Enterprise Security Content Update (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had three releases of new content via the Enterprise Security Content Update (ESCU) app (v3.63.0, v3.64.0, v4.0.0). With these releases, there are 21 new detections and 4 new analytic stories now available in Splunk Enterprise Security via the ESCU application update process or via Splunk Security Essentials (SSE). Read on for a summary of what these entail!

Content highlights include: 

• Detections to look for 3CX applications and compromised network indicators
• Expanded privileged escalation detections to detect PowerShell-based malicious activity using New-CIMSession and Invoke-CIMMethod cmdlets
• Detection searches for Winter Vivern and Sandworm malware 
• Detections to identify suspicious bootloaders based on the diverse techniques employed by the BlackLotus bootkit 

New Analytic Stories: 

• Winter Vivern
• Sandworm Tools
• BlackLotus Campaign
• 3CX Supply Chain Attack

New Detections: 

• Windows Exfiltration Over C2 Via Invoke RestMethod
• Windows Exfiltration Over C2 Via PowerShell UploadString
• Windows Scheduled Task Created Via XML
• Windows Screen Capture Via PowerShell
• Windows DNS Gather Network Info
• Windows Impair Defenses Disable HVCI
• Windows BootLoader Inventory
• Windows RDP Connection Successful
• PowerShell Invoke-WmiExec Usage
• PowerShell Invoke CIMMethod CIMSession
• PowerShell Enable PowerShell Remoting
• PowerShell Start or Stop Service
• Windows PowerShell Get-CIMInstance Remote Computer
• Windows Enable Win32_ScheduledJob via Registry
• Windows PowerShell WMI Win32_ScheduledJob
• Windows Service Create with Tscon
• Windows Lateral Tool Transfer RemCom
• Windows Service Create RemComSvc
• Hunting 3CXDesktopApp Software
• Windows Vulnerable 3CX Software
• 3CX Supply Chain Attack Network Indicators

For all our tools and security content, please visit research.splunk.com. 

The Splunk Threat Research Team has also recently published the following blogs for a more in-depth research analysis of various threats:

• These are the Drivers You Are Looking For: Detect and Prevent Malicious Drivers
• Splunk Insights: Investigating the 3CXDesktopApp Supply Chain Compromise 
• AsyncRAT Crusade: Detections and Defense 

— The Splunk Threat Research Team