Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security Content Update (ESCU) app (v4.44.0). With this release, there are 8 new analytics, 3 new analytic stories, and 261 updated analytics now available in Splunk Enterprise Security via the ESCU application update process.

Content highlights include:

• The new Lumma Stealer analytics story includes detections related to this information-stealing malware, which leverages several obfuscation techniques like base64 encoding and clipboard manipulation to evade detection.
• The new Meduza Stealer analytics story includes detections designed to help identify activity related to this stealer, a relatively new threat that was first identified in 2023 and targets sensitive information like login credentials and financial details.
• The new PAX Stealer analytics story features detections to help identify this data-stealing malware, which is especially stealthy as it’s able to evade antivirus software.

New Analytics (8)

• Microsoft Defender ATP Alerts
• Microsoft Defender Incident Alerts
• Windows BitLockerToGo Process Execution
• Windows BitLockerToGo with Network Activity
• Windows Credentials Access via VaultCli Module
• Windows RDP File Execution
• Windows RDPClient Connection Sequence Events
• Windows RunMRU Command Execution

New Analytic Stories (3)

• Lumma Stealer
• Meduza Stealer
• PXA Stealer

Updated Analytics (261)

A number of analytics have been updated to address minor typos in the description field, make use of macros, or capture equivalent variants of commands.

• 7zip CommandLine To SMB Share Path
• Active Setup Registry Autostart
• Add DefaultUser And Password In Registry
• Add or Set Windows Defender Exclusion
• Allow Inbound Traffic By Firewall Rule Registry
• Allow Operation with Consent Admin
• Any Powershell DownloadFile
• Attacker Tools On Endpoint
• Attempted Credential Dump From Registry via Reg exe
• Auto Admin Logon Registry Entry
• BCDEdit Failure Recovery Modification
• Batch File Write to System32
• CMD Echo Pipe - Escalation
• CertUtil Download With URLCache and Split Arguments
• CertUtil Download With VerifyCtl and Split Arguments
• Certutil exe certificate extraction
• Clear Unallocated Sector Using Cipher App
• Clop Common Exec Parameter
• Clop Ransomware Known Service Name
• ConnectWise ScreenConnect Path Traversal Windows SACL
• Conti Common Exec parameter
• Control Loading from World Writable Directory
• Create Remote Thread In Shell Application
• Create local admin accounts using net exe
• Creation of Shadow Copy with wmic and powershell
• Creation of Shadow Copy
• Credential Dumping via Copy Command from Shadow Copy
• Credential Dumping via Symlink to Shadow Copy
• Curl Download and Bash Execution
• DNS Exfiltration Using Nslookup App
• DSQuery Domain Discovery
• Deleting Shadow Copies
• Detect AzureHound Command-Line Arguments
• Detect Certify Command Line Arguments
• Detect Distributed Password Spray Attempts
• Detect Exchange Web Shell
• Detect HTML Help Spawn Child Process
• Detect HTML Help URL in Command Line
• Detect HTML Help Using InfoTech Storage Handlers
• Detect MSHTA Url in Command Line
• Detect Password Spray Attempts
• Detect Regasm Spawning a Process
• Detect Regsvcs Spawning a Process
• Detect Regsvr32 Application Control Bypass
• Detect Rundll32 Application Control Bypass - advpack
• Detect Rundll32 Application Control Bypass - setupapi
• Detect Rundll32 Application Control Bypass - syssetup
• Detect Webshell Exploit Behavior
• Detect mshta inline hta execution
• Disable AMSI Through Registry
• Disable Defender AntiVirus Registry
• Disable Defender BlockAtFirstSeen Feature
• Disable Defender Enhanced Notification
• Disable Defender MpEngine Registry
• Disable Defender Spynet Reporting
• Disable Defender Submit Samples Consent Feature
• Disable ETW Through Registry
• Disable Logs Using WevtUtil
• Disable Registry Tool
• Disable Security Logs Using MiniNt Registry
• Disable Show Hidden Files
• Disable UAC Remote Restriction
• Disable Windows App Hotkeys
• Disable Windows Behavior Monitoring
• Disable Windows SmartScreen Protection
• Disabling CMD Application
• Disabling ControlPanel
• Disabling Defender Services
• Disabling FolderOptions Windows Feature
• Disabling NoRun Windows App
• Disabling SystemRestore In Registry
• Disabling Task Manager
• Domain Controller Discovery with Nltest
• Domain Group Discovery With Net
• Domain Group Discovery With Wmic
• Dump LSASS via comsvcs DLL
• Dump LSASS via procdump
• ETW Registry Disabled
• Elevated Group Discovery With Net
• Enable RDP In Other Port Number
• Enable WDigest UseLogonCredential Registry
• Enumerate Users Local Group Using Telegram
• Excel Spawning PowerShell
• Excel Spawning Windows Script Host
• Executable File Written in Administrative SMB Share
• Executables Or Script Creation In Suspicious Path
• FodHelper UAC Bypass
• GPUpdate with no Command Line Arguments with Network
• Hide User Account From Sign-In Screen
• Hiding Files And Directories With Attrib exe
• Icacls Deny Command
• Impacket Lateral Movement Commandline Parameters
• Impacket Lateral Movement WMIExec Commandline Parameters
• Impacket Lateral Movement smbexec CommandLine Parameters
• Kerberoasting spn request with RC4 encryption
• Known Services Killed by Ransomware
• Linux Auditd File Permission Modification Via Chmod
• Malicious PowerShell Process - Encoded Command
• Malicious Powershell Executed As A Service
• Monitor Registry Keys for Print Monitors
• Net Localgroup Discovery
• Network Connection Discovery With Net
• Office Application Drop Executable
• Office Application Spawn Regsvr32 process
• Office Application Spawn rundll32 process
• Office Product Spawning BITSAdmin
• Office Product Spawning CertUtil
• Office Product Spawning MSHTA
• Office Product Spawning Rundll32 with no DLL
• Office Product Spawning Windows Script Host
• Office Product Spawning Wmic
• Office Product Writing cab or inf
• Office Spawning Control
• Okta Mismatch Between Source and Response for Verify Push Request
• Password Policy Discovery with Net
• Ping Sleep Batch Command
• PowerShell 4104 Hunting
• Powershell Disable Security Monitoring
• Powershell Processing Stream Of Data
• Registry Keys Used For Privilege Escalation
• Registry Keys for Creating SHIM Databases
• Remote Process Instantiation via DCOM and PowerShell
• Remote Process Instantiation via WMI and PowerShell
• Remote System Discovery with Net
• Resize ShadowStorage volume
• Rundll32 Control RunDLL World Writable Directory
• Rundll32 Shimcache Flush
• Rundll32 with no Command Line Arguments with Network
• Ryuk Wake on LAN Command
• SLUI RunAs Elevated
• SLUI Spawning a Process
• Schedule Task with HTTP Command Arguments
• Schedule Task with Rundll32 Command Trigger
• Schtasks scheduling job on remote system
• SearchProtocolHost with no Command Line with Network
• SecretDumps Offline NTDS Dumping Tool
• ServicePrincipalNames Discovery with SetSPN
• Services Escalate Exe
• Shim Database Installation With Suspicious Parameters
• Short Lived Scheduled Task
• Short Lived Windows Accounts
• Single Letter Process On Endpoint
• Splunk Unauthenticated Log Injection Web Service Log
• Spoolsv Spawning Rundll32
• Spoolsv Writing a DLL
• Suspicious Computer Account Name Change
• Suspicious Copy on System32
• Suspicious Process DNS Query Known Abuse Web Services
• Suspicious Process File Path
• Suspicious Process With Discord DNS Query
• Suspicious mshta child process
• Time Provider Persistence Registry
• WBAdmin Delete System Backups
• WMIC XSL Execution via URL
• Wget Download and Bash Execution
• WinEvent Scheduled Task Created Within Public Path
• WinEvent Scheduled Task Created to Spawn Shell
• WinRAR Spawning Shell Application
• Windows AD Cross Domain SID History Addition
• Windows AD Domain Controller Promotion
• Windows AD Domain Replication ACL Addition
• Windows AD Privileged Account SID History Addition
• Windows AD Replication Request Initiated by User Account
• Windows AD Replication Request Initiated from Unsanctioned Location
• Windows AD Same Domain SID History Addition
• Windows AD Short Lived Domain Controller SPN Attribute
• Windows AD Short Lived Server Object
• Windows Access Token Manipulation SeDebugPrivilege
• Windows Alternate DataStream - Process Execution
• Windows COM Hijacking InprocServer32 Modification
• Windows Change Default File Association For No File Ext
• Windows Command Shell DCRat ForkBomb Payload
• Windows Command and Scripting Interpreter Path Traversal Exec
• Windows Computer Account With SPN
• Windows ConHost with Headless Argument
• Windows Credential Access From Browser Password Store
• Windows Credential Dumping LSASS Memory Createdump
• Windows Credentials from Password Stores Chrome Extension Access
• Windows Credentials from Password Stores Chrome LocalState Access
• Windows Credentials from Password Stores Chrome Login Data Access
• Windows Credentials from Password Stores Creation
• Windows Credentials from Password Stores Deletion
• Windows Curl Download to Suspicious Path
• Windows Curl Upload to Remote Destination
• Windows DISM Remove Defender
• Windows DLL Search Order Hijacking with iscsicpl
• Windows Defender Exclusion Registry Entry
• Windows Disable Change Password Through Registry
• Windows Disable Lock Workstation Feature Through Registry
• Windows Disable LogOff Button Through Registry
• Windows Disable Notification Center
• Windows Disable Shutdown Button Through Registry
• Windows Disable Windows Event Logging Disable HTTP Logging
• Windows Disable or Modify Tools Via Taskkill
• Windows Domain Admin Impersonation Indicator
• Windows ESX Admins Group Creation via Net
• Windows Event Log Cleared
• Windows Excessive Disabled Services Event
• Windows Execute Arbitrary Commands with MSDT
• Windows Gather Victim Network Info Through Ip Check Web Services
• Windows Hidden Schedule Task Settings
• Windows Hide Notification Features Through Registry
• Windows Impair Defense Configure App Install Control
• Windows Impair Defense Disable Web Evaluation
• Windows Impair Defense Override SmartScreen Prompt
• Windows InstallUtil Remote Network Connection
• Windows InstallUtil URL in Command Line
• Windows InstallUtil Uninstall Option with Network
• Windows InstallUtil Uninstall Option
• Windows Kerberos Local Successful Logon
• Windows KrbRelayUp Service Creation
• Windows LSA Secrets NoLMhash Registry
• Windows MOF Event Triggered Execution via WMI
• Windows MSIExec Spawn Discovery Command
• Windows MSIExec Spawn WinDBG
• Windows Masquerading Explorer As Child Process
• Windows Masquerading Msdtc Process
• Windows Mimikatz Binary Execution
• Windows Modify Registry Disable Restricted Admin
• Windows Modify Registry EnableLinkedConnections
• Windows Modify Registry LongPathsEnabled
• Windows Modify Registry NoChangingWallPaper
• Windows Modify Registry to Add or Modify Firewall Rule
• Windows Modify Show Compress Color And Info Tip Registry
• Windows Modify System Firewall with Notable Process Path
• Windows Network Share Interaction With Net
• Windows Non Discord App Access Discord LevelDB
• Windows Office Product Spawning MSDT
• Windows PaperCut NG Spawn Shell
• Windows Parent PID Spoofing with Explorer
• Windows Privilege Escalation User Process Spawn System Process
• Windows Query Registry UnInstall Program List
• Windows Raccine Scheduled Task Deletion
• Windows Rasautou DLL Execution
• Windows Registry BootExecute Modification
• Windows Registry Certificate Added
• Windows Registry Delete Task SD
• Windows Registry Modification for Safe Mode Persistence
• Windows Regsvr32 Renamed Binary
• Windows Remote Assistance Spawning Process
• Windows Remote Service Rdpwinst Tool Execution
• Windows SOAPHound Binary Execution
• Windows Scheduled Task with Highest Privileges
• Windows Security Account Manager Stopped
• Windows Service Create SliverC2
• Windows Service Create with Tscon
• Windows Service Creation Using Registry Entry
• Windows Snake Malware Service Create
• Windows Spearphishing Attachment Onenote Spawn Mshta
• Windows Special Privileged Logon On Multiple Hosts
• Windows Steal Authentication Certificates - ESC1 Authentication
• Windows System Binary Proxy Execution Compiled HTML File Decompile
• Windows UAC Bypass Suspicious Escalation Behavior
• Windows Unsecured Outlook Credentials Access In Registry
• Windows Valid Account With Never Expires Password
• Windows WinDBG Spawning AutoIt3
• Winhlp32 Spawning a Process
• Winword Spawning Cmd
• Winword Spawning PowerShell
• Winword Spawning Windows Script Host
• Wscript Or Cscript Suspicious Child Process

For all our tools and security content, please visit research.splunk.com.

— The Splunk Threat Research Team