Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had 2 releases of new security content via the Enterprise Security Content Update (ESCU) app (v4.24.0 and v4.25.0). With these releases, there are 27 new analytics, 5 new analytic stories, 110 updated analytics, and 1 updated analytic story now available in Splunk Enterprise Security via the ESCU application update process.

Content highlights include:

• New content to help detect Midnight Blizzard (also known as Nobelium and APT29) attack techniques, improving detection coverage against sophisticated threats targeting Microsoft 365 environments. To learn more about Midnight Blizzard and the security content created by the Splunk Threat Research Team, check out the blog “Hunting M365 Invaders: Navigating the Shadows of Midnight Blizzard.”
• A new analytic story with content that can be used to help detect Phemedrone Stealer activities. To learn more about Phemedrone Stealer and the security content created by the Splunk Threat Research Team, check out the blog “Unveiling Phemedrone Stealer: Threat Analysis and Detections.”
• New content to help detect the critical ConnectWise ScreenConnect CVE-2024-1709 vulnerability, which allows an attacker to bypass authentication using an alternate path or channel.

New Analytics (27)

• Azure AD Admin Consent Bypassed by Service Principal
• Azure AD FullAccessAsApp Permission Assigned
• Azure AD Multiple Service Principals Created by SP
• Azure AD Multiple Service Principals Created by User
• Azure AD Privileged Graph API Permission Assigned
• Azure AD Service Principal Authentication
• O365 Admin Consent Bypassed by Service Principal
• O365 FullAccessAsApp Permission Assigned
• O365 Multiple Mailboxes Accessed via API
• O365 Multiple Service Principals Created by SP
• O365 Multiple Service Principals Created by User
• O365 OAuth App Mailbox Access via EWS
• O365 OAuth App Mailbox Access via Graph API
• O365 Privileged Graph API Permission Assigned
• Network Traffic to Active Directory Web Services Protocol
• Windows Privilege Escalation Suspicious Process Elevation
• Windows Privilege Escalation System Process Without System Parent
• Windows Privilege Escalation User Process Spawn System Process
• Windows SOAPHound Binary Execution
• Ivanti Connect Secure SSRF in SAML Component
• ConnectWise ScreenConnect Path Traversal
• ConnectWise ScreenConnect Path Traversal Windows SACL
• Windows Non Discord App Access Discord LevelDB
• Windows Time Based Evasion via Choice Exec
• Windows Unsecured Outlook Credentials Access In Registry
• ConnectWise ScreenConnect Authentication Bypass
• WordPress Bricks Builder plugin RCE

New Analytic Stories (5)

• Office 365 Collection Techniques
• Phemedrone Stealer
• ConnectWise ScreenConnect Vulnerabilities
• Snake Keylogger
• WordPress Vulnerabilities

Updated Analytics (110)

• Splunk unnecessary file extensions allowed by lookup table uploads
• Azure AD High Number Of Failed Authentications From Ip
• Azure AD Multi-Source Failed Authentications Spike
• Azure AD Privileged Role Assigned
• Azure AD Privileged Role Assigned to Service Principal
• Azure AD Service Principal Created
• Azure AD Service Principal New Client Credentials
• Azure AD Service Principal Owner Added
• Azure AD Tenant Wide Admin Consent Granted
• O365 Added Service Principal
• O365 Application Registration Owner Added
• O365 ApplicationImpersonation Role Assigned
• O365 Mailbox Inbox Folder Shared with All Users
• O365 Mailbox Read Access Granted to Application
• O365 Multi-Source Failed Authentications Spike
• O365 Multiple Users Failing To Authenticate From Ip
• O365 Service Principal New Client Credentials
• O365 Suspicious Admin Email Forwarding
• O365 Suspicious Rights Delegation
• O365 Suspicious User Email Forwarding
• O365 Tenant Wide Admin Consent Granted
• Correlation by Repository and Risk
• Correlation by User and Risk
• Any Powershell DownloadFile
• Any Powershell DownloadString
• Attacker Tools On Endpoint
• Create local admin accounts using net exe
• Create Remote Thread In Shell Application
• Creation of Shadow Copy
• Detect Certify Command Line Arguments
• Detect Certify With PowerShell Script Block Logging
• Detect Excessive Account Lockouts From Endpoint
• Detect New Local Admin account
• Detect Regasm with Network Connection
• Detect Regsvcs with Network Connection
• Detect Use of cmd exe to Launch Script Interpreters
• Disable Show Hidden Files
• Disable Windows SmartScreen Protection
• Disabling ControlPanel
• Disabling SystemRestore In Registry
• Download Files Using Telegram
• Elevated Group Discovery with PowerView
• Executable File Written in Administrative SMB Share
• Executables Or Script Creation In Suspicious Path
• Execute Javascript With Jscript COM CLSID
• Execution of File with Multiple Extensions
• Extraction of Registry Hives
• Hiding Files And Directories With Attrib exe
• Linux Account Manipulation Of SSH Config and Keys
• Linux Deletion Of Cron Jobs
• Linux Deletion Of Init Daemon Script
• Linux Deletion Of Services
• Linux Deletion of SSL Certificate
• Linux High Frequency Of File Deletion In Boot Folder
• Linux High Frequency Of File Deletion In Etc Folder
• MacOS LOLbin
• MacOS plutil
• Network Discovery Using Route Windows App
• Non Chrome Process Accessing Chrome Default Dir
• Non Firefox Process Access Firefox Profile Dir
• Overwriting Accessibility Binaries
• PowerShell - Connect To Internet With Hidden Window
• Rundll32 Process Creating Exe Dll Files
• Scheduled Task Deleted Or Created via CMD
• Schtasks scheduling job on remote system
• Spoolsv Spawning Rundll32
• Spoolsv Writing a DLL
• Spoolsv Writing a DLL - Sysmon
• Suspicious Driver Loaded Path
• Suspicious mshta child process
• Suspicious Process DNS Query Known Abuse Web Services
• Suspicious Process File Path
• System Processes Run From Unexpected Locations
• Trickbot Named Pipe
• Windows Account Discovery for None Disable User Account
• Windows AD Replication Request Initiated by User Account
• Windows AD Replication Request Initiated from Unsanctioned Location
• Windows Admin Permission Discovery
• Windows Alternate DataStream - Base64 Content
• Windows Alternate DataStream - Executable Content
• Windows Credentials from Password Stores Chrome Extension Access
• Windows Credentials from Password Stores Chrome LocalState Access
• Windows Credentials from Password Stores Chrome Login Data Access
• Windows Gather Victim Network Info Through Ip Check Web Services
• Windows Process Injection Remote Thread
• Windows Registry Payload Injection
• Windows Replication Through Removable Media
• Windows Rundll32 WebDav With Network Connection
• Windows Scheduled Task Created Via XML
• Windows Scheduled Task Service Spawned Shell
• Windows Security Account Manager Stopped
• Windows Suspect Process With Authentication Traffic
• Windows UAC Bypass Suspicious Child Process
• Windows UAC Bypass Suspicious Escalation Behavior
• Windows WinLogon with Public Network Connection
• WinEvent Scheduled Task Created Within Public Path
• Detect DGA domains using pretrained model in DSDL
• Multiple Archive Files Http Post Traffic
• Plain HTTP POST Exfiltrated Data
• DNS Query Length With High Standard Deviation
• Detect Regasm Spawning a Process
• High Process Termination Frequency
• Linux Edit Cron Table Parameter
• Processes launching netsh
• Registry Keys Used For Persistence
• Suspicious Process Executed From Container File
• Windows File Transfer Protocol In Non-Common Process Path
• Windows Phishing PDF File Executes URL Link
• Windows System Network Connections Discovery Netsh
• Windows User Execution Malicious URL Shortcut File

Updated Analytic Stories (1)

• NOBELIUM Group

The team also published the following 3 blogs:

• Unveiling Phemedrone Stealer: Threat Analysis and Detections
• Hunting M365 Invaders: Navigating the Shadows of Midnight Blizzard
• Another Year of RATs and Trojan Stealer: Detection Commonalities and Summary

Plus, Principal Threat Researcher Michael Haag hosted the Tech Talk "Using the Splunk Threat Research Team’s Latest Security Content.” During this Tech Talk, Michael provided:

• Best practices for accessing and using the team’s content in the ESCU app
• An overview of the team’s content updates between November and January
• Deeper dives into new content for detecting DarkGate malware, Office 365 account takeover, and Windows Attack Surface Reduction events

You can watch the Tech Talk on-demand here. For all our tools and security content, please visit research.splunk.com.

— The Splunk Threat Research Team