Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security Content Update (ESCU) app (v4.31.0, v4.31.1 and v4.32.0). With these releases, there are 7 new analytics and 23 updated analytics, now available in Splunk Enterprise Security via the ESCU application update process.

Content highlights include:

• The new analytic Windows Process Writing File to World Writable Path detects a process writing a file, specifically a .txt, to a world-writable path. This technique has been used by APT29-related campaign adversaries.
• We added 6 new analytics and updated 6 existing analytics focused on AWS, detecting critical security events such as attempts to disable or modify CloudTrail logging, unauthorized container uploads to Amazon Elastic Container Service (ECR), and suspicious Identity & Access Management (IAM) group deletions.

New Analytics (7)

• Windows Process Writing File to World Writable Path
• ASL AWS Defense Evasion Stop Logging Cloudtrail
• ASL AWS Defense Evasion Update Cloudtrail
• ASL AWS ECR Container Upload Outside Business Hours
• ASL AWS ECR Container Upload Unknown User
• ASL AWS IAM Failure Group Deletion
• ASL AWS IAM Successful Group Deletion

Updated Analytics (23)

• Create Policy Version to allow all resources
• Detect Rare Executables
• Prohibited Network Traffic Allowed
• Remote Desktop Network Traffic
• Windows Masquerading Explorer As Child Process
• Recon AVProduct Through Pwh or WMI
• Detect Outbound SMB Traffic
• MSHTML Module Load in Office Product
• Office Document Creating Schedule Task
• Office Document Executing Macro Code
• Windows InstallUtil Credential Theft
• ASL AWS Concurrent Sessions From Different Ips
• ASL AWS Defense Evasion Delete CloudWatch Log Group
• ASL AWS Defense Evasion Delete Cloudtrail
• ASL AWS Defense Evasion Impair Security Services
• ASL AWS IAM Delete Policy
• ASL AWS Multi-Factor Authentication Disabled
• Detect Regasm Spawning a Process
• Possible Lateral Movement PowerShell Spawn
• Process Creating LNK file in Suspicious Location
• Process Execution via WMI
• Windows InstallUtil Uninstall Option
• Windows MOF Event Triggered Execution via WMI

The team also published the following 3 blogs:

• Hunting M365 Invaders: Dissecting Email Collection Techniques
• Splunk Tools & Analytics To Empower Threat Hunters
• Splunk Security Content for Threat Detection & Response: Q1 Roundup

For all our tools and security content, please visit research.splunk.com.

— The Splunk Threat Research Team