Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security Content Update (ESCU) app (v4.38.0, v4.39.0 and v4.39.1). With these releases, there are 49 new analytics, 4 new analytic stories, 15 updated analytics, and 1 updated analytic story now available in Splunk Enterprise Security via the ESCU application update process.

Content highlights include:

• Detections aimed at addressing vulnerabilities in Ivanti Virtual Traffic Manager (CVE-2024-7593), with a particular focus on detecting SQL injection remote code execution and unauthorized account creation activities.
• A comprehensive set of new detections for Windows Active Directory, targeting potential threats related to privilege escalation, dangerous ACL modifications, GPO changes, and suspicious attribute modifications.
• New analytic stories to help detect Compromised Windows Hosts or activities linked to the Handala Wiper Malware.

New Analytics (49)

• Detect Password Spray Attack Behavior From Source (External Contributor: @nterl0k)
• Detect Password Spray Attack Behavior On User (External Contributor: @nterl0k)
• Ivanti EPM SQL Injection Remote Code Execution
• Ivanti VTM New Account Creation
• O365 DLP Rule Triggered (External Contributor: @nterl0k)
• O365 Email Access By Security Administrator (External Contributor: @nterl0k)
• O365 Email Reported By Admin Found Malicious (External Contributor: @nterl0k)
• Email Reported By User Found Malicious (External Contributor: @nterl0k)
• O365 Email Security Feature Changed (External Contributor: @nterl0k)
• O365 Email Suspicious Behavior Alert (External Contributor: @nterl0k)
• O365 Safe Links Detection (External Contributor: @nterl0k)
• O365 SharePoint Allowed Domains Policy Changed (External Contributor: @nterl0k)
• O365 SharePoint Malware Detection (External Contributor: @nterl0k)
• O365 Threat Intelligence Suspicious Email Delivered (External Contributor: @nterl0k)
• O365 Threat Intelligence Suspicious File Detected (External Contributor: @nterl0k)
• O365 ZAP Activity Detection (External Contributor: @nterl0k)
• Windows AD DCShadow Privileges ACL Addition (External Contributor: @dluxtron)
• Windows AD Dangerous Deny ACL Modification (External Contributor: @dluxtron)
• Windows AD Dangerous Group ACL Modification (External Contributor: @dluxtron)
• Windows AD Dangerous User ACL Modification (External Contributor: @dluxtron)
• Windows AD Domain Root ACL Deletion (External Contributor: @dluxtron)
• Windows AD Domain Root ACL Modification (External Contributor: @dluxtron)
• Windows AD GPO Deleted (External Contributor: @dluxtron)
• Windows AD GPO Disabled (External Contributor: @dluxtron)
• Windows AD GPO New CSE Addition(External Contributor: @dluxtron)
• Windows AD Hidden OU Creation (External Contributor: @dluxtron)
• Windows AD Object Owner Updated (External Contributor: @dluxtron)
• Windows AD Self DACL Assignment (External Contributor: @dluxtron)
• Windows AD Suspicious Attribute Modification (External Contributor: @dluxtron)
• Crowdstrike Admin Weak Password Policy
• Crowdstrike Admin With Duplicate Password
• Crowdstrike High Identity Risk Severity
• Crowdstrike Medium Identity Risk Severity
• Crowdstrike Medium Severity Alert
• Crowdstrike Multiple Low Severity Alerts
• Crowdstrike Privilege Escalation For Non-Admin User
• Crowdstrike User Weak Password Policy
• Crowdstrike User with Duplicate Password
• O365 Application Available To Other Tenants
• O365 Cross-Tenant Access Change
• O365 External Guest User Invited
• O365 External Identity Policy Changed
• O365 Privileged Role Assigned To Service Principal
• O365 Privileged Role Assigned
• Windows Multiple NTLM Null Domain Authentications
• Windows Unusual NTLM Authentication Destinations By Source
• Windows Unusual NTLM Authentication Destinations By User
• Windows Unusual NTLM Authentication Users By Destination
• Windows Unusual NTLM Authentication Users By Source

New Analytic Stories (4)

• Ivanti Virtual Traffic Manager CVE-2024-7593
• MoonPeak
• Compromised Windows Host
• Handala Wiper

Updated Analytics (15)

• Azure AD Concurrent Sessions From Different IPs
• Azure AD High Number Of Failed Authentications From IP
• Detect Regasm Spawning a Process
• Detect Regasm with Network Connection
• Detect Regasm with no Command Line Arguments
• Executables Or Script Creation In Suspicious Path
• Internal Horizontal Port Scan
• Linux c99 Privilege Escalation
• Powershell Windows Defender Exclusion Commands
• Suspicious Process File Path
• Windows AutoIt3 Execution
• Windows Data Destruction Recursive Exec Files Deletion
• Windows Gather Victim Network Info Through Ip Check Web Services
• Windows High File Deletion Frequency
• Windows Vulnerable Driver Installed

Updated Analytic Stories (1)

• CISA AA23-347A

For all our tools and security content, please visit research.splunk.com.

— The Splunk Threat Research Team