Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 1 release of new security content via the Enterprise Security Content Update (ESCU) app (v4.12.0.). With this release, there are 8 new detections and 1 new analytic story now available in Splunk Enterprise Security via the ESCU application update process.

Content highlights include:

• A Forest Blizzard analytic story that contains detections to detect “Living Off The Land” attack techniques using headless web browsers to exfiltrate data files through legitimate platforms like Mockbin via ZIP archives containing LNK files. These techniques were observed in the cyberattack on Ukraine’s energy infrastructure, orchestrated via deceptive emails to steal NTLMv2 hashes by various advanced persistent threat (APT) groups.
• Six new detections related to Windows Active Directory enumeration, specifically to detect activity related to the usage of a popular red team tool such as Powerview, which are typically used for reconnaissance by attackers. 

New Analytic Story: 

• Forest Blizzard

New Detections:

• Windows Find Domain Organizational Units with GetDomainOU
• Headless Browser Usage
• Headless Browser Mockbin or Mocky Request
• Windows Get Local Admin with FindLocalAdminAccess
• Windows Forest Discovery with GetForestDomain
• Windows Find Interesting ACL with FindInterestingDomainAcl
• Windows AD Privileged Object Access Activity (External Contributor: Steven Dick)
• Windows AD Abnormal Object Access Activity (External Contributor: Steven Dick)

The team has also published the following blogs:

• Sharing is Not Caring: Hunting for Network Share Discovery
• Defending the Gates: Understanding and Detecting Ave Maria (Warzone) RAT
• Mockbin and the Art of Deception: Tracing Adversaries, Going Headless and Mocking APIs

For all our tools and security content, please visit research.splunk.com. 

— The Splunk Threat Research Team