Splunk Security Content

🚀 Key Highlights

• 🚨 Linux Copy Fail Privilege Escalation (CVE-2026-31431): Added a new detection: Linux Auditd Copy Fail Privilege Escalation to identify exploitation of the Copy Fail vulnerability, a Linux kernel flaw that enables unprivileged users to perform controlled writes to file page cache and escalate privileges to root. This analytic leverages auditd telemetry to detect suspicious modification patterns targeting setuid binaries, providing early visibility into local privilege escalation attempts across affected Linux systems.

• 🔐 Cisco Secure Access Analytics: Introduced a new analytic story for Cisco Secure Access, leveraging firewall telemetry to detect suspicious access patterns. This release includes updates to existing detections: Large ICMP Traffic, Outbound SMB Traffic, Outbound LDAP Traffic, and Windows RDP Network Brute Force Attempts enabling them to operate with Cisco Secure Access Firewall data, validated through simulated attack scenarios to improve visibility into adversary activity traversing modern cloud-delivered security controls.

• 🪟 Windows Threat Detection Expansion: Significantly expanded coverage across multiple analytic stories with the addition of a broad set of new detections targeting modern Windows attack techniques, including PowerShell abuse, process injection, privilege escalation, registry manipulation, cloud and Azure activity, RMM tool usage, and C2 frameworks such as Cobalt Strike, Metasploit, and custom agents. These analytics enhance visibility into attacker behaviors like defense evasion (EDR bypass, obfuscation, EFI tampering), persistence (scheduled tasks, file association changes, GPO abuse), credential access (LAPS harvesting, keychain-like data access), and lateral movement and exfiltration, while also covering emerging tradecraft such as Cloudflared tunnels, Devtunnels, and supply chain tooling abuse—providing deeper detection across the Windows attack lifecycle.

• ⌨️ VIP Keylogger (.NET Stealer) Detection Coverage: Introduced new analytics to strengthen detection of VIP Keylogger and related .NET-based infostealers by focusing on behavioral indicators of stealthy execution and persistence. New detections: PowerShell Environment Variable Execution, Windows Anomalous Registry Value Length in Environment Key, PowerShell PInvoke Process Injection API Chain, and Windows Proxy Execution of .NET Utilities via Scripts surface patterns such as encoded payload staging in registry keys, script-driven execution of trusted .NET binaries, and in-memory process injection techniques, improving visibility into credential theft operations, obfuscated execution chains, and defense evasion commonly used in modern phishing-delivered stealer campaigns.

New Analytic Story - [2]

• Cisco Secure Access Analytics
• VIP Keylogger

New Analytics - [67]

• Linux Auditd Copy Fail Privilege Escalation
• PowerShell Environment Variable Execution
• PowerShell PInvoke Process Injection API Chain
• Windows .Key File Creation in Root Directory
• Windows Anomalous Registry Value Length in Environment Key
• Windows AppCertDLL Modification Via Command Line
• Windows Azure PowerShell Module Installation Via PowerShell Script
• Windows Azure Storage Utility Execution Via CLI
• Windows Cobalt Strike PowerShell Loader
• Windows Command Obfuscation with Environment Variable Substrings
• Windows Computer Account Changed to Domain Controller
• Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script
• Windows CrowdStrike Agent Registry Key Removal
• Windows Crowdstrike RTR Script Execution
• Windows Default Cobalt Strike PowerShell Beacon
• Windows Devtunnels Execution
• Windows Devtunnels Image Loaded
• Windows Downdate Registry Activity
• Windows EDRSilencer Execution
• Windows EFI Bootloader File Modification
• Windows EFI Volume Mount Attempt Via Mountvol
• Windows Entra User Management Via Azure CLI
• Windows File Association Modification via Ftype
• Windows Filtering Platform Policy Added to Block EDR Process
• Windows Get-Variable.EXE Execution from WindowsApps Folder
• Windows GrimResource - MMC Process Accessing APDS DLL
• Windows Guest Account Enabled Via Net.EXE
• Windows IOBit Unlocker Extension DLL Registration via Regsvr32
• Windows LAPS Password Gathering Via PowerShell Script
• Windows Level RMM PowerShell Script Installer
• Windows Level RMM Watchdog Task Created
• Windows MSI Rollback Script Deleted By Non-Msiexec Process
• Windows Metasploit Confluence Plugin Execution
• Windows Mock Trusted Directory MSC File Creation
• Windows Mustang Panda USB Tool Execution
• Windows Netspy Network Scanner Execution
• Windows Network Connection From Program In Suspect Location
• Windows NorthStar C2 Agent Execution
• Windows OneDrive Share Mounted via Net
• Windows Potato Privilege Escalation Tool Execution
• Windows Potential Cloudflared Network Connection
• Windows Potential Cloudflared Tunnel Execution
• Windows Potential Web Shell Creation For VMware Workspace ONE
• Windows PowGoop Beacon Decoding
• Windows PowerShell Module File Created
• Windows PowerShell Script TabExpansion Direct Call
• Windows Privilege Escalation Attempt Via MSI Rollback
• Windows Process Accessing Windows Recall Directory
• Windows Proxy Execution of .NET Utilities via Scripts
• Windows PuTTY Suite Utility Execution
• Windows RMM Tool Execution
• Windows Remote Image Load
• Windows Scheduled Task Created in a Group Policy Object
• Windows Set Custom DNS ServerLevelPlugin Via Dnscmd
• Windows Shell or Script Execution From IIS Directory
• Windows SoftEther VPN Masquerading as Legitimate Binary
• Windows Software Discovery Via PowerShell
• Windows Suspicious File in EFI Volume
• Windows Suspicious QEMU Execution
• Windows SymbolicLink-Testing-Tools Utility Execution
• Windows TeamCity Payload Execution from Temp Directory
• Windows TeamCity Plugin Installed
• Windows Theme File Creation in Unusual Location
• Windows Universal Data Link File Creation
• Windows Unusual File Creation in Confluence Directory
• Windows WinPEAS PowerShell Script Execution
• Windows XLL File Creation Outside of Typical Location

Other Updates

• Refined multiple detections using diverse telemetry sources to reduce false positives and enhance regex accuracy. (Pull Request)

• Updated all detections to align with MITRE ATT&CK v19 technique IDs, ensuring consistency with the latest framework and improving mapping accuracy for threat coverage, reporting, and correlation.

Note: This is the final release for ESCU v5.x. Starting with ESCU v6.0, the STRT will use new internal tooling instead of contentctl to validate, package, and publish ESCU releases. For more information, see https://github.com/splunk/contentctl/blob/main/README.md

🚀 Key Highlights

• 🍎 macOS Detection Coverage Expansion: Expanded detection coverage for macOS environments with three new analytic stories - macOS Persistence Techniques, macOS Post-Exploitation, and macOS Privilege Escalation - delivering visibility across the full attack lifecycle. This release introduces detections for behaviors such as account creation, Gatekeeper bypass, keychain dumping, LoginHook persistence, kextload abuse, hidden files/directories, log removal, data chunking, network share discovery, and firewall rule enumeration, strengthening defense against stealthy macOS threats and improving monitoring of attacker activity on Apple endpoints.
• ⛓️ Axios Supply Chain Post-Compromise Activity: Expanded detection coverage for Axios-related supply chain post-compromise scenarios by tagging existing analytics that capture behaviors associated with malicious package execution and downstream abuse. This update improves visibility into post-installation script execution, credential access, data exfiltration, and persistence mechanisms often triggered after a compromised dependency is introduced, helping defenders detect and respond to supply chain attacks impacting JavaScript and Node.js ecosystems.

New Analytic Story - [4]

• Axios Supply Chain Post Compromise
• MacOS Persistence Techniques
• MacOS Post-Exploitation
• MacOS Privilege Escalation

New Analytics - [11]

• MacOS Account Created
• MacOS Data Chunking
• MacOS Gatekeeper Bypass
• MacOS Hidden Files and Directories
• MacOS Kextload Usage
• MacOS Keychains Dumped
• MacOS List Firewall Rules (Internal Contributor :Jamie Windley)
• MacOS Log Removal
• MacOS LoginHook Persistence
• MacOS Network Share Discovery
• Microsoft Intune Bulk Wipe (External Contributor: jakeenea51)

Other Updates

• Fixed a bug in the Onboarding Assistant that affected Splunk Cloud customers using instances configured on ports (other than 8000). In these cases, detections within an analytic story failed to enable correctly or behaved inconsistently. This issue has been resolved, and detections can now be enabled successfully.
• Updated all View risk events for the last 7 days drilldown searches to reflect the correct earliest and latest time configuration.
• Improved detection coverage and accuracy across multiple rules by fixing regex issues, refining conditions, adding macro usage, and reducing false positives. To view the detailed list of updates and the associated Github issues, please view the details in this pull request.
• Removed missing fields from the Windows Event Log Cleared detection (External Contributor: AndreiBanaru).

Breaking Changes

As previously communicated in the ESCU v5.24.0 release, several detections have been removed. For a complete list of the detections removed in version v5.26.0, refer to the List of Removed Detections. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v6.1.0, see the List of Detections Scheduled for Removal.