Releases: splunk/security_content

v4.0.1

20 Apr 20:06
9231773

This is not a full release of ESCU. It is a patch release addressing one issue in SSA_Content-v4.0.0.tar.gz and previous SSA_Content packages. The rest of this release is identical to v4.0.0.

v4.0.0

18 Apr 21:53
e2c6c24

ESCU v4.0.0

This major version bump to 4.0 includes improvements to the Sigma-to-Search Processing Language (SPL) converter, along with backend changes to testing and content generation.

NOTE: There is no impact to the ESCU application; only our behind-the-scenes tooling was upgraded.

New Analytic Story

  • Winter Vivern
  • Sandworm Tools
  • BlackLotus Campaign

New Analytics

  • Windows Exfiltration Over C2 Via Invoke RestMethod
  • Windows Exfiltration Over C2 Via Powershell UploadString
  • Windows Scheduled Task Created Via XML
  • Windows Screen Capture Via Powershell
  • Windows DNS Gather Network Info
  • Windows Impair Defenses Disable HVCI
  • Windows BootLoader Inventory
  • Windows RDP Connection Successful

Other Updates

  • Tagged several detections with Data Destruction
  • Fixed a number of deprecated and experimental searches that had runtime syntax, parsing, or execution errors.

v3.64.0

04 Apr 19:42
962eec4

Updated Analytic Story

  • 3CX Supply Chain Attack

New Analytics

  • PowerShell Invoke-WmiExec Usage
  • PowerShell Invoke CIMMethod CIMSession
  • PowerShell Enable PowerShell Remoting
  • PowerShell Start or Stop Service
  • Windows PowerShell Get-CIMInstance Remote Computer
  • Windows Enable Win32_ScheduledJob via Registry
  • Windows PowerShell WMI Win32_ScheduledJob
  • Windows Service Create with Tscon
  • Windows Lateral Tool Transfer RemCom
  • Windows Service Create RemComSvc

Other Updates

  • Updated 3CX-related analytics with the CVE ID (CVE-2023-29059)
  • Updated GitHub Actions workflows with appropriate permissions

v3.63.0

30 Mar 20:18
7ba6ca8

New Analytic Story

  • 3CX Supply Chain Attack

New Analytics

  • Hunting 3CXDesktopApp Software
  • Windows Vulnerable 3CX Software
  • 3CX Supply Chain Attack Network Indicators

Updated Analytics

  • Splunk Improperly Formatted Parameter Crashes splunkd

v3.62.0

21 Mar 21:41
55ac860

New Analytic Story

New Analytics

  • Okta Mismatch Between Source and Response for Okta Verify Push Request
  • Okta Multiple Failed Requests to Access Applications
  • Okta Suspicious Use of a Session Cookie
  • Okta Phishing Detection with FastPass Origin Check
  • Okta ThreatInsight Login Failure with High Unknown users
  • Okta ThreatInsight Suspected PasswordSpray Attack
  • Windows Rundll32 WebDAV Request
  • Windows Rundll32 WebDav With Network Connection

Other Updates

  • Updated ransomware_notes.csv and ransomware_extensions.csv files and transforms definition (thanks to @VatsalJagani)
  • Updated playbook name to CrowdStrike OAuth API Device Attribute Lookup
  • Updated several analytics to integrate better with Enterprise Security

v3.61.0

07 Mar 23:38
1ee5360

New Analytic Story

  • Sneaky Active Directory Persistence Tricks (huge thanks and shoutout to Dean Luxton and Steven Dick for contributing detections)
  • BishopFox Sliver Adversary Emulation Framework

New Analytics

  • Notepad with no Command Line Arguments
  • Windows Process Injection into Notepad
  • Windows AD Same Domain SID History Addition
  • Windows AD Cross Domain SID History Addition
  • Windows AD Replication Request Initiated by User Account
  • Windows AD Replication Request Initiated from Unsanctioned Location
  • Windows AD Domain Replication ACL Addition
  • Windows AD DSRM Account Changes
  • Windows AD DSRM Password Reset
  • Windows AD Short Lived Domain Controller SPN Attribute
  • Windows AD Short Lived Server Object
  • Windows AD SID History Attribute Modified
  • Windows AD AdminSDHolder ACL Modified
  • Windows AD ServicePrincipalName Added To Domain Account
  • Windows AD Short Lived Domain Account ServicePrincipalName
  • Windows AD Rogue Domain Controller Network Activity
  • Windows AD Account SID History Addition
  • Windows AD Replication Service Traffic
  • Windows Unusual Count of Disabled Users Failed Auth Using Kerberos
  • Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
  • Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
  • Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
  • Windows Unusual Count Of Users Failed To Auth Using Kerberos
  • Windows Unusual Count Of Users Failed To Authenticate From Process
  • Windows Unusual Count Of Users Failed To Authenticate Using NTLM
  • Windows Unusual Count Of Users Remotely Failed To Auth From Host

Updated Analytics

  • Impacket Lateral Movement Commandline Parameters (Thank you Chris Chantrey)
  • Suspicious Regsvr32 Register Suspicious Path (Thank you DipsyTipsy)
  • Suspicious Reg.exe Process (Thank you DipsyTipsy)
  • Linux SSH Remote Services Script Execute (Thank you DipsyTipsy)

New Playbooks

  • Automated Enrichment (Parent Playbook)
    • Dynamic Attribute Lookup
    • Dynamic Identifier Reputation Analysis
    • Dynamic Related Tickets Search
  • ServiceNow Related Tickets Search
  • Splunk Notable Related Tickets Search
  • AD LDAP Entity Attributes Lookup
  • Azure AD Graph User Attributes Lookup
  • Crowdstrike OAuth API Device Attribute

Other Updates

  • Removed experimental/deprecated BA detections from develop and research.splunk.com
  • Migrated Password Spraying to XML
  • Updated all of the Splunkbase apps used by our automated testing framework

v3.60.0

21 Feb 21:03
aca80cb

New Analytic Story

New Analytics

  • Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
  • Linux Data Destruction Command
  • Linux Hardware Addition SwapOff
  • Linux Impair Defenses Process Kill
  • Linux Indicator Removal Clear Cache
  • Linux Indicator Removal Service File Deletion
  • Linux System Reboot Via System Request Key
  • Linux Unix Shell Enable All SysRq Functions
  • Windows Steal Authentication Certificates CryptoAPI
  • Windows Mimikatz Crypto Export File Extensions

Updated Analytics

  • Linux Deletion Of Services
  • Linux Disable Services
  • Linux Shred Overwrite Command
  • Linux Service Restarted
  • Linux Stop Services
  • Linux Deleting Critical Directory Using RM Command
  • Wbemprox COM Object Execution

Other Updates

  • Added Lateral Movement story to deprecated with a note to refer to Active Directory Lateral Movement analytic story.
  • Removed observables from action.escu.annotations in savedsearches.conf.
  • Added MSAccess.exe to all the Microsoft Office analytics
  • Updated Detect Outlook exe writing a zip file and removed explorer.exe, as it was generating the bulk of the noise.

v3.59.0

14 Feb 17:50
ecf185a

New Analytics

  • Splunk csrf in the ssg kvstore client endpoint
  • Splunk Improperly Formatted Parameter Crashes splunkd
  • Persistent XSS in RapidDiag through User Interface Views
  • Splunk risky Command Abuse disclosed february 2023
  • Splunk unnecessary file extensions allowed by lookup table uploads
  • Splunk XSS via View
  • Splunk list all nonstandard admin accounts

Updated Analytic Story

  • Splunk Vulnerabilities

v3.58.0

07 Feb 22:17
d2ddfc1

New Analytic Story

  • AsyncRAT
  • Compromised User Account
  • Swift Slicer
  • Windows Certificate Services

New Analytics

  • AWS AD New MFA Method Registered For User
  • AWS Concurrent Sessions From Different Ips
  • AWS High Number Of Failed Authentications For User
  • AWS High Number Of Failed Authentications From Ip
  • AWS Password Policy Changes
  • AWS Successful Console Authentication From Multiple IPs
  • Azure AD Concurrent Sessions From Different Ips
  • Azure AD High Number Of Failed Authentications For User
  • Azure AD High Number Of Failed Authentications From Ip
  • Azure AD New MFA Method Registered For User
  • Azure AD Successful Authentication From Different Ips
  • Detect suspicious processnames using a pretrained model in DSDL
  • Driver Inventory
  • LOLBAS With Network Traffic (Thanks to @nterl0k)
  • Windows Data Destruction Recursive Exec Files Deletion
  • Windows Export Certificate
  • Windows PowerShell Export Certificate
  • Windows PowerShell Export PfxCertificate
  • Windows Spearphishing Attachment Onenote Spawn Mshta
  • Windows Steal Authentication Certificates Certificate Issued
  • Windows Steal Authentication Certificates Certificate Request
  • Windows Steal Authentication Certificates CertUtil Backup
  • Windows Steal Authentication Certificates CS Backup
  • Windows Steal Authentication Certificates Export Certificate
  • Windows Steal Authentication Certificates Export PfxCertificate
  • Windows Powershell Cryptography Namespace
  • Windows Scheduled Task with Highest Privileges
  • Windows Spearphishing Attachment Connect To None MS Office Domain

Updated Analytics

  • AWS Multiple Users Failing To Authenticate From Ip
  • Exploit Public Facing Application via Apache Commons Text
  • Office Application Drop Executable (Thanks to @TheLawsOfChaos)
  • Office Product Spawning MSHTA
  • Rundll32 with no Command Line Arguments with Network (Thanks to @nterl0k)
  • Windows Java Spawning Shells

Other Updates

  • Moved 12 failing detections to experimental
  • Fixed a number of detections that use an incorrect sourcetype in their macro.
  • Several Endpoint detections updated from proc_guid to process_guid (Thanks to @nterl0k)

v3.57.0

24 Jan 23:24
b3ebd4b

New Analytic Story

  • Chaos Ransomware
  • LockBit Ransomware

New Analytics

  • Detect suspicious DNS TXT records using pretrained model in DSDL
  • Windows Boot or Logon Autostart Execution In Startup Folder
  • Windows Modify Registry Default Icon Setting
  • Windows Phishing PDF File Executes URL Link
  • Windows Replication Through Removable Media
  • Windows User Execution Malicious URL Shortcut File
  • Windows Vulnerable Driver Loaded
  • Linux Ngrok Reverse Proxy Usage
  • Windows Server Software Component GACUtil Install to GAC
  • Windows PowerShell Add Module to Global Assembly Cache
  • Windows Credential Dumping LSASS Memory Createdump

Updated Analytics

  • Known Services Killed by Ransomware
  • Windows DLL Search Order Hijacking Hunt
  • Windows DLL Search Order Hijacking Hunt Sysmon
  • ProxyShell ProxyNotShell Behavior Detected (correlation)

Other Updates

  • Added 3 new playbook files: Dynamic Identifier Reputation Analysis, PhishTank URL Reputation Analysis, VirusTotal v3 Identifier Reputation Analysis from phantomcyber/playbooks to security_content
  • Added onenote.exe to several detection analytics related to Office Products