Enterprise Security Content Update (ESCU) | New Releases

In July, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security Content Update (ESCU) app (v4.35.0, v4.36.0 and v.37.0). With these releases, there are 36 new analytics, 6 new analytic stories, 6 updated analytics, and 20 updated analytic stories now available in Splunk Enterprise Security via the ESCU application update process.

Content highlights include:

• The new AcidPour analytic story includes content to help detect and investigate activity that might relate to AcidPour Wiper malware. To learn more about this malware and the content in the related analytic story, check out this blog.
• The new Gozi Malware analytic story covers the detection and analysis of Gozi malware (also known as Ursnif or ISFB), one of the oldest and most persistent banking trojans.
• The new ShrinkLocker analytic story includes detections related to ShrinkLocker, a new ransomware that uses Windows BitLocker to encrypt files by creating new boot partitions.

New Analytics (36)

• Splunk DoS via POST Request Datamodel Endpoint
• Splunk Information Disclosure on Account Login
• Splunk RCE PDFgen Render
• Splunk RCE via External Lookup Copybuckets
• Splunk Stored XSS conf-web Settings on Premises
• Splunk Stored XSS via Specially Crafted Bulletin Message
• Splunk Unauthenticated DoS via Null Pointer References
• Splunk Unauthenticated Path Traversal Modules Messaging
• Splunk Unauthorized Experimental Items Creation
• Splunk XSS Privilege Escalation via Custom Urls in Dashboard
• Splunk XSS Via External Urls in Dashboards SSRF
• Detect Distributed Password Spray Attempts
• Detect Password Spray Attempts
• Internal Horizontal Port Scan
• Internal Vertical Port Scan
• Windows AD add Self to Group
• Windows Increase in Group or Object Modification Activity
• Windows Increase in User Modification Activity
• Windows Network Share Interaction With Net
• Windows Vulnerable Driver Installed
• Ivanti EPM SQL Injection Remote Code Execution
• MOVEit Certificate Store Access Failure
• MOVEit Empty Key Fingerprint Authentication Attempt
• Windows ESX Admins Group Creation Security Event
• Windows ESX Admins Group Creation via Net
• Windows ESX Admins Group Creation via PowerShell
• Windows Known Abused DLL Loaded Suspiciously (External Contributor: @nterl0k)
• Windows LOLBAS Executed As Renamed File (External Contributor: @nterl0k)
• Windows LOLBAS Executed Outside Expected Path (External Contributor: @nterl0k)
• Windows Modify Registry Configure BitLocker
• Windows Modify Registry Delete Firewall Rules
• Windows Modify Registry Disable RDP
• Windows Modify Registry on Smart Card Group Policy
• Windows Modify Registry to Add or Modify Firewall Rule
• Windows Outlook WebView Registry Modification
• Windows Privileged Group Modification (External Contributor: @TheLawsOfChaos)

New Analytic Stories (6)

• AcidPour
• Gozi Malware
• Ivanti EPM Vulnerabilities
• MOVEit Transfer Authentication Bypass
• ShrinkLocker
• VMware ESXi AD Integration Authentication Bypass CVE-2024-37085

Updated Analytics (6)

• Splunk CSRF in the SSG kvstore Client Endpoint
• Splunk Enterprise Windows Deserialization File Partition
• Splunk Stored XSS via Data Model objectName Field
• Splunk XSS in Highlighted JSON Events
• Splunk XSS in Save table dialog header in search page
• Splunk risky Command Abuse disclosed february 2023

Updated Analytic Stories (20)

• Detect Remote Access Software Usage DNS (External Contributor: @nterl0k)
• Detect Remote Access Software Usage FileInfo (External Contributor: @nterl0k)
• Detect Remote Access Software Usage File (External Contributor: @nterl0k)
• Detect Remote Access Software Usage Process (External Contributor: @nterl0k)
• Detect Remote Access Software Usage Traffic (External Contributor: @nterl0k)
• Detect Remote Access Software Usage URL (External Contributor: @nterl0k)
• Possible Lateral Movement PowerShell Spawn
• Linux Obfuscated Files or Information Base64 Decode
• Linux Decode Base64 to Shell
• Windows Protocol Tunneling with Plink
• Malicious PowerShell Process - Encoded Command
• Windows Event Log Cleared
• Azure AD Admin Consent Bypassed by Service Principal (External Contributor: @dluxtron)
• Azure AD Global Administrator Role Assigned (External Contributor: @dluxtron)
• Azure AD Privileged Role Assigned (External Contributor: @dluxtron)
• Azure AD Service Principal New Client Credentials (External Contributor: @dluxtron)
• Detect New Local Admin account (External Contributor: @dluxtron)
• Kerberos Pre-Authentication Flag Disabled in UserAccountControl (External Contributor: @dluxtron)
• Detect Renamed PSExec (External Contributor: Alex Oberkircher, Github)
• Scheduled Task Initiation on Remote Endpoint (External Contributor: @badoodish, Github)

The team also published the following blogs:

• Introducing ShellSweepPlus: Open-Source Web Shell Detection
• Breaking Down Linux.Gomir: Understanding this Backdoor’s TTPs
• Splunk Security Content for Impact Assessment of CrowdStrike Windows Outage
• AcidPour Wiper Malware: Threat Analysis and Detections

For all our tools and security content, please visit research.splunk.com.

— The Splunk Threat Research Team