Enterprise Security Content Update (ESCU) - New Releases

The Splunk Threat Research Team (STRT) has had 3 releases of the Enterprise Security Content Update (ESCU) app within the last month (v3.57.0, v3.58.0, and v3.59.0). With these releases, there are 46 new detections and 7 new analytic stories now available in Splunk Enterprise Security via the ESCU application update process or via Splunk Security Essentials (SSE).

Release highlights include:

• Detections that enable users to hunt for the presence of AsyncRAT
• Detections to identify compromised user accounts on Azure AD and AWS
• Detections to identify events and actions that could be attributed to the Chaos and LockBit ransomware

New Analytic Stories:

• AsyncRAT
• Compromised User Account
• Swift Slicer
• Windows Certificate Services
• Chaos Ransomware
• LockBit Ransomware
• Splunk Vulnerabilities

New Detections:

• AWS AD New MFA Method Registered For User
• AWS Concurrent Sessions From Different Ips
• AWS High Number Of Failed Authentications For User
• AWS High Number Of Failed Authentications From Ip
• AWS Password Policy Changes
• AWS Successful Console Authentication From Multiple IPs
• Azure AD Concurrent Sessions From Different Ips
• Azure AD High Number Of Failed Authentications For User
• Azure AD High Number Of Failed Authentications From Ip
• Azure AD New MFA Method Registered For User
• Azure AD Successful Authentication From Different Ips
• Detect suspicious process names using a pre trained model in DSDL
• Driver Inventory
• LOLBAS With Network Traffic (External contributor - @nterl0k)
• Windows Data Destruction Recursive Exec Files Deletion
• Windows Export Certificate
• Windows Powershell Cryptography Namespace
• Windows PowerShell Export Certificate
• Windows PowerShell Export PfxCertificate
• Windows Scheduled Task with Highest Privileges
• Windows Spear Phishing Attachment Onenote Spawn Mshta
• Windows Spear Phishing Attachment Connect to None MS Office Domain
• Windows Steal Authentication Certificates Certificate Issued
• Windows Steal Authentication Certificates Certificate Request
• Windows Steal Authentication Certificates CertUtil Backup
• Windows Steal Authentication Certificates CS Backup
• Windows Steal Authentication Certificates Export Certificate
• Windows Steal Authentication Certificates Export PfxCertificate
• Detect suspicious DNS TXT records using pretrained model in DSDL
• Windows Boot or Logon Autostart Execution in Startup Folder
• Windows Modify Registry Default Icon Setting
• Windows Phishing PDF File Executes URL Link
• Windows Replication Through Removable Media
• Windows User Execution Malicious URL Shortcut File
• Windows Vulnerable Driver Loaded
• Linux Ngrok Reverse Proxy Usage
• Windows Server Software Component GACUtil Install to GAC
• Windows PowerShell Add Module to Global Assembly Cache
• Windows Credential Dumping LSASS Memory Createdump
• Splunk csrf in the ssg kvstore Client Endpoint
• Splunk Improperly Formatted Parameter Crashes splunkd
• Persistent XSS in RapidDiag through User Interface Views
• Splunk Risky Command Abuse Disclosed February 2023
• Splunk Unnecessary File Extensions Allowed by Lookup Table Uploads
• Splunk XSS via View
• Splunk List All Nonstandard Admin Accounts

For all our tools and security content, please visit research.splunk.com.

— The Splunk Threat Research Team