## Key Highlights
### Cisco Secure Access Threat Detection
Introduced new analytics for Cisco Secure Access to identify access to anonymizer and privacy-focused services as well as automated web reconnaissance activity. The new detections, Cisco Secure Access Access to Anonymizer Services and Cisco Secure Access Automated Web Reconnaissance via HTTP Access Errors, help uncover attempts to obscure attacker infrastructure, evade attribution, and perform large-scale web application discovery through patterns of abnormal HTTP error responses and suspicious outbound connectivity.
### BlueHammer & RedSun
Added new analytic stories and detections covering the BlueHammer and RedSun exploit families, which abuse Microsoft Defender functionality to achieve privilege escalation and credential access. New analytics detect suspicious Defender engine and signature update activity, non-administrative password changes, abnormal password reset bursts, unauthorized Defender file modifications, and processes interacting with Defender update components, while also introducing support for Windows Security Event ID 4723 (password change attempts) to improve visibility into credential theft and privilege escalation tradecraft associated with these emerging attack techniques.
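To make the password-change coverage above concrete, here is an added Python example (not ESCU's own SPL or the project's code) that runs two checks over constructed Event ID 4723 records: a non-privileged subject changing a privileged account's password, and a burst of password changes from one subject. The field names follow the Windows Security log XML; the privileged-account list, thresholds and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log records using the field names Windows emits for
# Event ID 4723 (password change attempt); real data comes from XmlWinEventLog.
EVENTS = [
    {"_time": "2024-05-01T09:00:00", "EventCode": 4723, "SubjectUserName": "jdoe", "TargetUserName": "jdoe"},
    {"_time": "2024-05-01T09:05:00", "EventCode": 4723, "SubjectUserName": "helpdesk1", "TargetUserName": "Administrator"},
    {"_time": "2024-05-01T09:05:10", "EventCode": 4723, "SubjectUserName": "helpdesk1", "TargetUserName": "svc_backup"},
    {"_time": "2024-05-01T09:05:20", "EventCode": 4723, "SubjectUserName": "helpdesk1", "TargetUserName": "svc_sql"},
    {"_time": "2024-05-01T09:05:30", "EventCode": 4723, "SubjectUserName": "helpdesk1", "TargetUserName": "jsmith"},
    {"_time": "2024-05-01T12:00:00", "EventCode": 4723, "SubjectUserName": "Administrator", "TargetUserName": "Administrator"},
]
# Assumption: privileged accounts are a static list here; production logic
# would resolve group membership (e.g. Domain Admins) instead.
ADMIN_ACCOUNTS = {"Administrator", "svc_backup"}

def _ts(e):
    return datetime.fromisoformat(e["_time"])

def admin_password_changed_by_non_admin(events, admins=ADMIN_ACCOUNTS):
    """4723 events where an unprivileged subject changed a privileged account."""
    return [(e["SubjectUserName"], e["TargetUserName"]) for e in events
            if e["EventCode"] == 4723 and e["TargetUserName"] in admins
            and e["SubjectUserName"] not in admins]

def password_change_burst(events, window=timedelta(minutes=5), min_targets=3):
    """Subjects that changed >= min_targets other accounts inside one window."""
    by_subject = defaultdict(list)
    for e in events:  # self-service changes (subject == target) are normal
        if e["EventCode"] == 4723 and e["SubjectUserName"] != e["TargetUserName"]:
            by_subject[e["SubjectUserName"]].append(e)
    hits = {}
    for subject, evs in by_subject.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):  # sliding window starting at each event
            targets = {e["TargetUserName"] for e in evs[i:]
                       if _ts(e) - _ts(first) <= window}
            if len(targets) >= min_targets:
                hits[subject] = sorted(targets)
                break
    return hits
```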
### Linux Copy Fail Analytics
Expanded Linux detection coverage for Copy Fail (CVE-2026-31431) and related post-exploitation activity with new analytics targeting malformed authentication entries, PF_ALG registration outside normal boot windows, suspicious namespace creation, and process execution with null argv values: behaviors associated with privilege escalation, stealthy execution, and kernel abuse. This release also introduces support for Linux kern.log telemetry through a new data source, providing deeper visibility into low-level system activity and emerging Linux exploitation techniques.
### Salt Typhoon Tradecraft on Cisco IOS XE
Added a new set of analytics focused on Salt Typhoon-style activity targeting Cisco IOS XE devices, providing coverage for reconnaissance, persistence, defense evasion, and unauthorized remote access techniques observed in network infrastructure compromises. New detections identify behaviors such as Guestshell activation and destruction, log clearing sequences, VTY access control tampering, tunnel interface creation, WebUI abuse, remote access probing, and suspicious platform package shell interactions, helping defenders detect adversaries attempting to establish persistence, evade logging, and manipulate Cisco networking infrastructure.
### Cisco SD-WAN Authentication Analytics
Added new analytics to identify suspicious authentication patterns in Cisco SD-WAN environments, including multiple source IPs authenticating to vManage via SSH and repeated SSH key-based authentications from a single source, helping detect potential credential sharing, unauthorized administrative access, and distributed brute-force or persistence activity targeting SD-WAN management infrastructure.
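As an added illustration (not ESCU content), the following Python runs both SD-WAN SSH checks over constructed OpenSSH-style login lines: an account authenticating from several distinct source IPs, and repeated public-key logins from one source. The vManage log format, the thresholds and the windows are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample telemetry in OpenSSH syslog style; the real vManage log
# format is an assumption here, so adapt LINE_RE to the actual data source.
SAMPLE_LOG = """\
2024-05-01T10:00:01 vmanage sshd[2001]: Accepted publickey for admin from 10.1.1.5 port 50122 ssh2: RSA SHA256:aaaa
2024-05-01T10:00:09 vmanage sshd[2002]: Accepted publickey for admin from 10.1.1.5 port 50123 ssh2: RSA SHA256:aaaa
2024-05-01T10:00:15 vmanage sshd[2003]: Accepted publickey for admin from 10.1.1.5 port 50124 ssh2: RSA SHA256:aaaa
2024-05-01T10:02:30 vmanage sshd[2004]: Accepted password for admin from 203.0.113.7 port 41000 ssh2
2024-05-01T10:03:10 vmanage sshd[2005]: Accepted password for admin from 198.51.100.9 port 41001 ssh2
2024-05-01T10:04:00 vmanage sshd[2006]: Accepted publickey for netops from 10.1.1.8 port 50200 ssh2: RSA SHA256:bbbb
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Accepted (?P<method>\w+) "
                     r"for (?P<user>\S+) from (?P<src>\S+) port \d+")

def parse(log):
    """Parse accepted-login lines into dicts; non-matching lines are skipped."""
    return [{"ts": datetime.fromisoformat(m["ts"]), "method": m["method"],
             "user": m["user"], "src": m["src"]}
            for m in map(LINE_RE.match, log.splitlines()) if m]

def _grouped(events, key):
    """Yield (key, events sorted by time) for each distinct key."""
    groups = defaultdict(list)
    for e in events:
        groups[key(e)].append(e)
    return ((k, sorted(v, key=lambda e: e["ts"])) for k, v in groups.items())

def multi_source_ssh(events, window=timedelta(minutes=10), min_sources=3):
    """Accounts seen logging in from >= min_sources distinct IPs within one window."""
    hits = {}
    for user, evs in _grouped(events, lambda e: e["user"]):
        for i, first in enumerate(evs):  # sliding window from each event
            srcs = {e["src"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(srcs) >= min_sources:
                hits[user] = sorted(srcs)
                break
    return hits

def repeated_key_auth(events, window=timedelta(minutes=5), min_count=3):
    """(src, user) pairs with >= min_count public-key logins within one window."""
    hits = {}
    keyed = [e for e in events if e["method"] == "publickey"]
    for pair, evs in _grouped(keyed, lambda e: (e["src"], e["user"])):
        for i, first in enumerate(evs):
            n = sum(1 for e in evs[i:] if e["ts"] - first["ts"] <= window)
            if n >= min_count:
                hits[pair] = n
                break
    return hits
```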
### PTC Windchill Exploitation Detection Coverage
Added a new analytic story for PTC Windchill Exploitation along with detections for gateway command execution and GW READY/OK probing activity, providing visibility into exploitation attempts targeting Windchill environments. This release also introduces a new Windchill Log4j data source and supporting macro to help defenders identify reconnaissance, command execution, and post-exploitation behaviors against enterprise product lifecycle management (PLM) infrastructure.
## New Analytic Story - [5]
## New Analytics - [34]
- Cisco IOS XE Guestshell Activation and Destroy
- Cisco IOS XE Log Clearing Sequence With Optional Loopback Removal
- Cisco IOS XE Reconnaissance Command Activity
- Cisco IOS XE Remote Access Probe Burst
- Cisco IOS XE Request Platform Package Describe Shell Pattern
- Cisco IOS XE Tunnel Interface Configuration
- Cisco IOS XE VTY Access Class Tampering
- Cisco IOS XE WebUI Login From IOSd Local Port
- Cisco IOS XE WebUI Programmatic Configuration
- Cisco SA - Access to Anonymizer Services
- Cisco SA - Automated Web Reconnaissance via HTTP Access Errors
- Cisco SD-WAN Multiple SSH key Authentication from Same Source
- Cisco SD-WAN Multiple Source IP vManage Admin SSH Authentication
- Linux Binary Launched Process with Null Argv
- Linux Malformed Auth Entry
- Linux PF_ALG Registration Outside of Boot Window
- Linux Suspicious Namespace Creation
- PTC Windchill GW READY OK Probe
- PTC Windchill Gateway Command Execution
- Powershell Defender Threat Actions Set to Allow
- Splunk Secure Application Alerts for Runtime Security (Internal Contributor: @bryan-splunk)
- Windows Admin Password Changed by Non-Admin
- Windows Cloud Files Filter Loaded by Uncommon Process
- Windows Cloud Files Filter Log Created by Non-System Process
- Windows FFmpeg Audio and Video Device Discovery
- Windows FFmpeg DirectShow Video Capture
- Windows MsMpEng Writing to System32
- Windows Non-System Process Querying Definition Update
- Windows Suspicious Burst of Password Changes
- Windows Suspicious Child Process of TieringEngineService.exe
- Windows Suspicious Defender Engine or Signature Files Created
- Windows Suspicious Defender Update Activity in INetCache
- Windows VSSVC Process Accessing Defender Engine
- Windows Wermgr Alternate Data Stream in Temp Dir
## Other Updates
Fixed several regex-related bugs that were reported as GitHub issues (External Contributor: @srkyn).
## Breaking Changes
As previously communicated in the ESCU v5.26.0 release, several detections have been removed. For a complete list of the detections removed in version v6.1.0, refer to the List of Removed Detections. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v6.4.0, see the List of Detections Scheduled for Removal or see the notes below.
### Detections Removed in Release v6.1.0
| Detection | Reason | Replacement Content |
|---|---|---|
| Attempt To Add Certificate To Untrusted Store | Detection is deprecated as the usage of certutil and addstore by itself is not malicious. | None |
| CHCP Command Execution | Detection is deprecated as the usage of chcp.com by itself is not malicious. | None |
| Ivanti Sentry Authentication Bypass | Detection is deprecated since it is not specific enough to identify the intended malicious activity and might produce false positives. | None |
| Processes launching netsh | Detection is deprecated as the usage of netsh.exe by itself is often used for legitimate purposes. | None |
| Sc exe Manipulating Windows Services | Detection is deprecated as the usage of sc.exe by itself is often used for legitimate purposes. | None |
### Detections Scheduled for Removal in Future Releases
| Detection | Removed in Version | Reason | Replacement Content |
|---|---|---|---|
| PowerShell - Connect To Internet With Hidden Window | 6.4.0 | Detection has been deprecated due to incorrect logic and bad performance. | None |
| Regsvr32 with Known Silent Switch Cmdline | 6.4.0 | Detection has been deprecated since its logic is already covered by another more improved detection. | Regsvr32 Silent and Install Param Dll Loading |