🩹 Patch Notes
ESCU 5.25.1 is a patch release that remediates a bug introduced in ESCU 5.25.0, which has been pulled from GitHub and Splunkbase.
In ESCU v5.25.0, the detection Windows Security Support Provider Reg Query had its "version" bumped despite the detection itself being unchanged. This could lead to errors and failures during the Enterprise Security content versioning process.
Please note that this is a separate and unrelated issue from the following known detection versioning issue, SECHELP-341, in Enterprise Security 8.3, 8.4, and 8.5.
Since the ESCU 5.25.0 release has been pulled from Splunkbase and GitHub, the ESCU 5.25.0 release notes are reproduced below.
🚀 ESCU 5.25.0 Key Highlights
- Ghost RAT: Expanded coverage for Ghost RAT activity by tagging multiple existing analytics related to service creation, registry persistence, command-line execution, and system discovery behaviors, alongside new detections for Windows Remote Access Registry Entry and Windows Rundll32 with Non-Standard File Extension. Additionally, improved detection fidelity with updates to Ping Sleep Batch Command and introduced a new analytic story Ghost RAT, enhancing visibility into stealthy persistence, defense evasion, and command execution techniques commonly used by this malware family.
- Void Manticore Activity Coverage Expansion: Expanded detection coverage for Void Manticore, a threat group associated with destructive and espionage-driven operations, by tagging multiple existing analytics aligned to data destruction, shadow copy deletion, backup recovery tampering, and suspicious script execution behaviors. This update enhances visibility into attacker tradecraft involving bcdedit manipulation, recursive file deletion, remote process execution via WMI, and suspicious process/file activity, improving detection of pre-impact and impact-stage techniques commonly used in disruptive campaigns targeting enterprise environments.
- Detection & Content Improvements: Introduced new data source support, migrated Palo Alto integrations, enhanced detections with MITRE mappings, fixed regex and logic issues, reduced false positives, improved accuracy and performance, updated metadata based on telemetry insights, and refactored multiple analytics and SPL queries for better readability, consistency, and reliability.
New Analytic Story - [2]
New Analytics - [2]
- Windows Routing and Remote Access Service Registry Key Change
- Windows Rundll32 with Non-Standard File Extension
Updated Analytics
Based on various telemetry sources, we have updated detections that were missing MITRE IDs, updated data sources, and made the following changes to detections:
- Malicious PowerShell Process - Encoded Command - Replaced the broken regex with a more robust one that aims to detect most variations of the EncodedCommand flag ([BUG] Malicious PowerShell Process - Encoded Command - regex doesn't make sense #3939)
- Outbound Network Connection from Java Using Default Ports - Removed the duplicate entry for javaw.exe and restructured the SPL so that it is more readable.
- Suspicious Rundll32 no Command Line Arguments - Removed the unnecessary use of regex and moved the filter logic earlier for better performance.
- Suspicious SearchProtocolHost no Command Line Arguments - Removed the unnecessary use of regex and moved the filter logic earlier for better performance.
- Windows New Deny Permission Set On Service SD Via Sc.EXE - Updated metadata info, including the FP section based on Athena telemetry.
- Windows New Service Security Descriptor Set Via Sc.EXE - Updated metadata info, including the FP section based on Athena telemetry.
- Detect Large ICMP Traffic / Detect Outbound LDAP Traffic - Updated the logic of both by adding a broader filter for local IPs.
- Detect Computer Changed with Anonymous Account - Updated the logic to be more accurate. (See the explanation in [BUG] Logic Problem in Detect Computer Changed with Anonymous Account #3961)
- Windows Privileged Group Modification - Updated the logic to include EventID 4756 (fixes Add Event ID 4756 to windows_privileged_group_modification detection #3969)
- Windows Scheduled Task Service Spawned Shell - Updated and beautified the SPL, along with other metadata and RBA-related config.
- Possible Lateral Movement PowerShell Spawn - Fixed an FP by adding an exclusion for svchost with the Schedule service.
- Detect Use of cmd exe to Launch Script Interpreters - Fixed an FP by adding an exclusion for standard execution file paths.
- Scheduled Task Deleted Or Created via CMD - Fixed an FP by adding an exclusion for standard execution file paths.
- Beautified the SPL of multiple analytics that were leveraging the Palo Alto TA.
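The EncodedCommand regex fix listed above is the kind of change a detection author validates against every spelling of the flag that the interpreter accepts. As an added example (not ESCU's own regex, which this page does not reproduce), the Python below matches the abbreviations powershell.exe accepts and decodes the payload, run over constructed command lines; it assumes that "/" is accepted alongside "-" as the switch character.

```python
import base64
import re

# Constructed for this example (not ESCU telemetry): powershell.exe on Windows treats any
# unambiguous, case-insensitive prefix of -EncodedCommand as that flag (-e, -ec, -en, -enc,
# ... -encodedcommand) and, as assumed here, accepts "/" as well as "-" as the switch
# character. A regex that only looks for "-enc" or "-EncodedCommand" misses the rest.
_FULL = "encodedcommand"
_VARIANTS = sorted({_FULL[:i] for i in range(1, len(_FULL) + 1)} | {"ec"},
                   key=len, reverse=True)

# The flag must be a whole token (start or whitespace before, whitespace after) so that
# -ex / -ExecutionPolicy and -ErrorAction are not mistaken for an encoded-command switch.
ENCODED_FLAG_RE = re.compile(
    r"(?:^|\s)[-/](?P<flag>" + "|".join(_VARIANTS) + r")\s+(?P<payload>[A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)


def find_encoded_command(cmdline: str):
    """Return (flag_as_written, decoded_script) when an EncodedCommand variant is present.

    decoded_script is None when the flag is present but the payload is not valid
    base64-encoded UTF-16LE. Returns None when no variant of the flag is found.
    """
    m = ENCODED_FLAG_RE.search(cmdline)
    if m is None:
        return None
    try:
        script = base64.b64decode(m.group("payload"), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        script = None
    return m.group("flag"), script


# Constructed sample command lines; the payload is a harmless Write-Host.
SAMPLE_PAYLOAD = base64.b64encode("Write-Host hi".encode("utf-16-le")).decode("ascii")
SAMPLE_LINES = [
    f"powershell.exe -EncodedCommand {SAMPLE_PAYLOAD}",
    f"powershell.exe -nop -w hidden -e {SAMPLE_PAYLOAD}",
    f"powershell.exe /ec {SAMPLE_PAYLOAD}",
    f"powershell.exe -EnCoDeDc {SAMPLE_PAYLOAD}",
    "powershell.exe -ExecutionPolicy Bypass -File script.ps1",  # must not match
    "powershell.exe -enc notbase64!!",                          # flag present, bad payload
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(find_encoded_command(line), "<-", line)
```

The last sample shows why the match and the decode are reported separately: an EncodedCommand switch with an undecodable payload is still worth surfacing rather than silently dropping.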