
v5.18.0


@patel-bhavin patel-bhavin released this 12 Nov 20:15
· 96 commits to develop since this release
e42da6e

🚀 Key Highlights

  • ๐Ÿ€ Castle RAT:
    Expanded coverage for the Castle RAT remote access trojan, which enables adversaries to execute commands, exfiltrate files, log keystrokes, and capture screens during targeted intrusion campaigns. Tagged multiple existing detections related to persistence, task creation, and suspicious process behavior, and introduced new analytics for unusual browser flag launches, ComputerDefaults-based UAC bypass, and handle duplication in known bypass binaries to improve visibility into Castle RAT infection chains, privilege escalation, and long-term access mechanisms.

  • ๐ŸŒ Research site enhancements:
    Weโ€™re excited to also announce that weโ€™ve enhanced research.splunk.com to provide deeper insights and richer context for detection engineers. Each detection entry now includes detailed attack data along with corresponding MITRE ATT&CK techniques, the environment used to generate the data, timestamps of simulated attacks, and tools leveraged during simulation. You can also explore step-by-step details on how to replay these attacks within your own Splunk environment for validation, tuning, and testing. This update is designed to help you better understand adversary behaviors, validate your detections with real-world data, and accelerate the development of high-fidelity detections. We highly recommend checking out the enhanced experience at https://research.splunk.com/attack_data and leveraging this data to strengthen your detection engineering workflows.
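The ComputerDefaults-based UAC bypass analytic called out in the Castle RAT highlight above is the kind of detection that is easiest to reason about with events in hand. The following is an added example, not ESCU's own SPL and not code from the Castle RAT research, that correlates the two halves of that bypass over constructed Sysmon-style events: a per-user write to the ms-settings protocol handler key, followed shortly by ComputerDefaults.exe (an auto-elevating binary) spawning a child process. The field names (EventCode 13 for registry value set, EventCode 1 for process create, Image, ParentImage, TargetObject, Details) follow the Sysmon schema, and the sample events, hostnames, and time window are assumptions made for the example.

```python
"""Correlate a ComputerDefaults.exe UAC-bypass pattern over Sysmon-style events.

Added example, not the ESCU detection itself. Assumed telemetry shape:
  EventCode 13 = registry value set (TargetObject, Details, Image)
  EventCode 1  = process create (Image, ParentImage, IntegrityLevel)
"""
from datetime import datetime, timedelta
import ntpath

# The bypass hijacks the per-user ms-settings protocol handler; ComputerDefaults.exe
# then auto-elevates and launches whatever command that key now points at.
MS_SETTINGS_KEY = r"\software\classes\ms-settings\shell\open\command"
BYPASS_BINARY = "computerdefaults.exe"

# Constructed sample events for the example (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "EventCode": 13, "time": "2025-11-12T10:00:01",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\ms-settings\shell\open\command\(Default)",
     "Details": r"C:\Windows\System32\cmd.exe /c whoami > C:\Users\Public\o.txt"},
    {"host": "ws01", "EventCode": 1, "time": "2025-11-12T10:00:03",
     "Image": r"C:\Windows\System32\ComputerDefaults.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "High"},
    {"host": "ws01", "EventCode": 1, "time": "2025-11-12T10:00:04",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\ComputerDefaults.exe", "IntegrityLevel": "High"},
    # Benign: a user opens Default Apps from Explorer; no registry hijack, no child.
    {"host": "ws02", "EventCode": 1, "time": "2025-11-12T11:00:00",
     "Image": r"C:\Windows\System32\ComputerDefaults.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "High"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _basename(path):
    # ntpath handles Windows separators regardless of the analyst's OS.
    return ntpath.basename(path).lower()


def registry_hijacks(events):
    """Registry writes that redirect the ms-settings protocol handler."""
    return [e for e in events
            if e["EventCode"] == 13
            and MS_SETTINGS_KEY in e.get("TargetObject", "").lower()]


def children_of_bypass_binary(events):
    """Process creations whose parent is ComputerDefaults.exe (weak signal on its own)."""
    return [e for e in events
            if e["EventCode"] == 1
            and _basename(e.get("ParentImage", "")) == BYPASS_BINARY]


def correlate(events, window=timedelta(seconds=60)):
    """Hijack write followed, on the same host and within `window`, by a child of
    ComputerDefaults.exe. Returns one finding per (hijack, child) pair."""
    findings = []
    for hijack in registry_hijacks(events):
        for child in children_of_bypass_binary(events):
            if child["host"] != hijack["host"]:
                continue
            delta = _ts(child) - _ts(hijack)
            if timedelta(0) <= delta <= window:
                findings.append({
                    "host": hijack["host"],
                    "hijacked_command": hijack.get("Details", ""),
                    "written_by": hijack.get("Image", ""),
                    "child_image": child["Image"],
                    "child_integrity": child.get("IntegrityLevel", ""),
                    "seconds_after_hijack": delta.total_seconds(),
                })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The registry write alone is the higher-fidelity signal; the child-process check is there so the finding carries the elevated process that actually ran, which is what a responder wants first. When tuning, widen the window before loosening the key match, and keep the standalone `children_of_bypass_binary` output for hunting even when no hijack write was captured.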

New Analytic Story - [1]

New Analytics - [3]

Other Updates

  • Tagged several other detection analytics to Castle RAT
  • Updated the Splunkbase link for the Ollama TA data source and TA versions of various data sources

🔴 BREAKING CHANGES:

  • As previously communicated in the ESCU v5.16.0 release, several detections have been removed. For the complete list of detections removed in v5.18.0, refer to the List of Removed Detections. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated; for the detections scheduled for removal in ESCU v5.20.0, see the List of Detections Scheduled for Removal.
Removed Detection                                        | Replacement Detection
---------------------------------------------------------|-------------------------------------------------------------
Windows Change Default File Association For No File Ext  | Windows Change File Association Command To Notepad
Detect Rundll32 Application Control Bypass - setupapi    | Windows Application Whitelisting Bypass Attempt via Rundll32
Detect Rundll32 Application Control Bypass - syssetup    | Windows Application Whitelisting Bypass Attempt via Rundll32
Detect Rundll32 Application Control Bypass - advpack     | Windows Application Whitelisting Bypass Attempt via Rundll32