Enterprise Security Content Update (ESCU) | New Releases

In October, the Splunk Threat Research Team had one release of new security content via the Enterprise Security Content Update (ESCU) app (v4.42.0). With this release, there are 10 new analytics, 15 updated analytics, and 1 updated analytic story now available in Splunk Enterprise Security via the ESCU application update process.

Content highlights include:

• The CISA AA24-241A analytic story was updated with detections tailored to identify malicious usage of PowerShell Web Access in Windows environments. The new detections focus on monitoring PowerShell Web Access activity through the IIS application pool and web access logs, providing enhanced visibility into suspicious or unauthorized access.
• The Splunk Threat Research Team also updated the security content repository on research.splunk.com to better help security teams find the most relevant content for their organizations, understand how individual detections operate, and stay up-to-date on the latest releases. For more details, check out this blog: Fueling the SOC of the Future with Built-in Threat Research and Detections in Splunk Enterprise Secu....

New Analytics (10)

• Splunk Disable KVStore via CSRF Enabling Maintenance Mode
• Splunk Image File Disclosure via PDF Export in Classic Dashboard
• Splunk Low-Priv Search as nobody SplunkDeploymentServerConfig App
• Splunk Persistent XSS via Props Conf
• Splunk Persistent XSS via Scheduled Views
• Splunk RCE Through Arbitrary File Write to Windows System Root
• Splunk SG Information Disclosure for Low Privs User
• Splunk Sensitive Information Disclosure in DEBUG Logging Channels
• Windows IIS Server PSWA Console Access
• Windows Identify PowerShell Web Access IIS Pool

Updated Analytics (15)

• Create Remote Thread into LSASS
• Detect Regsvcs with Network Connection
• Linux Auditd Change File Owner To Root
• Possible Lateral Movement PowerShell Spawn
• Suspicious Process DNS Query Known Abuse Web Services
• Windows AdFind Exe
• Windows DISM Install PowerShell Web Access
• Windows Enable PowerShell Web Access
• Windows Impair Defenses Disable AV AutoStart via Registry
• Windows Modify Registry Utilize ProgIDs
• Windows Modify Registry ValleyRAT C2 Config
• Windows Modify Registry ValleyRat PWN Reg Entry
• Windows Privileged Group Modification
• Windows Scheduled Task DLL Module Loaded
• Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr

Updated Analytic Stories (1)

• CISA AA24-241A

The team also published the following 4 blogs:

• ValleyRAT Insights: Tactics, Techniques, and Detection Methods
• Introducing Splunk Attack Range v3.1
• PowerShell Web Access: Your Network's Backdoor in Plain Sight
• My CUPS Runneth Over (with CVEs)

For all our tools and security content, please visit research.splunk.com.

— The Splunk Threat Research Team