Here's What's New in ESCU: July 2018

Summer is when laziness finds respectability.

– Sam Keen

Judging by the quote above, it’s clear that Sam Keen never worked in cybersecurity. Because evil never takes a vacation, the concepts of “summer” and “laziness” sound like a Rockwellian fantasy to anyone in the industry (and are highly unlikely to garner respectability). That said, the Splunk Security Research Team wants to make sure that you get to enjoy at least a few bonfires, a couple days at the beach, or a little hammock time in your backyard this summer. To this end, we’ve packed our most recent Enterprise Security Content Update (ESCU) releases with new Analytic Stories and searches, so you can take a few hard-won hours to relax.

Here’s what appeared in our July updates, which you should obviously download now in Splunkbase. (If you have not yet installed the ESCU app, go ahead and do that now. I’ll wait.)

Possible Backdoor Activity Associated with MUDCARP Espionage Campaigns

In July, Accenture iDefense analysts reported that a nation-state threat group called MUDCARP (also known as TEMP.Periscope and Leviathan) had been observed targeting Cambodian elections with a JavaScript backdoor related to Orz/AIRBREAK. The backdoor carries an embedded Windows executable that masquerades as a decryption tool and drops it to disk; the JavaScript itself is executed with wscript.exe.

MUDCARP's techniques include abusing Microsoft's compressed-folders module, zipfldr.dll, whose RouteTheCall export is invoked through rundll32.exe to launch the malicious process or command. To persist across reboots, the malware sets the following Run key value:

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]'help'='c:\\windows\\system32\\rundll32.exe c:\\windows\\system32\\zipfldr.dll,RouteTheCall c:\\programdata\\winapp.exe'

An Analytic Story included in the July ESCU update, a joint research effort between Accenture iDefense and the Splunk Security Research Team, searches for evidence of similar tactics, techniques, and procedures (TTPs) in your environment. These TTPs are not exclusive to MUDCARP. Any adversary can use the rundll32.exe/zipfldr.dll,RouteTheCall launch to mask the true parent of a malicious process: the payload shows up as a child of rundll32.exe, a signed Microsoft binary, rather than of the dropper that actually launched it, which undermines the parent/child heuristics that endpoint detection-and-response (EDR) products rely on.
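To make the detection concrete, here is an added example (not one of ESCU's own searches, and not iDefense's code) that runs the three checks a practitioner would want over Sysmon-style process-creation (Event ID 1) and registry-value-set (Event ID 13) records: the rundll32.exe command line that loads zipfldr.dll and calls RouteTheCall, a Run key value carrying that launch string, and any process whose apparent parent is such a rundll32, for which the rundll32's own parent is reported as the true launcher. The event records, process GUIDs, paths and the "winapp.exe" payload name are constructed for the example; field names follow Sysmon conventions.

```python
"""Detect the rundll32.exe / zipfldr.dll,RouteTheCall launch technique in
Sysmon-style telemetry.  Added example; not ESCU's own SPL searches.
All event records below are constructed by hand."""
import re

# Tell-tale command line: rundll32 loading the compressed-folders module and
# calling its RouteTheCall export with the real payload as the argument, e.g.
#   rundll32.exe c:\windows\system32\zipfldr.dll,RouteTheCall c:\programdata\winapp.exe
ROUTETHECALL_RE = re.compile(
    r"zipfldr\.dll\s*,\s*RouteTheCall\s+(?P<target>\S+)", re.IGNORECASE)
# Any value under a per-user or machine Run key.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)

# Constructed sample telemetry (assumed shape; field names follow Sysmon).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "g1", "ParentProcessGuid": "g0",
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\bob\Downloads\results.js"'},
    {"EventID": 13, "ProcessGuid": "g1",
     "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\help",
     "Details": r"c:\windows\system32\rundll32.exe c:\windows\system32\zipfldr.dll,RouteTheCall c:\programdata\winapp.exe"},
    {"EventID": 1, "ProcessGuid": "g2", "ParentProcessGuid": "g1",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"c:\windows\system32\rundll32.exe c:\windows\system32\zipfldr.dll,RouteTheCall c:\programdata\winapp.exe"},
    {"EventID": 1, "ProcessGuid": "g3", "ParentProcessGuid": "g2",
     "Image": r"C:\ProgramData\winapp.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"c:\programdata\winapp.exe"},
    # Benign rundll32 use for contrast; must not be flagged.
    {"EventID": 1, "ProcessGuid": "g4", "ParentProcessGuid": "g0",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
]


def detect_routethecall(events):
    """Return a list of findings (dicts with a 'rule' key).

    1. rundll32_routethecall: rundll32 launched with zipfldr.dll,RouteTheCall
    2. run_key_routethecall:  a Run key value whose data carries that string
    3. masked_parent:         a process whose parent is such a rundll32; the
       rundll32's own parent is reported as the true launcher, which is what
       the technique hides from naive parent/child heuristics."""
    findings = []
    by_guid = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    proxies = {}  # GUID of the rundll32 proxy process -> payload path

    for e in events:
        if e["EventID"] == 1 and e["Image"].lower().endswith("rundll32.exe"):
            m = ROUTETHECALL_RE.search(e["CommandLine"])
            if m:
                proxies[e["ProcessGuid"]] = m.group("target")
                findings.append({"rule": "rundll32_routethecall",
                                 "guid": e["ProcessGuid"],
                                 "target": m.group("target")})
        elif (e["EventID"] == 13 and RUN_KEY_RE.search(e["TargetObject"])
              and ROUTETHECALL_RE.search(e.get("Details", ""))):
            findings.append({"rule": "run_key_routethecall",
                             "guid": e["ProcessGuid"],
                             "value": e["TargetObject"]})

    # Second pass: walk one hop past the rundll32 proxy to the real parent.
    for e in events:
        if e["EventID"] == 1 and e["ParentProcessGuid"] in proxies:
            proxy = by_guid[e["ParentProcessGuid"]]
            true_parent = by_guid.get(proxy["ParentProcessGuid"])
            findings.append({
                "rule": "masked_parent",
                "guid": e["ProcessGuid"],
                "image": e["Image"],
                "apparent_parent": proxy["Image"],
                "true_parent": (true_parent["Image"] if true_parent
                                else proxy["ParentImage"]),
            })
    return findings


if __name__ == "__main__":
    for f in detect_routethecall(SAMPLE_EVENTS):
        print(f)
```

The second pass is the part worth carrying into any SIEM search: matching only on the rundll32 command line tells you a proxy launch happened, but joining the child back through the proxy to its grandparent is what recovers the dropper (wscript.exe here) that the technique was meant to hide.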

The Security Research Team was proud to work with iDefense/Accenture on this Analytic Story. It was exciting to see the power of iDefense’s internal threat intelligence combined with ESCU’s analytics. The experience really highlighted how the Analytic Story’s flexible format makes it easy to customize for specific environments and how valuable it can be as a means of sharing threat intelligence and analytic tradecraft. We’d love to hear about your experiences with and ideas for Analytic Stories. You can email us at or by clicking on the Feedback Center link in the ESCU app.  

Is There a Hole in Your Bucket?

Over the last year, a spate of large enterprises, including Verizon, Walmart, and the Department of Defense, were exposed for failing to secure their AWS environments, thereby leaving highly sensitive information, such as contact details, bank information, and private access keys, open to anyone who found it. In many cases, the misconfiguration was nothing more exotic than an S3 bucket whose access controls left it publicly readable. While none of the organizations reported breaches, mistakes of this sort are unfortunate, unnecessary, and embarrassing.

You can avoid such mishaps by leveraging the analytics within ESCU's Analytic Story, "Suspicious AWS S3 Activities," which is designed to help you monitor your AWS S3 buckets for evidence of faulty configurations (such as open buckets) or anomalous activity (such as buckets being accessed from an unfamiliar IP or a spike in S3 deletions). You can further contextualize your analytics with a search that queries AWS Config logs and returns the information recorded for a specific S3 bucket: the time the bucket was created, its resource ID, the region it belongs to, the action performed, the AWS account ID, and the configuration values of the access-control lists associated with the bucket.
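The three conditions that story looks for can be expressed as plain checks over the data AWS already gives you. The following is an added example, not the "Suspicious AWS S3 Activities" searches themselves: it flags public grants in a bucket ACL (the document shape is that of the GetBucketAcl response, which is also what AWS Config records for a bucket's ACL), S3 API calls from source IPs outside a set of known ranges, and a DeleteObject count that exceeds a multiple of a per-bucket baseline. The ACL, the CloudTrail-shaped events, the bucket name, the CIDR allow-list and the baseline numbers are all constructed for the example.

```python
"""Open-bucket, unfamiliar-source and deletion-spike checks over constructed
S3 ACL and CloudTrail-shaped data.  Added example; not ESCU's own searches."""
import ipaddress
from collections import Counter

# Canned group URIs AWS uses for "anyone on the internet" and "any AWS
# account".  A READ grant to either one is an open bucket.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# Constructed ACL in the GetBucketAcl shape: owner has full control, and a
# second grant accidentally lets everyone read.
SAMPLE_ACL = {
    "Owner": {"ID": "0123456789abcdef"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

def _ev(name, src, bucket="corp-backups"):
    return {"eventName": name, "sourceIPAddress": src,
            "requestParameters": {"bucketName": bucket}}

# Constructed CloudTrail S3 data events for one hour: normal reads from the
# corporate range, two calls from a documentation-range address, a burst of
# deletions, and one AWS-internal call whose source is a service name.
SAMPLE_EVENTS = (
    [_ev("GetObject", "10.1.2.3"),
     _ev("GetObject", "203.0.113.9"),
     _ev("DeleteObject", "203.0.113.9")]
    + [_ev("DeleteObject", "10.1.2.4")] * 11
    + [_ev("PutObject", "cloudtrail.amazonaws.com")]
)
KNOWN_CIDRS = ["10.0.0.0/8"]            # assumed corporate egress range
BASELINE_DELETES_PER_HOUR = {"corp-backups": 2}  # assumed historical rate


def open_grants(acl):
    """(group, permission) pairs that expose the bucket to everyone or to
    any AWS account."""
    out = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            out.append((PUBLIC_GROUPS[grantee["URI"]], g["Permission"]))
    return out


def unfamiliar_sources(events, known_cidrs):
    """(eventName, sourceIPAddress) for calls from outside the known ranges.
    Calls made on your behalf by AWS services carry a service name instead of
    an IP in sourceIPAddress; those are skipped rather than flagged."""
    nets = [ipaddress.ip_network(c) for c in known_cidrs]
    flagged = []
    for ev in events:
        src = ev["sourceIPAddress"]
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue
        if not any(ip in n for n in nets):
            flagged.append((ev["eventName"], src))
    return flagged


def deletion_spike(events, baseline_per_hour, factor=5):
    """bucket -> DeleteObject count, for buckets whose count in the window
    exceeds factor x their baseline.  A bucket with no baseline (0) is
    flagged on its first deletion, which is the conservative choice."""
    counts = Counter(ev["requestParameters"]["bucketName"]
                     for ev in events if ev["eventName"] == "DeleteObject")
    return {b: n for b, n in counts.items()
            if n > factor * baseline_per_hour.get(b, 0)}


if __name__ == "__main__":
    print("open grants:", open_grants(SAMPLE_ACL))
    print("unfamiliar:", unfamiliar_sources(SAMPLE_EVENTS, KNOWN_CIDRS))
    print("spikes:", deletion_spike(SAMPLE_EVENTS, BASELINE_DELETES_PER_HOUR))
```

Two caveats carry over to the real searches: the ACL check is only one of the ways a bucket becomes public (a bucket policy can grant access just as broadly), and the deletion baseline should be per bucket and per time window rather than a single global number, or a busy bucket will mask a quiet one being emptied.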

This month’s ESCU releases also contained a number of updated stories, listed below:

  • Hidden Cobra Malware
    Category: Malware
    Description: Monitor for and investigate activities, including the creation or deletion of hidden shares and file writes, that may be evidence of infiltration by North Korean government-sponsored actors. Details of this activity were reported in US-CERT Alert TA18-149A.

  • Windows Persistence Techniques
    Category: Adversary Tactics
    Description: Monitor for activities and techniques associated with maintaining persistence on a Windows system—a sign that an adversary may have compromised your environment.

  • Windows Service Abuse
    Description: Windows services are often used by attackers for persistence and for the ability to load drivers or otherwise interact with the Windows kernel. This Analytic Story helps you monitor your environment for indications that Windows services are being modified or created in a suspicious manner.

  • Command and Control
    Category: Adversary Tactics
    Description: Detect and investigate tactics, techniques, and procedures leveraged by attackers to establish and operate command and control channels. Implants installed by attackers on compromised endpoints use these channels to receive instructions and send data back to the malicious operators.

  • Prohibited Traffic Allowed or Protocol Mismatch
    Category: Best Practices
    Description: Detect instances of prohibited network traffic allowed in the environment, as well as protocols running on non-standard ports. Both of these types of behaviors typically violate policy and can be leveraged by attackers.

  • Data Protection
    Description: Fortify your data-protection arsenal—while continuing to ensure data confidentiality and integrity—with searches that monitor for and help you investigate possible signs of data exfiltration.

Install the Latest Version of ESCU

The Security Research group at Splunk sleeps better when we know that you're protected against the latest threats and vulnerabilities, so download the latest Splunk ES Content Update now! If you have not yet installed ESCU, well, what are you waiting for? Go ahead and install it...and please don't forget to let us know what you think.


The Splunk Threat Research Team is an active part of a customer's overall defense strategy, enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond to the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks, which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.
