Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and v.53.0, which together contained 11 new detections and 4 new analytic stories to help you stay ahead of threats. These detections are now available in Splunk Enterprise Security via the ESCU application update process or via Splunk Security Essentials (SSE).

Release Highlights Include:

• An analytic story for CVE-2022-3602 vulnerability in OpenSSL
• Qakbot (aka Qbot or Pinkslipbot) detections to proactively hunt and detect the presence of QBot infections and proliferation
• A new detection to identify Ngrok, which has been leveraged by threat actors in several campaigns used for tunneling, lateral movement, and data exfiltration.
• An analytic story for CISA Alert AA22-320A

New Detections:

• SSL Certificates with Punycode
• Zeek x509 Certificate with Punycode
• Windows App Layer Protocol Qakbot NamedPipe
• Azorult
• Ngrok Reverse Proxy on Network
• Powershell Load Module in Meterpreter
• Windows Apache Benchmark Binary
• Windows Mimikatz Binary Execution
• Windows MSExchange Management Mailbox Cmdlet Usage
• Windows Ngrok Reverse Proxy Usage
• Windows Service Created with Suspicious Service Path

New Analytic Stories :

• OpenSSL CVE-2022-3602
• CISA AA22-320A
• Reverse Network Proxy
• MetaSploit

For all our tools and security content, please visit research.splunk.com.

— The Splunk Threat Research Team