Enterprise Security Content Update (ESCU) | New Releases

In June, the Splunk Threat Research Team had 2 releases of new security content via the Enterprise Security Content Update (ESCU) app (v4.33.0 and v4.34.0). With these releases, there are 3 new analytics, 2 new analytic stories, and 10 updated analytics now available in Splunk Enterprise Security via the ESCU application update process.

Content highlights include:

• The new CrushFTP Vulnerabilities analytic story includes content to help identify indicators of CVE-2024-4040 exploitation. To learn more about this vulnerability and how to use Splunk to identify and investigate CVE-2024-4040, check out this blog.
• The new Gomir analytic story includes detections that help security analysts identify and investigate unusual activities associated with the Gomir backdoor malware.
• The team also updated over 1,200 analytics descriptions for stylistic changes and improved readability.

New Analytics (3)

• CrushFTP Server Side Template Injection
• Windows Debugger Tool Execution
• Windows Unsigned DLL Side-Loading In Same Process Path

New Analytic Stories (2)

• CrushFTP Vulnerabilities
• Gomir

Updated Analytics (10)

• Azure AD Privileged Role Assigned
• Azure AD Privileged Role Assigned to Service Principal
• Kubernetes Nginx Ingress LFI
• Windows AppLocker Block Events
• Windows Credential Access From Browser Password Store
• Windows Defender ASR Audit Events
• Windows Defender ASR Block Events
• Windows Defender ASR Registry Modification
• Windows Defender ASR Rule Disabled
• Windows Defender ASR Rules Stacking

The team also published the following 4 blogs:

• Security Insights: Detecting CVE-2024-4040 Exploitation in CrushFTP
• Deploy, Test, Monitor: Mastering Microsoft AppLocker, Part 1
• Deploy, Test, Monitor: Mastering Microsoft AppLocker, Part 2
• LNK or Swim: Analysis & Simulation of Recent LNK Phishing

For all our tools and security content, please visit research.splunk.com.

— The Splunk Threat Research Team