What's new
Enterprise Security Content Updates v4.40.0 was released on September 11, 2024 and includes the following enhancements:
Key highlights
Compromised Linux Host: This update introduces a set of 50 detections for compromised Linux hosts. They cover activities such as unauthorized account creation, file ownership changes, kernel module modifications, privilege escalation, data destruction, and suspicious service stoppages, improving visibility into potential malicious actions and system tampering.
Black Suit Ransomware: Existing analytics have been tagged to align with the tactics, techniques, and procedures (TTPs) associated with Black Suit ransomware, giving organizations targeted detection coverage to identify and mitigate ransomware attacks before they cause significant damage.
CISA Alert (CISA AA24-241A): In response to a joint advisory on Iran-based cyber actors exploiting U.S. and foreign organizations, this update adds detections for PowerShell Web Access installation and enablement activity, strengthening defenses against the ransomware and espionage activity linked to these threats.
New analytic story
New analytics
- Linux Auditd Add User Account Type
- Linux Auditd Add User Account
- Linux Auditd At Application Execution
- Linux Auditd Auditd Service Stop
- Linux Auditd Base64 Decode Files
- Linux Auditd Change File Owner To Root
- Linux Auditd Clipboard Data Copy
- Linux Auditd Data Destruction Command
- Linux Auditd Data Transfer Size Limits Via Split Syscall
- Linux Auditd Data Transfer Size Limits Via Split
- Linux Auditd Database File And Directory Discovery
- Linux Auditd Dd File Overwrite
- Linux Auditd Disable Or Modify System Firewall
- Linux Auditd Doas Conf File Creation
- Linux Auditd Doas Tool Execution
- Linux Auditd Edit Cron Table Parameter
- Linux Auditd File And Directory Discovery
- Linux Auditd File Permission Modification Via Chmod
- Linux Auditd File Permissions Modification Via Chattr
- Linux Auditd Find Credentials From Password Managers
- Linux Auditd Find Credentials From Password Stores
- Linux Auditd Find Private Keys
- Linux Auditd Find Ssh Private Keys
- Linux Auditd Hardware Addition Swapoff
- Linux Auditd Hidden Files And Directories Creation
- Linux Auditd Insert Kernel Module Using Insmod Utility
- Linux Auditd Install Kernel Module Using Modprobe Utility
- Linux Auditd Kernel Module Enumeration
- Linux Auditd Kernel Module Using Rmmod Utility
- Linux Auditd Nopasswd Entry In Sudoers File
- Linux Auditd Osquery Service Stop
- Linux Auditd Possible Access Or Modification Of Sshd Config File
- Linux Auditd Possible Access To Credential Files
- Linux Auditd Possible Access To Sudoers File
- Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File
- Linux Auditd Preload Hijack Library Calls
- Linux Auditd Preload Hijack Via Preload File
- Linux Auditd Service Restarted
- Linux Auditd Service Started
- Linux Auditd Setuid Using Chmod Utility
- Linux Auditd Setuid Using Setcap Utility
- Linux Auditd Shred Overwrite Command
- Linux Auditd Stop Services
- Linux Auditd Sudo Or Su Execution
- Linux Auditd Sysmon Service Stop
- Linux Auditd System Network Configuration Discovery
- Linux Auditd Unix Shell Configuration Modification
- Linux Auditd Unload Module Via Modprobe
- Linux Auditd Virtual Disk File And Directory Discovery
- Linux Auditd Whoami User Discovery
- Windows DISM Install PowerShell Web Access
- Windows Enable PowerShell Web Access
Updated analytics
- ASL AWS Concurrent Sessions From Different Ips
- Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
- Anomalous usage of 7zip
- Citrix ADC Exploitation CVE-2023-3519
- Create Remote Thread into LSASS
- Create local admin accounts using net exe
- Detect Credential Dumping through LSASS access
- Detect New Local Admin account
- Detect Remote Access Software Usage DNS
- Detect Remote Access Software Usage File
- Detect Remote Access Software Usage Process
- Detect Remote Access Software Usage URL
- Detect SharpHound Command-Line Arguments
- Detect SharpHound File Modifications
- Disable Defender AntiVirus Registry
- Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
- Domain Controller Discovery with Nltest
- Elevated Group Discovery With Net
- Excessive Usage Of Taskkill
- Executable File Written in Administrative SMB Share
- F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
- Ivanti Connect Secure Command Injection Attempts
- Ivanti Connect Secure System Information Access via Auth Bypass
- Kerberos Pre-Authentication Flag Disabled in UserAccountControl
- Kubernetes Abuse of Secret by Unusual Location
- Kubernetes Abuse of Secret by Unusual User Agent
- Kubernetes Abuse of Secret by Unusual User Group
- Kubernetes Abuse of Secret by Unusual User Name
- Kubernetes Access Scanning
- Kubernetes Create or Update Privileged Pod
- Kubernetes Cron Job Creation
- Kubernetes DaemonSet Deployed
- Kubernetes Falco Shell Spawned
- Kubernetes Node Port Creation
- Kubernetes Pod Created in Default Namespace
- Kubernetes Pod With Host Network Attachment
- Kubernetes Scanning by Unauthenticated IP Address
- Kubernetes Suspicious Image Pulling
- Kubernetes Unauthorized Access
- Ngrok Reverse Proxy on Network
- PowerShell 4104 Hunting
- Powershell Disable Security Monitoring
- Registry Keys Used For Persistence
- Rubeus Command Line Parameters
- Rubeus Kerberos Ticket Exports Through Winlogon Access
- Rundll32 with no Command Line Arguments with Network
- Scheduled Task Deleted Or Created via CMD
- Suspicious Scheduled Task from Public Directory
- System Information Discovery Detection
- Unknown Process Using The Kerberos Protocol
- WinEvent Windows Task Scheduler Event Action Started
- Windows AD Abnormal Object Access Activity
- Windows AD Privileged Object Access Activity
- Windows Abused Web Services
- Windows AdFind Exe
- Windows Alternate DataStream - Base64 Content
- Windows Alternate DataStream - Executable Content
- Windows Alternate DataStream - Process Execution
- Windows Create Local Account
- Windows Disable or Modify Tools Via Taskkill
- Windows Driver Load Non-Standard Path
- Windows Modify Registry Delete Firewall Rules
- Windows Modify Registry to Add or Modify Firewall Rule
- Windows Ngrok Reverse Proxy Usage
- Windows Privilege Escalation Suspicious Process Elevation
- Windows Privilege Escalation System Process Without System Parent
- Windows Privilege Escalation User Process Spawn System Process
- Windows Remote Create Service
- Windows Remote Services Rdp Enable
- Windows UAC Bypass Suspicious Child Process
- Windows UAC Bypass Suspicious Escalation Behavior
- Wsmprovhost LOLBAS Execution Process Spawn
Macros added
- linux_auditd
- linux_auditd_normalized_execve_process
- linux_auditd_normalized_proctitle_process
Other updates
- Updated text in feedback center dashboard
- Added Splunk Enterprise 9.3 as a version compatible with ESCU when uploading to Splunkbase
This documentation applies to the following versions of Splunk® Enterprise Security Content Update: 4.40.0