v4.31.0

New Analytic Story

Updated Analytic Story

New Analytics

• Windows Process Writing File to World Writable Path

Updated Analytics

• AWS Create Policy Version to allow all resources
• Detect Outbound SMB Traffic
• Detect Rare Executables
• Prohibited Network Traffic Allowed
• Remote Desktop Network Traffic
• Windows Masquerading Explorer As Child Process
• Recon AVProduct Through Pwh or WMI
• Detect Outbound SMB Traffic
• MSHTML Module Load in Office Product
• Office Document Creating Schedule Task
• Office Document Executing Macro Code
• Windows InstallUtil Credential Theft

Deprecated Analytics

• Windows DLL Search Order Hijacking Hunt with Sysmon

Other Updates

• Updated risk and threat related configurations for several detections
• Added Victims to missing detections to create correct risk_objects
• Converted 50+ Windows detections to leverage the XML log format

Upcoming Changes (ONLY INCLUDE IN announcements)

IMPORTANT NOTE : In the upcoming v4.34.0 release, changes will be made to the security_content_summariesonly macro. Its current definition will change to wrap the existing values into another set of macros. This will allow each environment to customize each setting without changing the base macro. If this macro has already been modified in your environment, it will not be affected.

v4.30.0

Release notes

New Analytics Story

• Okta Account Takeover
• Windows AppLocker
• Zscaler Browser Proxy Threats

Updated Analytics Story

• Azure Active Directory Account Takeover
• Compromised User Account
• GCP Account Takeover

New Analytics

• Okta Authentication Failed During MFA Challenge
• Okta IDP Lifecycle Modifications
• Okta Multi-Factor Authentication Disabled
• Okta Multiple Accounts Locked Out
• Okta Multiple Failed MFA Requests For User
• Okta Multiple Users Failing To Authenticate From Ip
• Okta Successful Single Factor Authentication
• Okta Unauthorized Access to Application
• O365 Compliance Content Search Exported
• O365 Compliance Content Search Started
• O365 Elevated Mailbox Permission Assigned
• O365 Mailbox Email Forwarding Enabled
• O365 Mailbox Folder Read Permission Assigned
• O365 Mailbox Folder Read Permission Granted
• O365 New Email Forwarding Rule Created
• O365 New Email Forwarding Rule Enabled
• O365 New Forwarding Mailflow Rule Created
• O365 Security And Compliance Alert Triggered
• Okta User Logins From Multiple Cities
• Windows AppLocker Block Events
• Windows AppLocker Execution from Uncommon Locations
• Windows AppLocker Privilege Escalation via Unauthorized Bypass
• Windows AppLocker Rare Application Launch Detection
• Windows Unsigned MS DLL Side-Loading
• Zscaler Adware Activities Threat Blocked
• Zscaler Behavior Analysis Threat Blocked
• Zscaler CryptoMiner Downloaded Threat Blocked
• Zscaler Employment Search Web Activity
• Zscaler Exploit Threat Blocked
• Zscaler Legal Liability Threat Blocked
• Zscaler Malware Activity Threat Blocked
• Zscaler Phishing Activity Threat Blocked
• Zscaler Potentially Abused File Download
• Zscaler Privacy Risk Destinations Threat Blocked
• Zscaler Scam Destinations Threat Blocked
• Zscaler Virus Download threat blocked

Updated Analytics

• Email Attachments With Lots Of Spaces
• Okta MFA Exhaustion Hunt
• Okta Mismatch Between Source and Response for Verify Push Request
• Okta Multiple Failed Requests to Access Applications
• Okta New API Token Created
• Okta New Device Enrolled on Account
• Okta Phishing Detection with FastPass Origin Check
• Okta Risk Threshold Exceeded
• Okta Suspicious Activity Reported
• Okta Suspicious Use of a Session Cookie
• Okta ThreatInsight Threat Detected
• Suspicious Email Attachment Extensions
• O365 Admin Consent Bypassed by Service Principal
• O365 ApplicationImpersonation Role Assigned
• O365 Mailbox Inbox Folder Shared with All Users
• O365 PST export alert
• Prohibited Software On Endpoint
• Detect Use of cmd exe to Launch Script Interpreters
• Detection of tools built by NirSoft
• Excessive File Deletion In WinDefender Folder(External Contributor : @nterl0k )
• Linux Account Manipulation Of SSH Config and Keys
• Linux Deletion of SSL Certificate
• Malicious Powershell Executed As A Service
• Registry Keys Used For Persistence
• SchCache Change By App Connect And Create ADSI Object
• Suspicious Regsvr32 Register Suspicious Path
• Windows Data Destruction Recursive Exec Files Deletion (External Contributor : @nterl0k )
• Windows High File Deletion Frequency External Contributor : @nterl0k )
• Windows MSHTA Writing to World Writable Path
• Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
• SMB Traffic Spike
• SMB Traffic Spike - MLTK
• Web Remote ShellServlet Access

Macros Added

• applocker
• zscaler_proxy

Macros Updated

• okta

Lookups Added

• applockereventcodes

Other Updates

• Added a new dashboard ESCU - AppLocker, Navigate to your Dashboards and search for "ESCU - AppLocker" to assist with auditing and monitoring Windows AppLocker events for your endpoints (Splunk Enterprise 9.x.x version and above only)

v4.29.0

Release notes

New Analytics Story

• APT29 Diplomatic Deceptions with WINELOADER
• Outlook RCE CVE-2024-21378

Updated Analytics Story

New Analytics

• Windows InProcServer32 New Outlook Form
• Windows MSHTA Writing to World Writable Path
• Windows New InProcServer32 Added
• Windows Phishing Outlook Drop Dll In FORM Dir
• Windows SqlWriter SQLDumper DLL Sideload

Updated Analytics

• CertUtil With Decode Argument

v4.28.0

New Analytics

• Splunk Authentication Token Exposure in Debug Log

Updated Analytics

• Splunk Command and Scripting Interpreter Risky Commands
• ASL AWS Concurrent Sessions From Different Ips
• Gsuite Outbound Email With Attachment To External Domain
• Detect Excessive Account Lockouts From Endpoint
• Detect Excessive User Account Lockouts
• Short Lived Windows Accounts
• Windows Create Local Account

Playbooks Updated

• Active Directory Enable Account Dispatch

v4.27.0

Updated Analytics Story

• Cyclops Blink
• Sneaky Active Directory Persistence Tricks

New Analytics

• Windows Credential Access From Browser Password Store
• Windows Known Abused DLL Created (External Contributor : @nterl0k )

Updated Analytics

• Okta User Logins From Multiple Cities
• Path traversal SPL injection
• Splunk User Enumeration Attempt
• AWS Concurrent Sessions From Different Ips
• AWS Credential Access RDS Password reset
• Kubernetes Nginx Ingress LFI
• Kubernetes Nginx Ingress RFI
• Kubernetes Previously Unseen Process
• O365 Multiple Users Failing To Authenticate From Ip
• Detect AzureHound Command-Line Arguments
• Detect AzureHound File Modifications
• Detect SharpHound Command-Line Arguments
• Detect SharpHound File Modifications
• Detect SharpHound Usage
• Disabling Windows Local Security Authority Defences via Registry
• Linux Iptables Firewall Modification
• Linux Kworker Process In Writable Process Path
• Linux Stdout Redirection To Dev Null File
• Network Traffic to Active Directory Web Services Protocol
• System Information Discovery Detection
• Windows SOAPHound Binary Execution

Lookups Added

• browser_app_list
• hijacklibs_loaded (External Contributor : @nterl0k )

Playbooks Updated

• All playbook yamls updated to use a list of D3FEND IDs

v4.26.0

New Analytics Story

• JetBrains TeamCity Vulnerabilities

Updated Analytics Story

New Analytics

• Cloud Security Groups Modifications by User
• Detect Remote Access Software Usage File(External Contributor : @nterl0k )
• Detect Remote Access Software Usage FileInfo(External Contributor : @nterl0k )
• Detect Remote Access Software Usage Process(External Contributor : @nterl0k )
• Windows Multiple Account Passwords Changed
• Windows Multiple Accounts Deleted
• Windows Multiple Accounts Disabled
• Detect Remote Access Software Usage DNS(External Contributor : @nterl0k )
• Detect Remote Access Software Usage Traffic(External Contributor : @nterl0k )
• High Volume of Bytes Out to Url
• Detect Remote Access Software Usage URL(External Contributor : @nterl0k )
• JetBrains TeamCity Authentication Bypass CVE-2024-27198
• JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198
• JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199
• Nginx ConnectWise ScreenConnect Authentication Bypass

Updated Analytics

• AWS IAM Delete Policy (External Contributor: @ep3p )
• O365 Multiple Users Failing To Authenticate From Ip
• ConnectWise ScreenConnect Authentication Bypass
• JetBrains TeamCity RCE Attempt

Macros Added

• nginx_access_logs
• suricata

Macros Updated

Lookups Added

Lookups Updated

• remote_access_software

Playbooks Added

• G Suite for Gmail Message Eviction
• G Suite for Gmail Search and Purge
• MS Graph for Office 365 Message Eviction
• MS Graph for Office 365 Message Identifier Activity Analysis
• MS Graph for Office 365 Message Restore
• MS Graph for Office365 Search and Purge
• MS Graph for Office365 Search and Restore

Playbooks Updated

Other Updates

• Added a new script and a CI job to automatically upload the package to Splunkbase using a service account
• Create SSA-Content-latest.tar.gz in the generate_ba CI job

v4.25.0

Release notes for ESCU v4.25.0

New Analytics Story

• ConnectWise ScreenConnect Vulnerabilities
• Snake Keylogger
• WordPress Vulnerabilities

Updated Analytics Story

New Analytics

• ConnectWise ScreenConnect Path Traversal
• ConnectWise ScreenConnect Path Traversal Windows SACL
• Windows Non Discord App Access Discord LevelDB
• Windows Time Based Evasion via Choice Exec
• Windows Unsecured Outlook Credentials Access In Registry
• ConnectWise ScreenConnect Authentication Bypass
• WordPress Bricks Builder plugin RCE

Updated Analytics

• Detect Regasm Spawning a Process
• Download Files Using Telegram
• Executables Or Script Creation In Suspicious Path
• High Process Termination Frequency
• Linux Edit Cron Table Parameter
• Non Chrome Process Accessing Chrome Default Dir
• Non Firefox Process Access Firefox Profile Dir
• Processes launching netsh
• Registry Keys Used For Persistence
• Suspicious Driver Loaded Path
• Suspicious Process DNS Query Known Abuse Web Services
• Suspicious Process Executed From Container File
• Windows Credentials from Password Stores Chrome LocalState Access
• Windows Credentials from Password Stores Chrome Login Data Access
• Windows File Transfer Protocol In Non-Common Process Path
• Windows Gather Victim Network Info Through Ip Check Web Services
• Windows Phishing PDF File Executes URL Link
• Windows System Network Connections Discovery Netsh
• Windows User Execution Malicious URL Shortcut File
• WinEvent Scheduled Task Created Within Public Path

Other Updates

• Updated contentctl to output accurate providing technologies in savedsearches.conf

v4.24.0

Release notes for ESCUv4.24.0

New Analytics Story

• Office 365 Collection Techniques
• Phemedrone Stealer

Updated Analytics Story

• NOBELIUM Group

New Analytics

• Azure AD Admin Consent Bypassed by Service Principal
• Azure AD FullAccessAsApp Permission Assigned
• Azure AD Multiple Service Principals Created by SP
• Azure AD Multiple Service Principals Created by User
• Azure AD Privileged Graph API Permission Assigned
• Azure AD Service Principal Authentication
• O365 Admin Consent Bypassed by Service Principal
• O365 FullAccessAsApp Permission Assigned
• O365 Multiple Mailboxes Accessed via API
• O365 Multiple Service Principals Created by SP
• O365 Multiple Service Principals Created by User
• O365 OAuth App Mailbox Access via EWS
• O365 OAuth App Mailbox Access via Graph API
• O365 Privileged Graph API Permission Assigned
• Network Traffic to Active Directory Web Services Protocol
• Windows Privilege Escalation Suspicious Process Elevation (External Contributor : @nterl0k )
• Windows Privilege Escalation System Process Without System Parent(External Contributor : @nterl0k )
• Windows Privilege Escalation User Process Spawn System Process(External Contributor : @nterl0k )
• Windows SOAPHound Binary Execution
• Ivanti Connect Secure SSRF in SAML Component

Updated Analytics

• Splunk unnecessary file extensions allowed by lookup table uploads
• Azure AD High Number Of Failed Authentications From Ip
• Azure AD Multi-Source Failed Authentications Spike
• Azure AD Privileged Role Assigned
• Azure AD Privileged Role Assigned to Service Principal
• Azure AD Service Principal Created
• Azure AD Service Principal New Client Credentials
• Azure AD Service Principal Owner Added
• Azure AD Tenant Wide Admin Consent Granted
• O365 Added Service Principal
• O365 Application Registration Owner Added
• O365 ApplicationImpersonation Role Assigned
• O365 Mailbox Inbox Folder Shared with All Users
• O365 Mailbox Read Access Granted to Application
• O365 Multi-Source Failed Authentications Spike
• O365 Multiple Users Failing To Authenticate From Ip
• O365 Service Principal New Client Credentials
• O365 Suspicious Admin Email Forwarding
• O365 Suspicious Rights Delegation
• O365 Suspicious User Email Forwarding
• O365 Tenant Wide Admin Consent Granted
• Correlation by Repository and Risk
• Correlation by User and Risk
• Any Powershell DownloadFile
• Any Powershell DownloadString
• Attacker Tools On Endpoint
• Create local admin accounts using net exe
• Create Remote Thread In Shell Application
• Creation of Shadow Copy
• Detect Certify Command Line Arguments
• Detect Certify With PowerShell Script Block Logging
• Detect Excessive Account Lockouts From Endpoint
• Detect New Local Admin account
• Detect Regasm with Network Connection
• Detect Regsvcs with Network Connection
• Detect Use of cmd exe to Launch Script Interpreters
• Disable Show Hidden Files
• Disable Windows SmartScreen Protection
• Disabling ControlPanel
• Disabling SystemRestore In Registry
• Download Files Using Telegram
• Elevated Group Discovery with PowerView
• Executable File Written in Administrative SMB Share
• Executables Or Script Creation In Suspicious Path
• Execute Javascript With Jscript COM CLSID
• Execution of File with Multiple Extensions
• Extraction of Registry Hives
• Hiding Files And Directories With Attrib exe
• Linux Account Manipulation Of SSH Config and Keys
• Linux Deletion Of Cron Jobs
• Linux Deletion Of Init Daemon Script
• Linux Deletion Of Services
• Linux Deletion of SSL Certificate
• Linux High Frequency Of File Deletion In Boot Folder
• Linux High Frequency Of File Deletion In Etc Folder
• MacOS LOLbin
• MacOS plutil
• Network Discovery Using Route Windows App
• [Non Chrome Process Accessing Chrome Default Dir](https://research.splunk.com/endpo...

v4.23.0

Release notes for ESCU v4.23.0

New Analytics Story

• Jenkins Server Vulnerabilities

Updated Analytics Story

New Analytics

• Splunk Information Disclosure in Splunk Add-on Builder
• Kubernetes Anomalous Inbound Network Activity from Process
• Kubernetes Anomalous Outbound Network Activity from Process
• Kubernetes Anomalous Traffic on Network Edge
• Kubernetes Create or Update Privileged Pod
• Kubernetes Cron Job Creation
• Kubernetes DaemonSet Deployed
• Kubernetes Falco Shell Spawned
• Kubernetes newly seen TCP edge
• Kubernetes newly seen UDP edge
• Kubernetes Node Port Creation
• Kubernetes Pod Created in Default Namespace
• Kubernetes Pod With Host Network Attachment
• Kubernetes Scanning by Unauthenticated IP Address
• Windows Impair Defense Change Win Defender Health Check Intervals
• Windows Impair Defense Change Win Defender Quick Scan Interval
• Windows Impair Defense Change Win Defender Throttle Rate
• Windows Impair Defense Change Win Defender Tracing Level
• Windows Impair Defense Configure App Install Control
• Windows Impair Defense Define Win Defender Threat Action
• Windows Impair Defense Disable Controlled Folder Access
• Windows Impair Defense Disable Defender Firewall And Network
• Windows Impair Defense Disable Defender Protocol Recognition
• Windows Impair Defense Disable PUA Protection
• Windows Impair Defense Disable Realtime Signature Delivery
• Windows Impair Defense Disable Web Evaluation
• Windows Impair Defense Disable Win Defender App Guard
• Windows Impair Defense Disable Win Defender Compute File Hashes
• Windows Impair Defense Disable Win Defender Gen reports
• Windows Impair Defense Disable Win Defender Network Protection
• Windows Impair Defense Disable Win Defender Report Infection
• Windows Impair Defense Disable Win Defender Scan On Update
• Windows Impair Defense Disable Win Defender Signature Retirement
• Windows Impair Defense Overide Win Defender Phishing Filter
• Windows Impair Defense Override SmartScreen Prompt
• Windows Impair Defense Set Win Defender Smart Screen Level To Warn
• Windows MsiExec HideWindow Rundll32 Execution
• Windows Process Injection In Non-Service SearchIndexer
• Jenkins Arbitrary File Read CVE-2024-23897

Updated Analytics

• Kubernetes Access Scanning
• Kubernetes Anomalous Inbound Outbound Network IO
• Kubernetes Anomalous Inbound to Outbound Network IO Ratio
• Kubernetes AWS detect suspicious kubectl calls
• Kubernetes Previously Unseen Container Image Name
• Kubernetes Previously Unseen Process
• Kubernetes Process Running From New Path
• Kubernetes Process with Anomalous Resource Utilisation
• Kubernetes Process with Resource Ratio Anomalies
• Kubernetes Shell Running on Worker Node
• Kubernetes Shell Running on Worker Node with CPU Activity
• Disable Windows SmartScreen Protection
• Linux Service Started Or Enabled
• Unknown Process Using The Kerberos Protocol
• Windows Excessive Disabled Services Event

Other Updates

• Added a new input macro sourcetype="kube:container:falco"

Playbook Updates

• Splunk Attack Analyzer Dynamic Analysis
• Splunk Automated Email Investigation
• Splunk Identifier Activity Analysis
• Splunk Message Identifier Activity Analysis

v4.22.0

New Analytics Story

• Confluence Data Center and Confluence Server Vulnerabilities

New Analytics

• Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527

Updated Analytics

• Confluence Data Center and Server Privilege Escalation
• Confluence Unauthenticated Remote Code Execution CVE-2022-26134
• Ivanti Connect Secure Command Injection Attempts