Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 4 releases of new security content via the Enterprise Security Content Update (ESCU) app (v4.8.0, v4.9.0, v4.10.0 and v4.11.1). With these releases, there are 24 new detections, 27 updated detections and 8 new analytic stories now available in Splunk Enterprise Security via the ESCU application update process.

Content highlights include: 

• An analytic story with detections related to known activities of the group Flax Typhoon
• Detections for organizations using Adobe ColdFusion related to critical vulnerabilities CVE-2023-29298 and CVE-2023-26360
• Detection for critical vulnerability Ivanti Sentry (CVE-2023-38035)
• An analytic story to detect suspicious activities potentially related to Ave Maria (aka Warzone) RAT
• Updated detections related to Azure Active Directory 
• New detections for Windows Certificate Services and Active Directory Discovery 
• Updated detections for Clop ransomware variants 
• An analytic story related Citrix ShareFile RCE CVE-2023-24489
• Detections for zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) CVE-2023-35078 and CVE-2023-35082.
• A new analytic for hunting events associated with Splunk Vulnerability Disclosure SVD-2023-0606 in which an attacker can use a specially crafted web URL in their browser to cause log file injection. The attack inserts American National Standards Institute (ANSI) escape codes into specific files using a terminal program that supports those escape codes. The attack requires a terminal program that supports the translation of ANSI escape codes and requires additional user interaction to execute successfully. 

New Analytic Stories: 

• Juniper JunOS Remote Code Execution
• Flax Typhoon
• Windows Error Reporting Service Elevation of Privilege Vulnerability
• Ivanti Sentry Authentication Bypass CVE-2023-38035
• Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 & CVE-2023-26360
• Warzone RAT
• Ivanti EPMM Remote Unauthenticated Access
• Citrix ShareFile RCE CVE-2023-24489

New Detections: 

• Juniper Networks Remote Code Execution Exploit Detection
• Windows SQL Spawning CertUtil
• Ivanti Sentry Authentication Bypass
• Adobe ColdFusion Access Control Bypass
• Adobe ColdFusion Unauthenticated Arbitrary File Read
• Splunk DOS via printf search function
• Windows Bypass UAC via Pkgmgr Tool
• Windows Mark of The Web Bypass
• Windows Modify Registry MaxConnectionPerServer
• Windows Unsigned DLL Side-Loading
• Detect Certify Command Line Arguments (External Contributor @nterl0k)
• Detect Certify with PowerShell Script Block Logging (External Contributor @nterl0k)
• Windows Steal Authentication Certificates - ESC1 Authentication (External Contributor @nterl0k)
• Windows Suspect Process with Authentication Traffic (External Contributor @nterl0k)
• Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
• Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
• Citrix ShareFile Exploitation CVE-2023-24489
• Windows Powershell RemoteSigned File
• PowerShell Script Block With URL Chain (External contributor: Steven Dick)
• PowerShell WebRequest Using Memory Stream (External contributor: Steven Dick)
• Suspicious Process Executed From Container File (External contributor: Steven Dick)
• Windows Registry Payload Injection (External contributor: Steven Dick)
• Windows Scheduled Task Service Spawned Shell (External contributor: Steven Dick
• Splunk Unauthenticated Log Injection Web Service Log
  

Updated Detections: 

• Azure AD Global Administrator Role Assigned
• Azure AD Multiple Users Failing to Authenticate from IP
• Azure AD Service Principal Owner Added
• Azure AD Unusual Number of Failed Authentications from IP
• Azure AD Service Principal Created
• Azure AD Privileged Role Assigned
• Azure AD Privileged Authentication Administrator Role Assigned
• Azure AD Application Administrator Role Assigned
• Azure AD Multi-Factor Authentication Disabled
• Azure AD External Guest User Invited
• Azure AD User Enabled and Password Reset
• Azure AD Service Principal New Client Credentials
• Azure AD New Federated Domain Added
• Azure AD New Custom Domain Added
• Azure AD Successful Single-Factor Authentication
• Azure AD Authentication Failed During MFA Challenge
• Azure AD Successful PowerShell Authentication
• Azure AD Multiple Failed MFA Requests for User
• Azure AD User Immutable ID Attribute Updated
• Azure Active Directory High Risk Sign-in
• Unusually Long Command Line
• Suspicious Copy on System32
• Clop Common Exec Parameter (External contributor: DipsyTipsy)
• O365 Added Service Principal
• O365 New Federated Domain Added
• O365 Excessive SSO logon errors
• Splunk risky Command Abuse disclosed February 2023

For all our tools and security content, please visit research.splunk.com.

— The Splunk Threat Research Team