Br3akp0int
# PR Template for new Detections
- [x] windows_gather_victim_host_information_camera.yml
- [x] windows_ingress_tool_transfer_using_explorer_exe.yml # updated
- [x] scheduled_task_deleted_or_created_via_cmd.yml
- [x] suspicious_scheduled_task_from_public_directory.yml
- [x] winevent_windows_task_scheduler_event_action_started.yml

### Details
_What does this PR have...
### Details
- [x] registry_keys_used_for_persistence.yml
- [x] windows_iso_lnk_file_creation.yml
- [x] windows_phishing_recent_iso_exec_registry.yml
- [x] powershell_loading_dotnet_into_memory_via_reflection.yml
- [x] windows_file_transfer_protocol_in_non_common_process_path.yml
- [x] windows_mail_protocol_in_non_common_process_path.yml
- [x] windows_multi_hop_proxy_tor_website_query.yml

_What does this PR have in it?...
### Modified Detections to include Agent Tesla story line
- [x] detect_html_help_spawn_child_process.yml
- [x] excessive_usage_of_taskkill.yml
- [x] executables_or_script_creation_in_suspicious_path.yml
- [x] non_chrome_process_accessing_chrome_default_dir.yml
- [x] non_firefox_process_access_firefox_profile_dir.yml
- [x] office_application_drop_executable.yml
- [x] office_application_spawn_rundll32_process.yml...
### Details
Add new XML sourcetypes in the attack_data feature of contentctl.py:
- 'XmlWinEventLog:Security',
- 'XmlWinEventLog:System',
- 'XmlWinEventLog:Application',
- 'XmlWinEventLog:Directory Service'

_What does this PR have in it? Screenshots are worth...
As requested by Patrick, here is the issue for the pytest failure after submitting the detection PR for security_content: https://github.com/splunk/security_content/runs/8132008116?check_suite_focus=true
### Details
_What does this PR have in it? Screenshots are worth 1000 words 😄_
- [x] linux_auditd_add_user_account.yml
- [x] linux_auditd_at_application_execution.yml
- [x] linux_auditd_change_file_owner_to_root.yml
- [x] linux_auditd_clipboard_data_copy.yml
- [x] linux_auditd_data_destruction_command.yml...
### Details
#### tag
- [ ] any_powershell_downloadfile.yml
- [ ] powershell_4104_hunting.yml
- [ ] powershell_processing_stream_of_data.yml
- [ ] registry_keys_used_for_persistence.yml
- [ ] windows_credential_access_from_browser_password_store.yml
- [ ] windows_credentials_from_password_stores_chrome_extension_access.yml
- [...
### Update sourcetype of auditd data sources based on [Splunk add-on for unix and linux].
modified: data_sources/linux_auditd_add_user.yml
modified: data_sources/linux_auditd_execve.yml
modified: data_sources/linux_auditd_path.yml
modified: data_sources/linux_auditd_proctitle.yml
modified: data_sources/linux_auditd_service_stop.yml
modified: data_sources/linux_auditd_syscall.yml
modified: macros/linux_auditd.yml
#...
### Details
Due to the STRT task to improve Splunk "JOIN" usage in some of the Splunk security content, some detections, especially the registry type, still contain Splunk command remnants...