What's new
Enterprise Security Content Updates v4.42.0 was released on October 15, 2024 and includes the following enhancements:
Key highlights
Splunk Vulnerabilities: This release introduces key detections for recently disclosed Splunk vulnerabilities, including issues like disabling KVStore via CSRF, image file disclosure in PDF exports, and persistent XSS attacks. It also covers critical vulnerabilities such as remote code execution through arbitrary file writes and sensitive information disclosure in low-privileged user sessions and DEBUG logs. These detections enhance monitoring for exploitation attempts, improving Splunk's defenses against potential attacks and data breaches.
CISA AA24-241A: This new analytic story delivers detections tailored to identify malicious usage of PowerShell Web Access (PSWA) in Windows environments. These new detections focus on monitoring PowerShell Web Access activity through the IIS application pool and web access logs, providing enhanced visibility into suspicious or unauthorized access. The story introduces two key detections: "Windows Identify PowerShell Web Access IIS Pool" and "Windows IIS Server PSWA Console Access," which track the creation and usage of PSWA sessions, anomalies in IIS pool configurations, and unusual patterns of console access. By improving detection of PowerShell Web Access exploitation, we can defend against potential privilege escalation, lateral movement, and remote code execution attempts within Windows infrastructures.
In addition to these updates, the detection logic for "Windows AdFind Exe" and "Linux Auditd Change File Owner To Root" has been improved based on customer feedback. These enhancements provide more accurate identification of AdFind tool usage in Windows environments and better detection of unauthorized file ownership changes to root in Linux systems, further fortifying defenses against privilege abuse and lateral movement techniques across both platforms.
Updated analytic story
New analytics
- Splunk Disable KVStore via CSRF Enabling Maintenance Mode
- Splunk Image File Disclosure via PDF Export in Classic Dashboard
- Splunk Low-Priv Search as nobody SplunkDeploymentServerConfig App
- Splunk Persistent XSS via Props Conf
- Splunk Persistent XSS via Scheduled Views
- Splunk RCE Through Arbitrary File Write to Windows System Root
- Splunk SG Information Disclosure for Low Privs User
- Splunk Sensitive Information Disclosure in DEBUG Logging Channels
- Windows IIS Server PSWA Console Access
- Windows Identify PowerShell Web Access IIS Pool
Updated analytics
- Create Remote Thread into LSASS
- Detect Regsvcs with Network Connection
- Linux Auditd Change File Owner To Root
- Possible Lateral Movement PowerShell Spawn
- Suspicious Process DNS Query Known Abuse Web Services
- Windows AdFind Exe
- Windows DISM Install PowerShell Web Access
- Windows Enable PowerShell Web Access
- Windows Impair Defenses Disable AV AutoStart via Registry
- Windows Modify Registry Utilize ProgIDs
- Windows Modify Registry ValleyRAT C2 Config
- Windows Modify Registry ValleyRat PWN Reg Entry
- Windows Privileged Group Modification
- Windows Scheduled Task DLL Module Loaded
- Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr
This documentation applies to the following versions of Splunk® Enterprise Security Content Update: 4.42.0
Download manual
Feedback submitted, thanks!