v5.8.0

Key Highlights

• 🥸Remote Employment Fraud Detections
  Remote Employment Fraud involves threat actors posing as job seekers or employers in order to gain unauthorized access to systems or employment through deceptive means. In many cases, it involves the use of fraudulent or stolen identity documents which are used to hide the true identity and/or location of an employee. This release includes a number of analytics that can help detect the digital footprint of employment fraud through the analysis of unexpected Network behaviors (such as VPN usage or anomalously high latency) or the presence of nonstandard audio or video devices.
• 📦Inno Setup Abuse
  Inno Setup is a widely used, legitimate packaging tool for the installation of software in Windows environments. Recently, it has seen increasingly common usage by malicious actors, hiding embedded malware payloads in otherwise benevolent software installers. These payloads, which are often encrypted or obfuscated, are then executed by a number of different means such as scripting or process injection. This story demonstrates a number of different techniques observed by malware abusing Inno Setup to gain execution and persistence.
• 🕸️Web Browser Abuse
  Locally installed malware may use Web Browsers to aid in the execution of malicious code, perform command and control, or transfer files. To decrease their footprint or provide flexibility in how they operate, this malware may supply a number of nonstandard command line flags when launching browsers. This release supplies a number of analytics which recognize these suspicious flags.

New Analytic Story - [2]

• Malicious Inno Setup Loader
• Remote Employment Fraud

New Analytics - [4]

• Windows Chromium Browser No Security Sandbox Process
• Windows Chromium Browser with Custom User Data Directory
• Windows DNS Query Request To TinyUrl
• Windows Disable Internet Explorer Addons

Updated Analytics - [63]

• A number of analytics have been updated with improved formatting and tagged with new analytic stories.
• Several analytics had their logic tuned, improved and updated.
  Cobalt Strike Named Pipes
  Detect Renamed WinRAR
  Excessive Usage Of Cacls App
  Icacls Deny Command
  ICACLS Grant Command
  Modify ACL permission To Files Or Folder
  Network Traffic to Active Directory Web Services Protocol
  Suspicious Copy on System32
  Windows Files and Dirs Access Rights Modification Via Icacls

Other Updates

• Added Macro - “zoom_index”
• Updated Macro “gsuite_drive”
• As previously communicated in the ESCU v5.6.0 release, several detections have been removed. For a complete list of the detections removed in version v5.8.0, refer to the List of Removed Detections in v5.8.0. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v5.10.0, see the List of Detections Scheduled for Removal in ESCU v5.10.0.

v5.7.0

Key highlights

ESCU 5.7.0 brings tighter integration with Cisco Security Products and a number of fixes and improvements to existing content:

🛡️ Cisco Secure Firewall Threat Defense Integration
Improved and tested several ESCU detections to work with Event Streamer (eStreamer) data collected by the Cisco Secure Firewall Threat Defense (FTD) platform. For more information about Cisco Secure Firewall, go to the Cisco Secure Firewall site or refer to the Cisco Secure Firewall Threat Defense Analytics analytic story.

🐛 Bugfixes based on community feedback
Feedback from community members and users continues to be one of the best paths to improve the quality and performance of ESCU content. This release includes a number of bug fixes that reduces false positives and improves the risk entities and fields returned from searches.

New Analytics - [1]

• Cisco Secure Firewall - Remote Access Software Usage Traffic

Updated Analytics - [12]

• AWS Defense Evasion Impair Security Services
• Detect Outbound LDAP Traffic
• Detect Remote Access Software Usage Traffic
• Internal Horizontal Port Scan NMAP Top 20
• Internal Horizontal Port Scan
• Internal Vertical Port Scan
• O365 Concurrent Sessions From Different Ips
• Prohibited Network Traffic Allowed
• Protocol or Port Mismatch
• Protocols passing authentication in cleartext
• TOR Traffic
• Windows Sensitive Registry Hive Dump Via CommandLine

Other Updates

• Added lookup cisco_secure_firewall_appid_remote_mgmt_and_desktop_tools
• Updated lookups cisco_secure_firewall_filetype_lookup and cisco_snort_ids_to_threat_mapping
• No detections have been removed in the ESCU v5.7.0 release. As previously communicated in the ESCU v5.6.0 release, several detections will be removed in ESCU v5.8.0. For details on detections scheduled for removal in ESCU version v5.8.0, see the List of Detections Scheduled for Removal in ESCU v5.8.0

v5.6.0

Key highlights

🛡️ Cisco Secure Firewall Intrusion Analytics
We developed six new analytic rules using Intrusion logs to detect high-priority intrusion events, group alerts by threat activity, identify Lumma Stealer behaviors (download and outbound attempts), and monitor Veeam CVE-2023-27532 exploitation by combining the presence of specific Snort IDs triggered in a short period of time.

📊 Threat Activity by Snort IDs Dashboard
A new dashboard leveraging Cisco Firewall logs from eStreamer and a curated lookup to correlate Snort intrusion identifiers with specific threat actors, visualize device-wide activity and file trends, and explore the overall risk profile of the host with events from Splunk Enterprise Security.

📝 New Analytic Story & Threat Mappings
We published a new analytic story on Fake CAPTCHA campaigns—mapping existing detections to observed TTPs and introducing a Windows PowerShell FakeCAPTCHA Clipboard Execution detection—and completed comprehensive Xworm RAT threat mapping to ensure broad detection coverage.

New Analytic Story - [2]

• Fake CAPTCHA Campaigns
• XWorm

New Analytics - [8]

• Cisco Secure Firewall - High Priority Intrusion Classification
• Cisco Secure Firewall - Intrusion Events by Threat Activity
• Cisco Secure Firewall - Lumma Stealer Activity
• Cisco Secure Firewall - Lumma Stealer Download Attempt
• Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt
• Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity
• Windows PowerShell FakeCAPTCHA Clipboard Execution
• Windows Renamed Powershell Execution

Other Updates

• Added two new lookups cisco_snort_ids_to_threat_mapping and threat_snort_count that contain information about snort Ids that are mapped to specific threat actors

• Updated several detections based on customer feedback and bug reports on Github issues.

• As previously communicated in the ESCU v5.4.0 release, several detections have been removed. For a complete list of the detections removed in version v5.6.0, refer to the List of Removed Detections in v5.6.0. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v5.8.0, see the List of Detections Scheduled for Removal in ESCU v5.8.0

v5.5.0

✨ Highlights

• 🛡️ SAP NetWeaver Exploitation
  Released a new analytic story targeting CVE-2025-31324 in SAP NetWeaver, including a dedicated hunting detection for “SAP NetWeaver Visual Composer Exploitation Attempt” to catch early signs of exploitation. You can read more about this vulnerability here.

• 🍏 AMOS Stealer Analytics
  Added a new analytic story for AMOS Stealer and introduced the “macOS AMOS Stealer – Virtual Machine Check Activity” detection, which looks for the execution of the osascript command along with specific command-line strings.

• 🪟 Additional Windows Detections
  We shipped three new Windows-focused detections to improve visibility into post-compromise activity: one that identifies reconnaissance by monitoring built-in log query utilities against the Windows Event Log, another that alerts when an adversary clears the Event Log via Wevtutil, and a third that detects malicious file downloads executed through the CertUtil utility.

New Analytic Story - [2]

• AMOS Stealer
• SAP NetWeaver Exploitation

New Analytics - [5]

• MacOS AMOS Stealer - Virtual Machine Check Activity
• SAP NetWeaver Visual Composer Exploitation Attempt
• Windows EventLog Recon Activity Using Log Query Utilities
• Windows Eventlog Cleared Via Wevtutil
• Windows File Download Via CertUtil

Other Updates

• Updated theis_nirsoft_software lookup with additional nirsoft tooling
• Updated attack_data links for several detections.

v5.4.0

✨ Highlights

• 🔥 Cisco Secure Firewall Threat Defense Analytics: We published a new analytic story and added new detections for Cisco Secure Firewall focusing on three primary event types—file events, network connections, and intrusion alerts. These detections identify activity such as malicious or uncommon file downloads, connections over suspicious ports or to file-sharing domains, and Snort rule-based intrusion events across multiple hosts. This enables broader visibility into network-based threats and host-level indicators of compromise.

• 🤖 AWS Bedrock Security: Released a new analytic story to monitor for adversary techniques targeting AWS Bedrock, a managed service used to build and scale generative AI applications. This includes detections for the deletion of security guardrails, knowledge bases, and logging configurations, as well as high volumes of model invocation failures.

• 🕵️ Mapping Threat Campaigns: Several detections have been mapped to known threat actors and malware campaigns, including Cactus Ransomware, Earth Alux, Storm-2460 CLFS Zero Day Exploitation and Water Gamayun, to improve attribution to TTPs and provide insights into observed behaviors.

• 🆕 New Detections: Introduced additional detections for tactics such as directory path manipulation via MSC files, IP address collection using PowerShell Invoke-RestMethod, process spawning from CrushFTP, and deletion of Volume Shadow Copies via WMIC. These detections target adversary behavior related to discovery, lateral movement, and anti-forensics.

---

📚 New Analytic Stories – [6]

• AWS Bedrock Security
• Cactus Ransomware
• Cisco Secure Firewall Threat Defense Analytics
• Earth Alux
• Storm-2460 CLFS Zero Day Exploitation
• Water Gamayun

---

🧠 New Analytics – [27]

• AWS Bedrock Delete GuardRails
• AWS Bedrock Delete Knowledge Base
• AWS Bedrock Delete Model Invocation Logging Configuration
• AWS Bedrock High Number List Foundation Model Failures
• AWS Bedrock Invoke Model Access Denied
• Cisco Secure Firewall - Binary File Type Download
• Cisco Secure Firewall - Bits Network Activity
• Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint
• Cisco Secure Firewall - Blocked Connection
• Cisco Secure Firewall - Communication Over Suspicious Ports
• Cisco Secure Firewall - Connection to File Sharing Domain
• Cisco Secure Firewall - File Download Over Uncommon Port
• Cisco Secure Firewall - High EVE Threat Confidence
• Cisco Secure Firewall - High Volume of Intrusion Events Per Host
• Cisco Secure Firewall - Malware File Downloaded
• Cisco Secure Firewall - Potential Data Exfiltration
• Cisco Secure Firewall - Rare Snort Rule Triggered
• Cisco Secure Firewall - Repeated Blocked Connections
• Cisco Secure Firewall - Repeated Malware Downloads
• Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts
• Cisco Secure Firewall - Wget or Curl Download
• CrushFTP Authentication Bypass Exploitation
• CrushFTP Max Simultaneous Users From IP
• Windows MSC EvilTwin Directory Path Manipulation
• Windows PowerShell Invoke-RestMethod IP Information Collection
• Windows Shell Process from CrushFTP
• Windows WMIC Shadowcopy Delete

---

🛠 Other Updates

• 🔄 Reverted several searches to use | join instead of prestats = t due to bugs encountered in the search logic.
• ❌ Removed Detections – As notified in the ESCU v5.2.0 release, we have removed these detections. Please use replacements where appropriate.
• 🗓️ Deprecated more detections now scheduled for removal in ESCU v5.6.0.
• 📥 Updated deprecation_info lookup to reflect the latest list of deprecated and removed detections.

v5.3.0

Key Highlights

• ⚙️ Detection Output Standardization: Additionally, we’ve updated the majority of our detections to include a standardized set of output fields within each detection analytic and enhanced our tooling to consistently enforce this structure—improving usability, correlation, and integration across security workflows.

• 🚨 Apache Tomcat Session Deserialization Attacks: CVE-2025-24813 is an unauthenticated remote code execution vulnerability in Apache Tomcat’s partial PUT feature disclosed on March 10, 2025. We introduced a new analytic story targeting potential exploitation of Apache Tomcat servers. This story includes detections for suspicious session deserialization attempts and file uploads—techniques commonly used by attackers to gain remote access or execute arbitrary code.

• 🪟 Windows Shortcut Exploit Abuse: Released a new analytic story to detect emerging exploitation patterns involving Windows LNK files. This includes detections for abuse of SSH ProxyCommand, LNK files with abnormal padding, and Windows Explorer spawning suspicious processes like PowerShell or CMD. These analytics are designed to surface stealthy initial access and execution techniques leveraged in recent zero-day attacks. More details can be found here - (ZDI-CAN-25373)

• 💥 New Ransomware Campaigns: We’ve expanded our ransomware mapping to include detection coverage for emerging threats such as Medusa Ransomware, Termite, Van Helsing, Salt Typhoon, and Sea Shell Blizzard. These mappings help contextualize detections within current threat actor TTPs and provide better visibility into campaign-specific behaviors.

• 🔥 Windows Firewall Rule Monitoring: We also introduced new detections to monitor firewall-related security events on Windows systems, including: Windows Firewall Rule Added, Windows Firewall Rule Deletion, and Windows Firewall Rule Modification—helping security teams track unauthorized or suspicious changes to host-based firewall configurations.

New Analytic Stories - [8]

• Apache Tomcat Session Deserialization Attacks
• Medusa Ransomware
• PHP-CGI RCE Attack on Japanese Organizations
• Salt Typhoon
• Seashell Blizzard
• Termite Ransomware
• VanHelsing Ransomware
• ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day (Contributor: @ajkingio , @hunter-3)

New Analytics - [15]

• Detect Large ICMP Traffic
• Tomcat Session Deserialization Attempt
• Tomcat Session File Upload Attempt
• Windows AD Self DACL Assignment
• Windows ConsoleHost History File Deletion
• Windows Explorer LNK Exploit Process Launch With Padding (Contributor: @ajkingio, @hunter-3)
• Windows Explorer.exe Spawning PowerShell or Cmd (Contributor: @ajkingio, @hunter-3)
• Windows Firewall Rule Added
• Windows Firewall Rule Deletion
• Windows Firewall Rule Modification
• Windows MSTSC RDP Commandline
• Windows Powershell History File Deletion
• Windows Process Injection into Commonly Abused Processes (Contributor: @0xC0FFEEEE)
• Windows Remote Host Computer Management Access
• Windows SSH Proxy Command(Contributor: @ajkingio, @hunter-3)

Other Updates

• Updated ransomware_extensions and remote_access_software lookup with new values. (Contributor @sventec)
• Updated a majority of detections to output improved field names, which should enhance how they appear in Enterprise Security. We also added output_fields to the data source objects to enforce output validation for detection analytics
• Fixed a minor bug that prevented the deprecated and removed content warning banner from displaying correctly on the landing page

v5.2.0

Key highlights

We released new analytic stories and detections to enhance monitoring and security across GitHub, O365, and SQL Server environments. Here’s a summary of the latest updates:

• 👨‍💻 GitHub Malicious Activity: A new analytic story focused on detecting potential security risks and policy violations in GitHub Enterprise and GitHub Organizations. This includes detections for disabling 2FA requirements, modifying or pausing audit log event streams, deleting repositories, disabling security features like Dependabot and branch protection rules, and registering unauthorized self-hosted runners—helping organizations prevent unauthorized changes and account takeovers.

• 📧 O365 Email Threat Monitoring: Expanded coverage for malicious email activity in O365 environments. New detections focus on identifying inbox rule modifications, excessive email deletions, suspicious exfiltration behavior, and attempts to compromise payroll or password information. These detections help security teams track and mitigate email-based attacks, account takeovers, and data exfiltration tactics.

• 🗒️ SQL Server Abuse: Introduced a new analytic story targeting SQL Server exploitation tactics. These detections cover malicious SQLCMD execution, abuse of xp_cmdshell, unauthorized configuration changes, and the loading of potentially dangerous extended procedures. This enhanced monitoring helps organizations detect lateral movement and privilege escalation attempts in Windows-based SQL environments.

• 🔍 We have also mapped several of our existing detections to the Black Basta Ransomware, SnappyBee and SystemBC malware families as they continue to make headlines targeting various organizations.

• 🎗️ As announced in ESCU v5.0.0 release, we are removing old and dated content from the app starting with ESCU v5.2.0, which includes several removal of detections in this release to improve quality of detections. Along with the deprecation assistant that is shipped in the application, you can also refer to this list of removed detections and replacements on Splunk docs.

New Analytic Story - [6]

• Black Basta Ransomware
• China-Nexus Threat Activity
• GitHub Malicious Activity
• SQL Server Abuse
• SnappyBee
• SystemBC

New Analytics - [43]

• Executables Or Script Creation In Temp Path
• GitHub Enterprise Delete Branch Ruleset
• GitHub Enterprise Disable 2FA Requirement
• GitHub Enterprise Disable Audit Log Event Stream
• GitHub Enterprise Disable Classic Branch Protection Rule
• GitHub Enterprise Disable Dependabot
• GitHub Enterprise Disable IP Allow List
• GitHub Enterprise Modify Audit Log Event Stream
• GitHub Enterprise Pause Audit Log Event Stream
• GitHub Enterprise Register Self Hosted Runner
• GitHub Enterprise Remove Organization
• GitHub Enterprise Repository Archived
• GitHub Enterprise Repository Deleted
• GitHub Organizations Delete Branch Ruleset
• GitHub Organizations Disable 2FA Requirement
• GitHub Organizations Disable Classic Branch Protection Rule
• GitHub Organizations Disable Dependabot
• GitHub Organizations Repository Archived
• GitHub Organizations Repository Deleted
• O365 BEC Email Hiding Rule Created (External Contributor: @0xC0FFEEEE )
• O365 Email Hard Delete Excessive Volume (External Contributor: @nterl0k)
• O365 Email New Inbox Rule Created (External Contributor: @nterl0k)
• O365 Email Password and Payroll Compromise Behavior (External Contributor: @nterl0k)
• O365 Email Receive and Hard Delete Takeover Behavior (External Contributor: @nterl0k)
• O365 Email Send Attachments Excessive Volume(External Contributor: @nterl0k)
• O365 Email Send and Hard Delete Exfiltration Behavior(External Contributor: @nterl0k)
• O365 Email Send and Hard Delete Suspicious Behavior(External Contributor: @nterl0k)
• O365 Email Suspicious Search Behavior(External Contributor: @nterl0k)
• Windows Anonymous Pipe Activity
• Windows PowerShell Invoke-Sqlcmd Execution
• Windows Process Execution From ProgramData
• Windows SQL Server Configuration Option Hunt
• Windows SQL Server Critical Procedures Enabled
• Windows SQL Server Extended Procedure DLL Loading Hunt
• Windows SQL Server Startup Procedure
• Windows SQL Server xp_cmdshell Config Change
• Windows SQLCMD Execution
• Windows Scheduled Task with Suspicious Command
• Windows Scheduled Task with Suspicious Name
• Windows SnappyBee Create Test Registry
• Windows Sqlservr Spawning Shell
• Windows Svchost.exe Parent Process Anomaly
• Windows Unusual SysWOW64 Process Run System32 Executable

Macros Added - [5]

• github_enterprise
• github_organizations
• o365_messagetrace
• o365_suspect_search_terms_regex
• process_sqlcmd

Macros Updated - [1]

• linux_auditd

Lookups Added - [2]

• deprecation_info
• windows_suspicious_tasks

Lookups Updated - [1]

• ransomware_notes_lookup

Removed detections from v5.2.0

• The list of removed detections and its potential replacements(where available)

Marked for Deprecation in v5.4.0

• AWS SAML Access by Provider User and Principal
• GitHub Actions Disable Security Workflow
• aws detect permanent key creation
• Github Commit In Develop
• Suspicious Driver Loaded Path
• Known Services Killed by Ransomware
• Github Commit Changes In Master
• GitHub Pull Request from Unknown User
• [Suspicious Event Log Service Behavior](https://research.splunk.com/deprecated/2b85aa3d-f5f6-4c2e-a081-a09f6e1c2e...

v5.1.1

Release notes -v5.1.1 (Patch build)

• Minor text update to malicious_powershell_strings.csv lookup file that caused MS Defender to falsely flag ESCU v5.1.0 as a malware.

v5.1.0

Release notes - v5.1.0

Key highlights

We released 4 new analytic stories and added 41 new detection analytics. Some high level details of the new analytic stories in this release

• 📡 Remote Monitoring and Management Software: Added a new story file to help users analyze unauthorized remote monitoring & management (RMM) tool usage, including detection of 3rd-party software installations like AnyDesk and TeamViewer through phishing/drive-by compromises.

• ☁️ AWS S3 Bucket Security Monitoring: A new analytic story which addresses the risks associated with S3 bucket misconfigurations and potential hijacking of decommissioned buckets. This story includes baselines and detections that track public S3 buckets before deletion, monitor access attempts to these bucket names, and identify potential hijacking activities, leveraging AWS CloudTrail logs, DNS queries, and web proxy data to ensure robust monitoring and security.

• 🛡️ Security Solution Tampering: A new analytic story, which includes new detections focused on identifying tampering activities with Cisco Secure Endpoint services. These detections cover techniques such as inhibiting system recovery and disabling or modifying security tools, enhancing our ability to detect and respond to potential security threats.

• 📋 Windows Audit Policy Tampering: We also added detections for Windows audit policies, which are crucial for logging key system activities for monitoring and forensic analysis. This analytic story provides a framework to detect suspicious activities involving audit policy manipulation, such as the use of auditpol.exe with specific flags, helping to uncover potential malicious activity and maintain the integrity of security monitoring mechanisms.

• In addition, external contributor @nterl0k has significantly enhanced our detection capabilities with six new Office 365 security detections and several other detections.. These include monitoring changes to email transport rules, various methods of data exfiltration, and suspicious authentication and search behaviors, providing robust protection against potential threats.

New Analytic Story - [4]

• AWS S3 Bucket Security Monitoring
• Remote Monitoring and Management Software (External Contributor: @nterl0k)
• Security Solution Tampering
• Windows Audit Policy Tampering

New Analytics - [41]

• Cisco Secure Application Alerts
• Cisco AI Defense Security Alerts by Application Name
• Detect Web Access to Decommissioned S3 Bucket
  Detect DNS Query to Decommissioned S3 Bucket
• O365 Email Transport Rule Changed (External Contributor: @nterl0k)
• O365 Exfiltration via File Access (External Contributor: @nterl0k)
• O365 Exfiltration via File Download (External Contributor: @nterl0k)
• O365 Exfiltration via File Sync Download (External Contributor: @nterl0k)
• O365 Multiple OS Vendors Authenticating From User (External Contributor: @nterl0k)
• O365 SharePoint Suspicious Search Behavior (External Contributor: @nterl0k)
• Potential Telegram API Request Via CommandLine (External Contributor: @zake1god)
• Windows Audit Policy Auditing Option Disabled via Auditpol
• Windows Audit Policy Auditing Option Modified - Registry
• Windows Audit Policy Cleared via Auditpol
• Windows Audit Policy Disabled via Auditpol
• Windows Audit Policy Disabled via Legacy Auditpol
• Windows Audit Policy Excluded Category via Auditpol
• Windows Audit Policy Restored via Auditpol
• Windows Audit Policy Security Descriptor Tampering via Auditpol
• Windows BitLocker Suspicious Command Usage (External Contributor: @nterl0k)
• Windows Cisco Secure Endpoint Related Service Stopped
• Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc
• Windows Cisco Secure Endpoint Unblock File Via Sfc
• Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc
• Windows Compatibility Telemetry Suspicious Child Process
• Windows Compatibility Telemetry Tampering Through Registry
• Windows Event Logging Service Has Shutdown
• Windows Global Object Access Audit List Cleared Via Auditpol
• Windows Important Audit Policy Disabled
• Windows PowerShell Process With Malicious String (External Contributor: @nterl0k)
• Windows PowerShell Script Block With Malicious String (External Contributor: @nterl0k)
• Windows Process Executed From Removable Media (External Contributor: @nterl0k)
• Windows Process Execution in Temp Dir
• Windows Remote Desktop Network Bruteforce Attempt
• Windows Security And Backup Services Stop
• Windows Service Created with Suspicious Service Name
• Windows Suspicious Driver Loaded Path
• Windows Suspicious Process File Path
• Windows System Remote Discovery With Query
• Windows USBSTOR Registry Key Modification (External Contributor: @nterl0k)
• Windows WPDBusEnum Registry Key Modification (External Contributor: @nterl0k)

(Big thank you to @nterl0k from our Github Community for contributing several amazing tested detections, stories, lookups for this release! )

Macros Added - [4]

• important_audit_policy_subcategory_guids
• normalized_service_binary_field
• process_auditpol
• windows_exchange_iis

Macros Updated - [11]

• ms_defender
• powershell
• printservice
• remoteconnectionmanager
• sysmon
• wineventlog_application
• wineventlog_rdp
• wineventlog_security
• wineventlog_system
• wineventlog_task_scheduler
• wmi

Lookups Added - [2]

• malicious_powershell_strings
• windows_suspicious_services

Lookups Updated - [5]

• asr_rules
• builtin_groups_lookup
• dynamic_dns_providers_default
• remote_access_software
• security_services_lookup

Other updates

• New baselines: Baseline Of Open S3 Bucket Decommissioning
• Added a dropdown for dashboards to the navigation bar

v5.0.0

🌟 Github Community

🎉 The Splunk Threat Research Team is thrilled to announce Enterprise Security Content Update (ESCU) v5.0.0!

Key Highlights

• (NEW) 🚨 Deprecation Assistant Dashboard: This release introduces a deprecation assistant dashboard for ESCU users to identify and manage deprecated detection analytics currently enabled in their Splunk Environment. These detections will be removed in ESCU v5.2.0 and could disrupt environments using them. For more in-depth information about which pieces of content will be removed and their replacements, please refer to the docs - 📄 Documentation.

• (NEW) 🛠️ Analytic Story Onboarding Assistant: In this release, we've introduced a redesigned home page with an enhanced UI that offers direct access to release notes, analytics counts, and the latest version on Splunkbase, complemented by a detailed timeline of STRT blogs and updates. Additionally, we've launched the Analytic Story Onboarding Assistant, a new preview feature designed to streamline the process of enabling several detections from multiple analytics stories for which there is data available in your Splunk Environment.

• 🔍 New Analytics: We have expanded our threat detection capabilities by mapping existing analytics and developing new detections for a range of threats, including Backdoor Pingpong, Cleo File Transfer Software, Crypto Stealer, SDDL Tampering Defense Evasion, Derusbi, Earth Estries, Nexus APT Threat Activity, WinDealer RAT, and XorDDos.

New Analytic Story - [9]

• Backdoor Pingpong
• Cleo File Transfer Software
• Crypto Stealer
• Defense Evasion or Unauthorized Access Via SDDL Tampering
• Derusbi
• Earth Estries
• Nexus APT Threat Activity
• WinDealer RAT
• XorDDos

New Analytics - [52]

• ASL AWS Create Access Key
• ASL AWS Create Policy Version to allow all resources
• ASL AWS Credential Access GetPasswordData
• ASL AWS Credential Access RDS Password reset
• ASL AWS Defense Evasion PutBucketLifecycle
• ASL AWS Detect Users creating keys with encrypt policy without MFA
• ASL AWS Disable Bucket Versioning
• ASL AWS EC2 Snapshot Shared Externally
• ASL AWS IAM AccessDenied Discovery Events
• ASL AWS IAM Assume Role Policy Brute Force
• ASL AWS Network Access Control List Created with All Open Ports
• ASL AWS Network Access Control List Deleted
• ASL AWS SAML Update identity provider
• ASL AWS UpdateLoginProfile
• Azure AD AzureHound UserAgent Detected
• Azure AD Service Principal Enumeration
• Azure AD Service Principal Privilege Escalation
• Detect Remote Access Software Usage Registry
• Microsoft Intune Device Health Scripts
• Microsoft Intune DeviceManagementConfigurationPolicies
• Microsoft Intune Manual Device Management
• O365 Service Principal Privilege Escalation
• Windows Account Access Removal via Logoff Exec
• Windows CertUtil Download With URL Argument
• Windows DNS Query Request by Telegram Bot API
• Windows Detect Network Scanner Behavior
• Windows File and Directory Enable ReadOnly Permissions
• Windows File and Directory Permissions Enable Inheritance
• Windows File and Directory Permissions Remove Inheritance
• Windows Impair Defenses Disable Auto Logger Session
• Windows New Custom Security Descriptor Set On EventLog Channel
• Windows New Deny Permission Set On Service SD Via Sc.EXE
• Windows New EventLog ChannelAccess Registry Value Set
• Windows New Service Security Descriptor Set Via Sc.EXE
• Windows Obfuscated Files or Information via RAR SFX
• Windows Office Product Dropped Cab or Inf File
• Windows Office Product Dropped Uncommon File
• Windows Office Product Spawned Control
• Windows Office Product Spawned MSDT
• Windows Office Product Spawned Rundll32 With No DLL
• Windows Office Product Spawned Uncommon Process
• Windows Powershell Logoff User via Quser
• Windows Process With NetExec Command Line Parameters
• Windows Registry Dotnet ETW Disabled Via ENV Variable
• Windows Remote Management Execute Shell
• Windows ScManager Security Descriptor Tampering Via Sc.EXE
• Windows Service Execution RemCom
• Windows Service Stop Attempt
• Windows Set Account Password Policy To Unlimited Via Net
• Windows SubInAcl Execution
• Windows Suspicious Child Process Spawned From WebServer
• Windows User Discovery Via Net

Other Updates

• We've updated our YAML configurations by enhancing validation, improving accuracy and consistency, and replacing the 'observables' key with an 'RBA' key to better align with Enterprise Security standards and simplify risk attribution.