Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise Security Content Update (ESCU) app (v3.60.0, v3.61.0, v3.62.0). With these releases, there are 44 new detections and 6 new analytic stories now available in Splunk Enterprise Security via the ESCU application update process or via Splunk Security Essentials (SSE).

Content highlights include: 

• Detections related to CVE-2023-23397, a critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows
• A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution utilizing a heap corruption in rich text files
• Detections related to Okta IM2 logs for detecting suspicious authentication-based security attacks 
• Identifying the use of Silver, an OSS cross-platform adversary emulation/red team framework produced by BishopFox, that has gained more traction with adversaries as it is often seen as an alternative to Cobalt Strike
• An analytic story to hunt for and detect the presence of AwfulShred malware within Linux environments 
• Detections related to Fortinet ForiNAC CVE-2022-39952 

New Analytic Stories: 

• CVE-2023-21716 Word RTF Heap Corruption
• CVE-2023-23397 Outlook Elevation of Privilege
• Sneaky Active Directory Persistence Tricks 
• BishopFox Silver Adversary Emulation Framework
• AwfulShred
• Fortinet FortiNAC CVE-2022-39952

New Detections: 

• Okta Mismatch Between Source and Response for Okta Verify Push Request
• Okta Multiple Failed Requests to Access Applications
• Okta Suspicious Use of a Session Cookie
• Okta Phishing Detection with FastPass Origin Check
• Okta ThreatInsight Login Failure with High Unknown users
• Okta ThreatInsight Suspected PasswordSpray Attack
• Windows Rundll32 WebDAV Request
• Windows Rundll32 WebDav With Network Connection
• Notepad with no Command Line Arguments
• Windows Process Injection into Notepad
• Windows AD Same Domain SID History Addition
• Windows AD Cross Domain SID History Addition
• Windows AD Replication Request Initiated by User Account
• Windows AD Replication Request Initiated from Unsanctioned Location
• Windows AD Domain Replication ACL Addition
• Windows AD DSRM Account Changes
• Windows AD DSRM Password Reset
• Windows AD Short Lived Domain Controller SPN Attribute
• Windows AD Short Lived Server Object
• Windows AD SID History Attribute Modified
• Windows AD AdminSDHolder ACL Modified
• Windows AD ServicePrincipalName Added To Domain Account
• Windows AD Short Lived Domain Account ServicePrincipalName
• Windows AD Rogue Domain Controller Network Activity
• Windows AD Account SID History Addition
• Windows AD Replication Service Traffic
• Windows Unusual Count of Disabled Users Failed Auth Using Kerberos
• Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
• Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
• Windows Unusual Count Of Users Fail To Auth With Explicit Credentials
• Windows Unusual Count Of Users Failed To Auth Using Kerberos
• Windows Unusual Count Of Users Failed To Authenticate From Process
• Windows Unusual Count Of Users Failed To Authenticate Using NTLM
• Windows Unusual Count Of Users Remotely Failed To Auth From Host
• Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
• Linux Data Destruction Command
• Linux Hardware Addition SwapOff
• Linux Impair Defenses Process Kill
• Linux Indicator Removal Clear Cache
• Linux Indicator Removal Service File Deletion
• Linux System Reboot Via System Request Key
• Linux Unix Shell Enable All SysRq Functions
• Windows Steal Authentication Certificates CryptoAPI
• Windows Mimikatz Crypto Export File Extensions

For all our tools and security content, please visit research.splunk.com. 

The Splunk Threat Research Team has also recently published the following blogs for a more in-depth research analysis of various threats:

• Breaking the Chain: Defending Against Certificate Services Abuse
• Threat Advisory: SwiftSlicer Wiper STRT-TA03

— The Splunk Threat Research Team