🚀 Key Highlights

• 🐚 React2Shell (CVE-2025-55182):
  Introduced a new analytic story, React2Shell, addressing the critical pre-authentication Remote Code Execution (RCE) vulnerability in React Server Components. This vulnerability affects React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, as well as Next.js 15.x and 16.x versions using the App Router. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, allowing attackers to execute arbitrary JavaScript code on the server without authentication.
  New detections provide coverage for both Windows and Linux environments, focusing on suspicious child processes spawned by Node.js, React, or Next.js server processes, including execution of shells, scripting interpreters, and system utilities commonly abused post-exploitation. Additionally, a network-based detection leverages Cisco Secure Firewall Threat Defense Intrusion Events, which identifies React Server Components remote code execution attempts at the network layer, providing early visibility into exploitation attempts.

• 👾 Tuoni C2 Framework:
  Introduced a new analytic story addressing threats from the Tuoni command-and-control framework, a sophisticated cross-platform red teaming tool increasingly adopted by threat actors for real-world attacks. Tuoni enables adversaries to deploy malicious payloads directly into system memory, bypassing traditional disk-based detection mechanisms. Its modular design supports multiple attack variations and allows operators to maintain persistence and execute commands across Windows, Linux, and macOS environments without leaving significant forensic artifacts. New detections focus on identifying Tuoni's memory-based execution patterns, suspicious process behaviors, and command-and-control communication indicators commonly associated with this framework, providing security teams with visibility into attacks that leverage this emerging threat tool.

• 🔐 Kerberos Coercion with DNS (CVE-2025-33073):
  Introduced comprehensive detection coverage for the recently disclosed CVE-2025-33073 vulnerability, where attackers leverage DNS records to trigger Kerberos authentication from remote hosts—a technique that can lead to credential relay or domain privilege escalation. New detections including Windows Short-Lived DNS Record, Windows Kerberos Coercion via DNS, Windows Credential Target Information Structure in Command Line, and DNS Kerberos Coercion provide end-to-end visibility into DNS-based coercion behaviors across authentication and name resolution events, enabling SOCs to identify identity coercion attacks that often unfold silently inside Active Directory environments.

• 📦 NPM Supply Chain Compromise (Shai-Hulud Campaigns):
  Expanded detection coverage for npm ecosystem supply chain compromises, addressing both the Shai-Hulud 2.0 worm campaign and recurring lifecycle hook abuse patterns. Added analytics to detect malicious npm package installations that execute arbitrary scripts through preinstall, install, postinstall, or prepare hooks—a long-standing risk vector exploited in major incidents from event-stream (2018) to ua-parser-js (2021) and Shai-Hulud (2025). New detections monitor GitHub workflow tampering, credential theft, and cross-platform exfiltration behaviors that often unfold silently inside CI/CD pipelines, giving defenders early visibility into malicious package lifecycle hooks and enhancing the ability to detect supply chain compromise before widespread impact.

• 🖥️ NetSupport RMM Tool Abuse:
  Strengthened detection coverage for malicious use of the NetSupport Manager RMM tool, which adversaries frequently deploy for covert remote access under the guise of legitimate remote-support activity. New analytics identify NetSupport's presence through loaded module patterns, executable masquerading, and registry manipulation, helping distinguish authorized IT administration from unauthorized NetSupport-based intrusions involving renamed binaries, PowerShell-assisted deployment, suspicious startup locations, and stealthy remote control sessions. These detections complement updated credential-theft coverage to surface cases where NetSupport is deployed as part of a broader credential access or persistence chain.

• 🤖 Suspicious Local LLM Frameworks (Shadow AI):
  Added new analytics to address the rise of Shadow AI—unauthorized deployment of local Large Language Model (LLM) frameworks such as Ollama, LM Studio, GPT4All, Jan, llama.cpp, and KoboldCPP inside enterprise environments. These tools allow users to run powerful models locally, creating blind spots for data exfiltration, policy violations, and unmonitored processing of sensitive information. New detections monitor model file downloads (.gguf, .ggml, safetensors), suspicious process execution, and DNS lookups to model repositories, providing defenders with early warning before unmonitored AI runtimes become channels for data exposure or endpoint abuse.

• 🔥 Suspicious Cisco ASA Activity:
  Expanded detection coverage for malicious or unauthorized activity on Cisco Adaptive Security Appliances (ASA), representing the most extensive set of Cisco ASA security analytics released to date. New detections focus on configuration tampering, credential misuse, and covert administrative behaviors often seen in targeted network compromise and firewall takeover scenarios. Analytics surface high-risk events including AAA policy modification, logging filter tampering, logging message suppression, packet capture activation, and device file copy operations—both locally and to remote destinations. Additional detections highlight identity-based abuse such as new local user account creation, user deletion, privilege level changes, and lockout threshold anomalies, along with reconnaissance command usage that may reveal adversary staging or pre-attack mapping. By bringing ASA telemetry into the same analytic ecosystem as NVM, FTD, Duo, Umbrella, and Talos-driven rapid responses, this update enhances visibility into attempts to weaken audit controls, establish persistence, exfiltrate configuration data, or manipulate security boundaries on Cisco ASA devices.

New Analytic Story - [6]

• Kerberos Coercion with DNS
• NPM Supply Chain Compromise
• NetSupport RMM Tool Abuse
• React2Shell
• Suspicious Local LLM Frameworks
• Tuoni

New Analytics - [31]

• Cisco ASA - AAA Policy Tampering
• Cisco ASA - Device File Copy Activity
• Cisco ASA - Device File Copy to Remote Location
• Cisco ASA - Logging Filters Configuration Tampering
• Cisco ASA - Logging Message Suppression
• Cisco ASA - New Local User Account Created
• Cisco ASA - Packet Capture Activity
• Cisco ASA - Reconnaissance Command Activity
• Cisco ASA - User Account Deleted From Local Database
• Cisco ASA - User Account Lockout Threshold Exceeded
• Cisco ASA - User Privilege Level Change
• Cisco Secure Firewall - React Server Components RCE Attempt
• DNS Kerberos Coercion
• GitHub Workflow File Creation or Modification
• LLM Model File Creation
• Linux Suspicious React or Next.js Child Process
• Local LLM Framework DNS Query
• Shai-Hulud 2 Exfiltration Artifact Files
• Shai-Hulud Workflow File Creation or Modification
• Windows Credential Target Information Structure in Commandline
• Windows Executable Masquerading as Benign File Types
• Windows Kerberos Coercion via DNS
• Windows Local LLM Framework Execution
• Windows NetSupport RMM DLL Loaded By Uncommon Process
• Windows PUA Named Pipe
• [Windows RMM Named Pipe](https://research.splunk.com/endpoint/c07c7138-e...

🚀 Key Highlights

• 🐀 Castle RAT:
  Expanded coverage for the Castle RAT remote access trojan, which enables adversaries to execute commands, exfiltrate files, log keystrokes, and capture screens during targeted intrusion campaigns. Tagged multiple existing detections related to persistence, task creation, and suspicious process behavior, and introduced new analytics for unusual browser flag launches, ComputerDefaults-based UAC bypass, and handle duplication in known bypass binaries to improve visibility into Castle RAT infection chains, privilege escalation, and long-term access mechanisms.

• 🌐 Research site enhancements:
  We’re excited to also announce that we’ve enhanced research.splunk.com to provide deeper insights and richer context for detection engineers. Each detection entry now includes detailed attack data along with corresponding MITRE ATT&CK techniques, the environment used to generate the data, timestamps of simulated attacks, and tools leveraged during simulation. You can also explore step-by-step details on how to replay these attacks within your own Splunk environment for validation, tuning, and testing. This update is designed to help you better understand adversary behaviors, validate your detections with real-world data, and accelerate the development of high-fidelity detections. We highly recommend checking out the enhanced experience at https://research.splunk.com/attack_data and leveraging this data to strengthen your detection engineering workflows.

New Analytic Story - [1]

• Castle RAT

New Analytics - [3]

• Windows Browser Process Launched with Unusual Flags
• Windows ComputerDefaults Spawning a Process
• Windows Handle Duplication in Known UAC-Bypass Binaries

Other Updates

• Tagged several other detection analytics to Castle RAT
• Updated the Splunkbase link for the Ollama TA data source and TA versions of various data sources

🔴 BREAKING CHANGES:

• As previously communicated in the ESCU v5.16.0 release, several detections have been removed. For a complete list of the detections removed in version v5.18.0, refer to the List of Removed Detections. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v5.20.0, see the List of Detections Scheduled for Removal

🚀 Key Highlights

• 🧩 Microsoft WSUS CVE-2025-59287 Remote Code Execution:
  Introduced a new analytic story for the exploitation of CVE-2025-59287, a critical WSUS deserialization vulnerability enabling unauthenticated remote code execution. Added a new detection — Windows WSUS Spawning Shell — and tagged related process-based detections to enhance post-exploitation visibility.

• 🛡️ Oracle E-Business Suite Exploitation (TALOS Collaboration):
  Released new Snort-based detections developed with Cisco Talos to identify exploitation attempts against Oracle E-Business Suite. These analytics detect anomalous web requests, payload delivery, and lateral movement behaviors targeting enterprise ERP systems based on Snort alerts.

• 🌐 HTTP Request Smuggling:
  Introduced a new analytic story to detect and investigate HTTP request smuggling techniques that exploit discrepancies in how web servers and proxies handle request sequences. Added detections — HTTP Suspicious Tool User Agent, HTTP Request to Reserved Name, HTTP Rapid POST with Mixed Status Codes, HTTP Possible Request Smuggling, and HTTP Duplicated Header — leveraging searches for indicators like CL.TE, TE.TE, and CL.0 to identify abuse of HTTP parsing logic and potential security control bypasses.

• 💀 Scattered Lapsus$ Hunters and Hellcat Ransomware:
  Tagged a broad set of existing TTPs and added new analytic stories covering the Scattered Lapsus$ Hunters coalition (Scattered Spider, Lapsus$, and Shiny Hunters) and the Hellcat Ransomware RaaS group. These updates enhance visibility into MFA bypass, credential theft, remote access tool abuse, PowerShell infection chains, SSH persistence, and custom ransomware payloads targeting critical infrastructure, telecom, and government sectors.

New Analytic Story - [5]

• HTTP Request Smuggling
• Hellcat Ransomware
• Microsoft WSUS CVE-2025-59287
• Oracle E-Business Suite Exploitation
• Scattered Lapsus$ Hunters

New Analytics - [18]

• Advanced IP or Port Scanner Execution
• Cisco Secure Firewall - Oracle E-Business Suite Correlation
• Cisco Secure Firewall - Oracle E-Business Suite Exploitation
• File Download or Read to Pipe Execution
• HTTP Duplicated Header
• HTTP Possible Request Smuggling
• HTTP Rapid POST with Mixed Status Codes
• HTTP Request to Reserved Name on IIS Server
• HTTP Suspicious Tool User Agent
• Windows Default RDP File Creation By Non MSTSC Process
• Windows Defender ASR or Threat Configuration Tamper
• Windows Process Execution From RDP Share
• Windows WBAdmin File Recovery From Backup
• Windows WSUS Spawning Shell
• Wmiprvse LOLBAS Execution Process Spawn(Search name update: @Shotscape)
• Windows NirSoft Tool Bundle File Created
• Windows PowerShell Process Implementing Manual Base64 Decoder
• Windows PsTools Recon Usage

Other Updates

• Added new and updated several detections for which Github issues were reported. Please view this complete list of updates that are made to address false positives, efficiency and improved detection logic and names. Following are the details about the breaking changes

🔴 BREAKING CHANGES :

• We have deprecated some detections that are scheduled to be removed in 5.20.0 and will be replaced with the following. It is highly recommended to following the deprecated process here to ensure that the detections continue running reliably,

a. Windows Change Default File Association For No File Ext
-> Replacement - Windows Change File Association Command To Notepad
b. Detect Rundll32 Application Control Bypass - setupapi
-> Replacement - Windows Application Whitelisting Bypass Attempt via Rundll32
c. Detect Rundll32 Application Control Bypass - syssetup
-> Replacement - Windows Application Whitelisting Bypass Attempt via Rundll32
d. Detect Rundll32 Application Control Bypass - advpack
-> Replacement - Windows Application Whitelisting Bypass Attempt via Rundll32

🚀 Key Highlights

🦙 Suspicious Ollama Activities : Introduced a new analytic story focused on monitoring misuse and abuse of locally hosted LLMs through Ollama. This story includes detections such as Abnormal Network Connectivity, Service Crash or Availability Attack, Excessive API Requests, API Endpoint Scan Reconnaissance, Memory Exhaustion Resource Abuse, Model Exfiltration or Data Leakage, RCE via Model Loading, and Suspicious Prompt Injection or Jailbreak. A dedicated TA-Ollama is developed to parse Ollama server logs, enabling precise detection of adversarial prompt engineering, local model abuse, and AI-powered lateral movement scenarios.

✈️ Suspicious Microsoft 365 Copilot Activities : Added a new analytic story targeting emerging risks in GenAI integration with Microsoft 365 Copilot. Detections include M365 Copilot Application Usage Pattern Anomalies, Failed Authentication Patterns, Non-Compliant Devices Accessing Copilot, and Session Origin Anomalies. These analytics help security teams identify compromised identities, unauthorized device access, and abnormal usage trends associated with enterprise AI assistants.

🔒LokiBot and PromptLock Malware: Expanded coverage for LokiBot, a pervasive credential-stealing Trojan distributed via phishing and malicious attachments. A new detection (Windows Visual Basic Command-Line Compiler DNS Query) was added alongside enhanced tagging across related analytics to better identify suspicious DNS communications and data exfiltration attempts.

In addition, we introduced coverage for PromptLock, the first known GenAI-driven ransomware proof-of-concept discovered by ESET in 2025. PromptLock leverages a local AI model (gpt-oss:20b) via the Ollama API to dynamically generate Lua scripts for multi-platform encryption and exfiltration. These detections focus on anomalous AI invocation patterns, file encryption activity, and use of local LLM APIs for malicious automation.

👻 APT37 (Rustonotto & FadeStealer) and GhostRedirector: Expanded coverage for APT37, adding a new detection for suspicious Windows Cabinet file extraction activity linked to their Rustonotto and FadeStealer toolsets. This update enhances visibility into phishing-based infections, persistence mechanisms, and data exfiltration behavior.
Also introduced a new GhostRedirector and Rungan analytic story to track server compromises involving malicious IIS modules, SQL injection abuse, and stealthy PowerShell activity used to maintain access and manipulate web traffic.

These additions strengthen security teams' ability to detect and respond to emerging threats across critical enterprise platforms.

New Analytic Story - [6]

• APT37 Rustonotto and FadeStealer
• GhostRedirector IIS Module and Rungan Backdoor
• Lokibot
• PromptLock
• Suspicious Microsoft 365 Copilot Activities
• Suspicious Ollama Activities

New Analytics - [19]

• M365 Copilot Application Usage Pattern Anomalies
• M365 Copilot Failed Authentication Patterns
• M365 Copilot Non Compliant Devices Accessing M365 Copilot
• M365 Copilot Session Origin Anomalies
• Web or Application Server Spawning a Shell
• Windows Application Whitelisting Bypass Attempt via Rundll32
• Windows Cabinet File Extraction Via Expand
• Windows Change File Association Command To Notepad
• Windows Set Network Profile Category to Private via Registry
• Windows Symlink Evaluation Change via Fsutil
• Windows Visual Basic Commandline Compiler DNSQuery
• Ollama Abnormal Network Connectivity
• Ollama Abnormal Service Crash Availability Attack
• Ollama Excessive API Requests
• Ollama Possible API Endpoint Scan Reconnaissance
• Ollama Possible Memory Exhaustion Resource Abuse
• Ollama Possible Model Exfiltration Data Leakage
• Ollama Possible RCE via Model Loading
• Ollama Suspicious Prompt Injection Jailbreak

Other Updates

• Updated several detections for which Github issues were reported. Please view this complete list of updates that are made to address false positives, efficiency and improved detection logic

🔴 BREAKING CHANGES :

• Remove the notable alert actions: meaning these will no longer create notable/findings and will continue create risk events aka intermediate findings
  a. Attempt To Add Certificate To Untrusted Store
  b. Windows Archived Collected Data In TEMP Folder
  c. Windows Rundll32 Apply User Settings Changes
  d. Windows Scheduled Task Created Via XML

• Add the notable alert actions: meaning these will now create notable/findings and will continue create risk events aka intermediate findings
  a. Windows Certutil Root Certificate Addition

• As previously communicated in the ESCU v5.14.0 release, several detections have been removed. For a complete list of the detections removed in version v5.16.0, refer to the List of Removed Detections. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v5.18.0, see the List of Detections Scheduled for Removal

🚀 Key Highlights

ESCU v5.15.2 fixes incorrect reference links, CVE tags, and MITRE mappings introduced for ArcaneDoor in v5.15.0 and adds a new generic analytic story.

New Analytic Story - [1]

• Suspicious Cisco Adaptive Security Appliance Activity

Other Updates

• Tagged detection Cisco ASA - Logging Disabled via CLI to the Suspicious Cisco Adaptive Security Appliance Activity story

🚀 Key Highlights

🚪 ArcaneDoor - A new analytic story to help security teams detect exploitation of Cisco ASA/Firewall zero-day vulnerabilities (CVE-2025-20333 & CVE-2025-20362) tied to recent state-sponsored activity. This story introduces two new detections, focused on identifying suspicious behaviors and behaviors that may indicate attempts to disable or suppress logging. In addition, the Cisco Secure Firewall – Intrusion Events by Threat Activity lookup has been updated with the latest Snort IDs to ensure more accurate coverage of related threats.

New Analytic Stories - [1]

• ArcaneDoor

New Analytics - [2]

• Cisco ASA - Core Syslog Message Volume Drop
• Cisco ASA - Logging Disabled via CLI

Updated Analytics - [1]

• Cisco Secure Firewall - Intrusion Events by Threat Activity
• Linux Auditd Service Started

🚀 Key Highlights

🧠 LAMEHUG: Introduced new detections for the LAMEHUG malware, which leverages outbound requests to Hugging Face APIs (e.g., Qwen 2.5-Coder-32B-Instruct) to generate AI-driven Windows command chains. Common behaviors include execution of systeminfo, net start, tasklist, dsquery, and recursive file copy operations into %ProgramData%\info\. Initial delivery vectors often involve phishing ZIPs with .pif binaries disguised as PDF or image viewers.

🕵️ ObjectivyStealer: Tagged relevant existing content to cover behaviors associated with ObjectivyStealer, a stealthy information-stealing malware targeting web browsers, messaging apps, cryptocurrency wallets, and local system files. It evades detection by operating from user profile or temp directories and maintains persistence using registry run keys or scheduled tasks. This mapping enhances detection of credential theft, session hijacking, and encrypted exfiltration to remote C2 infrastructure.

🛡️ Secret Blizzard: Added detections for suspicious use of certutil.exe to install root certificates from temp directories using the -addstore root command. This tactic, seen in post-exploitation scenarios, may be used to intercept HTTPS traffic, impersonate trusted services, or bypass endpoint defenses. These analytics detect certificate installation from .tmp files, use of the -f (force) and -Enterprise flags, and other high-risk trust modifications that can lead to persistent compromise.

📨 NotDoor Malware: Introduced a new analytic story focused on detecting NotDoor, a malicious Outlook macro backdoor linked to APT28 (Fancy Bear). This story adds detections for suspicious Outlook macro creation, persistence via LoadMacroProviderOnBoot, and disabling of security dialogs — all techniques leveraged by NotDoor to exfiltrate data, upload files, and execute remote commands via email-based triggers.

New Analytic Story - [5]

• 0bj3ctivity Stealer
• LAMEHUG
• NotDoor Malware
• PathWiper
• Secret Blizzard

New Analytics - [19]

• Linux Magic SysRq Key Abuse(External Contributor: @CheraghiMilad)
• Windows AI Platform DNS Query
• Windows Certutil Root Certificate Addition
• Windows DLL Module Loaded in Temp Dir
• Windows Excel ActiveMicrosoftApp Child Process
• Windows File Collection Via Copy Utilities
• Windows Net System Service Discovery
• Windows Outlook Dialogs Disabled from Unusual Process
• Windows Outlook LoadMacroProviderOnBoot Persistence
• Windows Outlook Macro Created by Suspicious Process
• Windows Outlook Macro Security Modified
• Windows Set Private Network Profile via Registry
• Windows SpeechRuntime COM Hijacking DLL Load
• Windows SpeechRuntime Suspicious Child Process
• Windows Wmic CPU Discovery
• Windows Wmic DiskDrive Discovery
• Windows Wmic Memory Chip Discovery
• Windows Wmic Network Discovery
• Windows Wmic Systeminfo Discovery

Other Updates

• As previously communicated in the ESCU v5.12.0 release, several detections have been removed. For a complete list of the detections removed in version v5.14.0, refer to the List of Removed Detections. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v5.16.0, see the List of Detections Scheduled for Removal

Key highlights

ESCU 5.13 is a rapid‑response release addressing active exploitation of Cisco Smart Install (CVE‑2018‑0171) by Static Tundra, a Russian state‑sponsored espionage group linked to FSB Center 16 and known for long‑term compromises of network devices. The actor is abusing a seven‑year‑old, already‑patched flaw on unpatched or EOL IOS/IOS XE gear to steal configurations and establish persistent access, including bespoke SNMP tooling and historic firmware implants such as SYNful Knock.

To mitigate this campaign, the Splunk Threat Research Team operationalized Cisco Talos’ PCAP patterns and tradecraft into high‑signal detections on cisco:ios telemetry. These detections surface Smart Install ingress on TCP/4786 and oversized SMI packets, follow‑on configuration/persistence actions (privileged account creation, SNMP community changes, interface modifications), and TFTP staging/exfiltration, with Cisco Secure Firewall mappings for unified triage.

This release provides security teams actionable hunts and earlier containment checks for a critical blind spot that typically sits outside EDR and has been abused for long‑dwell espionage (while engineering teams concurrently begin remediation in line with Talos/Cisco guidance to patch or disable Smart Install, adopt SNMPv3, and harden management access). Given the campaign’s global scope (telecom, higher education, manufacturing across North America, Asia, Africa, and Europe) and the likelihood of similar activity by other state actors, this coverage is broadly applicable.

Enabled by our ongoing Cisco + Splunk Better Together collaboration, customers can rapidly receive high fidelity hunts to detect earlier, verify remediation, and reduce mean time to detection and containment, cutting dwell time across IOS/IOS XE and other current and legacy environments. Kudos to Cisco Talos for surfacing this emerging tradecraft and the Splunk Threat Research Team who rapidly operationalized this intelligence into actionable detections across Cisco product suite!

Here’s a summary of the latest updates:

Cisco Smart Install Remote Code Execution (CVE-2018-0171): Introduced a new analytic story built using cisco:ios logs and network traffic pcap samples from Cisco Talos to detect exploitation attempts known to be used by Static Tundra. Detections include suspicious Smart Install traffic, privileged account creation, SNMP configuration changes, and TFTP-based data exfiltration on vulnerable Cisco devices. You can read more about it in this recent Talos blog.

New Analytic Story - [1]

Cisco Smart Install Remote Code Execution CVE-2018-0171

New Analytics - [8]

Cisco Configuration Archive Logging Analysis
Cisco IOS Suspicious Privileged Account Creation
Cisco Network Interface Modifications
Cisco SNMP Community String Configuration Changes
Cisco Secure Firewall - Static Tundra Smart Install Abuse
Cisco Smart Install Oversized Packet Detection
Cisco Smart Install Port Discovery and Status
Cisco TFTP Server Configuration for Data Exfiltration

Updated Analytics - [1]

Cisco Secure Firewall - Intrusion Events by Threat Activity

🚀 Key Highlights

🛡️ Medusa Rootkit (UNC3886): Introduced a new analytic story for Medusa Rootkit, a stealthy malware leveraged by UNC3886 to maintain persistence on Linux 🐧 and Windows 🪟 systems. This release adds detections for Linux GDrive Binary Activity, Linux Medusa Rootkit, Windows GDrive Binary Activity, and Windows Suspicious VMware Tools Child Process, while also mapping other existing detections to this threat actor.

📦 MSIX Package Abuse: We added a new analytic story covering abuse of Microsoft MSIX application packages, leveraging telemetry from AppXDeploymentServer/Operational logs 📑. This story introduces detections for suspicious MSIX behaviors, including Windows Advanced Installer MSIX with AI_STUBS Execution, Unsigned Package Installation, PowerShell MSIX Package Installation, and interactions with Windows Apps directories 📂, providing visibility into application sideloading and potential malware delivery.

🖥️ Windows RDP Artifacts & Defense Evasion: A new analytic story focused on RDP activity 💻 followed by artifact cleanup 🧹 or evasion techniques. Windows RDP usage generates forensic artifacts such as Default.rdp files 📄 and bitmap caches 🖼️ that can reveal details about accessed systems. This release adds detections for RDP file creation, deletion, and un-hiding events, bitmap cache file activity, RDP server registry entry creation/deletion, and RDP client launched with admin session, while tagging existing detections to ensure comprehensive monitoring of both RDP usage and evasion behavior.

📚 New Analytic Stories – [3]

• MSIX Package Abuse
• Medusa Rootkit
• Windows RDP Artifacts and Defense Evasion

♻️ Updated Analytic Story – [1]

• China-Nexus Threat Activity

🆕 New Analytics – [22]

• Linux Gdrive Binary Activity
• Linux Medusa Rootkit
• Windows Advanced Installer MSIX with AI_STUBS Execution
• Windows AppX Deployment Full Trust Package Installation
• Windows AppX Deployment Package Installation Success
• Windows AppX Deployment Unsigned Package Installation
• Windows Default RDP File Creation
• Windows Default Rdp File Deletion
• Windows Default Rdp File Unhidden
• Windows Developer-Signed MSIX Package Installation
• Windows Gdrive Binary Activity
• Windows MSIX Package Interaction
• Windows PowerShell MSIX Package Installation
• Windows PowerShell Script From WindowsApps Directory
• Windows RDP Bitmap Cache File Creation
• Windows RDP Cache File Deletion
• Windows RDP Client Launched with Admin Session
• Windows RDP Login Session Was Established
• Windows RDP Server Registry Deletion
• Windows RDP Server Registry Entry Created
• Windows Rdp AutomaticDestinations Deletion
• Windows Suspicious VMWare Tools Child Process

⚠️ Other Updates

As previously communicated in the ESCU v5.10.0 release, several detections have been removed.
For a complete list of the detections removed in version v5.12.0, refer to the List of Removed Detections.

Additionally, a new set of detections has been deprecated.
For details on detections scheduled for removal in ESCU v5.14.0, see the List of Detections Scheduled for Removal.

Key highlights

• 🔐 Interlock Ransomware & NaiLaoLocker: Interlock Ransomware exhibits unexpected file encryption patterns—such as anomalous PowerShell or CMD processes spawned from Office apps—and large-scale file renaming, while NaiLaoLocker employs multi-threaded AES-256-CBC encryption with SM2 key wrapping via DLL side-loading and mutex creation to evade re-execution; we mapped all existing detections to both malware and updated the ransomware extensions and notes lookup files.
• 🐀 Interlock RAT: Interlock RAT is a modular, stealthy backdoor first observed in mid-2024 that uses encrypted C2 communications and fake browser-update installers to gain persistence, capture keystrokes, and exfiltrate data; we mapped existing detections to this RAT to surface indicators like anomalous network beaconing, persistence artifacts, and credential-theft behaviors.
• Scattered Spider (UNC3944/Scatter Swine/Oktapus/Octo Tempest/Storm-0875/Muddled Libra): Scattered Spider is an extortion-focused group using SIM-swap attacks, push-bombing MFA fatigue, and social engineering to deploy legitimate remote-access tools (e.g., TeamViewer, AnyDesk, Ngrok) for data theft and ransomware deployment; we mapped existing detections to this actor, covering behaviors such as MFA bombing prompts, unauthorized remote-access tool execution, and cloud API abuse.

New Analytic Stories - [4]

• Interlock Ransomware
• Interlock Rat
• NailaoLocker Ransomware
• Scattered Spider

New Analytics - [2]

• Splunk AppDynamics Secure Application Alerts
• Windows Rundll32 Load DLL in Temp Dir

Updated Analytics - [3]

• Cobalt Strike Named Pipes (External Contributor : @atgithub11)
• O365 BEC Email Hiding Rule Created (External Contributor : @0xC0FFEEEE)
• Azure AD Multiple Denied MFA Requests For User (External Contributor : @jakeenea51)