In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the Enterprise Security Content Update (ESCU) app (v4.6.0 and v4.7.0). With these releases, there are 8 new detections, 16 updated detections and 7 new analytic stories now available in Splunk Enterprise Security via the ESCU application update process.
Content highlights include:
- New searches that focus on potentially malicious activity involving suspicious Windows registry modifications and malicious command-line behavior, including potential exploitation attempts against Citrix ADC
- A new analytic story for the detection and investigation of unusual activities that relate to BlackByte ransomware
- Detections for CVE-2023-36884, an unpatched zero-day vulnerability affecting Windows and Microsoft Office products, and CVE-2023-3519, a vulnerability in NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway
- A new analytic story to detect task scheduling activities related to MITRE ATT&CK technique T1053
- New searches to detect activities related to Amadey, a type of malware that primarily operates as a banking Trojan
- Detections for potential exploitation attempts against VMware vRealize Network Insight that align with the characteristics of CVE-2023-20887
New Analytic Stories:
New Detections:
Updated Detections:
The team has also published the following blogs:
For all our tools and security content, please visit research.splunk.com.
— The Splunk Threat Research Team