v4.27.0

Updated Analytics Story

• Cyclops Blink
• Sneaky Active Directory Persistence Tricks

New Analytics

• Windows Credential Access From Browser Password Store
• Windows Known Abused DLL Created (External Contributor : @nterl0k )

Updated Analytics

• Okta User Logins From Multiple Cities
• Path traversal SPL injection
• Splunk User Enumeration Attempt
• AWS Concurrent Sessions From Different Ips
• AWS Credential Access RDS Password reset
• Kubernetes Nginx Ingress LFI
• Kubernetes Nginx Ingress RFI
• Kubernetes Previously Unseen Process
• O365 Multiple Users Failing To Authenticate From Ip
• Detect AzureHound Command-Line Arguments
• Detect AzureHound File Modifications
• Detect SharpHound Command-Line Arguments
• Detect SharpHound File Modifications
• Detect SharpHound Usage
• Disabling Windows Local Security Authority Defences via Registry
• Linux Iptables Firewall Modification
• Linux Kworker Process In Writable Process Path
• Linux Stdout Redirection To Dev Null File
• Network Traffic to Active Directory Web Services Protocol
• System Information Discovery Detection
• Windows SOAPHound Binary Execution

Lookups Added

• browser_app_list
• hijacklibs_loaded (External Contributor : @nterl0k )

Playbooks Updated

• All playbook yamls updated to use a list of D3FEND IDs

v4.26.0

New Analytics Story

• JetBrains TeamCity Vulnerabilities

Updated Analytics Story

New Analytics

• Cloud Security Groups Modifications by User
• Detect Remote Access Software Usage File(External Contributor : @nterl0k )
• Detect Remote Access Software Usage FileInfo(External Contributor : @nterl0k )
• Detect Remote Access Software Usage Process(External Contributor : @nterl0k )
• Windows Multiple Account Passwords Changed
• Windows Multiple Accounts Deleted
• Windows Multiple Accounts Disabled
• Detect Remote Access Software Usage DNS(External Contributor : @nterl0k )
• Detect Remote Access Software Usage Traffic(External Contributor : @nterl0k )
• High Volume of Bytes Out to Url
• Detect Remote Access Software Usage URL(External Contributor : @nterl0k )
• JetBrains TeamCity Authentication Bypass CVE-2024-27198
• JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198
• JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199
• Nginx ConnectWise ScreenConnect Authentication Bypass

Updated Analytics

• AWS IAM Delete Policy (External Contributor: @ep3p )
• O365 Multiple Users Failing To Authenticate From Ip
• ConnectWise ScreenConnect Authentication Bypass
• JetBrains TeamCity RCE Attempt

Macros Added

• nginx_access_logs
• suricata

Macros Updated

Lookups Added

Lookups Updated

• remote_access_software

Playbooks Added

• G Suite for Gmail Message Eviction
• G Suite for Gmail Search and Purge
• MS Graph for Office 365 Message Eviction
• MS Graph for Office 365 Message Identifier Activity Analysis
• MS Graph for Office 365 Message Restore
• MS Graph for Office365 Search and Purge
• MS Graph for Office365 Search and Restore

Playbooks Updated

Other Updates

• Added a new script and a CI job to automatically upload the package to Splunkbase using a service account
• Create SSA-Content-latest.tar.gz in the generate_ba CI job

v4.25.0

Release notes for ESCU v4.25.0

New Analytics Story

• ConnectWise ScreenConnect Vulnerabilities
• Snake Keylogger
• WordPress Vulnerabilities

Updated Analytics Story

New Analytics

• ConnectWise ScreenConnect Path Traversal
• ConnectWise ScreenConnect Path Traversal Windows SACL
• Windows Non Discord App Access Discord LevelDB
• Windows Time Based Evasion via Choice Exec
• Windows Unsecured Outlook Credentials Access In Registry
• ConnectWise ScreenConnect Authentication Bypass
• WordPress Bricks Builder plugin RCE

Updated Analytics

• Detect Regasm Spawning a Process
• Download Files Using Telegram
• Executables Or Script Creation In Suspicious Path
• High Process Termination Frequency
• Linux Edit Cron Table Parameter
• Non Chrome Process Accessing Chrome Default Dir
• Non Firefox Process Access Firefox Profile Dir
• Processes launching netsh
• Registry Keys Used For Persistence
• Suspicious Driver Loaded Path
• Suspicious Process DNS Query Known Abuse Web Services
• Suspicious Process Executed From Container File
• Windows Credentials from Password Stores Chrome LocalState Access
• Windows Credentials from Password Stores Chrome Login Data Access
• Windows File Transfer Protocol In Non-Common Process Path
• Windows Gather Victim Network Info Through Ip Check Web Services
• Windows Phishing PDF File Executes URL Link
• Windows System Network Connections Discovery Netsh
• Windows User Execution Malicious URL Shortcut File
• WinEvent Scheduled Task Created Within Public Path

Other Updates

• Updated contentctl to output accurate providing technologies in savedsearches.conf

v4.24.0

Release notes for ESCUv4.24.0

New Analytics Story

• Office 365 Collection Techniques
• Phemedrone Stealer

Updated Analytics Story

• NOBELIUM Group

New Analytics

• Azure AD Admin Consent Bypassed by Service Principal
• Azure AD FullAccessAsApp Permission Assigned
• Azure AD Multiple Service Principals Created by SP
• Azure AD Multiple Service Principals Created by User
• Azure AD Privileged Graph API Permission Assigned
• Azure AD Service Principal Authentication
• O365 Admin Consent Bypassed by Service Principal
• O365 FullAccessAsApp Permission Assigned
• O365 Multiple Mailboxes Accessed via API
• O365 Multiple Service Principals Created by SP
• O365 Multiple Service Principals Created by User
• O365 OAuth App Mailbox Access via EWS
• O365 OAuth App Mailbox Access via Graph API
• O365 Privileged Graph API Permission Assigned
• Network Traffic to Active Directory Web Services Protocol
• Windows Privilege Escalation Suspicious Process Elevation (External Contributor : @nterl0k )
• Windows Privilege Escalation System Process Without System Parent(External Contributor : @nterl0k )
• Windows Privilege Escalation User Process Spawn System Process(External Contributor : @nterl0k )
• Windows SOAPHound Binary Execution
• Ivanti Connect Secure SSRF in SAML Component

Updated Analytics

• Splunk unnecessary file extensions allowed by lookup table uploads
• Azure AD High Number Of Failed Authentications From Ip
• Azure AD Multi-Source Failed Authentications Spike
• Azure AD Privileged Role Assigned
• Azure AD Privileged Role Assigned to Service Principal
• Azure AD Service Principal Created
• Azure AD Service Principal New Client Credentials
• Azure AD Service Principal Owner Added
• Azure AD Tenant Wide Admin Consent Granted
• O365 Added Service Principal
• O365 Application Registration Owner Added
• O365 ApplicationImpersonation Role Assigned
• O365 Mailbox Inbox Folder Shared with All Users
• O365 Mailbox Read Access Granted to Application
• O365 Multi-Source Failed Authentications Spike
• O365 Multiple Users Failing To Authenticate From Ip
• O365 Service Principal New Client Credentials
• O365 Suspicious Admin Email Forwarding
• O365 Suspicious Rights Delegation
• O365 Suspicious User Email Forwarding
• O365 Tenant Wide Admin Consent Granted
• Correlation by Repository and Risk
• Correlation by User and Risk
• Any Powershell DownloadFile
• Any Powershell DownloadString
• Attacker Tools On Endpoint
• Create local admin accounts using net exe
• Create Remote Thread In Shell Application
• Creation of Shadow Copy
• Detect Certify Command Line Arguments
• Detect Certify With PowerShell Script Block Logging
• Detect Excessive Account Lockouts From Endpoint
• Detect New Local Admin account
• Detect Regasm with Network Connection
• Detect Regsvcs with Network Connection
• Detect Use of cmd exe to Launch Script Interpreters
• Disable Show Hidden Files
• Disable Windows SmartScreen Protection
• Disabling ControlPanel
• Disabling SystemRestore In Registry
• Download Files Using Telegram
• Elevated Group Discovery with PowerView
• Executable File Written in Administrative SMB Share
• Executables Or Script Creation In Suspicious Path
• Execute Javascript With Jscript COM CLSID
• Execution of File with Multiple Extensions
• Extraction of Registry Hives
• Hiding Files And Directories With Attrib exe
• Linux Account Manipulation Of SSH Config and Keys
• Linux Deletion Of Cron Jobs
• Linux Deletion Of Init Daemon Script
• Linux Deletion Of Services
• Linux Deletion of SSL Certificate
• Linux High Frequency Of File Deletion In Boot Folder
• Linux High Frequency Of File Deletion In Etc Folder
• MacOS LOLbin
• MacOS plutil
• Network Discovery Using Route Windows App
• [Non Chrome Process Accessing Chrome Default Dir](https://research.splunk.com/endpo...

v4.23.0

Release notes for ESCU v4.23.0

New Analytics Story

• Jenkins Server Vulnerabilities

Updated Analytics Story

New Analytics

• Splunk Information Disclosure in Splunk Add-on Builder
• Kubernetes Anomalous Inbound Network Activity from Process
• Kubernetes Anomalous Outbound Network Activity from Process
• Kubernetes Anomalous Traffic on Network Edge
• Kubernetes Create or Update Privileged Pod
• Kubernetes Cron Job Creation
• Kubernetes DaemonSet Deployed
• Kubernetes Falco Shell Spawned
• Kubernetes newly seen TCP edge
• Kubernetes newly seen UDP edge
• Kubernetes Node Port Creation
• Kubernetes Pod Created in Default Namespace
• Kubernetes Pod With Host Network Attachment
• Kubernetes Scanning by Unauthenticated IP Address
• Windows Impair Defense Change Win Defender Health Check Intervals
• Windows Impair Defense Change Win Defender Quick Scan Interval
• Windows Impair Defense Change Win Defender Throttle Rate
• Windows Impair Defense Change Win Defender Tracing Level
• Windows Impair Defense Configure App Install Control
• Windows Impair Defense Define Win Defender Threat Action
• Windows Impair Defense Disable Controlled Folder Access
• Windows Impair Defense Disable Defender Firewall And Network
• Windows Impair Defense Disable Defender Protocol Recognition
• Windows Impair Defense Disable PUA Protection
• Windows Impair Defense Disable Realtime Signature Delivery
• Windows Impair Defense Disable Web Evaluation
• Windows Impair Defense Disable Win Defender App Guard
• Windows Impair Defense Disable Win Defender Compute File Hashes
• Windows Impair Defense Disable Win Defender Gen reports
• Windows Impair Defense Disable Win Defender Network Protection
• Windows Impair Defense Disable Win Defender Report Infection
• Windows Impair Defense Disable Win Defender Scan On Update
• Windows Impair Defense Disable Win Defender Signature Retirement
• Windows Impair Defense Overide Win Defender Phishing Filter
• Windows Impair Defense Override SmartScreen Prompt
• Windows Impair Defense Set Win Defender Smart Screen Level To Warn
• Windows MsiExec HideWindow Rundll32 Execution
• Windows Process Injection In Non-Service SearchIndexer
• Jenkins Arbitrary File Read CVE-2024-23897

Updated Analytics

• Kubernetes Access Scanning
• Kubernetes Anomalous Inbound Outbound Network IO
• Kubernetes Anomalous Inbound to Outbound Network IO Ratio
• Kubernetes AWS detect suspicious kubectl calls
• Kubernetes Previously Unseen Container Image Name
• Kubernetes Previously Unseen Process
• Kubernetes Process Running From New Path
• Kubernetes Process with Anomalous Resource Utilisation
• Kubernetes Process with Resource Ratio Anomalies
• Kubernetes Shell Running on Worker Node
• Kubernetes Shell Running on Worker Node with CPU Activity
• Disable Windows SmartScreen Protection
• Linux Service Started Or Enabled
• Unknown Process Using The Kerberos Protocol
• Windows Excessive Disabled Services Event

Other Updates

• Added a new input macro sourcetype="kube:container:falco"

Playbook Updates

• Splunk Attack Analyzer Dynamic Analysis
• Splunk Automated Email Investigation
• Splunk Identifier Activity Analysis
• Splunk Message Identifier Activity Analysis

v4.22.0

New Analytics Story

• Confluence Data Center and Confluence Server Vulnerabilities

New Analytics

• Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527

Updated Analytics

• Confluence Data Center and Server Privilege Escalation
• Confluence Unauthenticated Remote Code Execution CVE-2022-26134
• Ivanti Connect Secure Command Injection Attempts

v4.21.0

Release notes for ESCUv4.21.0

New Analytics Story

Updated Analytics Story

• Splunk Vulnerabilities

New Analytics

• Splunk Enterprise KV Store Incorrect Authorization
• Splunk Enterprise Windows Deserialization File Partition

Updated Analytics

• Splunk risky Command Abuse disclosed february 2023

Other Updates

• Updated splunk_risky_command lookup with a new splunk_risky_command_20240122.csv file

v4.20.0

New Analytic Story

Ivanti Connect Secure VPN Vulnerabilities

New Analytics

Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
Ivanti Connect Secure Command Injection Attempts
Ivanti Connect Secure System Information Access via Auth Bypass

v4.19.0

Release Branch for ESCU 4.19.0

New Analytic Story

• CISA AA23-347A
• Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring

Updated Analytic Story

• Office 365 Account Takeover
• Office 365 Persistence Mechanisms
• Splunk Vulnerabilities

New Analytics

• Kubernetes Anomalous Inbound Outbound Network IO (Internal Contributor : Matthew Moore )
• Kubernetes Anomalous Inbound to Outbound Network IO Ratio (Internal Contributor : Matthew Moore )
• Kubernetes Previously Unseen Container Image Name (Internal Contributor : Matthew Moore )
• Kubernetes Previously Unseen Process (Internal Contributor : Matthew Moore )
• Kubernetes Process Running From New Path (Internal Contributor : Matthew Moore )
• Kubernetes Process with Anomalous Resource Utilisation (Internal Contributor : Matthew Moore )
• Kubernetes Process with Resource Ratio Anomalies (Internal Contributor : Matthew Moore )
• Kubernetes Shell Running on Worker Node with CPU Activity (Internal Contributor : Matthew Moore )
• Kubernetes Shell Running on Worker Node (Internal Contributor : Matthew Moore )
• Windows Account Discovery For None Disable User Account
• Windows Lsa Secrets Nolmhash Registry
• Windows Modify Registry Disable Restricted Admin
• Windows Account Discovery For Sam Account Name
• Windows Account Discovery With Netuser Preauthnotrequire
• Windows Archive Collected Data Via Powershell
• Windows Domain Account Discovery Via Get Netcomputer
• Windows Known Graphicalproton Loaded Modules
• Windows Process Commandline Discovery
• Windows System User Privilege Discovery
• Windows Modify Registry Nochangingwallpaper
• Windows Rundll32 Apply User Settings Changes
• Windows UAC Bypass Suspicious Child Process (External Contributor : @nterl0k )
• Windows UAC Bypass Suspicious Escalation Behavior (External Contributor : @nterl0k )
• Windows Alternate DataStream - Base64 Content (External Contributor : @nterl0k )
• Windows Alternate DataStream - Process Execution (External Contributor : @nterl0k )
• Windows Alternate DataStream - Executable Content (External Contributor : @nterl0k )
• O365 Concurrent Sessions From Different Ips
• Splunk ES DoS Investigations Manager via Investigation Creation (Internal Contributor : Chase Franklin )
• Splunk ES DoS Through Investigation Attachments (Internal Contributor : Chase Franklin )

Updated Analytics

• GCP Authentication Failed During MFA Challenge
• GCP Multi-Factor Authentication Disabled
• GCP Successful Single-Factor Authentication
• Windows Steal Authentication Certificates - ESC1 Abuse
• Allow Network Discovery In Firewall
• Msmpeng Application DLL Side Loading

Other Updates

• Updated mitre attack navigator json files for detection coverage for RAT and Stealer analytic stories
• Updated ALL Azure AD analytics to use sourcetype = azure:monitor:aad for better CIM Compliance.

v4.18.0

ESCU 4.18.0 Release branch

New Analytic Story

• Rhysida Ransomware
• Kubernetes Security

Updated Analytic Story

• NjRAT
• RedLine Stealer
• Amadey

New Analytics

• PingID Mismatch Auth Source and Verification Response (External Contributor : @nterl0k )
• PingID Multiple Failed MFA Requests For User (External Contributor : @nterl0k )
• PingID New MFA Method After Credential Reset (External Contributor : @nterl0k )
• PingID New MFA Method Registered For User (External Contributor : @nterl0k )
• Kubernetes Abuse of Secret by Unusual Location
• Kubernetes Abuse of Secret by Unusual User Agent
• Windows Modify System Firewall with Notable Process Path
• Kubernetes Abuse of Secret by Unusual User Group
• Kubernetes Abuse of Secret by Unusual User Name
• Kubernetes Access Scanning
• Kubernetes Suspicious Image Pulling
• Kubernetes Unauthorized Access
• Windows Modify System Firewall with Notable Process Path

Updated Analytics

• Allow File And Printing Sharing In Firewall
• Azure AD PIM Role Assigned
• CMD Carry Out String Command Parameter
• Detect Use of cmd exe to Launch Script Interpreters
• Modification Of Wallpaper

Other Updates

• Added two new lookup files ransomware_extensions_20231219.csv‎ and ransomware_notes_20231219.csv and updated the existing transforms definitions of ransomware_extensions_lookup and ransomware_notes_lookup to use the latest csv files.