Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security Content Update (ESCU) app (v4.26.0, v4.27.0, and v4.28.0). With these releases, there are 18 new analytics, 1 new analytic story, 31 updated analytics, and 2 updated analytic stories now available in Splunk Enterprise Security via the ESCU application update process.

Content highlights include:

• A new analytic story and detections for CVE-2024-27198 and CVE-2024-27199. This security content addresses critical authentication bypass vulnerabilities in JetBrains TeamCity. To learn more about these vulnerabilities and security content, check out our blog.
• Six new detections for remote monitoring management (RMM) software abuse contributed by @nterl0k. Thank you!

New Analytics (18)

• Cloud Security Groups Modifications by User
• Detect Remote Access Software Usage File (External Contributor : @nterl0k)
• Detect Remote Access Software Usage FileInfo (External Contributor : @nterl0k)
• Detect Remote Access Software Usage Process (External Contributor : @nterl0k)
• Windows Multiple Account Passwords Changed
• Windows Multiple Accounts Deleted
• Windows Multiple Accounts Disabled
• Detect Remote Access Software Usage DNS (External Contributor : @nterl0k)
• Detect Remote Access Software Usage Traffic (External Contributor : @nterl0k)
• High Volume of Bytes Out to Url
• Detect Remote Access Software Usage URL (External Contributor : @nterl0k)
• JetBrains TeamCity Authentication Bypass CVE-2024-27198
• JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198
• JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199
• Nginx ConnectWise ScreenConnect Authentication Bypass
• Windows Credential Access From Browser Password Store
• Windows Known Abused DLL Created (External Contributor : @nterl0k)
• Splunk Authentication Token Exposure in Debug Log

New Analytic Stories (1)

• JetBrains TeamCity Vulnerabilities

Updated Analytics (31)

• AWS IAM Delete Policy
• O365 Multiple Users Failing To Authenticate From Ip
• ConnectWise ScreenConnect Authentication Bypass
• JetBrains TeamCity RCE Attempt
• Okta User Logins From Multiple Cities
• Path traversal SPL injection
• Splunk User Enumeration Attempt
• AWS Concurrent Sessions From Different Ips
• AWS Credential Access RDS Password reset
• Kubernetes Nginx Ingress LFI
• Kubernetes Nginx Ingress RFI
• Kubernetes Previously Unseen Process
• Detect AzureHound Command-Line Arguments
• Detect AzureHound File Modifications
• Detect SharpHound Command-Line Arguments
• Detect SharpHound File Modifications
• Detect SharpHound Usage
• Disabling Windows Local Security Authority Defences via Registry
• Linux Iptables Firewall Modification
• Linux Kworker Process In Writable Process Path
• Linux Stdout Redirection To Dev Null File
• Network Traffic to Active Directory Web Services Protocol
• System Information Discovery Detection
• Windows SOAPHound Binary Execution
• Splunk Command and Scripting Interpreter Risky Commands
• ASL AWS Concurrent Sessions From Different Ips
• Gsuite Outbound Email With Attachment To External Domain
• Detect Excessive Account Lockouts From Endpoint
• Detect Excessive User Account Lockouts
• Short Lived Windows Accounts
• Windows Create Local Account

Updated Analytic Stories (2)

• Cyclops Blink
• Sneaky Active Directory Persistence Tricks

The team also published the following 3 blogs:

• Security Insights: JetBrains TeamCity CVE-2024-27198 and CVE-2024-27199
• Under the Hood of SnakeKeylogger: Analyzing its Loader and its Tactics, Techniques, and Procedures
• Splunk Security Content for Threat Detection & Response: Q4 Roundup

For all our tools and security content, please visit research.splunk.com.

— The Splunk Threat Research Team