Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the Enterprise Security Content Update (ESCU) app (v4.13.0, v4.14.0.). With these releases, there are 22 new detections and 6 new analytic stories, and 3 updated analytic stories now available in Splunk Enterprise Security via the ESCU application update process.

Content highlights include:

• An analytic story for a previously unknown vulnerability in the Cisco IOS XE software's Web User Interface (Web UI) feature that is currently being exploited and effectively grants full control of the compromised device. 
• An analytic story focused on Windows SIP WinVerifyTrust subversion and an analytic story for Microsoft SharePoint Server to detect a flaw in handling authentication tokens, which allows an attacker to escalate privileges and gain unauthorized access to the SharePoint environment. 
• A NjRat analytic story that contains 7 detections to detect attack techniques relating to NjRat, a notorious remote access trojan (RAT). The detections include tracking file write operations for dropped files, scrutinizing registry modifications to provide persistence mechanisms, monitoring suspicious processes, self-deletion behaviors, browser credential parsing, firewall configuration alterations, spreading itself via removable drive, and other potentially malicious actions.
• Additionally, we released new analytics to address Splunk CVEs that focus on attacker behavior targeting Splunk environments, along with 2 new analytics for CVEs related to Remote Code Execution (RCE) in WS_FTP and TeamCity On-Premises. 

New Analytics (22)

• Cisco IOS XE Implant Access
• Detect Certipy File Modifications (External Contributor: Steven Dick)
• Windows Domain Admin Impersonation Indicator
• Windows Registry SIP Provider Modification
• Microsoft SharePoint Server Elevation of Privilege
• Windows Steal Authentication Certificates - ESC1 Abuse (External Contributor: Steven Dick)
• Windows SIP Provider Inventory
• Windows SIP WinVerifyTrust Failed Trust Validation
• Confluence CVE-2023-22515 Trigger Vulnerability
• Windows Abused Web Services
• Windows Admin Permission Discovery
• JetBrains TeamCity RCE Attempt
• WS FTP Remote Code Execution
• Splunk Reflected XSS on App Search Table Endpoint
• Splunk RCE via Serialized Session Payload
• Splunk DoS Using Malformed SAML Request
• Splunk Absolute Path Traversal Using runshellscript
• Windows Modify Registry With MD5 Reg Key Name
• Windows Njrat Fileless Storage via Registry
• Windows Executable in Loaded Modules
• Windows Disable or Modify Tools Via Taskkill
• Windows Delete or Modify System Firewall

New Analytic Stories (6)

• Subvert Trust Controls SIP and Trust Provider Hijacking
• Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357
• Cisco IOS XE Software Web Management User Interface vulnerability
• NjRat
• WS FTP Server Critical Vulnerabilities
• JetBrains TeamCity Unauthenticated RCE

Updated Analytics (3)

• Citrix ADC Exploitation CVE-2023-3519
• Windows Replication Through Removable Media
• TOR Traffic

For all our tools and security content, please visit research.splunk.com. 

— The Splunk Threat Research Team