What's new
Enterprise Security Content Updates v4.41.0 was released on September 26, 2024 and includes the following enhancements:
Key highlights
ValleyRAT Analytic Story: This update introduces detections tailored to the ValleyRAT malware, providing enhanced monitoring and threat-hunting coverage for adversarial activity on Windows systems. The story includes new detections that focus on impairing defenses, modifying the system registry, and abusing privilege escalation mechanisms. Key detections cover tactics such as disabling antivirus via registry modifications, setting Windows Defender exclusions, and UAC bypass techniques such as FodHelper and Eventvwr. These detections improve visibility into malicious registry changes, scheduled task anomalies, and suspicious executable behavior, strengthening defenses against ValleyRAT C2 activity and privilege abuse attempts.
New analytic story
- ValleyRAT
New analytics
- Windows Impair Defenses Disable AV AutoStart via Registry
- Windows Modify Registry Utilize ProgIDs
- Windows Modify Registry ValleyRAT C2 Config
- Windows Modify Registry ValleyRat PWN Reg Entry
- Windows Schedule Task DLL Module Loaded
- Windows Schedule Tasks for CompMgmtLauncher or Eventvwr
Updated analytics
- Add or Set Windows Defender Exclusion
- CMLUA Or CMSTPLUA UAC Bypass
- Eventvwr UAC Bypass
- Executables Or Script Creation In Suspicious Path
- FodHelper UAC Bypass
- Suspicious Process File Path
- WinEvent Windows Task Scheduler Event Action Started
- Windows Access Token Manipulation SeDebugPrivilege
- Windows Defender Exclusion Registry Entry
This documentation applies to the following versions of Splunk® Security Content: 4.41.0