v5.13.0

Key highlights

ESCU 5.13 is a rapid‑response release addressing active exploitation of Cisco Smart Install (CVE‑2018‑0171) by Static Tundra, a Russian state‑sponsored espionage group linked to FSB Center 16 and known for long‑term compromises of network devices. The actor is abusing a seven‑year‑old, already‑patched flaw on unpatched or EOL IOS/IOS XE gear to steal configurations and establish persistent access, including bespoke SNMP tooling and historic firmware implants such as SYNful Knock.

To mitigate this campaign, the Splunk Threat Research Team operationalized Cisco Talos’ PCAP patterns and tradecraft into high‑signal detections on cisco:ios telemetry. These detections surface Smart Install ingress on TCP/4786 and oversized SMI packets, follow‑on configuration/persistence actions (privileged account creation, SNMP community changes, interface modifications), and TFTP staging/exfiltration, with Cisco Secure Firewall mappings for unified triage.

This release provides security teams actionable hunts and earlier containment checks for a critical blind spot that typically sits outside EDR and has been abused for long‑dwell espionage (while engineering teams concurrently begin remediation in line with Talos/Cisco guidance to patch or disable Smart Install, adopt SNMPv3, and harden management access). Given the campaign’s global scope (telecom, higher education, manufacturing across North America, Asia, Africa, and Europe) and the likelihood of similar activity by other state actors, this coverage is broadly applicable.

Enabled by our ongoing Cisco + Splunk Better Together collaboration, customers can rapidly receive high fidelity hunts to detect earlier, verify remediation, and reduce mean time to detection and containment, cutting dwell time across IOS/IOS XE and other current and legacy environments. Kudos to Cisco Talos for surfacing this emerging tradecraft and the Splunk Threat Research Team who rapidly operationalized this intelligence into actionable detections across Cisco product suite!

Here’s a summary of the latest updates:

Cisco Smart Install Remote Code Execution (CVE-2018-0171): Introduced a new analytic story built using cisco:ios logs and network traffic pcap samples from Cisco Talos to detect exploitation attempts known to be used by Static Tundra. Detections include suspicious Smart Install traffic, privileged account creation, SNMP configuration changes, and TFTP-based data exfiltration on vulnerable Cisco devices. You can read more about it in this recent Talos blog.

New Analytic Story - [1]

Cisco Smart Install Remote Code Execution CVE-2018-0171

New Analytics - [8]

Cisco Configuration Archive Logging Analysis
Cisco IOS Suspicious Privileged Account Creation
Cisco Network Interface Modifications
Cisco SNMP Community String Configuration Changes
Cisco Secure Firewall - Static Tundra Smart Install Abuse
Cisco Smart Install Oversized Packet Detection
Cisco Smart Install Port Discovery and Status
Cisco TFTP Server Configuration for Data Exfiltration

Updated Analytics - [1]

Cisco Secure Firewall - Intrusion Events by Threat Activity

v5.12.0

🚀 Key Highlights

🛡️ Medusa Rootkit (UNC3886): Introduced a new analytic story for Medusa Rootkit, a stealthy malware leveraged by UNC3886 to maintain persistence on Linux 🐧 and Windows 🪟 systems. This release adds detections for Linux GDrive Binary Activity, Linux Medusa Rootkit, Windows GDrive Binary Activity, and Windows Suspicious VMware Tools Child Process, while also mapping other existing detections to this threat actor.

📦 MSIX Package Abuse: We added a new analytic story covering abuse of Microsoft MSIX application packages, leveraging telemetry from AppXDeploymentServer/Operational logs 📑. This story introduces detections for suspicious MSIX behaviors, including Windows Advanced Installer MSIX with AI_STUBS Execution, Unsigned Package Installation, PowerShell MSIX Package Installation, and interactions with Windows Apps directories 📂, providing visibility into application sideloading and potential malware delivery.

🖥️ Windows RDP Artifacts & Defense Evasion: A new analytic story focused on RDP activity 💻 followed by artifact cleanup 🧹 or evasion techniques. Windows RDP usage generates forensic artifacts such as Default.rdp files 📄 and bitmap caches 🖼️ that can reveal details about accessed systems. This release adds detections for RDP file creation, deletion, and un-hiding events, bitmap cache file activity, RDP server registry entry creation/deletion, and RDP client launched with admin session, while tagging existing detections to ensure comprehensive monitoring of both RDP usage and evasion behavior.

---

📚 New Analytic Stories – [3]

• MSIX Package Abuse
• Medusa Rootkit
• Windows RDP Artifacts and Defense Evasion

♻️ Updated Analytic Story – [1]

• China-Nexus Threat Activity

🆕 New Analytics – [22]

• Linux Gdrive Binary Activity
• Linux Medusa Rootkit
• Windows Advanced Installer MSIX with AI_STUBS Execution
• Windows AppX Deployment Full Trust Package Installation
• Windows AppX Deployment Package Installation Success
• Windows AppX Deployment Unsigned Package Installation
• Windows Default RDP File Creation
• Windows Default Rdp File Deletion
• Windows Default Rdp File Unhidden
• Windows Developer-Signed MSIX Package Installation
• Windows Gdrive Binary Activity
• Windows MSIX Package Interaction
• Windows PowerShell MSIX Package Installation
• Windows PowerShell Script From WindowsApps Directory
• Windows RDP Bitmap Cache File Creation
• Windows RDP Cache File Deletion
• Windows RDP Client Launched with Admin Session
• Windows RDP Login Session Was Established
• Windows RDP Server Registry Deletion
• Windows RDP Server Registry Entry Created
• Windows Rdp AutomaticDestinations Deletion
• Windows Suspicious VMWare Tools Child Process

---

⚠️ Other Updates

As previously communicated in the ESCU v5.10.0 release, several detections have been removed.
For a complete list of the detections removed in version v5.12.0, refer to the List of Removed Detections.

Additionally, a new set of detections has been deprecated.
For details on detections scheduled for removal in ESCU v5.14.0, see the List of Detections Scheduled for Removal.

v5.11.0

Key highlights

• 🔐 Interlock Ransomware & NaiLaoLocker: Interlock Ransomware exhibits unexpected file encryption patterns—such as anomalous PowerShell or CMD processes spawned from Office apps—and large-scale file renaming, while NaiLaoLocker employs multi-threaded AES-256-CBC encryption with SM2 key wrapping via DLL side-loading and mutex creation to evade re-execution; we mapped all existing detections to both malware and updated the ransomware extensions and notes lookup files.
• 🐀 Interlock RAT: Interlock RAT is a modular, stealthy backdoor first observed in mid-2024 that uses encrypted C2 communications and fake browser-update installers to gain persistence, capture keystrokes, and exfiltrate data; we mapped existing detections to this RAT to surface indicators like anomalous network beaconing, persistence artifacts, and credential-theft behaviors.
• Scattered Spider (UNC3944/Scatter Swine/Oktapus/Octo Tempest/Storm-0875/Muddled Libra): Scattered Spider is an extortion-focused group using SIM-swap attacks, push-bombing MFA fatigue, and social engineering to deploy legitimate remote-access tools (e.g., TeamViewer, AnyDesk, Ngrok) for data theft and ransomware deployment; we mapped existing detections to this actor, covering behaviors such as MFA bombing prompts, unauthorized remote-access tool execution, and cloud API abuse.

New Analytic Stories - [4]

• Interlock Ransomware
• Interlock Rat
• NailaoLocker Ransomware
• Scattered Spider

New Analytics - [2]

• Splunk AppDynamics Secure Application Alerts
• Windows Rundll32 Load DLL in Temp Dir

Updated Analytics - [3]

• Cobalt Strike Named Pipes (External Contributor : @atgithub11)
• O365 BEC Email Hiding Rule Created (External Contributor : @0xC0FFEEEE)
• Azure AD Multiple Denied MFA Requests For User (External Contributor : @jakeenea51)

v5.10.0

Key Highlights

• 🔐 Citrix NetScaler CVE-2025-5777 (CitrixBleed 2): Introduced a new analytic story addressing CitrixBleed 2, a critical memory disclosure vulnerability actively exploited in the wild since June 2025. This release includes a detection for identifying HTTP requests to the vulnerable /nf/auth/startwebview.do endpoint, helping security teams uncover scanning and exploitation activity targeting Citrix ADC and Gateway appliances.

• 🧱 Microsoft SharePoint Vulnerabilities: Introduced a new analytic story focused on detecting exploitation attempts related to CVE-2025-53770, a vulnerability in the ToolPane.aspx endpoint of Microsoft SharePoint. This story includes detections for suspicious requests to the vulnerable endpoint, GET activity to known malicious webshells like spinstall0.aspx, and file creation events indicative of webshell deployment—helping identify both initial exploitation and post-exploitation activity.

• 💻 ESXi Post-Compromise Activity: Shipped a new analytic story focused on detecting attacker behavior after initial access to ESXi environments. This story includes 24 detections for actions such as VM termination, reverse shells, SSH brute force, system clock tampering, audit log wiping, unauthorized user elevation, and malicious VIB installations—providing broad coverage for common post-compromise tactics.

• 🛡️ Cisco Duo Suspicious Activity: Released a new analytic story to detect unusual or risky administrative behavior and insecure policy configurations in Cisco Duo environments. This release includes 14 detections covering unusual admin logins by browser, OS, or country, generation of bypass codes, and policy settings that allow risky behavior like skipping 2FA, allowing tampered devices, or permitting outdated Java/Flash use.

• 🐀 Quasar RAT: Released a new analytic story focused on detecting activity related to Quasar RAT, a widely used open-source remote access Trojan known for credential theft, surveillance, and lateral movement. This story maps over 20 existing detections to Quasar techniques and adds three new detections targeting unusual access to sensitive configuration and credential storage locations such as FileZilla XML configs, IntelliForms registry entries, and Mozilla NSS libraries—enabling better visibility into post-exploitation behavior and stealthy credential harvesting.

New Analytic Story - [5]

• Cisco Duo Suspicious Activity
• Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777
• ESXi Post Compromise
• Microsoft SharePoint Vulnerabilities
• Quasar RAT

New Analytics - [45]

• Cisco Duo Admin Login Unusual Browser
• Cisco Duo Admin Login Unusual Country
• Cisco Duo Admin Login Unusual Os
• Cisco Duo Bulk Policy Deletion
• Cisco Duo Bypass Code Generation
• Cisco Duo Policy Allow Devices Without Screen Lock
• Cisco Duo Policy Allow Network Bypass 2FA
• Cisco Duo Policy Allow Old Flash
• Cisco Duo Policy Allow Old Java
• Cisco Duo Policy Allow Tampered Devices
• Cisco Duo Policy Bypass 2FA
• Cisco Duo Policy Deny Access
• Cisco Duo Policy Skip 2FA for Other Countries
• Cisco Duo Set User Status to Bypass 2FA
• Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt
• Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure
• ESXi Account Modified
• ESXi Audit Tampering
• ESXi Bulk VM Termination
• ESXi Download Errors
• ESXi Encryption Settings Modified
• ESXi External Root Login Activity
• ESXi Firewall Disabled
• ESXi Lockdown Mode Disabled
• ESXi Loghost Config Tampering
• ESXi Malicious VIB Forced Install
• ESXi Reverse Shell Patterns
• ESXi SSH Brute Force
• ESXi SSH Enabled
• ESXi Sensitive Files Accessed
• ESXi Shared or Stolen Root Account
• ESXi Shell Access Enabled
• ESXi Syslog Config Change
• ESXi System Clock Manipulation
• ESXi System Information Discovery
• ESXi User Granted Admin Role
• ESXi VIB Acceptance Level Tampering
• ESXi VM Discovery
• ESXi VM Exported via Remote Tool
• Windows SharePoint Spinstall0 GET Request
• Windows SharePoint Spinstall0 Webshell File Creation
• Windows SharePoint ToolPane Endpoint Exploitation Attempt
• Windows Unusual FileZilla XML Config Access
• Windows Unusual Intelliform Storage Registry Access
• Windows Unusual Process Load Mozilla NSS-Mozglue Module

Other Updates

• Added a missing data source file for Cisco NVM and updated data source files to use PascalCase for XmlWinEventLog
• As previously communicated in the ESCU v5.8.0 release, several detections have been removed. For a complete list of the detections removed in version v5.10.0, refer to the List of Removed Detections in v5.10.0. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v5.12.0, see the List of Detections Scheduled for Removal in ESCU v5.12.0.

v5.9.0

Key Highlights

• 🔍 Cisco Network Visibility Module Analytics: Introduced a new analytic story leveraging Cisco NVM telemetry to detect suspicious endpoint network behavior. This release includes 14 analytics covering threats such as insecure curl usage, typosquatted Python packages, abuse of native Windows tools like rundll32 and mshta, and anomalous network connections from uncommon or argument-less processes.

• 💣 Disk Wiper: Released a new analytic story focused on identifying destructive malware that irreversibly erases disk data, with tagged detections targeting recursive file deletion and raw access to disk volumes and the primary boot record.

• ⚙️ CrowdStrike EDR Playbook Pack for Splunk SOAR: Shipped a new playbook pack that enables automated investigation, enrichment, and response using CrowdStrike Falcon, helping security teams streamline endpoint operations with playbooks for actions like device isolation, process termination, file handling, and denylisting executables.

New Analytic Story - [2]

• Cisco Network Visibility Module Analytics
• Disk Wiper

New Analytics - [19]

• Cisco NVM - Curl Execution With Insecure Flags
• Cisco NVM - Installation of Typosquatted Python Package
• Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI
• Cisco NVM - Non-Network Binary Making Network Connection
• Cisco NVM - Outbound Connection to Suspicious Port
• Cisco NVM - Rclone Execution With Network Activity
• Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download
• Cisco NVM - Susp Script From Archive Triggering Network Activity
• Cisco NVM - Suspicious Download From File Sharing Website
• Cisco NVM - Suspicious File Download via Headless Browser
• Cisco NVM - Suspicious Network Connection From Process With No Args
• Cisco NVM - Suspicious Network Connection Initiated via MsXsl
• Cisco NVM - Suspicious Network Connection to IP Lookup Service API
• Cisco NVM - Webserver Download From File Sharing Website
• CrowdStrike Falcon Stream Alerts(Internal Contributor : @bpluta-splunk)
• Linux Auditd Auditd Daemon Abort
• Linux Auditd Auditd Daemon Shutdown
• Linux Auditd Auditd Daemon Start
• Windows File Download Via PowerShell

Updated Analytics - [2]

• Attacker Tools On Endpoint(External Contributor : @sventec )
• O365 BEC Email Hiding Rule Created(External Contributor @0xC0FFEEEE )

Macros Added - [1]

• cisco_network_visibility_module_flowdata

Macros Updated - [0]

Lookups Added - [2]

• suspicious_ports_list
• typo_squatted_python_packages

Lookups Updated - [1]

• attacker_tools

Other Updates

• Updated all content to use the latest links for Splunk Documentation - https://help.splunk.com/

Playbooks Added - [9]

(Internal Contributor : @ccl0utier )

• CrowdStrike OAuth API Endpoint Analysis
• CrowdStrike OAuth API Executable Denylisting
• CrowdStrike OAuth API File Collection
• CrowdStrike OAuth API File Eviction
• CrowdStrike OAuth API File Restore
• CrowdStrike OAuth API Get Device Info
• CrowdStrike OAuth API Network Isolation
• CrowdStrike OAuth API Network Restore
• CrowdStrike OAuth API Process Termination

v5.8.0

Key Highlights

• 🥸Remote Employment Fraud Detections
  Remote Employment Fraud involves threat actors posing as job seekers or employers in order to gain unauthorized access to systems or employment through deceptive means. In many cases, it involves the use of fraudulent or stolen identity documents which are used to hide the true identity and/or location of an employee. This release includes a number of analytics that can help detect the digital footprint of employment fraud through the analysis of unexpected Network behaviors (such as VPN usage or anomalously high latency) or the presence of nonstandard audio or video devices.
• 📦Inno Setup Abuse
  Inno Setup is a widely used, legitimate packaging tool for the installation of software in Windows environments. Recently, it has seen increasingly common usage by malicious actors, hiding embedded malware payloads in otherwise benevolent software installers. These payloads, which are often encrypted or obfuscated, are then executed by a number of different means such as scripting or process injection. This story demonstrates a number of different techniques observed by malware abusing Inno Setup to gain execution and persistence.
• 🕸️Web Browser Abuse
  Locally installed malware may use Web Browsers to aid in the execution of malicious code, perform command and control, or transfer files. To decrease their footprint or provide flexibility in how they operate, this malware may supply a number of nonstandard command line flags when launching browsers. This release supplies a number of analytics which recognize these suspicious flags.

New Analytic Story - [2]

• Malicious Inno Setup Loader
• Remote Employment Fraud

New Analytics - [4]

• Windows Chromium Browser No Security Sandbox Process
• Windows Chromium Browser with Custom User Data Directory
• Windows DNS Query Request To TinyUrl
• Windows Disable Internet Explorer Addons

Updated Analytics - [63]

• A number of analytics have been updated with improved formatting and tagged with new analytic stories.
• Several analytics had their logic tuned, improved and updated.
  Cobalt Strike Named Pipes
  Detect Renamed WinRAR
  Excessive Usage Of Cacls App
  Icacls Deny Command
  ICACLS Grant Command
  Modify ACL permission To Files Or Folder
  Network Traffic to Active Directory Web Services Protocol
  Suspicious Copy on System32
  Windows Files and Dirs Access Rights Modification Via Icacls

Other Updates

• Added Macro - “zoom_index”
• Updated Macro “gsuite_drive”
• As previously communicated in the ESCU v5.6.0 release, several detections have been removed. For a complete list of the detections removed in version v5.8.0, refer to the List of Removed Detections in v5.8.0. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v5.10.0, see the List of Detections Scheduled for Removal in ESCU v5.10.0.

v5.7.0

Key highlights

ESCU 5.7.0 brings tighter integration with Cisco Security Products and a number of fixes and improvements to existing content:

🛡️ Cisco Secure Firewall Threat Defense Integration
Improved and tested several ESCU detections to work with Event Streamer (eStreamer) data collected by the Cisco Secure Firewall Threat Defense (FTD) platform. For more information about Cisco Secure Firewall, go to the Cisco Secure Firewall site or refer to the Cisco Secure Firewall Threat Defense Analytics analytic story.

🐛 Bugfixes based on community feedback
Feedback from community members and users continues to be one of the best paths to improve the quality and performance of ESCU content. This release includes a number of bug fixes that reduces false positives and improves the risk entities and fields returned from searches.

New Analytics - [1]

• Cisco Secure Firewall - Remote Access Software Usage Traffic

Updated Analytics - [12]

• AWS Defense Evasion Impair Security Services
• Detect Outbound LDAP Traffic
• Detect Remote Access Software Usage Traffic
• Internal Horizontal Port Scan NMAP Top 20
• Internal Horizontal Port Scan
• Internal Vertical Port Scan
• O365 Concurrent Sessions From Different Ips
• Prohibited Network Traffic Allowed
• Protocol or Port Mismatch
• Protocols passing authentication in cleartext
• TOR Traffic
• Windows Sensitive Registry Hive Dump Via CommandLine

Other Updates

• Added lookup cisco_secure_firewall_appid_remote_mgmt_and_desktop_tools
• Updated lookups cisco_secure_firewall_filetype_lookup and cisco_snort_ids_to_threat_mapping
• No detections have been removed in the ESCU v5.7.0 release. As previously communicated in the ESCU v5.6.0 release, several detections will be removed in ESCU v5.8.0. For details on detections scheduled for removal in ESCU version v5.8.0, see the List of Detections Scheduled for Removal in ESCU v5.8.0

v5.6.0

Key highlights

🛡️ Cisco Secure Firewall Intrusion Analytics
We developed six new analytic rules using Intrusion logs to detect high-priority intrusion events, group alerts by threat activity, identify Lumma Stealer behaviors (download and outbound attempts), and monitor Veeam CVE-2023-27532 exploitation by combining the presence of specific Snort IDs triggered in a short period of time.

📊 Threat Activity by Snort IDs Dashboard
A new dashboard leveraging Cisco Firewall logs from eStreamer and a curated lookup to correlate Snort intrusion identifiers with specific threat actors, visualize device-wide activity and file trends, and explore the overall risk profile of the host with events from Splunk Enterprise Security.

📝 New Analytic Story & Threat Mappings
We published a new analytic story on Fake CAPTCHA campaigns—mapping existing detections to observed TTPs and introducing a Windows PowerShell FakeCAPTCHA Clipboard Execution detection—and completed comprehensive Xworm RAT threat mapping to ensure broad detection coverage.

New Analytic Story - [2]

• Fake CAPTCHA Campaigns
• XWorm

New Analytics - [8]

• Cisco Secure Firewall - High Priority Intrusion Classification
• Cisco Secure Firewall - Intrusion Events by Threat Activity
• Cisco Secure Firewall - Lumma Stealer Activity
• Cisco Secure Firewall - Lumma Stealer Download Attempt
• Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt
• Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity
• Windows PowerShell FakeCAPTCHA Clipboard Execution
• Windows Renamed Powershell Execution

Other Updates

• Added two new lookups cisco_snort_ids_to_threat_mapping and threat_snort_count that contain information about snort Ids that are mapped to specific threat actors

• Updated several detections based on customer feedback and bug reports on Github issues.

• As previously communicated in the ESCU v5.4.0 release, several detections have been removed. For a complete list of the detections removed in version v5.6.0, refer to the List of Removed Detections in v5.6.0. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v5.8.0, see the List of Detections Scheduled for Removal in ESCU v5.8.0

v5.5.0

✨ Highlights

• 🛡️ SAP NetWeaver Exploitation
  Released a new analytic story targeting CVE-2025-31324 in SAP NetWeaver, including a dedicated hunting detection for “SAP NetWeaver Visual Composer Exploitation Attempt” to catch early signs of exploitation. You can read more about this vulnerability here.

• 🍏 AMOS Stealer Analytics
  Added a new analytic story for AMOS Stealer and introduced the “macOS AMOS Stealer – Virtual Machine Check Activity” detection, which looks for the execution of the osascript command along with specific command-line strings.

• 🪟 Additional Windows Detections
  We shipped three new Windows-focused detections to improve visibility into post-compromise activity: one that identifies reconnaissance by monitoring built-in log query utilities against the Windows Event Log, another that alerts when an adversary clears the Event Log via Wevtutil, and a third that detects malicious file downloads executed through the CertUtil utility.

New Analytic Story - [2]

• AMOS Stealer
• SAP NetWeaver Exploitation

New Analytics - [5]

• MacOS AMOS Stealer - Virtual Machine Check Activity
• SAP NetWeaver Visual Composer Exploitation Attempt
• Windows EventLog Recon Activity Using Log Query Utilities
• Windows Eventlog Cleared Via Wevtutil
• Windows File Download Via CertUtil

Other Updates

• Updated theis_nirsoft_software lookup with additional nirsoft tooling
• Updated attack_data links for several detections.

v5.4.0

✨ Highlights

• 🔥 Cisco Secure Firewall Threat Defense Analytics: We published a new analytic story and added new detections for Cisco Secure Firewall focusing on three primary event types—file events, network connections, and intrusion alerts. These detections identify activity such as malicious or uncommon file downloads, connections over suspicious ports or to file-sharing domains, and Snort rule-based intrusion events across multiple hosts. This enables broader visibility into network-based threats and host-level indicators of compromise.

• 🤖 AWS Bedrock Security: Released a new analytic story to monitor for adversary techniques targeting AWS Bedrock, a managed service used to build and scale generative AI applications. This includes detections for the deletion of security guardrails, knowledge bases, and logging configurations, as well as high volumes of model invocation failures.

• 🕵️ Mapping Threat Campaigns: Several detections have been mapped to known threat actors and malware campaigns, including Cactus Ransomware, Earth Alux, Storm-2460 CLFS Zero Day Exploitation and Water Gamayun, to improve attribution to TTPs and provide insights into observed behaviors.

• 🆕 New Detections: Introduced additional detections for tactics such as directory path manipulation via MSC files, IP address collection using PowerShell Invoke-RestMethod, process spawning from CrushFTP, and deletion of Volume Shadow Copies via WMIC. These detections target adversary behavior related to discovery, lateral movement, and anti-forensics.

---

📚 New Analytic Stories – [6]

• AWS Bedrock Security
• Cactus Ransomware
• Cisco Secure Firewall Threat Defense Analytics
• Earth Alux
• Storm-2460 CLFS Zero Day Exploitation
• Water Gamayun

---

🧠 New Analytics – [27]

• AWS Bedrock Delete GuardRails
• AWS Bedrock Delete Knowledge Base
• AWS Bedrock Delete Model Invocation Logging Configuration
• AWS Bedrock High Number List Foundation Model Failures
• AWS Bedrock Invoke Model Access Denied
• Cisco Secure Firewall - Binary File Type Download
• Cisco Secure Firewall - Bits Network Activity
• Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint
• Cisco Secure Firewall - Blocked Connection
• Cisco Secure Firewall - Communication Over Suspicious Ports
• Cisco Secure Firewall - Connection to File Sharing Domain
• Cisco Secure Firewall - File Download Over Uncommon Port
• Cisco Secure Firewall - High EVE Threat Confidence
• Cisco Secure Firewall - High Volume of Intrusion Events Per Host
• Cisco Secure Firewall - Malware File Downloaded
• Cisco Secure Firewall - Potential Data Exfiltration
• Cisco Secure Firewall - Rare Snort Rule Triggered
• Cisco Secure Firewall - Repeated Blocked Connections
• Cisco Secure Firewall - Repeated Malware Downloads
• Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts
• Cisco Secure Firewall - Wget or Curl Download
• CrushFTP Authentication Bypass Exploitation
• CrushFTP Max Simultaneous Users From IP
• Windows MSC EvilTwin Directory Path Manipulation
• Windows PowerShell Invoke-RestMethod IP Information Collection
• Windows Shell Process from CrushFTP
• Windows WMIC Shadowcopy Delete

---

🛠 Other Updates

• 🔄 Reverted several searches to use | join instead of prestats = t due to bugs encountered in the search logic.
• ❌ Removed Detections – As notified in the ESCU v5.2.0 release, we have removed these detections. Please use replacements where appropriate.
• 🗓️ Deprecated more detections now scheduled for removal in ESCU v5.6.0.
• 📥 Updated deprecation_info lookup to reflect the latest list of deprecated and removed detections.