Key Highlights
- Browser Hijacking: Introduced a new set of detections focused on browser hijacking techniques that manipulate Chrome configurations, registry settings, and command-line behaviors to persist malicious control, disable updates, and load unauthorized extensions. These detections surface suspicious actions such as disabling Chrome auto-updates, allowlisting or force-loading extensions, and abusing command-line flags to bypass browser security controls. Together, they help security teams identify early indicators of browser compromise, policy tampering, and user-impacting persistence mechanisms commonly leveraged by modern malware.
- Cisco Isovalent Suspicious Activity: Expanded detection coverage leveraging Cisco Isovalent's kernel-level eBPF telemetry to identify advanced threats targeting Kubernetes and cloud-native environments. New detections focus on high-risk behaviors such as access to cloud metadata services, suspicious process execution, container escape techniques, offensive tooling in pods, anomalous kprobe activity, and unexpected shell or network behavior. By correlating low-level runtime signals with rich Kubernetes context, this content enables early detection of in-cluster attacks, lateral movement, and workload compromise before adversaries can escalate or persist.
- Suspicious User Agents: Introduced enhanced detection coverage to identify suspicious and default user agent strings commonly used by malware, command-and-control frameworks, remote monitoring and management (RMM) tools, and other potentially unwanted applications. These detections focus on uncovering overlooked or hard-coded user agents frequently left unchanged by adversaries, providing network-level visibility into malicious tooling that blends into normal HTTP traffic. By correlating anomalous user agents across malware, C2 frameworks, PUAs, and RMM software, security teams can more quickly identify and investigate stealthy network activity.
- SesameOp & PromptFlux: Expanded analytic coverage for emerging malware families that abuse legitimate AI service APIs as command-and-control channels, allowing adversaries to hide malicious activity within trusted cloud traffic. This update tags relevant existing detections and introduces a new detection, Windows Potential AppDomainManager Hijack Artifacts Creation, addressing key persistence and injection techniques leveraged by SesameOp and PromptFlux. Together, these detections help surface anomalous API usage, suspicious persistence artifacts, and post-exploitation behaviors that indicate covert C2 activity masquerading as normal AI service interactions.
- Cisco IOS & Secure Firewall Privileged Activity: Added new detections and risk-based correlation searches to identify high-risk administrative activity targeting Cisco IOS and Cisco Secure Firewall devices. The new detections focus on privileged command execution over HTTP and anomalous SSH behavior, including connections to non-standard ports and suspicious SSH services. These signals are correlated using the Risk data model to surface higher-fidelity alerts for privileged account creation combined with suspicious HTTP or SSH activity, helping teams identify post-exploitation and persistence attempts on network edge infrastructure.
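To illustrate the kind of risk-based correlation the Cisco privileged-activity searches above perform (combining a privileged account creation event with suspicious HTTP or SSH activity on the same device within a time window), here is an added, self-contained Python sketch. It is not ESCU code: the risk events are constructed, and the account-creation detection name is an assumed placeholder since that detection is not listed on this page.

```python
# Added illustrative example, not part of the ESCU release. Mimics a risk-based
# correlation: alert when one risk object accumulates a privileged account creation
# AND suspicious HTTP/SSH activity within a window and the combined score is high.
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed placeholder name for the existing account-creation detection (not on the page).
ACCOUNT_CREATION = "Cisco Privileged Account Creation (assumed name)"

# Detection names taken from the new-analytics list on this page.
SUSPICIOUS_ACCESS = {
    "Cisco Secure Firewall - Privileged Command Execution via HTTP",
    "Cisco Secure Firewall - SSH Connection to Non-Standard Port",
    "Cisco Secure Firewall - SSH Connection to sshd_operns",
}

# Constructed risk events: (timestamp, risk_object, source detection, risk score).
SAMPLE_RISK_EVENTS = [
    ("2025-11-10T09:00:00", "fw-edge-01", ACCOUNT_CREATION, 40),
    ("2025-11-10T09:04:00", "fw-edge-01",
     "Cisco Secure Firewall - Privileged Command Execution via HTTP", 50),
    ("2025-11-10T09:10:00", "fw-edge-02",
     "Cisco Secure Firewall - SSH Connection to Non-Standard Port", 30),
    ("2025-11-11T15:00:00", "fw-edge-02", ACCOUNT_CREATION, 40),  # a day later: no match
    ("2025-11-10T09:30:00", "fw-edge-03",
     "Cisco Secure Firewall - SSH Connection to sshd_operns", 30),  # no account creation
]


def correlate(events, window=timedelta(hours=1), min_score=70):
    """Return one alert per risk object whose account-creation event is accompanied
    by at least one suspicious HTTP/SSH event within `window`, with combined
    risk score >= min_score."""
    by_object = defaultdict(list)
    for ts, obj, source, score in events:
        by_object[obj].append((datetime.fromisoformat(ts), source, score))
    alerts = []
    for obj, evs in by_object.items():
        evs.sort()
        for t0, s0, _ in evs:
            if s0 != ACCOUNT_CREATION:
                continue
            # Everything on this object within +/- window of the creation event.
            near = [e for e in evs if abs(e[0] - t0) <= window]
            access = {s for _, s, _ in near if s in SUSPICIOUS_ACCESS}
            total = sum(sc for _, _, sc in near)
            if access and total >= min_score:
                alerts.append({"risk_object": obj, "score": total,
                               "sources": sorted(access | {ACCOUNT_CREATION})})
                break  # one alert per risk object
    return alerts
```

Only fw-edge-01 fires: the other two devices lack either the account creation or a suspicious access event inside the window, which is the extra fidelity the correlation adds over alerting on each detection alone.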
New Analytic Story - [5]
New Analytics - [25]
- Cisco Isovalent - Access To Cloud Metadata Service
- Cisco Isovalent - Cron Job Creation
- Cisco Isovalent - Curl Execution With Insecure Flags
- Cisco Isovalent - Kprobe Spike
- Cisco Isovalent - Late Process Execution
- Cisco Isovalent - Non Allowlisted Image Use
- Cisco Isovalent - Nsenter Usage in Kubernetes Pod
- Cisco Isovalent - Pods Running Offensive Tools
- Cisco Isovalent - Potential Escape to Host
- Cisco Isovalent - Shell Execution
- Cisco Privileged Account Creation with HTTP Command Execution
- Cisco Privileged Account Creation with Suspicious SSH Activity
- Cisco Secure Firewall - Privileged Command Execution via HTTP
- Cisco Secure Firewall - SSH Connection to Non-Standard Port
- Cisco Secure Firewall - SSH Connection to sshd_operns
- HTTP C2 Framework User Agent
- HTTP Malware User Agent
- HTTP PUA User Agent
- HTTP RMM User Agent
- HTTP Scripting Tool User Agent
- Windows Chrome Auto-Update Disabled via Registry
- Windows Chrome Enable Extension Loading via Command-Line
- Windows Chrome Extension Allowed Registry Modification
- Windows Chromium Process Loaded Extension via Command-Line
- Windows Potential AppDomainManager Hijack Artifacts Creation
Other Updates
- Performance & Coverage Improvements: Updated several searches by replacing regex-based matching with direct-match comparisons, significantly improving performance and scalability in large environments, and refreshed multiple lookup files so that detection logic stays accurate and up to date.
Breaking Changes
As previously communicated in ESCU v5.18.0, several detections have been removed in v5.20.0: