Merge pull request #3514 from splunk/vignesh_fsutil

Add missing Processes.process="*setzerodata*"

Author: pyth0n1c

.github/workflows/appinspect.yml

@@ -46,4 +46,4 @@ jobs:
           name: content-latest
           path: |
             artifacts/DA-ESS-ContentUpdate-latest.tar.gz
-            artifacts/app_inspect_report
+            artifacts/app_inspect_report

.github/workflows/build.yml

@@ -19,13 +19,8 @@ jobs:
 
       - name: Install Python Dependencies and ContentCTL and Atomic Red Team
         run: |
-          if [ -n "${{ vars.CONTENTCTL_VERSION }}" ]; then
-            echo "Installing contentctl version ${{ vars.CONTENTCTL_VERSION }}"
-            pip install contentctl==${{ vars.CONTENTCTL_VERSION }}
-          else
-            echo "Installing latest contentctl version"
-            pip install contentctl
-          fi
+          echo "- Contentctl version - $(cat requirements.txt)"
+          pip install -r requirements.txt
           git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team
           git clone --depth=1 --single-branch --branch=master https://github.com/mitre/cti external_repos/cti
       

.github/workflows/unit-testing.yml

@@ -69,4 +69,4 @@ jobs:
           run: |       
             echo "This job will fail if there are failures in unit-testing"  
             python .github/workflows/format_test_results.py >> $GITHUB_STEP_SUMMARY
-            echo "The Unit testing is completed. See details in the unit-testing job summary UI "
+            echo "The Unit testing is completed. See details in the unit-testing job summary UI "

contentctl.yml

@@ -3,7 +3,7 @@ app:
   uid: 3449
   title: ES Content Updates
   appid: DA-ESS-ContentUpdate
-  version: 5.5.0
+  version: 5.6.0
   description: Explore the Analytic Stories included with ES Content Updates.
   prefix: ESCU
   label: ESCU

detections/endpoint/fsutil_zeroing_file.yml

@@ -1,7 +1,7 @@
 name: Fsutil Zeroing File
 id: 4e5e024e-fabb-11eb-8b8f-acde48001122
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2025-05-08'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -19,7 +19,7 @@ data_source:
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` count values(Processes.process)
   as process values(Processes.parent_process) as parent_process min(_time) as firstTime
-  max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe
+  max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe Processes.process="*setzerodata*"
   by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
   Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec

detections/deprecated/detect_large_outbound_icmp_packets.yml renamed to removed/detections/detect_large_outbound_icmp_packets.yml

@@ -3,7 +3,7 @@ id: e9c102de-4d43-42a7-b1c8-8062ea297419
 version: 12
 date: '2025-05-02'
 author: Rico Valdez, Dean Luxton, Bhavin Patel, Splunk
-status: deprecated
+status: removed
 type: TTP
 description: This analytic has been deprecated in favour of a better named detection - Detect Large ICMP Traffic. The following analytic identifies outbound ICMP packets with a size larger
   than 1,000 bytes. It leverages the Network_Traffic data model to detect unusually

detections/deprecated/windows_service_created_within_public_path.yml renamed to removed/detections/windows_service_created_within_public_path.yml

@@ -3,7 +3,7 @@ id: 3abb2eda-4bb8-11ec-9ae4-3e22fbd008af
 version: 9
 date: '2025-05-02'
 author: Mauricio Velazco, Splunk
-status: deprecated
+status: removed
 type: TTP
 description: This analytic is deprecated because it is a duplicate of - "Windows Service Created with Suspicious Service Path". 
   The following analytic detects the creation of a Windows Service with

requirements.txt

@@ -0,0 +1 @@
+contentctl==5.5.1