This repository has been archived by the owner on Apr 10, 2024. It is now read-only.

updating research.splunk.com site bits [ci skip]
publish bot committed Mar 7, 2024
1 parent a284a5b commit 66def90
Showing 542 changed files with 3,776 additions and 1,694 deletions.
2 changes: 2 additions & 0 deletions _data/navigation.yml
Expand Up @@ -168,6 +168,8 @@ playbooks:
url: /playbooks/jira/
- title: LDAP
url: /playbooks/ldap/
- title: MS Graph for Office 365
url: /playbooks/ms_graph_for_office_365/
- title: Palo Alto Networks Firewall
url: /playbooks/palo_alto_networks_firewall/
- title: Panorama
1 change: 1 addition & 0 deletions _pages/adversary_tactics.md
Expand Up @@ -72,6 +72,7 @@ sidebar:
| [Ivanti Sentry Authentication Bypass CVE-2023-38035](/stories/ivanti_sentry_authentication_bypass_cve-2023-38035/) | [Exploit Public-Facing Application](/tags/#exploit-public-facing-application) | [Initial Access](/tags/#initial-access) |
| [Jenkins Server Vulnerabilities](/stories/jenkins_server_vulnerabilities/) | [Exploit Public-Facing Application](/tags/#exploit-public-facing-application) | [Initial Access](/tags/#initial-access) |
| [JetBrains TeamCity Unauthenticated RCE](/stories/jetbrains_teamcity_unauthenticated_rce/) | [Exploit Public-Facing Application](/tags/#exploit-public-facing-application) | [Initial Access](/tags/#initial-access) |
| [JetBrains TeamCity Vulnerabilities](/stories/jetbrains_teamcity_vulnerabilities/) | [Exploit Public-Facing Application](/tags/#exploit-public-facing-application) | [Initial Access](/tags/#initial-access) |
| [Juniper JunOS Remote Code Execution](/stories/juniper_junos_remote_code_execution/) | [Exploit Public-Facing Application](/tags/#exploit-public-facing-application), [Ingress Tool Transfer](/tags/#ingress-tool-transfer), [Command and Scripting Interpreter](/tags/#command-and-scripting-interpreter) | [Initial Access](/tags/#initial-access) |
| [Linux Living Off The Land](/stories/linux_living_off_the_land/) | [Ingress Tool Transfer](/tags/#ingress-tool-transfer) | [Command And Control](/tags/#command-and-control) |
| [Linux Persistence Techniques](/stories/linux_persistence_techniques/) | [Sudo and Sudo Caching](/tags/#sudo-and-sudo-caching), [Abuse Elevation Control Mechanism](/tags/#abuse-elevation-control-mechanism) | [Privilege Escalation](/tags/#privilege-escalation) |
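
Review bot: The added "JetBrains TeamCity Vulnerabilities" row sits directly under "JetBrains TeamCity Unauthenticated RCE" with the same technique (Exploit Public-Facing Application) and the same tactic (Initial Access), so nothing in this table tells an analyst which story to open. If the new story is meant to supersede or extend the older one, say so in the story names or descriptions, or fold the two together; otherwise name what each one covers so the split is visible from the index.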
4 changes: 2 additions & 2 deletions _pages/cloud_security.md
Expand Up @@ -19,7 +19,7 @@ sidebar:
| [AWS User Monitoring](/stories/aws_user_monitoring/) | [Cloud Accounts](/tags/#cloud-accounts) | [Defense Evasion](/tags/#defense-evasion) |
| [Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring](/stories/abnormal_kubernetes_behavior_using_splunk_infrastructure_monitoring/) | [User Execution](/tags/#user-execution) | [Execution](/tags/#execution) |
| [Azure Active Directory Account Takeover](/stories/azure_active_directory_account_takeover/) | [Compromise Accounts](/tags/#compromise-accounts), [Cloud Accounts](/tags/#cloud-accounts), [Brute Force](/tags/#brute-force), [Password Spraying](/tags/#password-spraying) | [Resource Development](/tags/#resource-development) |
| [Azure Active Directory Persistence](/stories/azure_active_directory_persistence/) | [Valid Accounts](/tags/#valid-accounts), [Cloud Accounts](/tags/#cloud-accounts) | [Defense Evasion](/tags/#defense-evasion) |
| [Azure Active Directory Persistence](/stories/azure_active_directory_persistence/) | [Account Manipulation](/tags/#account-manipulation), [Valid Accounts](/tags/#valid-accounts) | [Persistence](/tags/#persistence) |
| [Azure Active Directory Privilege Escalation](/stories/azure_active_directory_privilege_escalation/) | [Account Manipulation](/tags/#account-manipulation) | [Persistence](/tags/#persistence) |
| [Cloud Cryptomining](/stories/cloud_cryptomining/) | [Unused/Unsupported Cloud Regions](/tags/#unused/unsupported-cloud-regions) | [Defense Evasion](/tags/#defense-evasion) |
| [Cloud Federated Credential Abuse](/stories/cloud_federated_credential_abuse/) | [Image File Execution Options Injection](/tags/#image-file-execution-options-injection), [Event Triggered Execution](/tags/#event-triggered-execution) | [Privilege Escalation](/tags/#privilege-escalation) |
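
Review bot: The rewritten "Azure Active Directory Persistence" row drops the Cloud Accounts tag and now carries Account Manipulation under Persistence, which makes it nearly indistinguishable in this table from the "Azure Active Directory Privilege Escalation" row just below it (Account Manipulation, Persistence). Please confirm that Cloud Accounts was removed on purpose, since the story will no longer surface under that tag, and check why the Privilege Escalation story is listed with Persistence as its tactic; if the table can only show one tactic per story, the choice of which one should be deterministic and documented in the generator.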
Expand All @@ -37,5 +37,5 @@ sidebar:
| [Suspicious Cloud Authentication Activities](/stories/suspicious_cloud_authentication_activities/) | [Compromise Accounts](/tags/#compromise-accounts), [Cloud Accounts](/tags/#cloud-accounts), [Unused/Unsupported Cloud Regions](/tags/#unused/unsupported-cloud-regions) | [Resource Development](/tags/#resource-development) |
| [Suspicious Cloud Instance Activities](/stories/suspicious_cloud_instance_activities/) | [Cloud Accounts](/tags/#cloud-accounts), [Valid Accounts](/tags/#valid-accounts) | [Defense Evasion](/tags/#defense-evasion) |
| [Suspicious Cloud Provisioning Activities](/stories/suspicious_cloud_provisioning_activities/) | [Valid Accounts](/tags/#valid-accounts) | [Defense Evasion](/tags/#defense-evasion) |
| [Suspicious Cloud User Activities](/stories/suspicious_cloud_user_activities/) | [Valid Accounts](/tags/#valid-accounts) | [Defense Evasion](/tags/#defense-evasion) |
| [Suspicious Cloud User Activities](/stories/suspicious_cloud_user_activities/) | [Modify Cloud Compute Configurations](/tags/#modify-cloud-compute-configurations) | [Defense Evasion](/tags/#defense-evasion) |
| [Suspicious GCP Storage Activities](/stories/suspicious_gcp_storage_activities/) | [Data from Cloud Storage](/tags/#data-from-cloud-storage) | [Collection](/tags/#collection) |
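
Review bot: In the "Suspicious Cloud User Activities" row, Valid Accounts is replaced outright by Modify Cloud Compute Configurations while the tactic stays Defense Evasion, and the neighbouring "Suspicious Cloud Instance Activities" and "Suspicious Cloud Provisioning Activities" rows still carry Valid Accounts. If the story still contains detections mapped to Valid Accounts, the row should list both techniques, otherwise those detections disappear from tag-based lookups. Separately, the context rows link to /tags/#unused/unsupported-cloud-regions; the slash left in the fragment suggests the slug step does not normalise "/" and is worth fixing in the generator rather than by hand.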
3 changes: 2 additions & 1 deletion _pages/cloud_type.md
Expand Up @@ -20,7 +20,7 @@ sidebar:
| [ASL AWS Multi-Factor Authentication Disabled](/cloud/4d2df5e0-1092-4817-88a8-79c7fa054668/) | [Compromise Accounts](/tags/#compromise-accounts), [Cloud Accounts](/tags/#cloud-accounts), [Multi-Factor Authentication Request Generation](/tags/#multi-factor-authentication-request-generation), [Modify Authentication Process](/tags/#modify-authentication-process), [Multi-Factor Authentication](/tags/#multi-factor-authentication) | None |
| [ASL AWS New MFA Method Registered For User](/cloud/33ae0931-2a03-456b-b1d7-b016c5557fbd/) | [Modify Authentication Process](/tags/#modify-authentication-process), [Multi-Factor Authentication](/tags/#multi-factor-authentication) | None |
| [ASL AWS Password Policy Changes](/cloud/5ade5937-11a2-4363-ba6b-39a3ee8d5b1a/) | [Password Policy Discovery](/tags/#password-policy-discovery) | None |
| [AWS AMI Atttribute Modification for Exfiltration](/cloud/f2132d74-cf81-4c5e-8799-ab069e67dc9f/) | [Transfer Data to Cloud Account](/tags/#transfer-data-to-cloud-account) | None |
| [AWS AMI Attribute Modification for Exfiltration](/cloud/f2132d74-cf81-4c5e-8799-ab069e67dc9f/) | [Transfer Data to Cloud Account](/tags/#transfer-data-to-cloud-account) | None |
| [AWS Concurrent Sessions From Different Ips](/cloud/51c04fdb-2746-465a-b86e-b413a09c9085/) | [Browser Session Hijacking](/tags/#browser-session-hijacking) | None |
| [AWS Console Login Failed During MFA Challenge](/cloud/55349868-5583-466f-98ab-d3beb321961e/) | [Compromise Accounts](/tags/#compromise-accounts), [Cloud Accounts](/tags/#cloud-accounts), [Multi-Factor Authentication Request Generation](/tags/#multi-factor-authentication-request-generation) | None |
| [AWS Create Policy Version to allow all resources](/cloud/2a9b80d3-6340-4345-b5ad-212bf3d0dac4/) | [Cloud Accounts](/tags/#cloud-accounts), [Valid Accounts](/tags/#valid-accounts) | None |
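
Review bot: The "Atttribute" to "Attribute" correction changes only the display name of the AWS AMI detection; the link is keyed by the UUID f2132d74-cf81-4c5e-8799-ab069e67dc9f, so the URL is unaffected. Anything that refers to this detection by name rather than by id (story pages, saved-search names, alert routing or suppression rules in downstream deployments) needs the same rename, and a note for users who match on the old misspelled title would help. The context row "AWS Concurrent Sessions From Different Ips" has a similar capitalisation slip ("Ips") that could be fixed at the source in the same pass.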
Expand Down Expand Up @@ -139,6 +139,7 @@ sidebar:
| [Cloud Provisioning Activity From Previously Unseen Country](/cloud/94994255-3acf-4213-9b3f-0494df03bb31/) | [Valid Accounts](/tags/#valid-accounts) | [Change](https://docs.splunk.com/Documentation/CIM/latest/User/Change) |
| [Cloud Provisioning Activity From Previously Unseen IP Address](/cloud/f86a8ec9-b042-45eb-92f4-e9ed1d781078/) | [Valid Accounts](/tags/#valid-accounts) | [Change](https://docs.splunk.com/Documentation/CIM/latest/User/Change) |
| [Cloud Provisioning Activity From Previously Unseen Region](/cloud/5aba1860-9617-4af9-b19d-aecac16fe4f2/) | [Valid Accounts](/tags/#valid-accounts) | [Change](https://docs.splunk.com/Documentation/CIM/latest/User/Change) |
| [Cloud Security Groups Modifications by User](/cloud/cfe7cca7-2746-4bdf-b712-b01ed819b9de/) | [Modify Cloud Compute Configurations](/tags/#modify-cloud-compute-configurations) | [Change](https://docs.splunk.com/Documentation/CIM/latest/User/Change) |
| [Detect AWS Console Login by New User](/cloud/bc91a8cd-35e7-4bb2-6140-e756cc46fd71/) | [Compromise Accounts](/tags/#compromise-accounts), [Cloud Accounts](/tags/#cloud-accounts), [Unsecured Credentials](/tags/#unsecured-credentials) | [Authentication](https://docs.splunk.com/Documentation/CIM/latest/User/Authentication) |
| [Detect AWS Console Login by User from New City](/cloud/121b0b11-f8ac-4ed6-a132-3800ca4fc07a/) | [Compromise Accounts](/tags/#compromise-accounts), [Cloud Accounts](/tags/#cloud-accounts), [Unused/Unsupported Cloud Regions](/tags/#unused/unsupported-cloud-regions) | [Authentication](https://docs.splunk.com/Documentation/CIM/latest/User/Authentication) |
| [Detect AWS Console Login by User from New Country](/cloud/67bd3def-c41c-4bf6-837b-ae196b4257c6/) | [Compromise Accounts](/tags/#compromise-accounts), [Cloud Accounts](/tags/#cloud-accounts), [Unused/Unsupported Cloud Regions](/tags/#unused/unsupported-cloud-regions) | [Authentication](https://docs.splunk.com/Documentation/CIM/latest/User/Authentication) |