Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise Security Content Update (ESCU) app (v3.60.0, v3.61.0, v3.62.0). With these releases, there are 44 new detections and 6 new analytic stories now available in Splunk Enterprise Security via the ESCU application update process or via Splunk Security Essentials (SSE).
Content highlights include:
- Detections related to CVE-2023-23397, a critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows
- A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution via a heap corruption in rich text files
- Detections based on Okta IM2 logs for identifying suspicious authentication-based attacks
- Identifying the use of Sliver, an open-source cross-platform adversary emulation/red team framework produced by BishopFox, which has gained more traction with adversaries as it is often seen as an alternative to Cobalt Strike
- An analytic story to hunt for and detect the presence of AwfulShred malware within Linux environments
- Detections related to Fortinet FortiNAC CVE-2022-39952
New Analytic Stories:
- CVE-2023-21716 Word RTF Heap Corruption
- CVE-2023-23397 Outlook Elevation of Privilege
- Sneaky Active Directory Persistence Tricks
- BishopFox Sliver Adversary Emulation Framework
- AwfulShred
- Fortinet FortiNAC CVE-2022-39952
New Detections:
- Okta Mismatch Between Source and Response for Okta Verify Push Request
- Okta Multiple Failed Requests to Access Applications
- Okta Suspicious Use of a Session Cookie
- Okta Phishing Detection with FastPass Origin Check
- Okta ThreatInsight Login Failure with High Unknown users
- Okta ThreatInsight Suspected PasswordSpray Attack
- Windows Rundll32 WebDAV Request
- Windows Rundll32 WebDav With Network Connection
- Notepad with no Command Line Arguments
- Windows Process Injection into Notepad
- Windows AD Same Domain SID History Addition
- Windows AD Cross Domain SID History Addition
- Windows AD Replication Request Initiated by User Account
- Windows AD Replication Request Initiated from Unsanctioned Location
- Windows AD Domain Replication ACL Addition
- Windows AD DSRM Account Changes
- Windows AD DSRM Password Reset
- Windows AD Short Lived Domain Controller SPN Attribute
- Windows AD Short Lived Server Object
- Windows AD SID History Attribute Modified
- Windows AD AdminSDHolder ACL Modified
- Windows AD ServicePrincipalName Added To Domain Account
- Windows AD Short Lived Domain Account ServicePrincipalName
- Windows AD Rogue Domain Controller Network Activity
- Windows AD Account SID History Addition
- Windows AD Replication Service Traffic
- Windows Unusual Count of Disabled Users Failed Auth Using Kerberos
- Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
- Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
- Windows Unusual Count Of Users Fail To Auth With Explicit Credentials
- Windows Unusual Count Of Users Failed To Auth Using Kerberos
- Windows Unusual Count Of Users Failed To Authenticate From Process
- Windows Unusual Count Of Users Failed To Authenticate Using NTLM
- Windows Unusual Count Of Users Remotely Failed To Auth From Host
- Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
- Linux Data Destruction Command
- Linux Hardware Addition SwapOff
- Linux Impair Defenses Process Kill
- Linux Indicator Removal Clear Cache
- Linux Indicator Removal Service File Deletion
- Linux System Reboot Via System Request Key
- Linux Unix Shell Enable All SysRq Functions
- Windows Steal Authentication Certificates CryptoAPI
- Windows Mimikatz Crypto Export File Extensions
For all our tools and security content, please visit research.splunk.com.
The Splunk Threat Research Team has also recently published the following blogs with more in-depth analysis of various threats:
- Breaking the Chain: Defending Against Certificate Services Abuse
- Threat Advisory: SwiftSlicer Wiper STRT-TA03
— The Splunk Threat Research Team