From 6f32b554a0d34da386008190f1a159bab65357eb Mon Sep 17 00:00:00 2001
From: research bot
Date: Mon, 1 Jun 2026 19:38:03 +0000
Subject: [PATCH 1/3] chore: bump contentctl.yml and build.yml to 6.1.0

---
 build.yml | 2 +-
 contentctl.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.yml b/build.yml
index f3708b3212..57d97a4949 100644
--- a/build.yml
+++ b/build.yml
@@ -9,7 +9,7 @@ author: Splunk Threat Research Team
 author_email: research@splunk.com
 content_prefix: ESCU
 label: ES Content Updates
-app_version: 6.0.0
+app_version: 6.1.0
 description: Explore the Analytic Stories included with ES Content Updates.
 id: DA-ESS-ContentUpdate
 external_app_content:
diff --git a/contentctl.yml b/contentctl.yml
index b40b943e4d..5db591c8f4 100644
--- a/contentctl.yml
+++ b/contentctl.yml
@@ -3,7 +3,7 @@ app:
   uid: 3449
   title: ES Content Updates
   appid: DA-ESS-ContentUpdate
-  version: 6.0.0
+  version: 6.1.0
   description: Explore the Analytic Stories included with ES Content Updates.
   prefix: ESCU
   label: ESCU

From 7b88a5936d261e4370b8602258d71fa7e509842b Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Wed, 3 Jun 2026 20:53:08 +0530
Subject: [PATCH 2/3] move to removed

---
 .../detections}/attempt_to_add_certificate_to_untrusted_store.yml | 0
 .../deprecated => removed/detections}/chcp_command_execution.yml | 0
 .../detections}/ivanti_sentry_authentication_bypass.yml | 0
 .../detections}/processes_launching_netsh.yml | 0
 .../detections}/sc_exe_manipulating_windows_services.yml | 0
 5 files changed, 0 insertions(+), 0 deletions(-)
 rename {detections/deprecated => removed/detections}/attempt_to_add_certificate_to_untrusted_store.yml (100%)
 rename {detections/deprecated => removed/detections}/chcp_command_execution.yml (100%)
 rename {detections/deprecated => removed/detections}/ivanti_sentry_authentication_bypass.yml (100%)
 rename {detections/deprecated => removed/detections}/processes_launching_netsh.yml (100%)
 rename {detections/deprecated => removed/detections}/sc_exe_manipulating_windows_services.yml (100%)

diff --git a/detections/deprecated/attempt_to_add_certificate_to_untrusted_store.yml b/removed/detections/attempt_to_add_certificate_to_untrusted_store.yml
similarity index 100%
rename from detections/deprecated/attempt_to_add_certificate_to_untrusted_store.yml
rename to removed/detections/attempt_to_add_certificate_to_untrusted_store.yml
diff --git a/detections/deprecated/chcp_command_execution.yml b/removed/detections/chcp_command_execution.yml
similarity index 100%
rename from detections/deprecated/chcp_command_execution.yml
rename to removed/detections/chcp_command_execution.yml
diff --git a/detections/deprecated/ivanti_sentry_authentication_bypass.yml b/removed/detections/ivanti_sentry_authentication_bypass.yml
similarity index 100%
rename from detections/deprecated/ivanti_sentry_authentication_bypass.yml
rename to removed/detections/ivanti_sentry_authentication_bypass.yml
diff --git a/detections/deprecated/processes_launching_netsh.yml b/removed/detections/processes_launching_netsh.yml
similarity index 100%
rename from detections/deprecated/processes_launching_netsh.yml
rename to removed/detections/processes_launching_netsh.yml
diff --git a/detections/deprecated/sc_exe_manipulating_windows_services.yml b/removed/detections/sc_exe_manipulating_windows_services.yml
similarity index 100%
rename from detections/deprecated/sc_exe_manipulating_windows_services.yml
rename to removed/detections/sc_exe_manipulating_windows_services.yml

From a51fd18aa3f62eb3f1d2b22aec1864729cb4cbc1 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Wed, 3 Jun 2026 22:40:55 +0530
Subject: [PATCH 3/3] status is removed

---
 .../attempt_to_add_certificate_to_untrusted_store.yml | 4 ++--
 removed/detections/chcp_command_execution.yml | 6 +++---
 removed/detections/ivanti_sentry_authentication_bypass.yml | 6 +++---
 removed/detections/processes_launching_netsh.yml | 6 +++---
 removed/detections/sc_exe_manipulating_windows_services.yml | 6 +++---
 5 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/removed/detections/attempt_to_add_certificate_to_untrusted_store.yml b/removed/detections/attempt_to_add_certificate_to_untrusted_store.yml
index 1b184ea45c..495c088c72 100644
--- a/removed/detections/attempt_to_add_certificate_to_untrusted_store.yml
+++ b/removed/detections/attempt_to_add_certificate_to_untrusted_store.yml
@@ -2,9 +2,9 @@ name: Attempt To Add Certificate To Untrusted Store
 id: 6bc5243e-ef36-45dc-9b12-f4a6be131159
 version: 20
 creation_date: '2020-04-29'
-modification_date: '2026-05-13'
+modification_date: '2026-06-03'
 author: Patrick Bareiss, Rico Valdez, Splunk
-status: deprecated
+status: removed
 deprecation_info:
   reason: Detection is deprecated as the usage of certutil and addstore by itself is not malicious.
   removed_in_version: 6.1.0
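Review bot: `version: 20` in attempt_to_add_certificate_to_untrusted_store.yml is left untouched while the same status and modification_date edits in the other four hunks of this patch (chcp_command_execution, ivanti_sentry_authentication_bypass, processes_launching_netsh, sc_exe_manipulating_windows_services) each increment `version`; the diffstat (4 changed lines here versus 6 elsewhere) confirms the gap. If the per-detection version is what downstream consumers use to notice a content change, this detection's transition to `status: removed` may be missed, so the consistent fix is `-version: 20` / `+version: 21`. In all five hunks the `reason:` text still describes the detection as "deprecated" although the status is now `removed`; that reads as intentional history, but worth confirming against the project's schema for removed content.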
diff --git a/removed/detections/chcp_command_execution.yml b/removed/detections/chcp_command_execution.yml
index 844bd171f3..cc968b34ab 100644
--- a/removed/detections/chcp_command_execution.yml
+++ b/removed/detections/chcp_command_execution.yml
@@ -1,10 +1,10 @@
 name: CHCP Command Execution
 id: 21d236ec-eec1-11eb-b23e-acde48001122
-version: 13
+version: 14
 creation_date: '2021-08-05'
-modification_date: '2026-05-13'
+modification_date: '2026-06-03'
 author: Teoderick Contreras, Splunk
-status: deprecated
+status: removed
 deprecation_info:
   reason: Detection is deprecated as the usage of chcp.com by itself is not malicious.
   removed_in_version: 6.1.0
diff --git a/removed/detections/ivanti_sentry_authentication_bypass.yml b/removed/detections/ivanti_sentry_authentication_bypass.yml
index 7addc27c5b..0eba871d3c 100644
--- a/removed/detections/ivanti_sentry_authentication_bypass.yml
+++ b/removed/detections/ivanti_sentry_authentication_bypass.yml
@@ -1,10 +1,10 @@
 name: Ivanti Sentry Authentication Bypass
 id: b8e0d1cf-e6a8-4d46-a5ae-aebe18ead8f8
-version: 9
+version: 10
 creation_date: '2023-08-24'
-modification_date: '2026-05-13'
+modification_date: '2026-06-03'
 author: Michael Haag, Splunk
-status: deprecated
+status: removed
 deprecation_info:
   reason: Detection is deprecated since it is not specific enough to identify the intended malicious activity and might produce false positives.
   removed_in_version: 6.1.0
diff --git a/removed/detections/processes_launching_netsh.yml b/removed/detections/processes_launching_netsh.yml
index 9ccdac6518..d75d0db78d 100644
--- a/removed/detections/processes_launching_netsh.yml
+++ b/removed/detections/processes_launching_netsh.yml
@@ -1,10 +1,10 @@
 name: Processes launching netsh
 id: b89919ed-fe5f-492c-b139-95dbb162040e
-version: 16
+version: 17
 creation_date: '2020-04-29'
-modification_date: '2026-05-13'
+modification_date: '2026-06-03'
 author: Michael Haag, Josef Kuepker, Splunk
-status: deprecated
+status: removed
 deprecation_info:
   reason: Detection is deprecated as the usage of netsh.exe by itself is often used for legitimate purposes.
   removed_in_version: 6.1.0
diff --git a/removed/detections/sc_exe_manipulating_windows_services.yml b/removed/detections/sc_exe_manipulating_windows_services.yml
index f8ca3fe75a..2a55816417 100644
--- a/removed/detections/sc_exe_manipulating_windows_services.yml
+++ b/removed/detections/sc_exe_manipulating_windows_services.yml
@@ -1,10 +1,10 @@
 name: Sc exe Manipulating Windows Services
 id: f0c693d8-2a89-4ce7-80b4-98fea4c3ea6d
-version: 16
+version: 17
 creation_date: '2020-04-29'
-modification_date: '2026-05-13'
+modification_date: '2026-06-03'
 author: Rico Valdez, Splunk
-status: deprecated
+status: removed
 deprecation_info:
   reason: Detection is deprecated as the usage of sc.exe by itself is often used for legitimate purposes.
   removed_in_version: 6.1.0