In the last month, the Splunk Threat Research Team (STRT) has had three releases of new content via the Enterprise Security Content Update (ESCU) app (v3.60.0, v3.61.0, v3.62.0). With these releases, there are 44 new detections and 6 new analytic stories now available in Splunk Enterprise Security via the ESCU application update process or via Splunk Security Essentials (SSE).

Content highlights include:

- Detections related to CVE-2023-23397, a critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows
- A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution via a heap corruption in rich text (RTF) files
- Detections related to Okta IM2 logs for detecting suspicious authentication-based attacks
- Identifying the use of Sliver, an open-source cross-platform adversary emulation/red team framework produced by BishopFox, which has gained traction with adversaries as it is often seen as an alternative to Cobalt Strike
- An analytic story to hunt for and detect the presence of AwfulShred malware within Linux environments
- Detections related to Fortinet FortiNAC CVE-2022-39952

New Analytic Stories:

- CVE-2023-21716 Word RTF Heap Corruption
- CVE-2023-23397 Outlook Elevation of Privilege
- Sneaky Active Directory Persistence Tricks
- BishopFox Sliver Adversary Emulation Framework
- AwfulShred
- Fortinet FortiNAC CVE-2022-39952

New Detections:

- Okta Mismatch Between Source and Response for Okta Verify Push Request
- Okta Multiple Failed Requests to Access Applications
- Okta Suspicious Use of a Session Cookie
- Okta Phishing Detection with FastPass Origin Check
- Okta ThreatInsight Login Failure with High Unknown users
- Okta ThreatInsight Suspected PasswordSpray Attack
- Windows Rundll32 WebDAV Request
- Windows Rundll32 WebDav With Network Connection
- Notepad with no Command Line Arguments
- Windows Process Injection into Notepad
- Windows AD Same Domain SID History Addition
- Windows AD Cross Domain SID History Addition
- Windows AD Replication Request Initiated by User Account
- Windows AD Replication Request Initiated from Unsanctioned Location
- Windows AD Domain Replication ACL Addition
- Windows AD DSRM Account Changes
- Windows AD DSRM Password Reset
- Windows AD Short Lived Domain Controller SPN Attribute
- Windows AD Short Lived Server Object
- Windows AD SID History Attribute Modified
- Windows AD AdminSDHolder ACL Modified
- Windows AD ServicePrincipalName Added To Domain Account
- Windows AD Short Lived Domain Account ServicePrincipalName
- Windows AD Rogue Domain Controller Network Activity
- Windows AD Account SID History Addition
- Windows AD Replication Service Traffic
- Windows Unusual Count of Disabled Users Failed Auth Using Kerberos
- Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
- Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
- Windows Unusual Count Of Users Fail To Auth With Explicit Credentials
- Windows Unusual Count Of Users Failed To Auth Using Kerberos
- Windows Unusual Count Of Users Failed To Authenticate From Process
- Windows Unusual Count Of Users Failed To Authenticate Using NTLM
- Windows Unusual Count Of Users Remotely Failed To Auth From Host
- Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
- Linux Data Destruction Command
- Linux Hardware Addition SwapOff
- Linux Impair Defenses Process Kill
- Linux Indicator Removal Clear Cache
- Linux Indicator Removal Service File Deletion
- Linux System Reboot Via System Request Key
- Linux Unix Shell Enable All SysRq Functions
- Windows Steal Authentication Certificates CryptoAPI
- Windows Mimikatz Crypto Export File Extensions

For all our tools and security content, please visit research.splunk.com.

The Splunk Threat Research Team has also recently published the following blogs for a more in-depth analysis of various threats:

- Breaking the Chain: Defending Against Certificate Services Abuse
- Threat Advisory: SwiftSlicer Wiper STRT-TA03

The Splunk Threat Research Team