Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new security content via the Enterprise Security Content Update (ESCU) app (v4.3.0, v4.4.0, and v4.5.0). With these releases, there are 27 new detections and 2 new analytic stories, and 1 updated analytic story now available in Splunk Enterprise Security via the ESCU application update process or via Splunk Security Essentials (SSE).

Content highlights include: 

• Detections to help address the vulnerability in MOVEit Transfer software that is being actively exploited in the wild 
• An advanced pre-trained deep learning model specifically engineered to discern and pinpoint instances of DNS-based exfiltration to accurately detect and flag potential data breaches or unauthorized information transfers
• New and updated searches to detect living-off-the-land techniques being utilized by the threat actor group Volt Typhoon 

New Analytic Stories: 

• MOVEit Transfer Critical Vulnerability
• Volt Typhoon

New Detections: 

• ASL AWS Concurrent Sessions From Different Ips
• ASL AWS CreateAccessKey
• ASL AWS Defense Evasion Delete Cloudtrail
• ASL AWS Defense Evasion Delete CloudWatch Log Group
• ASL AWS Defense Evasion Impair Security Services
• ASL AWS Excessive Security Scanning
• ASL AWS IAM Delete Policy
• ASL AWS Multi-Factor Authentication Disabled
• ASL AWS New MFA Method Registered For User
• ASL AWS Password Policy Changes
• Detect DNS Data Exfiltration using pretrained model in DSDL
• Detect RTLO In File Name 
• Detect RTLO In Process 
• Detect Webshell Exploit Behavior 
• Windows MOVEit Transfer Writing ASPX
• Splunk DOS Via Dump SPL Command
• Splunk Edit User Privilege Escalation
• Splunk HTTP Response Splitting Via Rest SPL Command
• Splunk Low Privilege User Can View Hashed Splunk Password
• Splunk Path Traversal In Splunk App For Lookup File Editing
• Splunk Persistent XSS Via URL Validation Bypass W Dashboard
• Splunk RBAC Bypass On Indexing Preview REST Endpoint
• Network Share Discovery Via Dir Command
• Active Directory Privilege Escalation Identified
• Windows Ldifde Directory Object Behavior
• Windows Proxy Via Netsh
• Windows Proxy Via Registry

Updated Analytic Story: Splunk Vulnerabilities

For all our tools and security content, please visit research.splunk.com. 

The team has also published the following blogs in the last month:

• Don’t Get a PaperCut: Analyzing CVE-2023-27350
• Do Not Cross the ‘RedLine’ Stealer: Detections and Analysis 
• Splunk Security Content for Threat Detection & Response - Q1 Roundup
• Security Content from the Splunk Threat Research Team

— The Splunk Threat Research Team