Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team has had 2 releases of new security content via the Enterprise Security Content Update (ESCU) app (v4.17.0 and v4.18.0). With these releases, there are 51 new analytics, 5 new analytic stories, 18 updated analytics, and 4 updated analytic stories now available in Splunk Enterprise Security via the ESCU application update process.

Content highlights include:

• The "Office 365 Persistence Mechanisms" analytic story includes a group of detections that delve into attackers' tactics and techniques to maintain prolonged unauthorized access within the O365 environment. Persistence in this context refers to adversaries' methods to keep their foothold after an initial compromise.
• The "Windows Attack Surface Reduction" analytic story includes a group of detections for Attack Surface Reduction (ASR) events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. When an action is blocked by an ASR rule, an event is generated.
• The "Kubernetes Security" analytic story encompasses a range of detections that highlight the escalating challenges when securing containerized environments. Key detections include Kubernetes Abuse of Secret by Unusual Location, User Agent, User Group, and Username, which pinpoints attempts to exploit secrets via anomalous parameters.
• Four new analytics delve into the intricacies of MFA security in the PingID environment. These detections, contributed by @nterl0k, cover scenarios like Mismatch Auth Source and Verification Response, Multiple Failed MFA Requests, New MFA Method Post-Credential Reset, and Registration of New MFA Methods, highlighting the evolving landscape of digital authentication security.

New Analytics (51)

• O365 Service Principal New Client Credentials
• O365 Mailbox Read Access Granted to Application
• O365 Tenant Wide Admin Consent Granted
• O365 Application Registration Owner Added
• O365 Mailbox Inbox Folder Shared with All Users
• O365 Advanced Audit Disabled
• O365 High Number Of Failed Authentications for User
• O365 Multiple Users Failing To Authenticate From Ip
• O365 User Consent Blocked for Risky Application
• O365 User Consent Denied for OAuth Application
• O365 Mail Permissioned Application Consent Granted by User
• O365 ApplicationImpersonation Role Assigned
• O365 File Permissioned Application Consent Granted by User
• O365 Multiple Failed MFA Requests For User
• O365 High Privilege Role Granted
• O365 New MFA Method Registered
• O365 Multiple AppIDs and UserAgents Authentication Spike
• O365 Block User Consent For Risky Apps Disabled
• O365 Multi-Source Failed Authentications Spike
• Powershell Remote Services Add TrustedHost
• Windows Modify Registry AuthenticationLevelOverride
• Windows Modify Registry DisableRemoteDesktopAntiAlias
• Windows Modify Registry DisableSecuritySettings
• Windows Modify Registry DontShowUI
• Windows Modify Registry ProxyEnable
• Windows Modify Registry ProxyServer
• Windows Archive Collected Data via Rar
• Windows Indicator Removal Via Rmdir
• Windows Credentials from Password Stores Creation
• Windows Credentials from Password Stores Deletion
• Windows Defender ASR Rules Stacking
• Windows Defender ASR Rule Disabled
• Windows Defender ASR Registry Modification
• Windows Defender ASR Block Events
• Windows Defender ASR Audit Events
• Windows Masquerading Msdtc Process
• Windows Parent PID Spoofing with Explorer
• Web Remote ShellServlet Access
• Splunk RCE via User XSLT
• PingID Mismatch Auth Source and Verification Response (External Contributor: @nterl0k)
• PingID Multiple Failed MFA Requests For User  (External Contributor: @nterl0k)
• PingID New MFA Method After Credential Reset (External Contributor: @nterl0k)
• PingID New MFA Method Registered For User (External Contributor: @nterl0k)
• Kubernetes Abuse of Secret by Unusual Location
• Kubernetes Abuse of Secret by Unusual User Agent
• Kubernetes Abuse of Secret by Unusual User Group
• Kubernetes Abuse of Secret by Unusual User Name
• Kubernetes Access Scanning
• Kubernetes Suspicious Image Pulling
• Kubernetes Unauthorized Access
• Windows Modify System Firewall with Notable Process Path

New Analytic Stories (5)

• Office 365 Account Takeover
• Office 365 Persistence Mechanisms
• Windows Attack Surface Reduction
• Rhysida Ransomware
• Kubernetes Security

Updated Analytics (18)

• High Number of Login Failures from a single source
• O365 Add App Role Assignment Grant User
• O365 Added Service Principal
• O365 Bypass MFA via Trusted IP
• O365 Disable MFA
• O365 Excessive Authentication Failures Alert
• O365 Excessive SSO logon errors
• O365 New Federated Domain Added
• O365 PST export alert
• O365 Suspicious Admin Email Forwarding
• O365 Suspicious Rights Delegation
• O365 Suspicious User Email Forwarding
• Splunk App for Lookup File Editing RCE via User XSLT
• Allow File And Printing Sharing In Firewall
• Azure AD PIM Role Assigned
• CMD Carry Out String Command Parameter
• Detect Use of cmd exe to Launch Script Interpreters
• Modification Of Wallpaper

Updated Analytic Stories (4)

• DarkGate Malware
• NjRAT
• RedLine Stealer
• Amadey

The team has also published the following blogs:

• Deploy, Test, Monitor: Mastering Microsoft Defender ASR with Atomic Techniques in Splunk
• Unmasking the Enigma: A Historical Dive into the World of PlugX Malware
• Splunk Security Content for Threat Detection & Response: Q3 Roundup
• Previous Security Content Roundups from the Splunk Threat Research Team

For all our tools and security content, please visit research.splunk.com. 

— The Splunk Threat Research Team