In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the Enterprise Security Content Update (ESCU) app (v4.15.0 and v4.16.0). With these releases, there are 20 new detections, 4 new analytic stories, 7 updated analytics, 2 updated behavioral analytics detections, 3 new behavioral analytics detections, 2 updated analytic stories, and 2 deprecated analytics now available in Splunk Enterprise Security via the ESCU application update process.
Content highlights include:
A new malware analytic story that groups 6 new analytics to help detect a phishing-driven campaign distributing DarkGate malware, which uses stolen email threads to trick users into downloading malicious payloads via hyperlinks.
Analytics for a new zero-day vulnerability in SysAid On-Prem Software (CVE-2023-47246) that allows attackers to upload a WebShell and other payloads, gaining unauthorized access and control.
A new analytic, Risk Rule for Dev Sec Ops by Repository, that correlates repository and risk score to identify patterns and trends in the data based on the associated level of risk, providing a comprehensive view of the risk landscape to support informed decisions. Additionally, we released an updated analytic story that groups 10 new analytics to help security operations teams identify the potential compromise of Azure Active Directory accounts.
Analytics for a critical vulnerability, CVE-2023-4966, in the NetScaler Application Delivery Controller (ADC) and NetScaler Gateway. If exploited, this vulnerability can lead to unauthorized data disclosure and possibly session hijacking. Also covered is "PlugX RAT" (also known as "Kaba"), dubbed the "silent infiltrator," the go-to tool for sophisticated hackers with one goal in mind: espionage. Additionally, we updated three existing analytics to identify suspicious file creation in the root drive, as observed with NjRAT, and two privilege escalation vulnerabilities in Atlassian Confluence.