splunk/security_content v4.37.0

on GitHub

Key Highlights

Enterprise Security Content Updates version 4.37.0 introduces new detections focused on emerging threats like AcidPour, Gozi Malware, and ShrinkLocker. These analytics identify sophisticated techniques used by these malware families to compromise Windows environments, primarily through registry modifications. The update includes detections for attempts to configure BitLocker, delete firewall rules, disable Remote Desktop Protocol (RDP), alter Smart Card Group Policy, modify firewall rules, and change Outlook WebView settings. By monitoring these critical registry changes, security teams can more effectively identify potential compromises and swiftly mitigate risks associated with these advanced malware variants.We have also published a detailed blog on Acid Pour Wiper Malware and the various TTPs used by this wiper malware.

This release also contains detections for identifying exploitation of the following vulnerabilities:

• CVE-2024-5806, published by Progress Software, describes an improper authentication vulnerability affecting the MOVEit Transfer SFTP service that can lead to authentication bypass.
• CVE-2024-29824, published by ZDI and Ivanti, concerns an enterprise endpoint management solution and describes a SQL injection resulting in remote code execution with a CVSS score of 9.8.
• CVE-2024-37085, published by Broadcom, impacts VMware ESXi hypervisors. Successful exploitation of this flaw allows attackers with sufficient Active Directory permissions to gain full access to an ESXi host configured to use AD for user management by re-creating the default 'ESXi Admins' group after it has been deleted from Active Directory.

New Analytic Story - [6]

• AcidPour
• Gozi Malware
• Ivanti EPM Vulnerabilities
• MOVEit Transfer Authentication Bypass
• ShrinkLocker
• VMware ESXi AD Integration Authentication Bypass CVE-2024-37085

New Analytics - [16]

• Ivanti EPM SQL Injection Remote Code Execution
• MOVEit Certificate Store Access Failure
• MOVEit Empty Key Fingerprint Authentication Attempt
• Windows ESX Admins Group Creation Security Event
• Windows ESX Admins Group Creation via Net
• Windows ESX Admins Group Creation via PowerShell
• Windows Known Abused DLL Loaded Suspiciously (External Contributor: @nterl0k )
• Windows LOLBAS Executed As Renamed File (External Contributor: @nterl0k)
• Windows LOLBAS Executed Outside Expected Path (External Contributor: @nterl0k )
• Windows Modify Registry Configure BitLocker
• Windows Modify Registry Delete Firewall Rules
• Windows Modify Registry Disable RDP
• Windows Modify Registry on Smart Card Group Policy
• Windows Modify Registry to Add or Modify Firewall Rule
• Windows Outlook WebView Registry Modification
• Windows Privileged Group Modification (External Contributor: @TheLawsOfChaos )

Updated Analytics - [11]

• Detect Remote Access Software Usage DNS (External Contributor: @nterl0k )
• Detect Remote Access Software Usage FileInfo(External Contributor: @nterl0k )
• Detect Remote Access Software Usage File(External Contributor: @nterl0k )
• Detect Remote Access Software Usage Process(External Contributor: @nterl0k )
• Detect Remote Access Software Usage Traffic(External Contributor: @nterl0k )
• Detect Remote Access Software Usage URL(External Contributor: @nterl0k )
• Possible Lateral Movement PowerShell Spawn
• Linux Obfuscated Files or Information Base64 Decode
• Linux Decode Base64 to Shell
• Windows Protocol Tunneling with Plink
• Malicious PowerShell Process - Encoded Command
• Windows Event Log Cleared
• Azure AD Admin Consent Bypassed by Service Principal (External Contributor: @dluxtron)
• Azure AD Global Administrator Role Assigned (External Contributor: @dluxtron)
• Azure AD Privileged Role Assigned (External Contributor: @dluxtron)
• Azure AD Service Principal New Client Credentials (External Contributor: @dluxtron)
• Detect New Local Admin account (External Contributor: @dluxtron)
• Kerberos Pre-Authentication Flag Disabled in UserAccountControl (External Contributor: @dluxtron)
• Detect Renamed PSExec (External Contributor: Alex Oberkircher, Github)
• Scheduled Task Initiation on Remote Endpoint(External Contributor: @Badoodish, Github)

Macros Added - [2]

• moveit_sftp_logs
• remote_access_software_usage_exceptions

Lookups Added - [1]

• remote_access_software_exceptions

Lookups Updated - [4]

• lolbas_file_path
• privileged_azure_ad_roles
• remote_access_software
• splunk_risky_command

Other Updates

• Remove usage_searches.conf from the ESCU app
• Update the yaml file structure for data_sources objects
• Remove dev/ directory from Github repo as we do not actively maintain Sigma supported detections in this directory
• Removed ransomware_extensions.csv from the repo and replaced it with an updated lookup - ransomware_extensions_20231219.csv
• Removed ransomware_notes.csv from the repo and replaced it with an updated lookup - ransomware_notes_20231219.csv
• Removed privileged_azure_ad_roles.csv from the repo and replaced it with an updated lookup - privileged_azure_ad_roles20240729.csv
• Removed remote_access_software.csv from the repo and replaced it with an updated lookup - remote_access_software20240726.csv