v4.19.0

Release Branch for ESCU 4.19.0

New Analytic Story

• CISA AA23-347A
• Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring

Updated Analytic Story

• Office 365 Account Takeover
• Office 365 Persistence Mechanisms
• Splunk Vulnerabilities

New Analytics

• Kubernetes Anomalous Inbound Outbound Network IO (Internal Contributor : Matthew Moore )
• Kubernetes Anomalous Inbound to Outbound Network IO Ratio (Internal Contributor : Matthew Moore )
• Kubernetes Previously Unseen Container Image Name (Internal Contributor : Matthew Moore )
• Kubernetes Previously Unseen Process (Internal Contributor : Matthew Moore )
• Kubernetes Process Running From New Path (Internal Contributor : Matthew Moore )
• Kubernetes Process with Anomalous Resource Utilisation (Internal Contributor : Matthew Moore )
• Kubernetes Process with Resource Ratio Anomalies (Internal Contributor : Matthew Moore )
• Kubernetes Shell Running on Worker Node with CPU Activity (Internal Contributor : Matthew Moore )
• Kubernetes Shell Running on Worker Node (Internal Contributor : Matthew Moore )
• Windows Account Discovery For None Disable User Account
• Windows Lsa Secrets Nolmhash Registry
• Windows Modify Registry Disable Restricted Admin
• Windows Account Discovery For Sam Account Name
• Windows Account Discovery With Netuser Preauthnotrequire
• Windows Archive Collected Data Via Powershell
• Windows Domain Account Discovery Via Get Netcomputer
• Windows Known Graphicalproton Loaded Modules
• Windows Process Commandline Discovery
• Windows System User Privilege Discovery
• Windows Modify Registry Nochangingwallpaper
• Windows Rundll32 Apply User Settings Changes
• Windows UAC Bypass Suspicious Child Process (External Contributor : @nterl0k )
• Windows UAC Bypass Suspicious Escalation Behavior (External Contributor : @nterl0k )
• Windows Alternate DataStream - Base64 Content (External Contributor : @nterl0k )
• Windows Alternate DataStream - Process Execution (External Contributor : @nterl0k )
• Windows Alternate DataStream - Executable Content (External Contributor : @nterl0k )
• O365 Concurrent Sessions From Different Ips
• Splunk ES DoS Investigations Manager via Investigation Creation (Internal Contributor : Chase Franklin )
• Splunk ES DoS Through Investigation Attachments (Internal Contributor : Chase Franklin )

Updated Analytics

• GCP Authentication Failed During MFA Challenge
• GCP Multi-Factor Authentication Disabled
• GCP Successful Single-Factor Authentication
• Windows Steal Authentication Certificates - ESC1 Abuse
• Allow Network Discovery In Firewall
• Msmpeng Application DLL Side Loading

Other Updates

• Updated mitre attack navigator json files for detection coverage for RAT and Stealer analytic stories
• Updated ALL Azure AD analytics to use sourcetype = azure:monitor:aad for better CIM Compliance.

v4.18.0

ESCU 4.18.0 Release branch

New Analytic Story

• Rhysida Ransomware
• Kubernetes Security

Updated Analytic Story

• NjRAT
• RedLine Stealer
• Amadey

New Analytics

• PingID Mismatch Auth Source and Verification Response (External Contributor : @nterl0k )
• PingID Multiple Failed MFA Requests For User (External Contributor : @nterl0k )
• PingID New MFA Method After Credential Reset (External Contributor : @nterl0k )
• PingID New MFA Method Registered For User (External Contributor : @nterl0k )
• Kubernetes Abuse of Secret by Unusual Location
• Kubernetes Abuse of Secret by Unusual User Agent
• Windows Modify System Firewall with Notable Process Path
• Kubernetes Abuse of Secret by Unusual User Group
• Kubernetes Abuse of Secret by Unusual User Name
• Kubernetes Access Scanning
• Kubernetes Suspicious Image Pulling
• Kubernetes Unauthorized Access
• Windows Modify System Firewall with Notable Process Path

Updated Analytics

• Allow File And Printing Sharing In Firewall
• Azure AD PIM Role Assigned
• CMD Carry Out String Command Parameter
• Detect Use of cmd exe to Launch Script Interpreters
• Modification Of Wallpaper

Other Updates

• Added two new lookup files ransomware_extensions_20231219.csv‎ and ransomware_notes_20231219.csv and updated the existing transforms definitions of ransomware_extensions_lookup and ransomware_notes_lookup to use the latest csv files.

v4.17.0

ESCU 4.17.0 Release branch

New Analytic Story

• Office 365 Account Takeover
• Office 365 Persistence Mechanisms
• Windows Attack Surface Reduction

Updated Analytic Story

• DarkGate Malware

New Analytics

• O365 Service Principal New Client Credentials
• O365 Mailbox Read Access Granted to Application
• O365 Tenant Wide Admin Consent Granted
• O365 Application Registration Owner Added
• O365 Mailbox Inbox Folder Shared with All Users
• O365 Advanced Audit Disabled
• O365 High Number Of Failed Authentications for User
• O365 Multiple Users Failing To Authenticate From Ip
• O365 User Consent Blocked for Risky Application
• O365 User Consent Denied for OAuth Application
• O365 Mail Permissioned Application Consent Granted by User
• O365 ApplicationImpersonation Role Assigned
• O365 File Permissioned Application Consent Granted by User
• O365 Multiple Failed MFA Requests For User
• O365 High Privilege Role Granted
• O365 New MFA Method Registered
• O365 Multiple AppIDs and UserAgents Authentication Spike
• O365 Block User Consent For Risky Apps Disabled
• O365 Multi-Source Failed Authentications Spike
• Powershell Remote Services Add TrustedHost
• Windows Modify Registry AuthenticationLevelOverride
• Windows Modify Registry DisableRemoteDesktopAntiAlias
• Windows Modify Registry DisableSecuritySettings
• Windows Modify Registry DontShowUI
• Windows Modify Registry ProxyEnable
• Windows Modify Registry ProxyServer
• Windows Archive Collected Data via Rar
• Windows Indicator Removal Via Rmdir
• Windows Credentials from Password Stores Creation
• Windows Credentials from Password Stores Deletion
• Windows Defender ASR Rules Stacking
• Windows Defender ASR Rule Disabled
• Windows Defender ASR Registry Modification
• Windows Defender ASR Block Events
• Windows Defender ASR Audit Events
• Windows Masquerading Msdtc Process
• Windows Parent PID Spoofing with Explorer
• Web Remote ShellServlet Access
• Splunk RCE via User XSLT

Updated Analytics

• High Number of Login Failures from a single source
• O365 Add App Role Assignment Grant User
• O365 Added Service Principal
• O365 Bypass MFA via Trusted IP
• O365 Disable MFA
• O365 Excessive Authentication Failures Alert
• O365 Excessive SSO logon errors
• O365 New Federated Domain Added
• O365 PST export alert
• O365 Suspicious Admin Email Forwarding*
• O365 Suspicious Rights Delegation
• O365 Suspicious User Email Forwarding
• Splunk App for Lookup File Editing RCE via User XSLT

Other Updates

• Added Experiemental to action.correlationsearch.label name for Content Management
• Updated the splunk_risky_command lookup
• Updated several detections to output accurate risk/threat objects

v4.16.0

New Analytic Story

• DarkGate Malware
• SysAid On-Prem Software CVE-2023-47246 Vulnerability

Updated Analytic Story

• Azure Active Directory Account Takeover
• Splunk Vulnerabilities

New Analytics

• Azure AD Device Code Authentication
• Azure AD Tenant Wide Admin Consent Granted
• Azure AD Multiple AppIDs and UserAgents Authentication Spike
• Azure AD Block User Consent For Risky Apps Disabled
• Azure AD User Consent Blocked for Risky Application
• Azure AD OAuth Application Consent Granted By User
• Azure AD User Consent Denied for OAuth Application
• Azure AD New MFA Method Registered
• Azure AD Multiple Denied MFA Requests For User
• Azure AD Multi-Source Failed Authentications Spike
• Risk Rule for Dev Sec Ops by Repository
• Windows ConHost with Headless Argument
• Windows CAB File on Disk
• Windows WinDBG Spawning AutoIt3
• Windows MSIExec Spawn WinDBG
• Windows Modify Registry Default Icon Setting
• Windows AutoIt3 Execution
• Splunk App for Lookup File Editing RCE via User XSLT
• Splunk XSS in Highlighted JSON Events

Updated Analytics

• AWS ECR Container Scanning Findings High
• AWS ECR Container Scanning Findings Medium
• AWS ECR Container Scanning Findings Low Informational Unknown
• AWS ECR Container Upload Outside Business Hours

Deprecated Analytics

• Correlation by Repository and Risk
• Correlation by User and Risk

Other Updates

• CI updates to release.yml
• Added downstream trigger to security_content_automation repo to facilitate automated integration testing
• Updated Github CI workflow to use contentctl

v4.15.0

New Analytic Story

• Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966
• PlugX

New Analytics

• Citrix ADC and Gateway Unauthorized Data Disclosure

Updated Analytics

• Windows Admin Permission Discovery
• Confluence CVE-2023-22515 Trigger Vulnerability
• Confluence Data Center and Server Privilege Escalation

Other Updates

• Updated Gitlab CI pipelines to leverage code contentctl for validating, building, inspecting and releasing the ESCU app

v4.14.0

Release notes

New Analytic Story

• Subvert Trust Controls SIP and Trust Provider Hijacking
• Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357
• Cisco IOS XE Software Web Management User Interface vulnerability

New Analytics

• Confluence CVE-2023-22515 Trigger Vulnerability
• Cisco IOS XE Implant Access
• Detect Certipy File Modifications (External Contributor : @nterl0k )
• Windows Domain Admin Impersonation Indicator
• Windows Registry SIP Provider Modification
• Microsoft SharePoint Server Elevation of Privilege
• Windows Steal Authentication Certificates - ESC1 Abuse (External Contributor : @nterl0k )
• Windows SIP Provider Inventory
• Windows SIP WinVerifyTrust Failed Trust Validation

Updated Analytics

• Citrix ADC Exploitation CVE-2023-3519

Other Updates

• Minor changes to playbook names and UUID
• Updated descriptions for 50 detections

BA Updates

• Added lower() to BA detection searches in the eval function

v4.13.0

New Analytic Story

• NjRat
• WS FTP Server Critical Vulnerabilities
• JetBrains TeamCity Unauthenticated RCE

New Analytics

• Windows Abused Web Services
• Windows Admin Permission Discovery
• Windows Delete or Modify System Firewall
• Windows Disable or Modify Tools Via Taskkill
• Windows Executable in Loaded Modules
• Windows Njrat Fileless Storage via Registry
• Windows Modify Registry With MD5 Reg Key Name
• Splunk Absolute Path Traversal Using runshellscript
• Splunk DoS Using Malformed SAML Request
• Splunk RCE via Serialized Session Payload
• Splunk Reflected XSS on App Search Table Endpoint
• WS FTP Remote Code Execution
• JetBrains TeamCity RCE Attempt

Updated Analytics

• Windows Replication Through Removable Media"
• TOR Traffic

Other Updates

• Updates to the lookup file : splunk_risky_command
• Tagged relevant detections with NjRat Behavior
• Updates to pretrained_dga_model_dsdl.ipynb notebook for better performance
• Several production detections have correct observables to produce accurate risk objects
• Updates to the generate code for creating BA detection files in the latest SPLv2

v4.12.0

New Analytic Story

• Forest Blizzard

New analytics

• Windows Find Domain Organizational Units with GetDomainOU
• Windows Find Interesting ACL with FindInterestingDomainAcl
• Windows Forest Discovery with GetForestDomain
• Windows Get Local Admin with FindLocalAdminAccess
• Headless Browser Mockbin or Mocky Request
• Headless Browser Usage
• Windows AD Abnormal Object Access Activity (External Contributor : @nterl0k )
• Windows AD Privileged Object Access Activity (External Contributor : @nterl0k )

Other Updates

• Adding CVE to Splunk Edit User Privilege Escalation
• Observables updated for 143+ detections to create accurate risk objects
• Added status field to BA spec
• Updated how to implement sections for all detections based on Endpoint.Processes

New Playbooks

• Jira Related Tickets Search

v4.11.1

New Analytic Story

• Juniper JunOS Remote Code Execution
• Flax Typhoon
• Windows Error Reporting Service Elevation of Privilege Vulnerability
• Ivanti Sentry Authentication Bypass CVE-2023-38035
• Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360

New Analytics

• Juniper Networks Remote Code Execution Exploit Detection
• Windows SQL Spawning CertUtil
• Ivanti Sentry Authentication Bypass
• Adobe ColdFusion Access Control Bypass
• Adobe ColdFusion Unauthenticated Arbitrary File Read
• Splunk DOS via printf search function

Updated Analytics

• Splunk risky Command Abuse disclosed february 2023

Other Updates

• Added status field to BA package
• Updated splunk_risky_command.csv to splunk_risky_command_20230830.csv lookup file and updated the contents in the file

v4.11.0

New Analytic Story

• Juniper JunOS Remote Code Execution
• Flax Typhoon
• Windows Error Reporting Service Elevation of Privilege Vulnerability
• Ivanti Sentry Authentication Bypass CVE-2023-38035
• Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360

New Analytics

• Juniper Networks Remote Code Execution Exploit Detection
• Windows SQL Spawning CertUtil
• Ivanti Sentry Authentication Bypass
• Adobe ColdFusion Access Control Bypass
• Adobe ColdFusion Unauthenticated Arbitrary File Read
• Splunk DOS via printf search function

Updated Analytics

• Splunk risky Command Abuse disclosed february 2023

Other Updates

• Added status field to BA package
• Updated splunk_risky_command.csv to splunk_risky_command_20230830.csv lookup file and updated the contents in the file