In the last month, the Splunk Threat Research Team has had 2 releases of new security content via the Enterprise Security Content Update (ESCU) app (v4.17.0 and v4.18.0). With these releases, there are 51 new analytics, 5 new analytic stories, 18 updated analytics, and 4 updated analytic stories now available in Splunk Enterprise Security via the ESCU application update process.
Content highlights include:
The "Office 365 Persistence Mechanisms" analytic story includes a group of detections that delve into attackers' tactics and techniques to maintain prolonged unauthorized access within the O365 environment. Persistence in this context refers to adversaries' methods to keep their foothold after an initial compromise.
The "Windows Attack Surface Reduction" analytic story includes a group of detections for Attack Surface Reduction (ASR) events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. When an action is blocked by an ASR rule, an event is generated.
The "Kubernetes Security" analytic story encompasses a range of detections that highlight the escalating challenges of securing containerized environments. Key detections include Kubernetes Abuse of Secret by Unusual Location, User Agent, User Group, and Username, which pinpoint attempts to access secrets using anomalous request parameters.
Four new analytics delve into the intricacies of MFA security in the PingID environment. These detections, contributed by @nterl0k, cover scenarios like Mismatch Auth Source and Verification Response, Multiple Failed MFA Requests, New MFA Method Post-Credential Reset, and Registration of New MFA Methods, highlighting the evolving landscape of digital authentication security.
New Analytics (51)
O365 Service Principal New Client Credentials
O365 Mailbox Read Access Granted to Application
O365 Tenant Wide Admin Consent Granted
O365 Application Registration Owner Added
O365 Mailbox Inbox Folder Shared with All Users
O365 Advanced Audit Disabled
O365 High Number Of Failed Authentications for User
O365 Multiple Users Failing To Authenticate From Ip
O365 User Consent Blocked for Risky Application
O365 User Consent Denied for OAuth Application
O365 Mail Permissioned Application Consent Granted by User
O365 ApplicationImpersonation Role Assigned
O365 File Permissioned Application Consent Granted by User
O365 Multiple Failed MFA Requests For User
O365 High Privilege Role Granted
O365 New MFA Method Registered
O365 Multiple AppIDs and UserAgents Authentication Spike
O365 Block User Consent For Risky Apps Disabled
O365 Multi-Source Failed Authentications Spike
Powershell Remote Services Add TrustedHost
Windows Modify Registry AuthenticationLevelOverride
Windows Modify Registry DisableRemoteDesktopAntiAlias
Windows Modify Registry DisableSecuritySettings
Windows Modify Registry DontShowUI
Windows Modify Registry ProxyEnable
Windows Modify Registry ProxyServer
Windows Archive Collected Data via Rar
Windows Indicator Removal Via Rmdir
Windows Credentials from Password Stores Creation
Windows Credentials from Password Stores Deletion
Windows Defender ASR Rules Stacking
Windows Defender ASR Rule Disabled
Windows Defender ASR Registry Modification
Windows Defender ASR Block Events
Windows Defender ASR Audit Events
Windows Masquerading Msdtc Process
Windows Parent PID Spoofing with Explorer
Web Remote ShellServlet Access
Splunk RCE via User XSLT
PingID Mismatch Auth Source and Verification Response (External Contributor: @nterl0k)
PingID Multiple Failed MFA Requests For User (External Contributor: @nterl0k)
PingID New MFA Method After Credential Reset (External Contributor: @nterl0k)
PingID New MFA Method Registered For User (External Contributor: @nterl0k)
Kubernetes Abuse of Secret by Unusual Location
Kubernetes Abuse of Secret by Unusual User Agent
Kubernetes Abuse of Secret by Unusual User Group
Kubernetes Abuse of Secret by Unusual User Name
Kubernetes Access Scanning
Kubernetes Suspicious Image Pulling
Kubernetes Unauthorized Access
Windows Modify System Firewall with Notable Process Path
New Analytic Stories (5)
Office 365 Account Takeover
Office 365 Persistence Mechanisms
Windows Attack Surface Reduction
Rhysida Ransomware
Kubernetes Security
Updated Analytics (18)
High Number of Login Failures from a single source
O365 Add App Role Assignment Grant User
O365 Added Service Principal
O365 Bypass MFA via Trusted IP
O365 Disable MFA
O365 Excessive Authentication Failures Alert
O365 Excessive SSO logon errors
O365 New Federated Domain Added
O365 PST export alert
O365 Suspicious Admin Email Forwarding
O365 Suspicious Rights Delegation
O365 Suspicious User Email Forwarding
Splunk App for Lookup File Editing RCE via User XSLT
Allow File And Printing Sharing In Firewall
Azure AD PIM Role Assigned
CMD Carry Out String Command Parameter
Detect Use of cmd exe to Launch Script Interpreters
Modification Of Wallpaper
Updated Analytic Stories (4)
DarkGate Malware
NjRAT
RedLine Stealer
Amadey
The team has also published the following blogs:
Deploy, Test, Monitor: Mastering Microsoft Defender ASR with Atomic Techniques in Splunk
Unmasking the Enigma: A Historical Dive into the World of PlugX Malware
Splunk Security Content for Threat Detection & Response: Q3 Roundup
Previous Security Content Roundups from the Splunk Threat Research Team
For all our tools and security content, please visit research.splunk.com.
— The Splunk Threat Research Team