diff --git a/contentctl.yml b/contentctl.yml index dce3a77904..6b413d0e0e 100644 --- a/contentctl.yml +++ b/contentctl.yml @@ -3,7 +3,7 @@ app: uid: 3449 title: ES Content Updates appid: DA-ESS-ContentUpdate - version: 5.19.0 + version: 5.20.0 description: Explore the Analytic Stories included with ES Content Updates. prefix: ESCU label: ESCU diff --git a/detections/deprecated/curl_download_and_bash_execution.yml b/removed/detections/curl_download_and_bash_execution.yml similarity index 99% rename from detections/deprecated/curl_download_and_bash_execution.yml rename to removed/detections/curl_download_and_bash_execution.yml index 7bf1fae482..fdff7aeb56 100644 --- a/detections/deprecated/curl_download_and_bash_execution.yml +++ b/removed/detections/curl_download_and_bash_execution.yml @@ -3,7 +3,7 @@ id: 900bc324-59f3-11ec-9fb4-acde48001122 version: 10 date: '2025-10-16' author: Michael Haag, Splunk, DipsyTipsy -status: deprecated +status: removed type: TTP description: The following analytic detects the use of curl on Linux or MacOS systems to download a file from a remote source and pipe it directly to bash for execution. diff --git a/detections/deprecated/linux_java_spawning_shell.yml b/removed/detections/linux_java_spawning_shell.yml similarity index 99% rename from detections/deprecated/linux_java_spawning_shell.yml rename to removed/detections/linux_java_spawning_shell.yml index 5971a0e8c7..cefad5b6a7 100644 --- a/detections/deprecated/linux_java_spawning_shell.yml +++ b/removed/detections/linux_java_spawning_shell.yml @@ -3,7 +3,7 @@ id: 7b09db8a-5c20-11ec-9945-acde48001122 version: 10 date: '2025-10-25' author: Michael Haag, Splunk -status: deprecated +status: removed type: TTP description: The following analytic detects instances where Java, or Tomcat processes spawn a Linux shell, which may indicate exploitation attempts, such as 
diff --git a/detections/deprecated/w3wp_spawning_shell.yml b/removed/detections/w3wp_spawning_shell.yml similarity index 99% rename from detections/deprecated/w3wp_spawning_shell.yml rename to removed/detections/w3wp_spawning_shell.yml index c97eb2e5ab..eafc7632db 100644 --- a/detections/deprecated/w3wp_spawning_shell.yml +++ b/removed/detections/w3wp_spawning_shell.yml @@ -3,7 +3,7 @@ id: 0f03423c-7c6a-11eb-bc47-acde48001122 version: 11 date: '2025-10-16' author: Michael Haag, Splunk -status: deprecated +status: removed type: TTP description: The following analytic identifies instances where a shell (PowerShell.exe or Cmd.exe) is spawned from W3WP.exe, the IIS worker process. This detection leverages diff --git a/detections/deprecated/wget_download_and_bash_execution.yml b/removed/detections/wget_download_and_bash_execution.yml similarity index 99% rename from detections/deprecated/wget_download_and_bash_execution.yml rename to removed/detections/wget_download_and_bash_execution.yml index 5c154abc15..907e15f1c1 100644 --- a/detections/deprecated/wget_download_and_bash_execution.yml +++ b/removed/detections/wget_download_and_bash_execution.yml @@ -3,7 +3,7 @@ id: 35682718-5a85-11ec-b8f7-acde48001122 version: 10 date: '2025-10-16' author: Michael Haag, Splunk, DipsyTipsy -status: deprecated +status: removed type: TTP description: The following analytic detects the use of wget on Windows, Linux or MacOS to download a file from a remote source and pipe it to bash. This detection leverages diff --git a/detections/deprecated/windows_default_rdp_file_creation.yml b/removed/detections/windows_default_rdp_file_creation.yml similarity index 99% rename from detections/deprecated/windows_default_rdp_file_creation.yml rename to removed/detections/windows_default_rdp_file_creation.yml index ce7a9491d8..30286da2d0 100644 --- a/detections/deprecated/windows_default_rdp_file_creation.yml +++ b/removed/detections/windows_default_rdp_file_creation.yml 
@@ -3,7 +3,7 @@ id: 00ab0805-4b0f-489f-8eda-ee3de5ed5b1c version: 2 date: '2025-10-27' author: Teoderick Contreras, Splunk -status: deprecated +status: removed type: Anomaly description: This detection monitors the creation or modification of the Default.rdp file, typically found in the user's Documents folder. This file is automatically generated or updated by the Remote Desktop Connection client (mstsc.exe) when a user initiates an RDP session. It stores connection settings such as the last-used hostname, screen size, and other preferences. The presence or update of this file strongly suggests that an RDP session has been launched from the system. Since this file is commonly overlooked, it can serve as a valuable artifact in identifying remote access activity, including potential lateral movement or attacker-controlled sessions. data_source: diff --git a/detections/deprecated/windows_java_spawning_shells.yml b/removed/detections/windows_java_spawning_shells.yml similarity index 99% rename from detections/deprecated/windows_java_spawning_shells.yml rename to removed/detections/windows_java_spawning_shells.yml index 2700882cf6..df805b9038 100644 --- a/detections/deprecated/windows_java_spawning_shells.yml +++ b/removed/detections/windows_java_spawning_shells.yml @@ -3,7 +3,7 @@ id: 28c81306-5c47-11ec-bfea-acde48001122 version: 12 date: '2025-10-25' author: Michael Haag, Splunk -status: deprecated +status: removed type: TTP description: The following analytic identifies instances where java.exe or w3wp.exe spawns a Windows shell, such as cmd.exe or powershell.exe. This detection leverages diff --git a/detections/deprecated/wmiprsve_lolbas_execution_process_spawn.yml b/removed/detections/wmiprsve_lolbas_execution_process_spawn.yml similarity index 99% rename from detections/deprecated/wmiprsve_lolbas_execution_process_spawn.yml rename to removed/detections/wmiprsve_lolbas_execution_process_spawn.yml index cc0720b0e1..87c814ef23 100644 
--- a/detections/deprecated/wmiprsve_lolbas_execution_process_spawn.yml +++ b/removed/detections/wmiprsve_lolbas_execution_process_spawn.yml @@ -3,7 +3,7 @@ id: 95a455f0-4c04-11ec-b8ac-3e22fbd008af version: 7 date: '2025-10-21' author: Mauricio Velazco, Splunk -status: deprecated +status: removed type: TTP description: The following analytic detects `wmiprvse.exe` spawning a LOLBAS execution process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing
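Review bot: the bump from 5.19.0 to 5.20.0 in contentctl.yml ships alongside seven analytics moving from `status: deprecated` to `status: removed`, but nothing in this patch records that change for users. Anyone with saved searches, correlation rules or suppression lists keyed to names such as `curl_download_and_bash_execution` or `w3wp_spawning_shell` loses them on upgrade, so list the removed analytics (with their `id` values, which the renames preserve) in the 5.20.0 release notes, and confirm that a content removal qualifies as a minor rather than major bump under the project's versioning policy.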
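Review bot: in each of the seven renamed detection files the only changed field is `status: deprecated` to `status: removed`, while the `version` and `date` lines in the same hunk stay untouched (for example `version: 10` and `date: '2025-10-16'` in curl_download_and_bash_execution.yml, `version: 2` and `date: '2025-10-27'` in windows_default_rdp_file_creation.yml, `version: 7` and `date: '2025-10-21'` in wmiprsve_lolbas_execution_process_spawn.yml). A lifecycle transition that downstream tooling acts on should bump `version` and refresh `date`; otherwise a consumer diffing two releases sees identical metadata on an analytic whose state has changed. The same applies to linux_java_spawning_shell.yml, w3wp_spawning_shell.yml, wget_download_and_bash_execution.yml and windows_java_spawning_shells.yml. Separately, the files leave `detections/deprecated/` for a new top-level `removed/detections/` directory rather than a path under `detections/`; please confirm that the contentctl build excludes `removed/`, since if it is treated as a content directory the analytics are still packaged, just with a different status, and if it is excluded, a short note on why the YAML is retained (keeping the `id` values reserved, for instance) would help the next maintainer.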