splunk/security_content v5.10.0

on GitHub

Key Highlights

• 🔐 Citrix NetScaler CVE-2025-5777 (CitrixBleed 2): Introduced a new analytic story addressing CitrixBleed 2, a critical memory disclosure vulnerability actively exploited in the wild since June 2025. This release includes a detection for identifying HTTP requests to the vulnerable /nf/auth/startwebview.do endpoint, helping security teams uncover scanning and exploitation activity targeting Citrix ADC and Gateway appliances.

• 🧱 Microsoft SharePoint Vulnerabilities: Introduced a new analytic story focused on detecting exploitation attempts related to CVE-2025-53770, a vulnerability in the ToolPane.aspx endpoint of Microsoft SharePoint. This story includes detections for suspicious requests to the vulnerable endpoint, GET activity to known malicious webshells like spinstall0.aspx, and file creation events indicative of webshell deployment—helping identify both initial exploitation and post-exploitation activity.

• 💻 ESXi Post-Compromise Activity: Shipped a new analytic story focused on detecting attacker behavior after initial access to ESXi environments. This story includes 24 detections for actions such as VM termination, reverse shells, SSH brute force, system clock tampering, audit log wiping, unauthorized user elevation, and malicious VIB installations—providing broad coverage for common post-compromise tactics.

• 🛡️ Cisco Duo Suspicious Activity: Released a new analytic story to detect unusual or risky administrative behavior and insecure policy configurations in Cisco Duo environments. This release includes 14 detections covering unusual admin logins by browser, OS, or country, generation of bypass codes, and policy settings that allow risky behavior like skipping 2FA, allowing tampered devices, or permitting outdated Java/Flash use.

• 🐀 Quasar RAT: Released a new analytic story focused on detecting activity related to Quasar RAT, a widely used open-source remote access Trojan known for credential theft, surveillance, and lateral movement. This story maps over 20 existing detections to Quasar techniques and adds three new detections targeting unusual access to sensitive configuration and credential storage locations such as FileZilla XML configs, IntelliForms registry entries, and Mozilla NSS libraries—enabling better visibility into post-exploitation behavior and stealthy credential harvesting.

New Analytic Story - [5]

• Cisco Duo Suspicious Activity
• Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777
• ESXi Post Compromise
• Microsoft SharePoint Vulnerabilities
• Quasar RAT

New Analytics - [45]

• Cisco Duo Admin Login Unusual Browser
• Cisco Duo Admin Login Unusual Country
• Cisco Duo Admin Login Unusual Os
• Cisco Duo Bulk Policy Deletion
• Cisco Duo Bypass Code Generation
• Cisco Duo Policy Allow Devices Without Screen Lock
• Cisco Duo Policy Allow Network Bypass 2FA
• Cisco Duo Policy Allow Old Flash
• Cisco Duo Policy Allow Old Java
• Cisco Duo Policy Allow Tampered Devices
• Cisco Duo Policy Bypass 2FA
• Cisco Duo Policy Deny Access
• Cisco Duo Policy Skip 2FA for Other Countries
• Cisco Duo Set User Status to Bypass 2FA
• Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt
• Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure
• ESXi Account Modified
• ESXi Audit Tampering
• ESXi Bulk VM Termination
• ESXi Download Errors
• ESXi Encryption Settings Modified
• ESXi External Root Login Activity
• ESXi Firewall Disabled
• ESXi Lockdown Mode Disabled
• ESXi Loghost Config Tampering
• ESXi Malicious VIB Forced Install
• ESXi Reverse Shell Patterns
• ESXi SSH Brute Force
• ESXi SSH Enabled
• ESXi Sensitive Files Accessed
• ESXi Shared or Stolen Root Account
• ESXi Shell Access Enabled
• ESXi Syslog Config Change
• ESXi System Clock Manipulation
• ESXi System Information Discovery
• ESXi User Granted Admin Role
• ESXi VIB Acceptance Level Tampering
• ESXi VM Discovery
• ESXi VM Exported via Remote Tool
• Windows SharePoint Spinstall0 GET Request
• Windows SharePoint Spinstall0 Webshell File Creation
• Windows SharePoint ToolPane Endpoint Exploitation Attempt
• Windows Unusual FileZilla XML Config Access
• Windows Unusual Intelliform Storage Registry Access
• Windows Unusual Process Load Mozilla NSS-Mozglue Module

Other Updates

• Added a missing data source file for Cisco NVM and updated data source files to use PascalCase for XmlWinEventLog
• As previously communicated in the ESCU v5.8.0 release, several detections have been removed. For a complete list of the detections removed in version v5.10.0, refer to the List of Removed Detections in v5.10.0. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v5.12.0, see the List of Detections Scheduled for Removal in ESCU v5.12.0.