Splunk Security Content for Threat Detection & Response: June Recap

In June, the Splunk Threat Research Team had 2 releases of new security content via the Enterprise Security Content Update (ESCU) app (v5.7.0 and v5.8.0). With these releases, there are 16 new analytics and 3 new analytic stories now available in Splunk Enterprise Security via the ESCU application update process.

Content highlights include:

• Remote Employment Fraud Detections: Remote Employment Fraud involves threat actors posing as job seekers or employers in order to gain unauthorized access to systems or employment through deceptive means. In many cases, it involves the use of fraudulent or stolen identity documents which are used to hide the true identity and/or location of an employee. We released a number of analytics that can help detect the digital footprint of employment fraud through the analysis of unexpected Network behaviors (such as VPN usage or anomalously high latency) or the presence of nonstandard audio or video devices.

• The MITRE ATT&CK Detection Coverage Overview is now live! This visualization shows the real-time detection coverage across all MITRE ATT&CK tactics and can be used to identify specific detections for a given Tactic.

• Inno Setup Abuse: Inno Setup is a widely used, legitimate packaging tool for the installation of software in Windows environments. It has seen increasingly common usage by malicious actors, hiding embedded malware payloads in otherwise benevolent software installers. These payloads, which are often encrypted or obfuscated, are then executed by a number of different means such as scripting or process injection. We released a story analytic story that demonstrates a number of different techniques observed by malware abusing Inno Setup to gain execution and persistence.

• Web Browser Abuse: Locally installed malware may use Web Browsers to aid in the execution of malicious code, perform command and control, or transfer files. To decrease their footprint or provide flexibility in how they operate, this malware may supply a number of nonstandard command line flags when launching browsers. We release a number of analytics which recognize these suspicious flags.

• Cisco Secure Firewall Threat Defense Integration: A number of ESCU Detections have been improved and tested to work with Event Streamer (eStreamer) data collected by the Cisco Secure Firewall Threat Defense (FTD) platform. For more information about Cisco Secure Firewall, please go here or refer to the Analytic Story Cisco Secure Firewall Threat Defense Analytics.

• Bugfixes based on Community Feedback: Feedback from community members and users continues to be one of the best paths to improve the quality and performance of ESCU content. We released a number of bug fixes that reduce false positives and improve the risk objects and fields returned from searches.

For all our tools and security content, please visit research.splunk.com.