v5.18.0

🚀 Key Highlights

• 🐀 Castle RAT:
  Expanded coverage for the Castle RAT remote access trojan, which enables adversaries to execute commands, exfiltrate files, log keystrokes, and capture screens during targeted intrusion campaigns. Tagged multiple existing detections related to persistence, task creation, and suspicious process behavior, and introduced new analytics for unusual browser flag launches, ComputerDefaults-based UAC bypass, and handle duplication in known bypass binaries to improve visibility into Castle RAT infection chains, privilege escalation, and long-term access mechanisms.

• 🌐 Research site enhancements:
  We’re excited to also announce that we’ve enhanced research.splunk.com to provide deeper insights and richer context for detection engineers. Each detection entry now includes detailed attack data along with corresponding MITRE ATT&CK techniques, the environment used to generate the data, timestamps of simulated attacks, and tools leveraged during simulation. You can also explore step-by-step details on how to replay these attacks within your own Splunk environment for validation, tuning, and testing. This update is designed to help you better understand adversary behaviors, validate your detections with real-world data, and accelerate the development of high-fidelity detections. We highly recommend checking out the enhanced experience at https://research.splunk.com/attack_data and leveraging this data to strengthen your detection engineering workflows.

New Analytic Story - [1]

• Castle RAT

New Analytics - [3]

• Windows Browser Process Launched with Unusual Flags
• Windows ComputerDefaults Spawning a Process
• Windows Handle Duplication in Known UAC-Bypass Binaries

Other Updates

• Tagged several other detection analytics to Castle RAT
• Updated the Splunkbase link for the Ollama TA data source and TA versions of various data sources

🔴 BREAKING CHANGES:

• As previously communicated in the ESCU v5.16.0 release, several detections have been removed. For a complete list of the detections removed in version v5.18.0, refer to the List of Removed Detections. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v5.20.0, see the List of Detections Scheduled for Removal

Removed Detection	Replacement Detection
Windows Change Default File Association For No File Ext	Windows Change File Association Command To Notepad
Detect Rundll32 Application Control Bypass - setupapi	Windows Application Whitelisting Bypass Attempt via Rundll32
Detect Rundll32 Application Control Bypass - syssetup	Windows Application Whitelisting Bypass Attempt via Rundll32
Detect Rundll32 Application Control Bypass - advpack	Windows Application Whitelisting Bypass Attempt via Rundll32

v5.17.0

🚀 Key Highlights

• 🧩 Microsoft WSUS CVE-2025-59287 Remote Code Execution:
  Introduced a new analytic story for the exploitation of CVE-2025-59287, a critical WSUS deserialization vulnerability enabling unauthenticated remote code execution. Added a new detection — Windows WSUS Spawning Shell — and tagged related process-based detections to enhance post-exploitation visibility.

• 🛡️ Oracle E-Business Suite Exploitation (TALOS Collaboration):
  Released new Snort-based detections developed with Cisco Talos to identify exploitation attempts against Oracle E-Business Suite. These analytics detect anomalous web requests, payload delivery, and lateral movement behaviors targeting enterprise ERP systems based on Snort alerts.

• 🌐 HTTP Request Smuggling:
  Introduced a new analytic story to detect and investigate HTTP request smuggling techniques that exploit discrepancies in how web servers and proxies handle request sequences. Added detections — HTTP Suspicious Tool User Agent, HTTP Request to Reserved Name, HTTP Rapid POST with Mixed Status Codes, HTTP Possible Request Smuggling, and HTTP Duplicated Header — leveraging searches for indicators like CL.TE, TE.TE, and CL.0 to identify abuse of HTTP parsing logic and potential security control bypasses.

• 💀 Scattered Lapsus$ Hunters and Hellcat Ransomware:
  Tagged a broad set of existing TTPs and added new analytic stories covering the Scattered Lapsus$ Hunters coalition (Scattered Spider, Lapsus$, and Shiny Hunters) and the Hellcat Ransomware RaaS group. These updates enhance visibility into MFA bypass, credential theft, remote access tool abuse, PowerShell infection chains, SSH persistence, and custom ransomware payloads targeting critical infrastructure, telecom, and government sectors.

New Analytic Story - [5]

• HTTP Request Smuggling
• Hellcat Ransomware
• Microsoft WSUS CVE-2025-59287
• Oracle E-Business Suite Exploitation
• Scattered Lapsus$ Hunters

New Analytics - [18]

• Advanced IP or Port Scanner Execution
• Cisco Secure Firewall - Oracle E-Business Suite Correlation
• Cisco Secure Firewall - Oracle E-Business Suite Exploitation
• File Download or Read to Pipe Execution
• HTTP Duplicated Header
• HTTP Possible Request Smuggling
• HTTP Rapid POST with Mixed Status Codes
• HTTP Request to Reserved Name on IIS Server
• HTTP Suspicious Tool User Agent
• Windows Default RDP File Creation By Non MSTSC Process
• Windows Defender ASR or Threat Configuration Tamper
• Windows Process Execution From RDP Share
• Windows WBAdmin File Recovery From Backup
• Windows WSUS Spawning Shell
• Wmiprvse LOLBAS Execution Process Spawn(Search name update: @Shotscape)
• Windows NirSoft Tool Bundle File Created
• Windows PowerShell Process Implementing Manual Base64 Decoder
• Windows PsTools Recon Usage

Other Updates

• Added new and updated several detections for which Github issues were reported. Please view this complete list of updates that are made to address false positives, efficiency and improved detection logic and names. Following are the details about the breaking changes

🔴 BREAKING CHANGES :

• We have deprecated some detections that are scheduled to be removed in 5.20.0 and will be replaced with the following. It is highly recommended to following the deprecated process here to ensure that the detections continue running reliably,

a. Windows Change Default File Association For No File Ext
-> Replacement - Windows Change File Association Command To Notepad
b. Detect Rundll32 Application Control Bypass - setupapi
-> Replacement - Windows Application Whitelisting Bypass Attempt via Rundll32
c. Detect Rundll32 Application Control Bypass - syssetup
-> Replacement - Windows Application Whitelisting Bypass Attempt via Rundll32
d. Detect Rundll32 Application Control Bypass - advpack
-> Replacement - Windows Application Whitelisting Bypass Attempt via Rundll32

v5.16.0

🚀 Key Highlights

🦙 Suspicious Ollama Activities : Introduced a new analytic story focused on monitoring misuse and abuse of locally hosted LLMs through Ollama. This story includes detections such as Abnormal Network Connectivity, Service Crash or Availability Attack, Excessive API Requests, API Endpoint Scan Reconnaissance, Memory Exhaustion Resource Abuse, Model Exfiltration or Data Leakage, RCE via Model Loading, and Suspicious Prompt Injection or Jailbreak. A dedicated TA-Ollama is developed to parse Ollama server logs, enabling precise detection of adversarial prompt engineering, local model abuse, and AI-powered lateral movement scenarios.

✈️ Suspicious Microsoft 365 Copilot Activities : Added a new analytic story targeting emerging risks in GenAI integration with Microsoft 365 Copilot. Detections include M365 Copilot Application Usage Pattern Anomalies, Failed Authentication Patterns, Non-Compliant Devices Accessing Copilot, and Session Origin Anomalies. These analytics help security teams identify compromised identities, unauthorized device access, and abnormal usage trends associated with enterprise AI assistants.

🔒LokiBot and PromptLock Malware: Expanded coverage for LokiBot, a pervasive credential-stealing Trojan distributed via phishing and malicious attachments. A new detection (Windows Visual Basic Command-Line Compiler DNS Query) was added alongside enhanced tagging across related analytics to better identify suspicious DNS communications and data exfiltration attempts.

In addition, we introduced coverage for PromptLock, the first known GenAI-driven ransomware proof-of-concept discovered by ESET in 2025. PromptLock leverages a local AI model (gpt-oss:20b) via the Ollama API to dynamically generate Lua scripts for multi-platform encryption and exfiltration. These detections focus on anomalous AI invocation patterns, file encryption activity, and use of local LLM APIs for malicious automation.

👻 APT37 (Rustonotto & FadeStealer) and GhostRedirector: Expanded coverage for APT37, adding a new detection for suspicious Windows Cabinet file extraction activity linked to their Rustonotto and FadeStealer toolsets. This update enhances visibility into phishing-based infections, persistence mechanisms, and data exfiltration behavior.
Also introduced a new GhostRedirector and Rungan analytic story to track server compromises involving malicious IIS modules, SQL injection abuse, and stealthy PowerShell activity used to maintain access and manipulate web traffic.

These additions strengthen security teams' ability to detect and respond to emerging threats across critical enterprise platforms.

New Analytic Story - [6]

• APT37 Rustonotto and FadeStealer
• GhostRedirector IIS Module and Rungan Backdoor
• Lokibot
• PromptLock
• Suspicious Microsoft 365 Copilot Activities
• Suspicious Ollama Activities

New Analytics - [19]

• M365 Copilot Application Usage Pattern Anomalies
• M365 Copilot Failed Authentication Patterns
• M365 Copilot Non Compliant Devices Accessing M365 Copilot
• M365 Copilot Session Origin Anomalies
• Web or Application Server Spawning a Shell
• Windows Application Whitelisting Bypass Attempt via Rundll32
• Windows Cabinet File Extraction Via Expand
• Windows Change File Association Command To Notepad
• Windows Set Network Profile Category to Private via Registry
• Windows Symlink Evaluation Change via Fsutil
• Windows Visual Basic Commandline Compiler DNSQuery
• Ollama Abnormal Network Connectivity
• Ollama Abnormal Service Crash Availability Attack
• Ollama Excessive API Requests
• Ollama Possible API Endpoint Scan Reconnaissance
• Ollama Possible Memory Exhaustion Resource Abuse
• Ollama Possible Model Exfiltration Data Leakage
• Ollama Possible RCE via Model Loading
• Ollama Suspicious Prompt Injection Jailbreak

Other Updates

• Updated several detections for which Github issues were reported. Please view this complete list of updates that are made to address false positives, efficiency and improved detection logic

🔴 BREAKING CHANGES :

• Remove the notable alert actions: meaning these will no longer create notable/findings and will continue create risk events aka intermediate findings
  a. Attempt To Add Certificate To Untrusted Store
  b. Windows Archived Collected Data In TEMP Folder
  c. Windows Rundll32 Apply User Settings Changes
  d. Windows Scheduled Task Created Via XML

• Add the notable alert actions: meaning these will now create notable/findings and will continue create risk events aka intermediate findings
  a. Windows Certutil Root Certificate Addition

• As previously communicated in the ESCU v5.14.0 release, several detections have been removed. For a complete list of the detections removed in version v5.16.0, refer to the List of Removed Detections. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v5.18.0, see the List of Detections Scheduled for Removal

v5.15.2

🚀 Key Highlights

ESCU v5.15.2 fixes incorrect reference links, CVE tags, and MITRE mappings introduced for ArcaneDoor in v5.15.0 and adds a new generic analytic story.

New Analytic Story - [1]

• Suspicious Cisco Adaptive Security Appliance Activity

Other Updates

• Tagged detection Cisco ASA - Logging Disabled via CLI to the Suspicious Cisco Adaptive Security Appliance Activity story

v5.15.0

🚀 Key Highlights

🚪 ArcaneDoor - A new analytic story to help security teams detect exploitation of Cisco ASA/Firewall zero-day vulnerabilities (CVE-2025-20333 & CVE-2025-20362) tied to recent state-sponsored activity. This story introduces two new detections, focused on identifying suspicious behaviors and behaviors that may indicate attempts to disable or suppress logging. In addition, the Cisco Secure Firewall – Intrusion Events by Threat Activity lookup has been updated with the latest Snort IDs to ensure more accurate coverage of related threats.

New Analytic Stories - [1]

• ArcaneDoor

New Analytics - [2]

• Cisco ASA - Core Syslog Message Volume Drop
• Cisco ASA - Logging Disabled via CLI

Updated Analytics - [1]

• Cisco Secure Firewall - Intrusion Events by Threat Activity
• Linux Auditd Service Started

v5.14.0

🚀 Key Highlights

🧠 LAMEHUG: Introduced new detections for the LAMEHUG malware, which leverages outbound requests to Hugging Face APIs (e.g., Qwen 2.5-Coder-32B-Instruct) to generate AI-driven Windows command chains. Common behaviors include execution of systeminfo, net start, tasklist, dsquery, and recursive file copy operations into %ProgramData%\info\. Initial delivery vectors often involve phishing ZIPs with .pif binaries disguised as PDF or image viewers.

🕵️ ObjectivyStealer: Tagged relevant existing content to cover behaviors associated with ObjectivyStealer, a stealthy information-stealing malware targeting web browsers, messaging apps, cryptocurrency wallets, and local system files. It evades detection by operating from user profile or temp directories and maintains persistence using registry run keys or scheduled tasks. This mapping enhances detection of credential theft, session hijacking, and encrypted exfiltration to remote C2 infrastructure.

🛡️ Secret Blizzard: Added detections for suspicious use of certutil.exe to install root certificates from temp directories using the -addstore root command. This tactic, seen in post-exploitation scenarios, may be used to intercept HTTPS traffic, impersonate trusted services, or bypass endpoint defenses. These analytics detect certificate installation from .tmp files, use of the -f (force) and -Enterprise flags, and other high-risk trust modifications that can lead to persistent compromise.

📨 NotDoor Malware: Introduced a new analytic story focused on detecting NotDoor, a malicious Outlook macro backdoor linked to APT28 (Fancy Bear). This story adds detections for suspicious Outlook macro creation, persistence via LoadMacroProviderOnBoot, and disabling of security dialogs — all techniques leveraged by NotDoor to exfiltrate data, upload files, and execute remote commands via email-based triggers.

New Analytic Story - [5]

• 0bj3ctivity Stealer
• LAMEHUG
• NotDoor Malware
• PathWiper
• Secret Blizzard

New Analytics - [19]

• Linux Magic SysRq Key Abuse(External Contributor: @CheraghiMilad)
• Windows AI Platform DNS Query
• Windows Certutil Root Certificate Addition
• Windows DLL Module Loaded in Temp Dir
• Windows Excel ActiveMicrosoftApp Child Process
• Windows File Collection Via Copy Utilities
• Windows Net System Service Discovery
• Windows Outlook Dialogs Disabled from Unusual Process
• Windows Outlook LoadMacroProviderOnBoot Persistence
• Windows Outlook Macro Created by Suspicious Process
• Windows Outlook Macro Security Modified
• Windows Set Private Network Profile via Registry
• Windows SpeechRuntime COM Hijacking DLL Load
• Windows SpeechRuntime Suspicious Child Process
• Windows Wmic CPU Discovery
• Windows Wmic DiskDrive Discovery
• Windows Wmic Memory Chip Discovery
• Windows Wmic Network Discovery
• Windows Wmic Systeminfo Discovery

Other Updates

• As previously communicated in the ESCU v5.12.0 release, several detections have been removed. For a complete list of the detections removed in version v5.14.0, refer to the List of Removed Detections. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v5.16.0, see the List of Detections Scheduled for Removal

v5.13.0

Key highlights

ESCU 5.13 is a rapid‑response release addressing active exploitation of Cisco Smart Install (CVE‑2018‑0171) by Static Tundra, a Russian state‑sponsored espionage group linked to FSB Center 16 and known for long‑term compromises of network devices. The actor is abusing a seven‑year‑old, already‑patched flaw on unpatched or EOL IOS/IOS XE gear to steal configurations and establish persistent access, including bespoke SNMP tooling and historic firmware implants such as SYNful Knock.

To mitigate this campaign, the Splunk Threat Research Team operationalized Cisco Talos’ PCAP patterns and tradecraft into high‑signal detections on cisco:ios telemetry. These detections surface Smart Install ingress on TCP/4786 and oversized SMI packets, follow‑on configuration/persistence actions (privileged account creation, SNMP community changes, interface modifications), and TFTP staging/exfiltration, with Cisco Secure Firewall mappings for unified triage.

This release provides security teams actionable hunts and earlier containment checks for a critical blind spot that typically sits outside EDR and has been abused for long‑dwell espionage (while engineering teams concurrently begin remediation in line with Talos/Cisco guidance to patch or disable Smart Install, adopt SNMPv3, and harden management access). Given the campaign’s global scope (telecom, higher education, manufacturing across North America, Asia, Africa, and Europe) and the likelihood of similar activity by other state actors, this coverage is broadly applicable.

Enabled by our ongoing Cisco + Splunk Better Together collaboration, customers can rapidly receive high fidelity hunts to detect earlier, verify remediation, and reduce mean time to detection and containment, cutting dwell time across IOS/IOS XE and other current and legacy environments. Kudos to Cisco Talos for surfacing this emerging tradecraft and the Splunk Threat Research Team who rapidly operationalized this intelligence into actionable detections across Cisco product suite!

Here’s a summary of the latest updates:

Cisco Smart Install Remote Code Execution (CVE-2018-0171): Introduced a new analytic story built using cisco:ios logs and network traffic pcap samples from Cisco Talos to detect exploitation attempts known to be used by Static Tundra. Detections include suspicious Smart Install traffic, privileged account creation, SNMP configuration changes, and TFTP-based data exfiltration on vulnerable Cisco devices. You can read more about it in this recent Talos blog.

New Analytic Story - [1]

Cisco Smart Install Remote Code Execution CVE-2018-0171

New Analytics - [8]

Cisco Configuration Archive Logging Analysis
Cisco IOS Suspicious Privileged Account Creation
Cisco Network Interface Modifications
Cisco SNMP Community String Configuration Changes
Cisco Secure Firewall - Static Tundra Smart Install Abuse
Cisco Smart Install Oversized Packet Detection
Cisco Smart Install Port Discovery and Status
Cisco TFTP Server Configuration for Data Exfiltration

Updated Analytics - [1]

Cisco Secure Firewall - Intrusion Events by Threat Activity

v5.12.0

🚀 Key Highlights

🛡️ Medusa Rootkit (UNC3886): Introduced a new analytic story for Medusa Rootkit, a stealthy malware leveraged by UNC3886 to maintain persistence on Linux 🐧 and Windows 🪟 systems. This release adds detections for Linux GDrive Binary Activity, Linux Medusa Rootkit, Windows GDrive Binary Activity, and Windows Suspicious VMware Tools Child Process, while also mapping other existing detections to this threat actor.

📦 MSIX Package Abuse: We added a new analytic story covering abuse of Microsoft MSIX application packages, leveraging telemetry from AppXDeploymentServer/Operational logs 📑. This story introduces detections for suspicious MSIX behaviors, including Windows Advanced Installer MSIX with AI_STUBS Execution, Unsigned Package Installation, PowerShell MSIX Package Installation, and interactions with Windows Apps directories 📂, providing visibility into application sideloading and potential malware delivery.

🖥️ Windows RDP Artifacts & Defense Evasion: A new analytic story focused on RDP activity 💻 followed by artifact cleanup 🧹 or evasion techniques. Windows RDP usage generates forensic artifacts such as Default.rdp files 📄 and bitmap caches 🖼️ that can reveal details about accessed systems. This release adds detections for RDP file creation, deletion, and un-hiding events, bitmap cache file activity, RDP server registry entry creation/deletion, and RDP client launched with admin session, while tagging existing detections to ensure comprehensive monitoring of both RDP usage and evasion behavior.

---

📚 New Analytic Stories – [3]

• MSIX Package Abuse
• Medusa Rootkit
• Windows RDP Artifacts and Defense Evasion

♻️ Updated Analytic Story – [1]

• China-Nexus Threat Activity

🆕 New Analytics – [22]

• Linux Gdrive Binary Activity
• Linux Medusa Rootkit
• Windows Advanced Installer MSIX with AI_STUBS Execution
• Windows AppX Deployment Full Trust Package Installation
• Windows AppX Deployment Package Installation Success
• Windows AppX Deployment Unsigned Package Installation
• Windows Default RDP File Creation
• Windows Default Rdp File Deletion
• Windows Default Rdp File Unhidden
• Windows Developer-Signed MSIX Package Installation
• Windows Gdrive Binary Activity
• Windows MSIX Package Interaction
• Windows PowerShell MSIX Package Installation
• Windows PowerShell Script From WindowsApps Directory
• Windows RDP Bitmap Cache File Creation
• Windows RDP Cache File Deletion
• Windows RDP Client Launched with Admin Session
• Windows RDP Login Session Was Established
• Windows RDP Server Registry Deletion
• Windows RDP Server Registry Entry Created
• Windows Rdp AutomaticDestinations Deletion
• Windows Suspicious VMWare Tools Child Process

---

⚠️ Other Updates

As previously communicated in the ESCU v5.10.0 release, several detections have been removed.
For a complete list of the detections removed in version v5.12.0, refer to the List of Removed Detections.

Additionally, a new set of detections has been deprecated.
For details on detections scheduled for removal in ESCU v5.14.0, see the List of Detections Scheduled for Removal.

v5.11.0

Key highlights

• 🔐 Interlock Ransomware & NaiLaoLocker: Interlock Ransomware exhibits unexpected file encryption patterns—such as anomalous PowerShell or CMD processes spawned from Office apps—and large-scale file renaming, while NaiLaoLocker employs multi-threaded AES-256-CBC encryption with SM2 key wrapping via DLL side-loading and mutex creation to evade re-execution; we mapped all existing detections to both malware and updated the ransomware extensions and notes lookup files.
• 🐀 Interlock RAT: Interlock RAT is a modular, stealthy backdoor first observed in mid-2024 that uses encrypted C2 communications and fake browser-update installers to gain persistence, capture keystrokes, and exfiltrate data; we mapped existing detections to this RAT to surface indicators like anomalous network beaconing, persistence artifacts, and credential-theft behaviors.
• Scattered Spider (UNC3944/Scatter Swine/Oktapus/Octo Tempest/Storm-0875/Muddled Libra): Scattered Spider is an extortion-focused group using SIM-swap attacks, push-bombing MFA fatigue, and social engineering to deploy legitimate remote-access tools (e.g., TeamViewer, AnyDesk, Ngrok) for data theft and ransomware deployment; we mapped existing detections to this actor, covering behaviors such as MFA bombing prompts, unauthorized remote-access tool execution, and cloud API abuse.

New Analytic Stories - [4]

• Interlock Ransomware
• Interlock Rat
• NailaoLocker Ransomware
• Scattered Spider

New Analytics - [2]

• Splunk AppDynamics Secure Application Alerts
• Windows Rundll32 Load DLL in Temp Dir

Updated Analytics - [3]

• Cobalt Strike Named Pipes (External Contributor : @atgithub11)
• O365 BEC Email Hiding Rule Created (External Contributor : @0xC0FFEEEE)
• Azure AD Multiple Denied MFA Requests For User (External Contributor : @jakeenea51)

v5.10.0

Key Highlights

• 🔐 Citrix NetScaler CVE-2025-5777 (CitrixBleed 2): Introduced a new analytic story addressing CitrixBleed 2, a critical memory disclosure vulnerability actively exploited in the wild since June 2025. This release includes a detection for identifying HTTP requests to the vulnerable /nf/auth/startwebview.do endpoint, helping security teams uncover scanning and exploitation activity targeting Citrix ADC and Gateway appliances.

• 🧱 Microsoft SharePoint Vulnerabilities: Introduced a new analytic story focused on detecting exploitation attempts related to CVE-2025-53770, a vulnerability in the ToolPane.aspx endpoint of Microsoft SharePoint. This story includes detections for suspicious requests to the vulnerable endpoint, GET activity to known malicious webshells like spinstall0.aspx, and file creation events indicative of webshell deployment—helping identify both initial exploitation and post-exploitation activity.

• 💻 ESXi Post-Compromise Activity: Shipped a new analytic story focused on detecting attacker behavior after initial access to ESXi environments. This story includes 24 detections for actions such as VM termination, reverse shells, SSH brute force, system clock tampering, audit log wiping, unauthorized user elevation, and malicious VIB installations—providing broad coverage for common post-compromise tactics.

• 🛡️ Cisco Duo Suspicious Activity: Released a new analytic story to detect unusual or risky administrative behavior and insecure policy configurations in Cisco Duo environments. This release includes 14 detections covering unusual admin logins by browser, OS, or country, generation of bypass codes, and policy settings that allow risky behavior like skipping 2FA, allowing tampered devices, or permitting outdated Java/Flash use.

• 🐀 Quasar RAT: Released a new analytic story focused on detecting activity related to Quasar RAT, a widely used open-source remote access Trojan known for credential theft, surveillance, and lateral movement. This story maps over 20 existing detections to Quasar techniques and adds three new detections targeting unusual access to sensitive configuration and credential storage locations such as FileZilla XML configs, IntelliForms registry entries, and Mozilla NSS libraries—enabling better visibility into post-exploitation behavior and stealthy credential harvesting.

New Analytic Story - [5]

• Cisco Duo Suspicious Activity
• Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777
• ESXi Post Compromise
• Microsoft SharePoint Vulnerabilities
• Quasar RAT

New Analytics - [45]

• Cisco Duo Admin Login Unusual Browser
• Cisco Duo Admin Login Unusual Country
• Cisco Duo Admin Login Unusual Os
• Cisco Duo Bulk Policy Deletion
• Cisco Duo Bypass Code Generation
• Cisco Duo Policy Allow Devices Without Screen Lock
• Cisco Duo Policy Allow Network Bypass 2FA
• Cisco Duo Policy Allow Old Flash
• Cisco Duo Policy Allow Old Java
• Cisco Duo Policy Allow Tampered Devices
• Cisco Duo Policy Bypass 2FA
• Cisco Duo Policy Deny Access
• Cisco Duo Policy Skip 2FA for Other Countries
• Cisco Duo Set User Status to Bypass 2FA
• Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt
• Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure
• ESXi Account Modified
• ESXi Audit Tampering
• ESXi Bulk VM Termination
• ESXi Download Errors
• ESXi Encryption Settings Modified
• ESXi External Root Login Activity
• ESXi Firewall Disabled
• ESXi Lockdown Mode Disabled
• ESXi Loghost Config Tampering
• ESXi Malicious VIB Forced Install
• ESXi Reverse Shell Patterns
• ESXi SSH Brute Force
• ESXi SSH Enabled
• ESXi Sensitive Files Accessed
• ESXi Shared or Stolen Root Account
• ESXi Shell Access Enabled
• ESXi Syslog Config Change
• ESXi System Clock Manipulation
• ESXi System Information Discovery
• ESXi User Granted Admin Role
• ESXi VIB Acceptance Level Tampering
• ESXi VM Discovery
• ESXi VM Exported via Remote Tool
• Windows SharePoint Spinstall0 GET Request
• Windows SharePoint Spinstall0 Webshell File Creation
• Windows SharePoint ToolPane Endpoint Exploitation Attempt
• Windows Unusual FileZilla XML Config Access
• Windows Unusual Intelliform Storage Registry Access
• Windows Unusual Process Load Mozilla NSS-Mozglue Module

Other Updates

• Added a missing data source file for Cisco NVM and updated data source files to use PascalCase for XmlWinEventLog
• As previously communicated in the ESCU v5.8.0 release, several detections have been removed. For a complete list of the detections removed in version v5.10.0, refer to the List of Removed Detections in v5.10.0. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v5.12.0, see the List of Detections Scheduled for Removal in ESCU v5.12.0.