Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content Update (ESCU) app (v5.0). With this release, there are 52 new analytics and 9 new analytic stories now available in Splunk Enterprise Security via the ESCU application update process — plus several new exciting enhancements.

Highlights include:

• The team released new analytic stories designed to help identify activity related to various types of malware (i.e., Backdoor Pingpong, Crypto Stealer, Derusbi, WinDealer RAT, and XorDDos), specific threat actors (i.e., Earth Estries, Nexus), and other threats.
• ESCU 5.0 introduces several enhancements designed to help further security operations. These include:
• A revamped user interface and home page
• A new Analytic Story Onboarding Assistant to help accelerate the enablement of detections
• A new dashboard to help identify detections that are marked as Deprecated by the Splunk Threat Research Team that are currently enabled in your environment
• And more!

Check out the blog “Now Available: Splunk Enterprise Security Content Update App 5.0” for more details.

New Analytics (52)

• ASL AWS Create Access Key

• ASL AWS Create Policy Version to allow all resources

• ASL AWS Credential Access GetPasswordData

• ASL AWS Credential Access RDS Password reset

• ASL AWS Defense Evasion PutBucketLifecycle

• ASL AWS Detect Users creating keys with encrypt policy without MFA

• ASL AWS Disable Bucket Versioning

• ASL AWS EC2 Snapshot Shared Externally

• ASL AWS IAM AccessDenied Discovery Events

• ASL AWS IAM Assume Role Policy Brute Force

• ASL AWS Network Access Control List Created with All Open Ports

• ASL AWS Network Access Control List Deleted

• ASL AWS SAML Update identity provider

• ASL AWS UpdateLoginProfile

• Azure AD AzureHound UserAgent Detected

• Azure AD Service Principal Enumeration

• Azure AD Service Principal Privilege Escalation

• Detect Remote Access Software Usage Registry

• Microsoft Intune Device Health Scripts

• Microsoft Intune DeviceManagementConfigurationPolicies

• Microsoft Intune Manual Device Management

• O365 Service Principal Privilege Escalation

• Windows Account Access Removal via Logoff Exec

• Windows CertUtil Download With URL Argument

• Windows DNS Query Request by Telegram Bot API

• Windows Detect Network Scanner Behavior

• Windows File and Directory Enable ReadOnly Permissions

• Windows File and Directory Permissions Enable Inheritance

• Windows File and Directory Permissions Remove Inheritance

• Windows Impair Defenses Disable Auto Logger Session

• Windows New Custom Security Descriptor Set On EventLog Channel

• Windows New Deny Permission Set On Service SD Via Sc.EXE

• Windows New EventLog ChannelAccess Registry Value Set

• Windows New Service Security Descriptor Set Via Sc.EXE

• Windows Obfuscated Files or Information via RAR SFX

• Windows Office Product Dropped Cab or Inf File

• Windows Office Product Dropped Uncommon File

• Windows Office Product Spawned Control

• Windows Office Product Spawned MSDT

• Windows Office Product Spawned Rundll32 With No DLL

• Windows Office Product Spawned Uncommon Process

• Windows Powershell Logoff User via Quser

• Windows Process With NetExec Command Line Parameters

• Windows Registry Dotnet ETW Disabled Via ENV Variable

• Windows Remote Management Execute Shell

• Windows ScManager Security Descriptor Tampering Via Sc.EXE

• Windows Service Execution RemCom

• Windows Service Stop Attempt

• Windows Set Account Password Policy To Unlimited Via Net

• Windows SubInAcl Execution

• Windows Suspicious Child Process Spawned From WebServer

• Windows User Discovery Via Net

New Analytic Stories (9)

• Backdoor Pingpong
• Cleo File Transfer Software
• Crypto Stealer
• Defense Evasion or Unauthorized Access Via SDDL Tampering
• Derusbi
• Earth Estries
• Nexus APT Threat Activity
• WinDealer RAT
• XorDDos

For all our tools and security content, please visit research.splunk.com.

— The Splunk Threat Research Team