Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the Enterprise Security Content Update (ESCU) app (v4.15.0 and v4.16.0). With these releases, there are 20 new detections, 4 new analytic stories, 7 updated analytics, 2 updated behavioral analytics detections, 3 new behavioral analytics detections, 2 updated analytic stories, and  2 deprecated analytics now available in Splunk Enterprise Security via the ESCU application update process.

Content highlights include:

• Malware story that groups 6 new analytics to help detect a new phishing-driven malware campaign distributing DarkGate malware, which utilizes stolen email threads to trick users into downloading malicious payloads via hyperlinks.
• A new zero-day vulnerability in SysAid On-Prem Software (CVE-2023-47246) that allows attackers to upload a WebShell and other payloads, gaining unauthorized access and control.
• A new analytic Risk Rule for Dev Sec Ops by Repository that detects by correlating repository and risk score to identify patterns and trends in the data based on the level of risk associated, to provide a comprehensive view of the risk landscape and helps to make informed decisions. Additionally, we released an updated Analytics Story, which groups 10 new analytics to help security operations teams identify the potential compromise of Azure Active Directory accounts.
• A critical security update, CVE-2023-4966, for the NetScaler Application Delivery Controller (ADC) and NetScaler Gateway. This vulnerability, if exploited, can lead to unauthorized data disclosure and possibly session hijacking. Along with "PlugX RAT" or "Kaba" known as the "silent infiltrator," it's the go-to tool for sophisticated hackers with one goal in mind: espionage. Additionally, we updated three existing analytics to identify suspicious file creation in the root drive observed in NjRAT, and two vulnerabilities privilege escalation flaws in Atlassian Confluence.

New Analytics (20)

• Azure AD Device Code Authentication
• Azure AD Tenant Wide Admin Consent Granted
• Azure AD Multiple AppIDs and UserAgents Authentication Spike
• Azure AD Block User Consent For Risky Apps Disabled
• Azure AD User Consent Blocked for Risky Application
• Azure AD OAuth Application Consent Granted By User
• Azure AD User Consent Denied for OAuth Application
• Azure AD New MFA Method Registered
• Azure AD Multiple Denied MFA Requests For User
• Azure AD Multi-Source Failed Authentications Spike
• Risk Rule for Dev Sec Ops by Repository
• Windows ConHost with Headless Argument
• Windows CAB File on Disk
• Windows WinDBG Spawning AutoIt3
• Windows MSIExec Spawn WinDBG
• Windows Modify Registry Default Icon Setting
• Windows AutoIt3 Execution
• Splunk App for Lookup File Editing RCE via User XSLT
• Splunk XSS in Highlighted JSON Events
• Citrix ADC and Gateway Unauthorized Data Disclosure

New Analytic Stories (4) 

• DarkGate Malware
• SysAid On-Prem Software CVE-2023-47246 Vulnerability
• Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966
• PlugX

Updated Analytics (7)

• AWS ECR Container Scanning Findings High
• AWS ECR Container Scanning Findings Medium
• AWS ECR Container Scanning Findings Low Informational Unknown
• AWS ECR Container Upload Outside Business Hours
•  Windows Admin Permission Discovery
• Confluence CVE-2023-22515 Trigger Vulnerability
• Confluence Data Center and Server Privilege Escalation

Updated Behavioral Analytics Detections (2)

• All BA detections updated to use IN command in SPLv2 instead of using multiple ORs in the detection analytic
• Added a new key detection_type = STREAMING in the generated BA yaml files

New Behavioral Analytics Detections (3)

• Detect Prohibited Applications Spawning cmd exe browsers (validation)
• Detect Prohibited Applications Spawning cmd exe office (validation)
• Detect Prohibited Applications Spawning cmd exe powershell (validation)

Updated Analytic Stories (2)

• Azure Active Directory Account Takeover

• Splunk Vulnerabilities

Deprecated Analytics (2)

• Correlation by Repository and Risk

• Correlation by User and Risk

The team has also published the following blogs:

•  More Than Just a RAT: Unveiling NjRAT's MBR Wiping Capabilities

For all our tools and security content, please visit research.splunk.com. 

— The Splunk Threat Research Team