Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had 5 releases of new security content via the Enterprise Security Content Update (ESCU) app (v4.19.0., v4.20.0, v4.21.0, v4.22.0, and v.4.23.0). With these releases, there are 74 new analytics, 5 new analytic stories, 14 updated analytics, and 3 updated analytic stories now available in Splunk Enterprise Security via the ESCU application update process.

Content highlights include:

• The new "Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring" analytic story includes a range of detections that identify abnormal or unexpected container behavior in Kubernetes environments, using metrics from Splunk Observability Cloud.
• The new “CISA AA23-347A” analytic story includes a variety of detections that allow you to detect and investigate unusual activities that might be related to SVR cyber activity.
• The new “Ivanti Connect Secure VPN Vulnerabilities'' analytic story addresses critical vulnerabilities CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure and Ivanti Policy Secure Gateways. The team also published a blog with additional information about these vulnerabilities and how to use this new threat detection content.

New Analytics (74)

• Kubernetes Anomalous Inbound Outbound Network IO
• Kubernetes Anomalous Inbound to Outbound Network IO Ratio
• Kubernetes Previously Unseen Container Image Name
• Kubernetes Previously Unseen Process
• Kubernetes Process Running From New Path
• Kubernetes Process with Anomalous Resource Utilisation
• Kubernetes Process with Resource Ratio Anomalies
• Kubernetes Shell Running on Worker Node with CPU Activity
• Kubernetes Shell Running on Worker Node
• Windows Account Discovery For None Disable User Account
• Windows Lsa Secrets Nolmhash Registry
• Windows Modify Registry Disable Restricted Admin
• Windows Account Discovery For Sam Account Name
• Windows Account Discovery With Netuser PreauthNotRequire
• Windows Archive Collected Data Via Powershell
• Windows Domain Account Discovery Via Get Netcomputer
• Windows Known Graphicalproton Loaded Modules
• Windows Process Commandline Discovery
• Windows System User Privilege Discovery
• Windows Modify Registry Nochangingwallpaper
• Windows Rundll32 Apply User Settings Changes
• Windows UAC Bypass Suspicious Child Process (External Contributor : @nterl0k)
• Windows UAC Bypass Suspicious Escalation Behavior (External Contributor : @nterl0k)
• Windows Alternate DataStream - Base64 Content (External Contributor : @nterl0k)
• Windows Alternate DataStream - Process Execution (External Contributor : @nterl0k)
• Windows Alternate DataStream - Executable Content (External Contributor : @nterl0k)
• O365 Concurrent Sessions From Different Ips
• Splunk ES DoS Investigations Manager via Investigation Creation
• Splunk ES DoS Through Investigation Attachments
• Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
• Ivanti Connect Secure Command Injection Attempts
• Ivanti Connect Secure System Information Access via Auth Bypass
• Splunk Enterprise KV Store Incorrect Authorization
• Splunk Enterprise Windows Deserialization File Partition
• Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527
• Splunk Information Disclosure in Splunk Add-on Builder
• Kubernetes Anomalous Inbound Network Activity from Process
• Kubernetes Anomalous Outbound Network Activity from Process
• Kubernetes Anomalous Traffic on Network Edge
• Kubernetes Create or Update Privileged Pod
• Kubernetes Cron Job Creation
• Kubernetes DaemonSet Deployed
• Kubernetes Falco Shell Spawned
• Kubernetes newly seen TCP edge
• Kubernetes newly seen UDP edge
• Kubernetes Node Port Creation
• Kubernetes Pod Created in Default Namespace
• Kubernetes Pod With Host Network Attachment
• Kubernetes Scanning by Unauthenticated IP Address
• Windows Impair Defense Change Win Defender Health Check Intervals
• Windows Impair Defense Change Win Defender Quick Scan Interval
• Windows Impair Defense Change Win Defender Throttle Rate
• Windows Impair Defense Change Win Defender Tracing Level
• Windows Impair Defense Configure App Install Control
• Windows Impair Defense Define Win Defender Threat Action
• Windows Impair Defense Disable Controlled Folder Access
• Windows Impair Defense Disable Defender Firewall And Network
• Windows Impair Defense Disable Defender Protocol Recognition
• Windows Impair Defense Disable PUA Protection
• Windows Impair Defense Disable Realtime Signature Delivery
• Windows Impair Defense Disable Web Evaluation
• Windows Impair Defense Disable Win Defender App Guard
• Windows Impair Defense Disable Win Defender Compute File Hashes
• Windows Impair Defense Disable Win Defender Gen reports
• Windows Impair Defense Disable Win Defender Network Protection
• Windows Impair Defense Disable Win Defender Report Infection
• Windows Impair Defense Disable Win Defender Scan On Update
• Windows Impair Defense Disable Win Defender Signature Retirement
• Windows Impair Defense Overide Win Defender Phishing Filter
• Windows Impair Defense Override SmartScreen Prompt
• Windows Impair Defense Set Win Defender Smart Screen Level To Warn
• Windows MsiExec HideWindow Rundll32 Execution
• Windows Process Injection In Non-Service SearchIndexer
• Jenkins Arbitrary File Read CVE-2024-23897

New Analytic Stories (5)

• CISA AA23-347A
• Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
• Ivanti Connect Secure VPN Vulnerabilities
• Confluence Data Center and Confluence Server Vulnerabilities
• Jenkins Server Vulnerabilities

Updated Analytics (14)

• GCP Authentication Failed During MFA Challenge
• GCP Multi-Factor Authentication Disabled
• GCP Successful Single-Factor Authentication
• Windows Steal Authentication Certificates - ESC1 Abuse
• Allow Network Discovery In Firewall
• Msmpeng Application DLL Side Loading
• Confluence Data Center and Server Privilege Escalation
• Confluence Unauthenticated Remote Code Execution CVE-2022-26134
• Kubernetes Access Scanning
• Kubernetes AWS detect suspicious kubectl calls
• Disable Windows SmartScreen Protection
• Linux Service Started Or Enabled
• Unknown Process Using The Kerberos Protocol
• Windows Excessive Disabled Services Event

Updated Analytic Stories (3)

• Office 365 Account Takeover
• Office 365 Persistence Mechanisms
• Splunk Vulnerabilities

The team also published the following 6 blogs:

• Security Insights: Jenkins CVE-2024-23897 RCE
• Security Insights: Tracking Confluence CVE-2023-22527
• Security Insights: Investigating Ivanti Connect Secure Auth Bypass and RCE
• Enter the Gates: An Analysis of the DarkGate AutoIt Loader
• Hunting M365 Invaders: Blue Team's Guide to Initial Access Vectors
• Ghost in the Web Shell: Introducing ShellSweep

For all our tools and security content, please visit research.splunk.com. 

— The Splunk Threat Research Team