github splunk/security_content v5.22.0


🚀 Key Highlights

  • 🤖 Suspicious MCP Activities:
    Introduced a new analytic story focused on detecting abuse of authorized Model Context Protocol (MCP) server deployments, where legitimate AI tool integrations (filesystem, database, API, and cloud operations) may be weaponized for data exfiltration, privilege escalation, lateral movement, or persistence. This release includes a new MCP Technology Add-on (TA) for parsing MCP server telemetry and adds detections such as MCP Sensitive System File Search, MCP Prompt Injection, MCP Postgres Suspicious Query, MCP GitHub Suspicious Operation, and MCP Filesystem Server Suspicious Extension Write, providing visibility into malicious tool invocation patterns, abnormal data access, and AI-driven attack chains leveraging trusted automation infrastructure.

  • 💥 DynoWiper and ZOVWiper (Sandworm Destructive Operations):
    Expanded coverage for the destructive malware families DynoWiper and ZOVWiper, attributed to the Russia-aligned threat group Sandworm, by tagging existing endpoint analytics aligned to their file-overwrite, drive enumeration, and system reboot behaviors. These wipers target critical infrastructure and financial sectors, systematically overwriting data across fixed and removable drives while selectively skipping system directories to maximize operational impact. By mapping current detections to known Sandworm tradecraft, this update strengthens visibility into destructive file modification patterns, large-scale overwrite activity, and pre-reboot execution behaviors associated with modern wiper deployments.

  • ☀️ SolarWinds Web Help Desk RCE (CVE-2025-26399) Post-Exploitation:
    Tagged existing analytics to enhance visibility into post-exploitation activity following SolarWinds WHD remote code execution, focusing on suspicious process spawning, privilege escalation, lateral movement, persistence mechanisms, and outbound command-and-control behavior originating from compromised Web Help Desk services.

New Analytic Story - [5]

New Analytics - [7]

Updated Analytics

Breaking Changes

As previously communicated in the ESCU v5.20.0 release, several detections have been removed. For a complete list of the detections removed in version v5.22.0, refer to the List of Removed Detections. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v5.24.0, see the List of Detections Scheduled for Removal.

Removed Detection                  Replacement Detection
Cobalt Strike Named Pipes          Windows Suspicious C2 Named Pipe
HTTP Suspicious Tool User Agent    HTTP Scripting Tool User Agent
