Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise Security Content Update (ESCU) app (v4.43.0). With this release, there are 2 new analytic stories and 9 new analytics now available in Splunk Enterprise Security via the ESCU application update process.

Content highlights include:

• Braodo Stealer analytics story: This includes detections to help identify the Braodo Stealer malware, which is designed to steal sensitive information like credentials, cookies, and system data. To learn more about Braodo Stealer and the detections included in this analytics story, check out the team’s blog ”Cracking Braodo Stealer: Analyzing Python Malware and Its Obfuscated Loader.”
• Enhanced drilldowns: In addition, all TTP or Anomaly and Correlation type detections have had two drilldowns added to their yaml files. The drilldowns let users view detection results for specific risk objects and access risk events from the past 7 days.

New Analytic Stories (2)

• Braodo Stealer
• Critical Alerts

New Analytics (9)

• Detect Critical Alerts from Security Tools
• High Volume of Bytes Out to Url
• Internal Horizontal Port Scan NMAP Top 20
• Plain HTTP POST Exfiltrated Data
• Windows Archived Collected Data In TEMP Folder
• Windows Credentials from Password Stores Chrome Copied in TEMP Dir
• Windows Credentials from Web Browsers Saved in TEMP Folder
• Windows Disable or Stop Browser Process
• Windows Screen Capture in TEMP folder

The team also published the following 4 blogs:

• Cracking Braodo Stealer: Analyzing Python Malware and Its Obfuscated Loader
• CosmicSting: A Critical XXE Vulnerability in Adobe Commerce and Magento (CVE-2024-34102)
• Bypassing the Bypass: Detecting Okta Classic Application Sign-On Policy Evasion
• Splunk Security Content for Threat Detection & Response: Q3 Roundup

For all our tools and security content, please visit research.splunk.com.

— The Splunk Threat Research Team