Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Product News & Announcements
All the latest news and announcements about Splunk products. Subscribe and never miss an update!
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- News & Events
- :
- Blog & Announcements
- :
- Product News & Announcements
- :
- Enterprise Security Content Updates (ESCU) - New R...
Enterprise Security Content Updates (ESCU) - New Releases
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark Topic
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
cwopat
Splunk Employee
03-23-2023
11:29 AM
In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise Security Content Update (ESCU) app (v3.60.0, v3.61.0, v3.62.0). With these releases, there are 44 new detections and 6 new analytic stories now available in Splunk Enterprise Security via the ESCU application update process or via Splunk Security Essentials (SSE).
Content highlights include:
- Detections related to CVE-2023-23397, a critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows
- A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution utilizing a heap corruption in rich text files
- Detections related to Okta IM2 logs for detecting suspicious authentication-based security attacks
- Identifying the use of Silver, an OSS cross-platform adversary emulation/red team framework produced by BishopFox, that has gained more traction with adversaries as it is often seen as an alternative to Cobalt Strike
- An analytic story to hunt for and detect the presence of AwfulShred malware within Linux environments
- Detections related to Fortinet ForiNAC CVE-2022-39952
New Analytic Stories:
- CVE-2023-21716 Word RTF Heap Corruption
- CVE-2023-23397 Outlook Elevation of Privilege
- Sneaky Active Directory Persistence Tricks
- BishopFox Silver Adversary Emulation Framework
- AwfulShred
- Fortinet FortiNAC CVE-2022-39952
New Detections:
- Okta Mismatch Between Source and Response for Okta Verify Push Request
- Okta Multiple Failed Requests to Access Applications
- Okta Suspicious Use of a Session Cookie
- Okta Phishing Detection with FastPass Origin Check
- Okta ThreatInsight Login Failure with High Unknown users
- Okta ThreatInsight Suspected PasswordSpray Attack
- Windows Rundll32 WebDAV Request
- Windows Rundll32 WebDav With Network Connection
- Notepad with no Command Line Arguments
- Windows Process Injection into Notepad
- Windows AD Same Domain SID History Addition
- Windows AD Cross Domain SID History Addition
- Windows AD Replication Request Initiated by User Account
- Windows AD Replication Request Initiated from Unsanctioned Location
- Windows AD Domain Replication ACL Addition
- Windows AD DSRM Account Changes
- Windows AD DSRM Password Reset
- Windows AD Short Lived Domain Controller SPN Attribute
- Windows AD Short Lived Server Object
- Windows AD SID History Attribute Modified
- Windows AD AdminSDHolder ACL Modified
- Windows AD ServicePrincipalName Added To Domain Account
- Windows AD Short Lived Domain Account ServicePrincipalName
- Windows AD Rogue Domain Controller Network Activity
- Windows AD Account SID History Addition
- Windows AD Replication Service Traffic
- Windows Unusual Count of Disabled Users Failed Auth Using Kerberos
- Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
- Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
- Windows Unusual Count Of Users Fail To Auth With Explicit Credentials
- Windows Unusual Count Of Users Failed To Auth Using Kerberos
- Windows Unusual Count Of Users Failed To Authenticate From Process
- Windows Unusual Count Of Users Failed To Authenticate Using NTLM
- Windows Unusual Count Of Users Remotely Failed To Auth From Host
- Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
- Linux Data Destruction Command
- Linux Hardware Addition SwapOff
- Linux Impair Defenses Process Kill
- Linux Indicator Removal Clear Cache
- Linux Indicator Removal Service File Deletion
- Linux System Reboot Via System Request Key
- Linux Unix Shell Enable All SysRq Functions
- Windows Steal Authentication Certificates CryptoAPI
- Windows Mimikatz Crypto Export File Extensions
For all our tools and security content, please visit research.splunk.com.
The Splunk Threat Research Team has also recently published the following blogs for a more in-depth research analysis of various threats:
- Breaking the Chain: Defending Against Certificate Services Abuse
- Threat Advisory: SwiftSlicer Wiper STRT-TA03
— The Splunk Threat Research Team
Labels
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Get Updates on the Splunk Community!
Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco
The Defining Technology Movement of Our Lifetime
The advent of agentic AI is arguably the defining technology ...
Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data
In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...
Your summer travels continue with new course releases
Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...
Labels
