From 6cdf69aa80e2fdd5b38e8a813c8daaf82f787f1d Mon Sep 17 00:00:00 2001 From: research bot Date: Wed, 10 Dec 2025 19:42:09 +0000 Subject: [PATCH 1/2] chore: bump contentctl.yml to 5.20.0 --- contentctl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contentctl.yml b/contentctl.yml index b03f0006f8..6fdff6233c 100644 --- a/contentctl.yml +++ b/contentctl.yml @@ -3,7 +3,7 @@ app: uid: 3449 title: ES Content Updates appid: DA-ESS-ContentUpdate - version: 5.19.0 + version: 5.20.0 description: Explore the Analytic Stories included with ES Content Updates. prefix: ESCU label: ESCU From 00f16de543196dfd25c46055ba6278b3c756bbe6 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Mon, 15 Dec 2025 11:46:09 +0530 Subject: [PATCH 2/2] move removed detections --- .../detections}/curl_download_and_bash_execution.yml | 2 +- .../detections}/linux_java_spawning_shell.yml | 2 +- .../deprecated => removed/detections}/w3wp_spawning_shell.yml | 2 +- .../detections}/wget_download_and_bash_execution.yml | 2 +- .../detections}/windows_default_rdp_file_creation.yml | 2 +- .../detections}/windows_java_spawning_shells.yml | 2 +- .../detections}/wmiprsve_lolbas_execution_process_spawn.yml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) rename {detections/deprecated => removed/detections}/curl_download_and_bash_execution.yml (99%) rename {detections/deprecated => removed/detections}/linux_java_spawning_shell.yml (99%) rename {detections/deprecated => removed/detections}/w3wp_spawning_shell.yml (99%) rename {detections/deprecated => removed/detections}/wget_download_and_bash_execution.yml (99%) rename {detections/deprecated => removed/detections}/windows_default_rdp_file_creation.yml (99%) rename {detections/deprecated => removed/detections}/windows_java_spawning_shells.yml (99%) rename {detections/deprecated => removed/detections}/wmiprsve_lolbas_execution_process_spawn.yml (99%) 
diff --git a/detections/deprecated/curl_download_and_bash_execution.yml b/removed/detections/curl_download_and_bash_execution.yml similarity index 99% rename from detections/deprecated/curl_download_and_bash_execution.yml rename to removed/detections/curl_download_and_bash_execution.yml index 7bf1fae482..fdff7aeb56 100644 --- a/detections/deprecated/curl_download_and_bash_execution.yml +++ b/removed/detections/curl_download_and_bash_execution.yml @@ -3,7 +3,7 @@ id: 900bc324-59f3-11ec-9fb4-acde48001122 version: 10 date: '2025-10-16' author: Michael Haag, Splunk, DipsyTipsy -status: deprecated +status: removed type: TTP description: The following analytic detects the use of curl on Linux or MacOS systems to download a file from a remote source and pipe it directly to bash for execution. diff --git a/detections/deprecated/linux_java_spawning_shell.yml b/removed/detections/linux_java_spawning_shell.yml similarity index 99% rename from detections/deprecated/linux_java_spawning_shell.yml rename to removed/detections/linux_java_spawning_shell.yml index 5971a0e8c7..cefad5b6a7 100644 --- a/detections/deprecated/linux_java_spawning_shell.yml +++ b/removed/detections/linux_java_spawning_shell.yml @@ -3,7 +3,7 @@ id: 7b09db8a-5c20-11ec-9945-acde48001122 version: 10 date: '2025-10-25' author: Michael Haag, Splunk -status: deprecated +status: removed type: TTP description: The following analytic detects instances where Java, or Tomcat processes spawn a Linux shell, which may indicate exploitation attempts, such as diff --git a/detections/deprecated/w3wp_spawning_shell.yml b/removed/detections/w3wp_spawning_shell.yml similarity index 99% rename from detections/deprecated/w3wp_spawning_shell.yml rename to removed/detections/w3wp_spawning_shell.yml index c97eb2e5ab..eafc7632db 100644 --- a/detections/deprecated/w3wp_spawning_shell.yml +++ b/removed/detections/w3wp_spawning_shell.yml 
@@ -3,7 +3,7 @@ id: 0f03423c-7c6a-11eb-bc47-acde48001122 version: 11 date: '2025-10-16' author: Michael Haag, Splunk -status: deprecated +status: removed type: TTP description: The following analytic identifies instances where a shell (PowerShell.exe or Cmd.exe) is spawned from W3WP.exe, the IIS worker process. This detection leverages diff --git a/detections/deprecated/wget_download_and_bash_execution.yml b/removed/detections/wget_download_and_bash_execution.yml similarity index 99% rename from detections/deprecated/wget_download_and_bash_execution.yml rename to removed/detections/wget_download_and_bash_execution.yml index 5c154abc15..907e15f1c1 100644 --- a/detections/deprecated/wget_download_and_bash_execution.yml +++ b/removed/detections/wget_download_and_bash_execution.yml @@ -3,7 +3,7 @@ id: 35682718-5a85-11ec-b8f7-acde48001122 version: 10 date: '2025-10-16' author: Michael Haag, Splunk, DipsyTipsy -status: deprecated +status: removed type: TTP description: The following analytic detects the use of wget on Windows, Linux or MacOS to download a file from a remote source and pipe it to bash. This detection leverages diff --git a/detections/deprecated/windows_default_rdp_file_creation.yml b/removed/detections/windows_default_rdp_file_creation.yml similarity index 99% rename from detections/deprecated/windows_default_rdp_file_creation.yml rename to removed/detections/windows_default_rdp_file_creation.yml index ce7a9491d8..30286da2d0 100644 --- a/detections/deprecated/windows_default_rdp_file_creation.yml +++ b/removed/detections/windows_default_rdp_file_creation.yml 
@@ -3,7 +3,7 @@ id: 00ab0805-4b0f-489f-8eda-ee3de5ed5b1c version: 2 date: '2025-10-27' author: Teoderick Contreras, Splunk -status: deprecated +status: removed type: Anomaly description: This detection monitors the creation or modification of the Default.rdp file, typically found in the user's Documents folder. This file is automatically generated or updated by the Remote Desktop Connection client (mstsc.exe) when a user initiates an RDP session. It stores connection settings such as the last-used hostname, screen size, and other preferences. The presence or update of this file strongly suggests that an RDP session has been launched from the system. Since this file is commonly overlooked, it can serve as a valuable artifact in identifying remote access activity, including potential lateral movement or attacker-controlled sessions. data_source: diff --git a/detections/deprecated/windows_java_spawning_shells.yml b/removed/detections/windows_java_spawning_shells.yml similarity index 99% rename from detections/deprecated/windows_java_spawning_shells.yml rename to removed/detections/windows_java_spawning_shells.yml index 2700882cf6..df805b9038 100644 --- a/detections/deprecated/windows_java_spawning_shells.yml +++ b/removed/detections/windows_java_spawning_shells.yml @@ -3,7 +3,7 @@ id: 28c81306-5c47-11ec-bfea-acde48001122 version: 12 date: '2025-10-25' author: Michael Haag, Splunk -status: deprecated +status: removed type: TTP description: The following analytic identifies instances where java.exe or w3wp.exe spawns a Windows shell, such as cmd.exe or powershell.exe. This detection leverages diff --git a/detections/deprecated/wmiprsve_lolbas_execution_process_spawn.yml b/removed/detections/wmiprsve_lolbas_execution_process_spawn.yml similarity index 99% rename from detections/deprecated/wmiprsve_lolbas_execution_process_spawn.yml rename to removed/detections/wmiprsve_lolbas_execution_process_spawn.yml index cc0720b0e1..87c814ef23 100644 
--- a/detections/deprecated/wmiprsve_lolbas_execution_process_spawn.yml +++ b/removed/detections/wmiprsve_lolbas_execution_process_spawn.yml @@ -3,7 +3,7 @@ id: 95a455f0-4c04-11ec-b8ac-3e22fbd008af version: 7 date: '2025-10-21' author: Mauricio Velazco, Splunk -status: deprecated +status: removed type: TTP description: The following analytic detects `wmiprvse.exe` spawning a LOLBAS execution process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing
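Review bot: in the contentctl.yml hunk of PATCH 1/2, the bump from `version: 5.19.0` to `version: 5.20.0` is the only change, yet PATCH 2/2 in the same series drops seven detections to `status: removed`; the 5.20.0 release notes or changelog entry should list those seven removals so consumers of DA-ESS-ContentUpdate know which analytics disappear with this version rather than discovering it from the diff.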
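Review bot: in the curl_download_and_bash_execution.yml hunk (and likewise in the other six renames of PATCH 2/2), `status: deprecated` becomes `status: removed` while `version: 10` and `date: '2025-10-16'` are left untouched; a status change is a content change that downstream users track by version and date, so either bump both fields alongside the status, or state in the commit message why the metadata is intentionally frozen. The commit message "move removed detections" would also benefit from saying why these detections are being removed rather than kept deprecated.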
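Review bot: in the wmiprsve_lolbas_execution_process_spawn.yml hunk, the file name spells the process as `wmiprsve` while the description line in the same hunk names `wmiprvse.exe`; since the file is already being renamed (`rename from detections/deprecated/... rename to removed/detections/...`), this is the natural point to fix the transposed letters in the path, or, if the old name is kept deliberately to preserve external references, to say so in the commit message.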