities](/stories/wordpress_vulnerabilities/) | [Exploit Public-Facing Application](/tags/#exploit-public-facing-application) | [Initial Access](/tags/#initial-access) |
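Review bot: the Windows System Binary Proxy Execution MSIExec row appears twice with identical rendered text, which together with the hunk counts (4 old lines, 5 new, 1 deletion) means one copy was removed and one re-added; the difference is not visible here. If it is whitespace, a generator that rewrites an unchanged row on every run adds churn to an already 1,216-file commit and is worth normalising. The WordPress Vulnerabilities row is the substantive addition and pairs with the WordPress Bricks Builder plugin RCE detection added to detections.md.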
7 changes: 5 additions & 2 deletions _pages/aws_iam.md
@@ -1,5 +1,5 @@
---
title: aws_iam
title: AWS IAM
layout: tag
author_profile: false
classes: wide
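Review bot: changing the front-matter title from `aws_iam` to `AWS IAM` is a display-only fix; confirm that the `tag` layout keys this page by file name rather than by title, otherwise any link or tag lookup that still uses the old string would break.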
Expand All @@ -10,4 +10,7 @@ sidebar:

| Name | SOAR App | D3FEND | Use Case |
| --------| ---------- | ----------- | ----------- |
| [Active Directory Enable Account Dispatch](/playbooks/active_directory_enable_account_dispatch/)| [microsoft_ad_ldap](https://splunkbase.splunk.com/apps?keyword=microsoft_ad_ldap&filters=product%3Asoar), [azure_ad_graph](https://splunkbase.splunk.com/apps?keyword=azure_ad_graph&filters=product%3Asoar), [aws_iam](https://splunkbase.splunk.com/apps?keyword=aws_iam&filters=product%3Asoar)| | |
| [AWS Disable User Accounts](/playbooks/aws_disable_user_accounts/)| [AWS IAM](https://splunkbase.splunk.com/apps?keyword=aws+iam&filters=product%3Asoar)| | |
| [AWS Find Inactive Users](/playbooks/aws_find_inactive_users/)| [AWS IAM](https://splunkbase.splunk.com/apps?keyword=aws+iam&filters=product%3Asoar), [Phantom](https://splunkbase.splunk.com/apps?keyword=phantom&filters=product%3Asoar)| | |
| [AWS IAM Account Locking](/playbooks/aws_iam_account_locking/)| [AWS IAM](https://splunkbase.splunk.com/apps?keyword=aws+iam&filters=product%3Asoar)| [Account Locking](https://d3fend.mitre.org/technique/d3f:AccountLocking)| [Phishing](/playbooks/phishing), [Endpoint](/playbooks/endpoint)|
| [AWS IAM Account Unlocking](/playbooks/aws_iam_account_unlocking/)| [AWS IAM](https://splunkbase.splunk.com/apps?keyword=aws+iam&filters=product%3Asoar)| | |
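Review bot: the SOAR App column is inconsistent within this hunk: the Active Directory Enable Account Dispatch row links the app as `aws_iam` with `keyword=aws_iam`, while the four AWS rows link it as `AWS IAM` with `keyword=aws+iam`. Both point at the Splunkbase search, but the two keywords need not return the same results, so the generator should emit one canonical app name and keyword. Only the AWS IAM Account Locking row fills the D3FEND and Use Case columns; the empty cells on the other rows are fine if the source playbooks lack those fields, but that is worth confirming.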
7 changes: 7 additions & 0 deletions _pages/detections.md
Expand Up @@ -215,6 +215,9 @@ sidebar:
| [Confluence Data Center and Server Privilege Escalation](/web/115bebac-0976-4f7d-a3ec-d1fb45a39a11/) | [Exploit Public-Facing Application](/tags/#exploit-public-facing-application) | [TTP](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
| [Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527](/web/f56936c0-ae6f-4eeb-91ff-ecc1448c6105/) | [Exploit Public-Facing Application](/tags/#exploit-public-facing-application) | [TTP](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
| [Confluence Unauthenticated Remote Code Execution CVE-2022-26134](/web/fcf4bd3f-a79f-4b7a-83bf-2692d60b859c/) | [Server Software Component](/tags/#server-software-component), [Exploit Public-Facing Application](/tags/#exploit-public-facing-application), [External Remote Services](/tags/#external-remote-services) | [TTP](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
| [ConnectWise ScreenConnect Authentication Bypass](/web/d3f7a803-e802-448b-8eb2-e796b223bfff/) | [Exploit Public-Facing Application](/tags/#exploit-public-facing-application) | [TTP](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
| [ConnectWise ScreenConnect Path Traversal](/endpoint/56a3ac65-e747-41f7-b014-dff7423c1dda/) | [Exploit Public-Facing Application](/tags/#exploit-public-facing-application) | [TTP](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
| [ConnectWise ScreenConnect Path Traversal Windows SACL](/endpoint/4e127857-1fc9-4c95-9d69-ba24c91d52d7/) | [Exploit Public-Facing Application](/tags/#exploit-public-facing-application) | [TTP](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
| [Conti Common Exec parameter](/endpoint/624919bc-c382-11eb-adcc-acde48001122/) | [User Execution](/tags/#user-execution) | [TTP](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
| [Control Loading from World Writable Directory](/endpoint/10423ac4-10c9-11ec-8dc4-acde48001122/) | [System Binary Proxy Execution](/tags/#system-binary-proxy-execution), [Control Panel](/tags/#control-panel) | [TTP](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
| [Correlation by Repository and Risk](/deprecated/8da9fdd9-6a1b-4ae0-8a34-8c25e6be9687/) | [Malicious Image](/tags/#malicious-image), [User Execution](/tags/#user-execution) | [Correlation](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
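Review bot: the three added ConnectWise ScreenConnect detections are split across `/web/` (Authentication Bypass) and `/endpoint/` (the two Path Traversal analytics) yet all map to the same technique, Exploit Public-Facing Application. The Windows SACL variant's name implies it depends on SACL-based object-access auditing being configured on the relevant directories, which is not on by default; its detection page should state that prerequisite so it is not deployed expecting the same coverage as the other two.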
Expand Down Expand Up @@ -1435,6 +1438,7 @@ sidebar:
| [Windows NirSoft AdvancedRun](/endpoint/bb4f3090-7ae4-11ec-897f-acde48001122/) | [Tool](/tags/#tool) | [TTP](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
| [Windows NirSoft Utilities](/endpoint/5b2f4596-7d4c-11ec-88a7-acde48001122/) | [Tool](/tags/#tool) | [Hunting](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
| [Windows Njrat Fileless Storage via Registry](/endpoint/a5fffbbd-271f-4980-94ed-4fbf17f0af1c/) | [Fileless Storage](/tags/#fileless-storage), [Obfuscated Files or Information](/tags/#obfuscated-files-or-information) | [TTP](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
| [Windows Non Discord App Access Discord LevelDB](/endpoint/1166360c-d495-45ac-87a6-8948aac1fa07/) | [Query Registry](/tags/#query-registry) | [Anomaly](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
| [Windows Non-System Account Targeting Lsass](/endpoint/b1ce9a72-73cf-11ec-981b-acde48001122/) | [LSASS Memory](/tags/#lsass-memory), [OS Credential Dumping](/tags/#os-credential-dumping) | [TTP](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
| [Windows OS Credential Dumping with Ntdsutil Export NTDS](/endpoint/dad9ddec-a72a-47be-87b6-a0f7ba98ed6e/) | [NTDS](/tags/#ntds), [OS Credential Dumping](/tags/#os-credential-dumping) | [TTP](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
| [Windows OS Credential Dumping with Procdump](/endpoint/e102e297-dbe6-4a19-b319-5c08f4c19a06/) | [LSASS Memory](/tags/#lsass-memory), [OS Credential Dumping](/tags/#os-credential-dumping) | [TTP](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
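Review bot: the added Windows Non Discord App Access Discord LevelDB row maps to the Query Registry technique, but LevelDB is an on-disk database, so access to it is a file-system event rather than a registry query; the ATT&CK mapping looks wrong and should be checked in the detection's source YAML before this page is regenerated.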
Expand Down Expand Up @@ -1596,8 +1600,10 @@ sidebar:
| [Windows System User Privilege Discovery](/endpoint/8c9a06bc-9939-4425-9bb9-be2371f7fb7e/) | [System Owner/User Discovery](/tags/#system-owner/user-discovery) | [Hunting](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
| [Windows Terminating Lsass Process](/endpoint/7ab3c319-a4e7-4211-9e8c-40a049d0dba6/) | [Disable or Modify Tools](/tags/#disable-or-modify-tools), [Impair Defenses](/tags/#impair-defenses) | [Anomaly](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
| [Windows Time Based Evasion](/endpoint/34502357-deb1-499a-8261-ffe144abf561/) | [Virtualization/Sandbox Evasion](/tags/#virtualization/sandbox-evasion), [Time Based Evasion](/tags/#time-based-evasion) | [TTP](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
| [Windows Time Based Evasion via Choice Exec](/endpoint/d5f54b38-10bf-4b3a-b6fc-85949862ed50/) | [Time Based Evasion](/tags/#time-based-evasion), [Virtualization/Sandbox Evasion](/tags/#virtualization/sandbox-evasion) | [Anomaly](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
| [Windows UAC Bypass Suspicious Child Process](/endpoint/453a6b0f-b0ea-48fa-9cf4-20537ffdd22c/) | [Abuse Elevation Control Mechanism](/tags/#abuse-elevation-control-mechanism), [Bypass User Account Control](/tags/#bypass-user-account-control) | [TTP](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
| [Windows UAC Bypass Suspicious Escalation Behavior](/endpoint/00d050d3-a5b4-4565-a6a5-a31f69681dc3/) | [Abuse Elevation Control Mechanism](/tags/#abuse-elevation-control-mechanism), [Bypass User Account Control](/tags/#bypass-user-account-control) | [TTP](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
| [Windows Unsecured Outlook Credentials Access In Registry](/endpoint/36334123-077d-47a2-b70c-6c7b3cc85049/) | [Unsecured Credentials](/tags/#unsecured-credentials) | [Anomaly](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
| [Windows Unsigned DLL Side-Loading](/endpoint/5a83ce44-8e0f-4786-a775-8249a525c879/) | [DLL Side-Loading](/tags/#dll-side-loading) | [Anomaly](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
| [Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos](/endpoint/f65aa026-b811-42ab-b4b9-d9088137648f/) | [Password Spraying](/tags/#password-spraying), [Brute Force](/tags/#brute-force) | [Anomaly](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
| [Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos](/endpoint/f122cb2e-d773-4f11-8399-62a3572d8dd7/) | [Password Spraying](/tags/#password-spraying), [Brute Force](/tags/#brute-force) | [Anomaly](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
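Review bot: the added Windows Time Based Evasion via Choice Exec row lists its tags as `Time Based Evasion, Virtualization/Sandbox Evasion`, while the existing Windows Time Based Evasion row directly above lists the same pair in the opposite order; if the generator preserves source order, sort tags so the technique/sub-technique pairing reads consistently. The new row is classed Anomaly while its sibling is TTP; a sentence on the detection page explaining why the Choice-based variant is the weaker signal would help triage.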
Expand Down Expand Up @@ -1626,6 +1632,7 @@ sidebar:
| [Wmic Group Discovery](/endpoint/83317b08-155b-11ec-8e00-acde48001122/) | [Permission Groups Discovery](/tags/#permission-groups-discovery), [Local Groups](/tags/#local-groups) | [Hunting](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
| [Wmic NonInteractive App Uninstallation](/endpoint/bff0e7a0-317f-11ec-ab4e-acde48001122/) | [Disable or Modify Tools](/tags/#disable-or-modify-tools), [Impair Defenses](/tags/#impair-defenses) | [Hunting](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
| [Wmiprsve LOLBAS Execution Process Spawn](/endpoint/95a455f0-4c04-11ec-b8ac-3e22fbd008af/) | [Windows Management Instrumentation](/tags/#windows-management-instrumentation) | [TTP](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
| [WordPress Bricks Builder plugin RCE](/web/56a8771a-3fda-4959-b81d-2f266e2f679f/) | [Exploit Public-Facing Application](/tags/#exploit-public-facing-application) | [TTP](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
| [Wscript Or Cscript Suspicious Child Process](/endpoint/1f35e1da-267b-11ec-90a9-acde48001122/) | [Process Injection](/tags/#process-injection), [Create or Modify System Process](/tags/#create-or-modify-system-process), [Parent PID Spoofing](/tags/#parent-pid-spoofing), [Access Token Manipulation](/tags/#access-token-manipulation) | [TTP](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
| [Wsmprovhost LOLBAS Execution Process Spawn](/endpoint/2eed004c-4c0d-11ec-93e8-3e22fbd008af/) | [Remote Services](/tags/#remote-services), [Windows Remote Management](/tags/#windows-remote-management) | [TTP](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
| [XMRIG Driver Loaded](/endpoint/90080fa6-a8df-11eb-91e4-acde48001122/) | [Windows Service](/tags/#windows-service), [Create or Modify System Process](/tags/#create-or-modify-system-process) | [TTP](https://github.com/splunk/security_content/wiki/Detection-Analytic-Types) |
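Review bot: the added WordPress Bricks Builder plugin RCE row uses lowercase `plugin` where neighbouring names use Title Case, a minor style point that also affects placement if the generator sorts case-sensitively. It is the only detection visible here backing the WordPress Vulnerabilities story added to adversary_tactics.md in this same commit, so confirm the story page links to it.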
0 comments on commit 17187a8