Enterprise Security Content Update (ESCU) v3.52.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v.3.52.0, which contains 27 new detections and 4 new analytic stories to help you stay ahead of threats. These detections are now available in Splunk Enterprise Security via the ESCU application update process or via Splunk Security Essentials (SSE). 

Release highlights include: 

• An update to the Splunk Vulnerabilities analytic story that contains 6 new detections for the latest CVEs published by Splunk in the Quarterly Security Patch Updates on November 2nd, 2022. 
  
• Several new detection analytics that help you detect unusual activities that might relate to the Qakbot/QBot malware including parent-child process anomalies, persistence, initial access, recon and many more.
  
• A new story, CVE-2022-40684 Fortinet Appliance Auth bypass, to help detect the exploitation of a critical authentication bypass vulnerability recently patched by Fortinet in their FortiOS, FortiProxy, and FortiSwitchManager projects CVE-2022-40684.
• A new detection for Text4Shell (CVE-2022-42889), a new critical vulnerability similar to the old Spring4Shell and Log4Shell.
  
• Additional content for the Cloud Account Takeover use case with 6 new analytic stories to help detect GCP Account Takeover.
• New Detections: 
  • Exploit Public Facing Application via Apache Commons Text
  • Fortinet Appliance Auth Bypass
  • GCP Authentication Failed During MFA Challenge
  • GCP Multi-Factor Authentication Disabled
  • GCP Multiple Failed MFA Requests for User
  • GCP Multiple Users Failing to Authenticate from Ip
  • GCP Successful Single-Factor Authentication
  • GCP Unusual Number of Failed Authentications from Ip
  • Splunk Code Injection via Custom Dashboard Leading to RCE
  • Splunk Data exfiltration from Analytics Workspace Using Sid Query
  • Splunk RCE via Splunk Secure Gateway Splunk Mobile Alerts Feature
  • Splunk Reflected XSS in the Templates Lists Radio
  • Splunk Stored XSS via Data Model objectName Field
  • Splunk XSS in Save Table Dialog Header in Search Page
  • Windows App Layer Protocol Wermgr Connect to NamedPipe
  • Windows Command Shell Fetch Env Variables
  • Windows DLL Side-Loading in Calc
  • Windows DLL Side-Loading Process Child of Calc
  • Windows Masquerading Explorer as Child Process
  • Windows Modify Registry Qakbot Binary Data Registry
  • Windows Process Injection of Wermgr to Known Browser
  • Windows Process Injection Remote Thread
  • Windows Process Injection Wermgr Child Process
  • Windows Regsvr32 Renamed Binary
  • Windows System Discovery Using ldap Nslookup
  • Windows System Discovery Using Qwinsta
  • Windows WMI Impersonate Token
• New Analytic Stories: 
  • CVE-2022-40684 Fortinet Appliance Auth bypass
  • GCP Account Takeover
  • Qakbot
  • Text4Shell CVE-2022-42889

For all our tools and security content, please visit research.splunk.com.

— The Splunk Threat Research Team