splunk/security_content v5.27.0

on GitHub

🚀 Key Highlights

• 🚨 Linux Copy Fail Privilege Escalation (CVE-2026-31431): Added a new detection: Linux Auditd Copy Fail Privilege Escalation to identify exploitation of the Copy Fail vulnerability, a Linux kernel flaw that enables unprivileged users to perform controlled writes to file page cache and escalate privileges to root. This analytic leverages auditd telemetry to detect suspicious modification patterns targeting setuid binaries, providing early visibility into local privilege escalation attempts across affected Linux systems.

• 🔐 Cisco Secure Access Analytics: Introduced a new analytic story for Cisco Secure Access, leveraging firewall telemetry to detect suspicious access patterns. This release includes updates to existing detections: Large ICMP Traffic, Outbound SMB Traffic, Outbound LDAP Traffic, and Windows RDP Network Brute Force Attempts enabling them to operate with Cisco Secure Access Firewall data, validated through simulated attack scenarios to improve visibility into adversary activity traversing modern cloud-delivered security controls.

• 🪟 Windows Threat Detection Expansion: Significantly expanded coverage across multiple analytic stories with the addition of a broad set of new detections targeting modern Windows attack techniques, including PowerShell abuse, process injection, privilege escalation, registry manipulation, cloud and Azure activity, RMM tool usage, and C2 frameworks such as Cobalt Strike, Metasploit, and custom agents. These analytics enhance visibility into attacker behaviors like defense evasion (EDR bypass, obfuscation, EFI tampering), persistence (scheduled tasks, file association changes, GPO abuse), credential access (LAPS harvesting, keychain-like data access), and lateral movement and exfiltration, while also covering emerging tradecraft such as Cloudflared tunnels, Devtunnels, and supply chain tooling abuse—providing deeper detection across the Windows attack lifecycle.

• ⌨️ VIP Keylogger (.NET Stealer) Detection Coverage: Introduced new analytics to strengthen detection of VIP Keylogger and related .NET-based infostealers by focusing on behavioral indicators of stealthy execution and persistence. New detections: PowerShell Environment Variable Execution, Windows Anomalous Registry Value Length in Environment Key, PowerShell PInvoke Process Injection API Chain, and Windows Proxy Execution of .NET Utilities via Scripts surface patterns such as encoded payload staging in registry keys, script-driven execution of trusted .NET binaries, and in-memory process injection techniques, improving visibility into credential theft operations, obfuscated execution chains, and defense evasion commonly used in modern phishing-delivered stealer campaigns.

New Analytic Story - [2]

• Cisco Secure Access Analytics
• VIP Keylogger

New Analytics - [67]

• Linux Auditd Copy Fail Privilege Escalation
• PowerShell Environment Variable Execution
• PowerShell PInvoke Process Injection API Chain
• Windows .Key File Creation in Root Directory
• Windows Anomalous Registry Value Length in Environment Key
• Windows AppCertDLL Modification Via Command Line
• Windows Azure PowerShell Module Installation Via PowerShell Script
• Windows Azure Storage Utility Execution Via CLI
• Windows Cobalt Strike PowerShell Loader
• Windows Command Obfuscation with Environment Variable Substrings
• Windows Computer Account Changed to Domain Controller
• Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script
• Windows CrowdStrike Agent Registry Key Removal
• Windows Crowdstrike RTR Script Execution
• Windows Default Cobalt Strike PowerShell Beacon
• Windows Devtunnels Execution
• Windows Devtunnels Image Loaded
• Windows Downdate Registry Activity
• Windows EDRSilencer Execution
• Windows EFI Bootloader File Modification
• Windows EFI Volume Mount Attempt Via Mountvol
• Windows Entra User Management Via Azure CLI
• Windows File Association Modification via Ftype
• Windows Filtering Platform Policy Added to Block EDR Process
• Windows Get-Variable.EXE Execution from WindowsApps Folder
• Windows GrimResource - MMC Process Accessing APDS DLL
• Windows Guest Account Enabled Via Net.EXE
• Windows IOBit Unlocker Extension DLL Registration via Regsvr32
• Windows LAPS Password Gathering Via PowerShell Script
• Windows Level RMM PowerShell Script Installer
• Windows Level RMM Watchdog Task Created
• Windows MSI Rollback Script Deleted By Non-Msiexec Process
• Windows Metasploit Confluence Plugin Execution
• Windows Mock Trusted Directory MSC File Creation
• Windows Mustang Panda USB Tool Execution
• Windows Netspy Network Scanner Execution
• Windows Network Connection From Program In Suspect Location
• Windows NorthStar C2 Agent Execution
• Windows OneDrive Share Mounted via Net
• Windows Potato Privilege Escalation Tool Execution
• Windows Potential Cloudflared Network Connection
• Windows Potential Cloudflared Tunnel Execution
• Windows Potential Web Shell Creation For VMware Workspace ONE
• Windows PowGoop Beacon Decoding
• Windows PowerShell Module File Created
• Windows PowerShell Script TabExpansion Direct Call
• Windows Privilege Escalation Attempt Via MSI Rollback
• Windows Process Accessing Windows Recall Directory
• Windows Proxy Execution of .NET Utilities via Scripts
• Windows PuTTY Suite Utility Execution
• Windows RMM Tool Execution
• Windows Remote Image Load
• Windows Scheduled Task Created in a Group Policy Object
• Windows Set Custom DNS ServerLevelPlugin Via Dnscmd
• Windows Shell or Script Execution From IIS Directory
• Windows SoftEther VPN Masquerading as Legitimate Binary
• Windows Software Discovery Via PowerShell
• Windows Suspicious File in EFI Volume
• Windows Suspicious QEMU Execution
• Windows SymbolicLink-Testing-Tools Utility Execution
• Windows TeamCity Payload Execution from Temp Directory
• Windows TeamCity Plugin Installed
• Windows Theme File Creation in Unusual Location
• Windows Universal Data Link File Creation
• Windows Unusual File Creation in Confluence Directory
• Windows WinPEAS PowerShell Script Execution
• Windows XLL File Creation Outside of Typical Location

Other Updates

• Refined multiple detections using diverse telemetry sources to reduce false positives and enhance regex accuracy. (Pull Request)

• Updated all detections to align with MITRE ATT&CK v19 technique IDs, ensuring consistency with the latest framework and improving mapping accuracy for threat coverage, reporting, and correlation.

Note: This is the final release for ESCU v5.x. Starting with ESCU v6.0, the STRT will use new internal tooling instead of contentctl to validate, package, and publish ESCU releases. For more information, see https://github.com/splunk/contentctl/blob/main/README.md