Here's What's New in ESCU: July 2018

Summer is when laziness finds respectability.

– Sam Keen

Judging by the quote above, it’s clear that Sam Keen never worked in cybersecurity. Because evil never takes a vacation, the concepts of “summer” and “laziness” sound like a Rockwellian fantasy to anyone in the industry (and are highly unlikely to garner respectability). That said, the Splunk Security Research Team wants to make sure that you get to enjoy at least a few bonfires, a couple days at the beach, or a little hammock time in your backyard this summer. To this end, we’ve packed our most recent Enterprise Security Content Update (ESCU) releases with new Analytic Stories and searches, so you can take a few hard-won hours to relax.

Here’s what appeared in our July updates, which you should obviously download now in Splunkbase. (If you have not yet installed the ESCU app, go ahead and do that now. I’ll wait.)

Possible Backdoor Activity Associated with MUDCARP Espionage Campaigns

In July, Accenture iDefense analysts reported that a nation-state threat group called MUDCARP (also known as "temp.Periscope" and "Leviathan") had been observed targeting Cambodian elections using a javascript backdoor related to Orz/AIRBREAK. The malware injects a Windows executable file that spoofs a decryption tool, then drops the file. The malicious software is executed using Wscript.

The MUDCARP techniques include the use of Microsoft's compressed-folders module, zipfldr.dll, whose RouteTheCall export is used to run the malicious process or command. After a successful reboot, the malware is made persistent by manipulating the following registry key:

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]'help'='c:\\windows\\system32\\rundll32.exe c:\\windows\\system32\\zipfldr.dll,RouteTheCall c:\\programdata\\winapp.exe'

An Analytic Story included in the July ESCU update—a joint research effort between Accenture iDefense and the Splunk Security Research Team—searches for evidence of similar tactics, techniques, and procedures (TTPs) in your environment. These TTPs are not exclusive to MUDCARP. They can be leveraged by any nation-state actor as an endpoint detection-and-response (EDR) bypass technique that masks the true parent of a malicious process: the proxied program appears to be launched by rundll32.exe, a signed Windows binary, rather than by the malware itself.
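As an added illustration (not part of the original post or of the ESCU searches), the following Python runs a detection for the TTP described above over constructed, Sysmon-style sample events: a Run-key value being set and two process creations. The event field names are assumptions for this example; the rundll32/zipfldr.dll/RouteTheCall pattern and the winapp.exe path come from the registry value quoted above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample telemetry (not real data). Field names are assumptions for this
# example: a registry-value-set event and two process-creation events.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "help",
     "data": r"c:\windows\system32\rundll32.exe c:\windows\system32\zipfldr.dll,RouteTheCall c:\programdata\winapp.exe"},
    {"type": "process_create",
     "parent": r"c:\windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe c:\windows\system32\zipfldr.dll,RouteTheCall c:\programdata\winapp.exe"},
    {"type": "process_create",  # benign, everyday rundll32 use that must not alert
     "parent": r"c:\windows\explorer.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL ncpa.cpl"},
]

# Autostart locations where a RouteTheCall launcher means persistence.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# rundll32 calling the zipfldr.dll RouteTheCall export; the argument after the export
# name is the program RouteTheCall actually launches (the "true" child).
ROUTETHECALL_RE = re.compile(
    r"rundll32(\.exe)?\s+\S*zipfldr\.dll\s*,\s*RouteTheCall\s+(?P<target>\S+)",
    re.IGNORECASE)

def find_routethecall(cmdline: str) -> Optional[str]:
    """Return the proxied target path if cmdline abuses RouteTheCall, else None."""
    m = ROUTETHECALL_RE.search(cmdline)
    return m.group("target") if m else None

def detect(events: List[Dict]) -> List[Dict]:
    """Flag Run-key persistence and parent-masking process launches via RouteTheCall."""
    findings = []
    for ev in events:
        if ev["type"] == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            target = find_routethecall(ev["data"])
            if target:
                findings.append({"tactic": "persistence", "target": target,
                                 "value_name": ev["value"]})
        elif ev["type"] == "process_create":
            target = find_routethecall(ev["cmdline"])
            if target:
                findings.append({"tactic": "defense_evasion", "target": target,
                                 "apparent_parent": ev["parent"]})
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```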

The Security Research Team was proud to work with iDefense/Accenture on this Analytic Story. It was exciting to see the power of iDefense’s internal threat intelligence combined with ESCU’s analytics. The experience really highlighted how the Analytic Story’s flexible format makes it easy to customize for specific environments and how valuable it can be as a means of sharing threat intelligence and analytic tradecraft. We’d love to hear about your experiences with and ideas for Analytic Stories. You can email us at or by clicking on the Feedback Center link in the ESCU app.  

Is There a Hole in Your Bucket?

Over the last year, a spate of large enterprises, including Verizon, Walmart, and the Department of Defense, were exposed for failing to secure their AWS environments, thereby leaving highly sensitive information—such as contact details, bank information, and private-access keys—vulnerable. In many cases, the misconfigurations involved neglecting to change admin accounts’ default credentials. While none of the organizations reported breaches, mistakes of this sort are unfortunate, unnecessary, and embarrassing.

You can avoid such mishaps by leveraging the analytics within ESCU’s Analytic Story, “Suspicious AWS S3 Activities,” which is designed to help you monitor your AWS S3 buckets for evidence of faulty configurations (such as open buckets) or anomalous activity (such as buckets being accessed from an unfamiliar IP or a spike in S3 deletions). You can further contextualize your analytics with a search that queries AWS configuration logs and returns information about a specific S3 bucket. The information returned includes the time the S3 bucket was created, the resource ID, the region it belongs to, the action performed, the AWS account ID, and the configuration values of the access-control lists associated with the bucket.
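As an added example (not code from the original post or from ESCU), the Python below implements two of the checks this Analytic Story describes: an open-bucket check that inspects ACL grants in the shape returned by S3's GetBucketAcl API, and a deletion-spike check over CloudTrail-style events. The bucket names, ACLs, events and the baseline figure are constructed sample data.

```python
from collections import Counter
from typing import Dict, List

# S3 group URIs that grant access beyond the owning account.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

def open_grants(acl: Dict) -> List[Dict]:
    """Return grants in a GetBucketAcl-shaped ACL that expose the bucket to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append({"audience": PUBLIC_GROUPS[grantee["URI"]],
                          "permission": grant.get("Permission")})
    return found

def deletion_spike(events: List[Dict], baseline: int, factor: float = 3.0) -> Dict[str, int]:
    """Buckets whose DeleteObject count in this window exceeds factor * the usual count."""
    counts = Counter(e["bucket"] for e in events if e.get("eventName") == "DeleteObject")
    return {bucket: n for bucket, n in counts.items() if n > factor * baseline}

# Constructed sample data (not real AWS output).
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}
ACLS = {
    "finance-reports": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]},
    "public-assets": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "WRITE"},
    ]},
}
EVENTS = ([{"eventName": "DeleteObject", "bucket": "finance-reports"}] * 40
          + [{"eventName": "DeleteObject", "bucket": "public-assets"}] * 5
          + [{"eventName": "GetObject", "bucket": "finance-reports"}] * 10)

def audit(acls: Dict = ACLS, events: List[Dict] = EVENTS, baseline: int = 10) -> Dict:
    """Combine both checks into one report keyed by finding type."""
    return {"open_buckets": {b: open_grants(a) for b, a in acls.items() if open_grants(a)},
            "deletion_spikes": deletion_spike(events, baseline)}

if __name__ == "__main__":
    print(audit())
```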

This month’s ESCU releases also contained a number of updated stories, listed below:

  • Hidden Cobra Malware
    Category: Malware
    Description: Monitor for and investigate activities, including the creation or deletion of hidden shares and file writes, that may be evidence of infiltration by North Korean government-sponsored cybercriminals. Details of this activity were reported in DHS Report TA-18-149A. 

  • Windows Persistence Techniques
    Category: Adversary Tactics
    Description: Monitor for activities and techniques associated with maintaining persistence on a Windows system—a sign that an adversary may have compromised your environment.

  • Windows Service Abuse
    Description: Windows services are often used by attackers for persistence and the ability to load drivers or otherwise interact with the Windows kernel. This Analytic Story helps you monitor your environment for indications that Windows services are being modified or created in a suspicious manner.

  • Command and Control
    Category: Adversary Tactics
    Description: Detect and investigate tactics, techniques, and procedures leveraged by attackers to establish and operate command and control channels. Implants installed by attackers on compromised endpoints use these channels to receive instructions and send data back to the malicious operators.

  • Prohibited Traffic Allowed or Protocol Mismatch
    Category: Best Practices
    Description: Detect instances of prohibited network traffic allowed in the environment, as well as protocols running on non-standard ports. Both of these types of behaviors typically violate policy and can be leveraged by attackers.

  • Data Protection
    Description: Fortify your data-protection arsenal—while continuing to ensure data confidentiality and integrity—with searches that monitor for and help you investigate possible signs of data exfiltration.

Install the Latest Version of ESCU

The Security Research group at Splunk sleeps better when we know that you're protected against the latest threats and vulnerabilities, so download the latest Splunk ES Content Update now! If you have not yet installed ESCU, well, what are you waiting for? Go ahead and install it...and please don’t forget to let us know what you think.

The Security Research Team is devoted to delivering actionable intelligence to Splunk's customers, in an unceasing effort to safeguard them against modern enterprise risks. Composed of elite researchers, engineers, and consultants who have served in both public and private sector organizations, this innovative team of digital defenders monitors emerging cybercrime trends and techniques, then translates them into practical analytics that Splunk users can operationalize within their environments. Download Splunk Enterprise Security Content Update in Splunkbase to learn more.