The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) app v3.55.0 and v3.56.0. With these releases, there are 25 new detections and 3 new analytic stories now available to help you stay ahead of threats. These detections are available now in Splunk Enterprise Security via the ESCU application update process or via Splunk Security Essentials (SSE). Release highlights include: Identifying mechanisms within Microsoft Internet Information Services (IIS) exploited by adversaries for malicious purposes  Detections to monitor unusual activities that are related to Prestige Ransomware activity  Detections to identify a variety of Windows post-exploitation tools such as winpeas.bat, winpeas.exe, WinPrivCheck.bat typically used to gain privileges and persistence across assets running the Windows Operating System. New Detections:  Windows Disable Windows Event Logging Disable HTTP Logging Windows IIS Components Add New Module Windows IIS Components Get-WebGlobalModule Module Query Windows IIS Components Module Failed to Load Windows IIS Components New Module Added Windows PowerShell Disable Windows Event Logging Disable HTTP Logging Windows PowerShell IIS Components WebGlobalModule Usage Windows Modify Registry Reg Restore Windows Query Registry Reg Save Windows System User Discovery Via Quser Windows WMI Process and Service List Windows Cached Domain Credentials Reg Query Windows ClipBoard Data via Get-ClipBoard Windows Credentials from Password Stores Query Windows Credentials in Registry Reg Query Windows Indirect Command Execution Via Series of Forfiles Windows Information Discovery Fsutil Windows Password Managers Discovery Windows Private Keys Discovery Windows Security Support Provider Reg Query Windows Steal or Forge Kerberos Tickets Klist Windows System Network Config Discovery Display DNS Windows System Network Connections Discovery Netsh Windows Change Default File Association for No File Ext Windows Service Stop Via Net and SC Application New Analytic Stories:  IIS Components Prestige Ransomware Windows Post-Exploitation For all our tools and security content, please visit  research.splunk.com . —  The Splunk Threat Research Team ... View more

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and v.53.0, which together contained 11 new detections and 4 new analytic stories to help you stay ahead of threats. These detections are now available in Splunk Enterprise Security via the ESCU application update process or via Splunk Security Essentials (SSE). Release Highlights Include: An analytic story for CVE-2022-3602 vulnerability in OpenSSL Qakbot (aka Qbot or Pinkslipbot) detections to proactively hunt and detect the presence of QBot infections and proliferation A new detection to identify Ngrok, which has been leveraged by threat actors in several campaigns used for tunneling, lateral movement, and data exfiltration. An analytic story for CISA Alert AA22-320A New Detections: SSL Certificates with Punycode Zeek x509 Certificate with Punycode Windows App Layer Protocol Qakbot NamedPipe Azorult Ngrok Reverse Proxy on Network Powershell Load Module in Meterpreter Windows Apache Benchmark Binary Windows Mimikatz Binary Execution Windows MSExchange Management Mailbox Cmdlet Usage Windows Ngrok Reverse Proxy Usage Windows Service Created with Suspicious Service Path New Analytic Stories : OpenSSL CVE-2022-3602 CISA AA22-320A Reverse Network Proxy MetaSploit For all our tools and security content, please visit research.splunk.com . — The Splunk Threat Research Team ... View more

The Splunk Threat Research Team (STRT) recently released   Enterprise Security Content Update (ESCU)   v.3.52.0, which contains 27 new detections and 4 new analytic stories to help you stay ahead of threats. These detections are now available in Splunk Enterprise Security via the   ESCU application update process   or via   Splunk Security Essentials (SSE).  Release highlights include:  An update to the Splunk Vulnerabilities analytic story that contains 6 new detections for the latest CVEs published by Splunk in the Quarterly Security Patch Updates on November 2nd, 2022.  Several new detection analytics that help you detect unusual activities that might relate to the Qakbot/QBot malware including parent-child process anomalies, persistence, initial access, recon and many more. A new story, CVE-2022-40684 Fortinet Appliance Auth bypass, to help detect the exploitation of a critical authentication bypass vulnerability recently patched by Fortinet in their FortiOS, FortiProxy, and FortiSwitchManager projects CVE-2022-40684. A new detection for Text4Shell ( CVE-2022-42889 ), a new critical vulnerability similar to the old Spring4Shell and Log4Shell. Additional content for the Cloud Account Takeover use case with  6 new analytic stories to help detect GCP Account Takeover . New Detections:  Exploit Public Facing Application via Apache Commons Text Fortinet Appliance Auth Bypass GCP Authentication Failed During MFA Challenge GCP Multi-Factor Authentication Disabled GCP Multiple Failed MFA Requests for User GCP Multiple Users Failing to Authenticate from Ip GCP Successful Single-Factor Authentication GCP Unusual Number of Failed Authentications from Ip Splunk Code Injection via Custom Dashboard Leading to RCE Splunk Data exfiltration from Analytics Workspace Using Sid Query Splunk RCE via Splunk Secure Gateway Splunk Mobile Alerts Feature Splunk Reflected XSS in the Templates Lists Radio Splunk Stored XSS via Data Model objectName Field Splunk XSS in Save Table Dialog Header in Search Page Windows App Layer Protocol Wermgr Connect to NamedPipe Windows Command Shell Fetch Env Variables Windows DLL Side-Loading in Calc Windows DLL Side-Loading Process Child of Calc Windows Masquerading Explorer as Child Process Windows Modify Registry Qakbot Binary Data Registry Windows Process Injection of Wermgr to Known Browser Windows Process Injection Remote Thread Windows Process Injection Wermgr Child Process Windows Regsvr32 Renamed Binary Windows System Discovery Using ldap Nslookup Windows System Discovery Using Qwinsta Windows WMI Impersonate Token New Analytic Stories:  CVE-2022-40684 Fortinet Appliance Auth bypass GCP Account Takeover Qakbot Text4Shell CVE-2022-42889 For all our tools and security content, please visit  research.splunk.com . —  The Splunk Threat Research Team    ... View more

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v.3.51.0, which contains 9 new detections and 2 new analytic stories to help you stay ahead of threats. These detections are now available in Splunk Enterprise Security via the ESCU application update process or via Splunk Security Essentials (SSE).  Release highlights include:  Advisory analytic story to assist defenders with  CISA AA22-277A , which  was recently released by the Cybersecurity and Infrastructure Security Agency (CISA) in response to an advanced persistent threat (APT) that utilized Impacket, an open-source toolkit, and other common techniques.  Updated content based on feedback and simulated attack data related to  ProxyNotShell , which  is a continuation of the ProxyShell saga but requires valid credentials.  Additional content for the Cloud Account Takeover use case with four new analytics that help detect attacks against Multi-factor Authentication (MFA) defense mechanisms for Amazon Web Services (AWS) console. New detections:  AWS Console Login Failed During MFA Challenge AWS Multi-Factor Authentication Disabled AWS Multiple Failed MFA Requests For User AWS Successful Single-Factor Authentication Detect Exchange Web Shell ProxyShell ProxyNotShell Behavior Detected Windows Create Local Account Windows Exchange Autodiscover SSRF Abuse   Windows Mshta Execution In Registry New Analytic Stories: CISA AA22-277A ProxyNotShell Updated Analytics: Detect SharpHound File Modifications Exchange PowerShell Abuse via SSRF Exchange PowerShell Module Usage Unified Messaging Service Spawning a Process For all our tools and security content, please visit  research.splunk.com . —  The Splunk Threat Research Team  ... View more