Enterprise Security Content Update (ESCU) | New Releases

In March, the Splunk Threat Research Team had 2 releases of security content via the Enterprise Security Content Update (ESCU) app (v5.1.1 and v5.2.0), which are now available in Splunk Enterprise Security via the ESCU application update process.

Content highlights include:

• The new SQL Server Abuse analytic story includes detections covering malicious SQLCMD execution, abuse of xp_cmdshell, unauthorized configuration changes, and more. To learn more about SQL Server exploitation tactics and the detections included in this analytic story, check out the team’s blog Sinister SQL Queries and How to Catch Them.
• The new GitHub Malicious Activity analytic story includes detections to help identify potential security risks and policy violations in GitHub Enterprise and GitHub Organizations.
• Several existing detections have been mapped to analytic stories for specific malware families, including Black Basta Ransomware and SystemBC.

New Analytics

• Executables Or Script Creation In Temp Path
• GitHub Enterprise Delete Branch Ruleset
• GitHub Enterprise Disable 2FA Requirement
• GitHub Enterprise Disable Audit Log Event Stream
• GitHub Enterprise Disable Classic Branch Protection Rule
• GitHub Enterprise Disable Dependabot
• GitHub Enterprise Disable IP Allow List
• GitHub Enterprise Modify Audit Log Event Stream
• GitHub Enterprise Pause Audit Log Event Stream
• GitHub Enterprise Register Self Hosted Runner
• GitHub Enterprise Remove Organization
• GitHub Enterprise Repository Archived
• GitHub Enterprise Repository Deleted
• GitHub Organizations Delete Branch Ruleset
• GitHub Organizations Disable 2FA Requirement
• GitHub Organizations Disable Classic Branch Protection Rule
• GitHub Organizations Disable Dependabot
• GitHub Organizations Repository Archived
• GitHub Organizations Repository Deleted
• O365 BEC Email Hiding Rule Created (External Contributor: @0xC0FFEEEE)
• O365 Email Hard Delete Excessive Volume (External Contributor: @nterl0k)
• O365 Email New Inbox Rule Created (External Contributor: @nterl0k)
• O365 Email Password and Payroll Compromise Behavior
• O365 Email Receive and Hard Delete Takeover Behavior
• O365 Email Send Attachments Excessive Volume
• O365 Email Send and Hard Delete Exfiltration Behavior
• O365 Email Send and Hard Delete Suspicious Behavior
• O365 Email Suspicious Search Behavior
• Windows Anonymous Pipe Activity
• Windows PowerShell Invoke-Sqlcmd Execution
• Windows Process Execution From ProgramData
• Windows SQL Server Configuration Option Hunt
• Windows SQL Server Critical Procedures Enabled
• Windows SQL Server Extended Procedure DLL Loading Hunt
• Windows SQL Server Startup Procedure
• Windows SQL Server xp_cmdshell Config Change
• Windows SQLCMD Execution
• Windows Scheduled Task with Suspicious Command
• Windows Scheduled Task with Suspicious Name
• Windows SnappyBee Create Test Registry
• Windows Sqlservr Spawning Shell
• Windows Svchost.exe Parent Process Anomaly
• Windows Unusual SysWOW64 Process Run System32 Executable

New Analytic Stories

• Black Basta Ransomware
• GitHub Malicious Activity
• SQL Server Abuse
• SystemBC

For all our tools and security content, please visit research.splunk.com.

— The Splunk Threat Research Team