Enterprise Security Content Update (ESCU) | New Releases

In April, the Splunk Threat Research Team had 2 releases of new security content via the Enterprise Security Content Update (ESCU) app (v5.3.0 and v5.4.0). With these releases, there are 42 new analytics and 14 new analytic stories now available in Splunk Enterprise Security via the ESCU application update process.

Content highlights include:

• New analytic stories and detections to enhance coverage for Apache Tomcat RCE (CVE-2025-24813) and Windows shortcut exploit abuse (ZDI-CAN-25373), expanded ransomware mappings to track emerging threats like Medusa and Salt Typhoon, and standardized detection output fields across the board to improve consistency, correlation, and analyst workflows.
• The Splunk Threat Research Team has partnered with Cisco Talos to release new analytic stories and detections that significantly improve TDIR efforts for Cisco Secure Firewall alerts. These new ESCU detections go beyond basic alert forwarding and simple string matching to enable advanced detection logic and richer story creation by integrating Snort-based and non-Snort telemetry. Additionally, this content strengthens the ability to detect vulnerability exploitation and track threat actor follow-up activity. This release marks the first in a series focused on expanding ESCU’s network detection coverage for Cisco products, driven through continued collaboration between the Splunk Threat Research Team and Cisco Talos team.
• Cisco Secure Firewall Threat Defense Analytics: We published a new analytic story and added new detections for Cisco Secure Firewall focusing on three primary event types—file events, network connections, and intrusion alerts. These detections identify activity such as malicious or uncommon file downloads, connections over suspicious ports or to file-sharing domains, and Snort rule-based intrusion events across multiple hosts. This enables broader visibility into network-based threats and host-level indicators of compromise.
• AWS Bedrock Security: Released a new analytic story to monitor for adversary techniques targeting AWS Bedrock, a managed service used to build and scale generative AI applications. This includes detections for the deletion of security guardrails, knowledge bases, and logging configurations, as well as high volumes of model invocation failures.
• Mapping Threat Campaigns: Several detections have been mapped to known threat actors and malware campaigns, including Cactus Ransomware, Earth Alux, Storm-2460 CLFS Zero Day Exploitation and Water Gamayun, to improve attribution to TTPs and provide insights into observed behaviors.
• New Detections: Introduced additional detections for tactics such as directory path manipulation via MSC files, IP address collection using PowerShell Invoke-RestMethod, process spawning from CrushFTP, and deletion of Volume Shadow Copies via WMIC. These detections target adversary behavior related to discovery, lateral movement, and anti-forensics.

New Analytics (42)

• Detect Large ICMP Traffic
• Tomcat Session Deserialization Attempt
• Tomcat Session File Upload Attempt
• Windows AD Self DACL Assignment
• Windows ConsoleHost History File Deletion
• Windows Explorer LNK Exploit Process Launch With Padding (Contributor: @aj King, @jesse Hunter)
• Windows Explorer.exe Spawning PowerShell or Cmd (Contributor: @aj King, @jesse Hunter)
• Windows Firewall Rule Added
• Windows Firewall Rule Deletion
• Windows Firewall Rule Modification
• Windows MSTSC RDP Commandline
• Windows Powershell History File Deletion
• Windows Process Injection into Commonly Abused Processes (Contributor: @0xC0FFEEEE)
• Windows Remote Host Computer Management Access
• Windows SSH Proxy Command (Contributor: @aj King, @jesse Hunter)
• AWS Bedrock Delete GuardRails
• AWS Bedrock Delete Knowledge Base
• AWS Bedrock Delete Model Invocation Logging Configuration
• AWS Bedrock High Number List Foundation Model Failures
• AWS Bedrock Invoke Model Access Denied
• Cisco Secure Firewall - Binary File Type Download
• Cisco Secure Firewall - Bits Network Activity
• Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint
• Cisco Secure Firewall - Blocked Connection
• Cisco Secure Firewall - Communication Over Suspicious Ports
• Cisco Secure Firewall - Connection to File Sharing Domain
• Cisco Secure Firewall - File Download Over Uncommon Port
• Cisco Secure Firewall - High EVE Threat Confidence
• Cisco Secure Firewall - High Volume of Intrusion Events Per Host
• Cisco Secure Firewall - Malware File Downloaded
• Cisco Secure Firewall - Potential Data Exfiltration
• Cisco Secure Firewall - Rare Snort Rule Triggered
• Cisco Secure Firewall - Repeated Blocked Connections
• Cisco Secure Firewall - Repeated Malware Downloads
• Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts
• Cisco Secure Firewall - Wget or Curl Download
• CrushFTP Authentication Bypass Exploitation
• CrushFTP Max Simultaneous Users From IP
• Windows MSC EvilTwin Directory Path Manipulation
• Windows PowerShell Invoke-RestMethod IP Information Collection
• Windows Shell Process from CrushFTP
• Windows WMIC Shadowcopy Delete

New Analytic Stories (14)

• Apache Tomcat Session Deserialization Attacks
• Medusa Ransomware
• PHP-CGI RCE Attack on Japanese Organizations
• Salt Typhoon
• Seashell Blizzard
• Termite Ransomware
• VanHelsing Ransomware
• ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day (Contributor: @aj King, @jesse Hunter)
• AWS Bedrock Security
• Cactus Ransomware
• Cisco Secure Firewall Threat Defense Analytics
• Earth Alux
• Storm-2460 CLFS Zero Day Exploitation
• Water Gamayun

The team also published the following blogs:

•  Cloak and Firewall: Exposing Netsh’s Hidden Command Tricks

For all our tools and security content, please visit research.splunk.com.

— The Splunk Threat Research Team