Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise Security Content Update (ESCU) app (v4.29.0 and v4.30.0). With these releases, there are 41 new analytics, 5 new analytic stories, 32 updated analytics, and 3 updated analytic stories now available in Splunk Enterprise Security via the ESCU application update process.

Content highlights include:

• The new Okta Account Takeover analytic story features detections covering suspicious activities within an Okta tenant, including failed multi-factor authentication attempts and unauthorized Identity Provider modifications.
• The new Windows AppLocker analytic story features detections covering WindowsAppLocker event logs to help detect attempts to bypass application restrictions.
• The new Zscaler Browser Proxy Threats analytic story features detections covering threats blocked by Zscaler, including malware, crypto-miners, virus downloads, and more.

New Analytics (41)

• Windows InProcServer32 New Outlook Form
• Windows MSHTA Writing to World Writable Path
• Windows New InProcServer32 Added
• Windows Phishing Outlook Drop Dll In FORM Dir
• Windows SqlWriter SQLDumper DLL Sideload
• Okta Authentication Failed During MFA Challenge
• Okta IDP Lifecycle Modifications
• Okta Multi-Factor Authentication Disabled
• Okta Multiple Accounts Locked Out
• Okta Multiple Failed MFA Requests For User
• Okta Multiple Users Failing To Authenticate From Ip
• Okta Successful Single Factor Authentication
• Okta Unauthorized Access to Application
• O365 Compliance Content Search Exported
• O365 Compliance Content Search Started
• O365 Elevated Mailbox Permission Assigned
• O365 Mailbox Email Forwarding Enabled
• O365 Mailbox Folder Read Permission Assigned
• O365 Mailbox Folder Read Permission Granted
• O365 New Email Forwarding Rule Created
• O365 New Email Forwarding Rule Enabled
• O365 New Forwarding Mailflow Rule Created
• O365 Security And Compliance Alert Triggered
• Okta User Logins From Multiple Cities
• Windows AppLocker Block Events
• Windows AppLocker Execution from Uncommon Locations
• Windows AppLocker Privilege Escalation via Unauthorized Bypass
• Windows AppLocker Rare Application Launch Detection
• Windows Unsigned MS DLL Side-Loading
• Zscaler Adware Activities Threat Blocked
• Zscaler Behavior Analysis Threat Blocked
• Zscaler CryptoMiner Downloaded Threat Blocked
• Zscaler Employment Search Web Activity
• Zscaler Exploit Threat Blocked
• Zscaler Legal Liability Threat Blocked
• Zscaler Malware Activity Threat Blocked
• Zscaler Phishing Activity Threat Blocked
• Zscaler Potentially Abused File Download
• Zscaler Privacy Risk Destinations Threat Blocked
• Zscaler Scam Destinations Threat Blocked
• Zscaler Virus Download threat blocked

New Analytic Stories (5)

• APT29 Diplomatic Deceptions with WINELOADER
• Outlook RCE CVE-2024-21378
• Okta Account Takeover
• Windows AppLocker
• Zscaler Browser Proxy Threats

Updated Analytics (32)

• CertUtil With Decode Argument
• Email Attachments With Lots Of Spaces
• Okta MFA Exhaustion Hunt
• Okta Mismatch Between Source and Response for Verify Push Request
• Okta Multiple Failed Requests to Access Applications
• Okta New API Token Created
• Okta New Device Enrolled on Account
• Okta Phishing Detection with FastPass Origin Check
• Okta Risk Threshold Exceeded
• Okta Suspicious Activity Reported
• Okta Suspicious Use of a Session Cookie
• Okta ThreatInsight Threat Detected
• Suspicious Email Attachment Extensions
• O365 Admin Consent Bypassed by Service Principal
• O365 Application Impersonation Role Assigned
• O365 Mailbox Inbox Folder Shared with All Users
• O365 PST export alert
• Detect Use of cmd exe to Launch Script Interpreters
• Detection of tools built by NirSoft
• Excessive File Deletion In WinDefender Folder
• Linux Account Manipulation Of SSH Config and Keys
• Linux Deletion of SSL Certificate
• Malicious Powershell Executed As A Service
• Registry Keys Used For Persistence
• SchCache Change By App Connect And Create ADSI Object
• Suspicious Regsvr32 Register Suspicious Path
• Windows Data Destruction Recursive Exec Files Deletion
• Windows High File Deletion Frequency
• Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
• SMB Traffic Spike
• SMB Traffic Spike - MLTK
• Web Remote ShellServlet Access

Updated Analytic Stories (3)

• Azure Active Directory Account Takeover
• Compromised User Account
• GCP Account Takeover

The team also published the blog From Water to Wine: An Analysis of WINELOADER.

For all our tools and security content, please visit research.splunk.com.

— The Splunk Threat Research Team