Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the Enterprise Security Content Update (ESCU) app (v4.1.0 and v4.2.0). With these releases, there are 61 new detections and 6 new analytic stories now available in Splunk Enterprise Security via the ESCU application update process or via Splunk Security Essentials (SSE).

Content highlights include: 

• Azure Active Directory Privilege Escalation and AWS Exfiltration detections that help detect various new techniques used to gain higher-level permissions or exfiltrate data on systems
• Detections to search for Snake Malware, a sophisticated espionage tool from Russia’s Federal Security Service (FSB), and its variants
• Active Directory Privilege Escalations detections to detect techniques that adversaries use to gain higher-level permissions on a system or network that leverage Active Directory
• Detections to search for adversaries leveraging RedLine Stealer malware
• Windows Registry bootkit detections 
• Remote Code Execution (RCE) detections in a commonly used printing software called PaperCut

New Analytic Stories: 

• Azure Active Directory Privilege Escalation

• PaperCut MF NG Vulnerability

• Snake Malware

• Windows BootKits

• Active Directory Privilege Escalation

• RedLine Stealer

New Detections: 

• AWS AMI Attribute Modification for Exfiltration

• AWS Disable Bucket Versioning

• AWS EC2 Snapshot Shared Externally

• AWS Exfiltration via Anomalous GetObject API Activity

• AWS Exfiltration via Batch Service

• AWS Exfiltration via Bucket Replication

• AWS Exfiltration via DataSync Task

• AWS Exfiltration via EC2 Snapshot

• AWS S3 Exfiltration Behavior Identified

• Azure AD Application Administrator Role Assigned

• Azure AD Global Administrator Role Assigned

• Azure AD PIM Role Assigned

• Azure AD PIM Role Assignment Activated

• Azure AD Privileged Authentication Administrator Role Assigned

• Azure AD Privileged Role Assigned to Service Principal

• Azure AD Service Principal Owner Added

• PaperCut Remote Web Access Attempt

• PaperCut Suspicious Behavior Debug Log

• Windows PaperCutNG Spawn Shell

• Windows Registry Bootexecute Modification

• Windows Snake Malware File Modification Crmlog

• Windows Snake Malware Kernel Driver Comadmin

• Windows Snake Malware Registry Modification Wav OpenWithProgids

• Windows Snake Malware Service Create

• Windows Winlogon with Public Network Connection

• Active Directory Lateral Movement Identified

• Impacket Lateral Movement smbexec CommandLine Parameters

• Impacket Lateral Movement WMIExec CommandLine Parameters

• Steal or Forge Authentication Certificates Behavior Identified

• Windows Administrative Shares Accessed on Multiple Hosts

• Windows Admon Default Group Policy Object Modified

• Windows Admon Group Policy Object Created

• Windows Credentials from Password Stores Chrome Extension Access

• Windows Credentials from Password Stores Chrome Local State Access

• Windows Credentials from Password Stores Chrome Login Data Access

• Windows Default Group Policy Object Modified

• Windows Default Group Policy Object Modified with GPME

• Windows DnsAdmins New Member Added

• Windows File Share Discovery with Powerview

• Windows Findstr GPP Discovery

• Windows Group Policy Object Created

• Windows Large Number of Computer Service Tickets Requested

• Windows Local Administrator Credential Stuffing

• Windows Modify Registry Auto Minor Updates

• Windows Modify Registry Auto Update Notif

• Windows Modify Registry Disable WinDefender Notifications

• Windows Modify Registry Do Not Connect to Win Update

• Windows Modify Registry No Auto Reboot with Logon User

• Windows Modify Registry No Auto Update

• Windows Modify Registry Tamper Protection

• Windows Modify Registry UpdateServiceUrlAlternate

• Windows Modify Registry UseWuServer

• Windows Modify Registry WuServer

• Windows Modify Registry WuStatusServer

• Windows PowerSploit GPP Discovery

• Windows PowerView AD Access Control List Enumeration

• Windows Query Registry Browser List Application

• Windows Query Registry UnInstall Program List

• Windows Rapid Authentication on Multiple Hosts

• Windows Service Stop Win Updates
• Windows Special Privileged Logon on Multiple Hosts

The team has also published the following blogs in the last month:

• Threat Update: AwfulShred Script Wiper
• Security Content from the Splunk Threat Research Team
• Detecting Threats with Splunk Security Content - Q4 Roundup

For all our tools and security content, please visit research.splunk.com. 

— The Splunk Threat Research Team