Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise Security Content Update (ESCU) app (v4.40.0 and v4.41.0). With these releases, there are 58 new analytics, 4 new analytic stories, and 81 updated analytics now available in Splunk Enterprise Security via the ESCU application update process.

Content highlights include:

• The new analytic story “Compromised Linux Host” introduces a robust set of 50 detections for compromised Linux hosts, covering a wide range of activities such as unauthorized account creation, file ownership changes, kernel module modifications, privilege escalation, data destruction, and suspicious service stoppages, enhancing visibility into potential malicious actions and system tampering.
• We have tagged existing analytics related to Black Suit ransomware TTPs into a new “BlackSuit Ransomware” analytic story, providing organizations with targeted threat detection capabilities to identify and mitigate ransomware attacks before they can cause significant damage.
• The ValleyRAT analytic story includes new detections tailored to the ValleyRAT malware, providing enhanced monitoring and threat-hunting capabilities for adversarial activity on Windows systems. These detections improve visibility into malicious registry changes, task scheduling anomalies, and suspicious executable behavior.

New Analytics (58)

• Linux Auditd Add User Account Type
• Linux Auditd Add User Account
• Linux Auditd At Application Execution
• Linux Auditd Auditd Service Stop
• Linux Auditd Base64 Decode Files
• Linux Auditd Change File Owner To Root
• Linux Auditd Clipboard Data Copy
• Linux Auditd Data Destruction Command
• Linux Auditd Data Transfer Size Limits Via Split Syscall
• Linux Auditd Data Transfer Size Limits Via Split
• Linux Auditd Database File And Directory Discovery
• Linux Auditd Dd File Overwrite
• Linux Auditd Disable Or Modify System Firewall
• Linux Auditd Doas Conf File Creation
• Linux Auditd Doas Tool Execution
• Linux Auditd Edit Cron Table Parameter
• Linux Auditd File And Directory Discovery
• Linux Auditd File Permission Modification Via Chmod
• Linux Auditd File Permissions Modification Via Chattr
• Linux Auditd Find Credentials From Password Managers
• Linux Auditd Find Credentials From Password Stores
• Linux Auditd Find Private Keys
• Linux Auditd Find Ssh Private Keys
• Linux Auditd Hardware Addition Swapoff
• Linux Auditd Hidden Files And Directories Creation
• Linux Auditd Insert Kernel Module Using Insmod Utility
• Auditd Install Kernel Module Using Modprobe Utility
• Linux Auditd Kernel Module Enumeration
• Linux Auditd Kernel Module Using Rmmod Utility
• Linux Auditd Nopasswd Entry In Sudoers File
• Linux Auditd Osquery Service Stop
• Linux Auditd Possible Access Or Modification Of Sshd Config File
• Linux Auditd Possible Access To Credential Files
• Linux Auditd Possible Access To Sudoers File
• Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File
• Linux Auditd Preload Hijack Library Calls
• Linux Auditd Preload Hijack Via Preload File
• Linux Auditd Service Restarted
• Linux Auditd Service Started
• Linux Auditd Setuid Using Chmod Utility
• Linux Auditd Setuid Using Setcap Utility
• Linux Auditd Shred Overwrite Command
• Linux Auditd Stop Services
• Linux Auditd Sudo Or Su Execution
• Linux Auditd Sysmon Service Stop
• Linux Auditd System Network Configuration Discovery
• Linux Auditd Unix Shell Configuration Modification
• Linux Auditd Unload Module Via Modprobe
• Linux Auditd Virtual Disk File And Directory Discovery
• Linux Auditd Whoami User Discovery
• Windows DISM Install PowerShell Web Access
• Windows Enable PowerShell Web Access
• Windows Impair Defenses Disable AV AutoStart via Registry
• Windows Modify Registry Utilize ProgIDs
• Windows Modify Registry ValleyRAT C2 Config
• Windows Modify Registry ValleyRat PWN Reg Entry
• Windows Schedule Task DLL Module Loaded
• Windows Schedule Tasks for CompMgmtLauncher or Eventvwr

New Analytic Stories (4)

• BlackSuit Ransomware
• CISA AA24-241A
• Compromised Linux Host
• ValleyRAT

Updated Analytics (81)

• ASL AWS Concurrent Sessions From Different Ips
• Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
• Anomalous usage of 7zip
• Citrix ADC Exploitation CVE-2023-3519
• Create Remote Thread into LSASS
• Create local admin accounts using net exe
• Detect Credential Dumping through LSASS access
• Detect New Local Admin account
• Detect Remote Access Software Usage DNS
• Detect Remote Access Software Usage File
• Detect Remote Access Software Usage Process
• Detect Remote Access Software Usage URL
• Detect SharpHound Command-Line Arguments
• Detect SharpHound File Modifications
• Disable Defender AntiVirus Registry
• Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
• Domain Controller Discovery with Nltest
• Elevated Group Discovery With Net
• Excessive Usage Of Taskkill
• Executable File Written in Administrative SMB Share
• F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
• Ivanti Connect Secure Command Injection Attempts
• Ivanti Connect Secure System Information Access via Auth Bypass
• Kerberos Pre-Authentication Flag Disabled in UserAccountControl
• Kubernetes Abuse of Secret by Unusual Location
• Kubernetes Abuse of Secret by Unusual User Agent
• Kubernetes Abuse of Secret by Unusual User Group
• Kubernetes Abuse of Secret by Unusual User Name
• Kubernetes Access Scanning
• Kubernetes Create or Update Privileged Pod
• Kubernetes Cron Job Creation
• Kubernetes DaemonSet Deployed
• Kubernetes Falco Shell Spawned
• Kubernetes Node Port Creation
• Kubernetes Pod Created in Default Namespace
• Kubernetes Pod With Host Network Attachment
• Kubernetes Scanning by Unauthenticated IP Address
• Kubernetes Suspicious Image Pulling
• Kubernetes Unauthorized Access
• Ngrok Reverse Proxy on Network
• PowerShell 4104 Hunting
• Powershell Disable Security Monitoring
• Registry Keys Used For Persistence
• Rubeus Command Line Parameters
• Rubeus Kerberos Ticket Exports Through Winlogon Access
• Rundll32 with no Command Line Arguments with Network
• Scheduled Task Deleted Or Created via CMD
• Suspicious Scheduled Task from Public Directory
• System Information Discovery Detection
• Unknown Process Using The Kerberos Protocol
• WinEvent Windows Task Scheduler Event Action Started
• Windows AD Abnormal Object Access Activity
• Windows AD Privileged Object Access Activity
• Windows Abused Web Services
• Windows AdFind Exe
• Windows Alternate DataStream - Base64 Content
• Windows Alternate DataStream - Executable Content
• Windows Alternate DataStream - Process Execution
• Windows Create Local Account
• Windows Disable or Modify Tools Via Taskkill
• Windows Driver Load Non-Standard Path
• Windows Modify Registry Delete Firewall Rules
• Windows Modify Registry to Add or Modify Firewall Rule
• Windows Ngrok Reverse Proxy Usage
• Windows Privilege Escalation Suspicious Process Elevation
• Windows Privilege Escalation System Process Without System Parent
• Windows Privilege Escalation User Process Spawn System Process
• Windows Remote Create Service
• Windows Remote Services Rdp Enable
• Windows UAC Bypass Suspicious Child Process
• Windows UAC Bypass Suspicious Escalation Behavior
• Wsmprovhost LOLBAS Execution Process Spawn
• Add or Set Windows Defender Exclusion
• CMLUA Or CMSTPLUA UAC Bypass
• Eventvwr UAC Bypass
• Executables Or Script Creation In Suspicious Path
• FodHelper UAC Bypass
• Suspicious Process File Path
• WinEvent Windows Task Scheduler Event Action Started
• Windows Access Token Manipulation SeDebugPrivilege
• Windows Defender Exclusion Registry Entry

The team also published the following 4 blogs:

• Splunk Security Content for Threat Detection & Response: Q2 Roundup
• The Final Shell: Introducing ShellSweepX
• ShrinkLocker Malware: Abusing BitLocker to Lock Your Data
• Handala’s Wiper: Threat Analysis and Detections

For all our tools and security content, please visit research.splunk.com.

— The Splunk Threat Research Team