🚀 Key Highlights

• Ghost RAT: Expanded coverage for Ghost RAT activity by tagging multiple existing analytics related to service creation, registry persistence, command-line execution, and system discovery behaviors, alongside new detections for Windows Remote Access Registry Entry and Windows Rundll32 with Non-Standard File Extension. Additionally, improved detection fidelity with updates to Ping Sleep Batch Command and introduced a new analytic story Ghost RAT, enhancing visibility into stealthy persistence, defense evasion, and command execution techniques commonly used by this malware family.
• Void Manticore Activity Coverage Expansion: Expanded detection coverage for Void Manticore, a threat group associated with destructive and espionage-driven operations, by tagging multiple existing analytics aligned to data destruction, shadow copy deletion, backup recovery tampering, and suspicious script execution behaviors. This update enhances visibility into attacker tradecraft involving bcdedit manipulation, recursive file deletion, remote process execution via WMI, and suspicious process/file activity, improving detection of pre-impact and impact-stage techniques commonly used in disruptive campaigns targeting enterprise environments.
• Detection & Content Improvements: Introduced new data source support, migrated Palo Alto integrations, enhanced detections with MITRE mappings, fixed regex and logic issues, reduced false positives, improved accuracy and performance, updated metadata based on telemetry insights, and refactored multiple analytics and SPL queries for better readability, consistency, and reliability

New Analytic Story - [2]

• Gh0st RAT
• Void Manticore

New Analytics - [2]

• Windows Routing and Remote Access Service Registry Key Change
• Windows Rundll32 with Non-Standard File Extension

Updated Analytics

Based on various other telemetry sources, we have updated a list of detections missing Mitre IDs, updated data sources and detections with the following changes:

• Malicious PowerShell Process - Encoded Command - Updated the broken regex with a more robust one that aims to detect most variation of the EncodedCommand flag [BUG] Malicious PowerShell Process - Encoded Command - regex doesn't make sense #3939)
• Outbound Network Connection from Java Using Default Ports - Remove duplicate entry for javaw.exe and other updates to the SPL structure so that it is more readable.
• Suspicious Rundll32 no Command Line Arguments - Remove the unnecessary usage of regex and moved the filter logic earlier for better performance
• Suspicious SearchProtocolHost no Command Line Arguments - Remove the unnecessary usage of regex and moved the filter logic earlier for better performance
• Windows New Deny Permission Set On Service SD Via Sc.EXE - Updated metadata info, including the FP section based on Athena telemetry.
• Windows New Service Security Descriptor Set Via Sc.EXE - Updated metadata info, including the FP section based on Athena telemetry.
• Detect Large ICMP Traffic / Detect Outbound LDAP Traffic - Update the logic to these by adding a more broad filter for local IPs.
• Detect Computer Changed with Anonymous Account - Updated the logic to be more accurate. (See explanation in [BUG] Logic Problem in Detect Computer Changed with Anonymous Account #3961)
• Windows Privileged Group Modification - Update logic to include EventID 4756 (Fix Add Event ID 4756 to windows_privileged_group_modification detection #3969)
• Windows Scheduled Task Service Spawned Shell - Update and beautify the SPL as well as other metadata and RBA related config.
• Possible Lateral Movement PowerShell Spawn - Fixed FP by adding exclusion for svchost with the schedule service
• Detect Use of cmd exe to Launch Script Interpreters - Fixed FP by adding exclusion for standard execution files paths.
• Scheduled Task Deleted Or Created via CMD - Fixed FP by adding exclusion for standard execution files paths.
• Beautified the SPL of multiple analytics that were leveraging the Palo Alto TA.

Read more

🚀 Key Highlights

• 🤖 Cisco Catalyst SD-WAN Analytics:

Introduced a new analytic story for Cisco Catalyst SD-WAN focused on identifying anomalous control-plane relationships across vManage, vSmart, and edge devices. By leveraging telemetry related to control-connection state changes, peer identity, public IP associations, and system roles, this release detects rare or unexpected peer interactions that may signal misconfigurations, unauthorized infrastructure, or adversary presence within SD-WAN environments. New detections — Cisco SD-WAN Low Frequency Rogue Peer and Cisco SD-WAN Peering Activity — provide visibility into suspicious control-plane communications and abnormal peering patterns that deviate from established network baselines.

New Analytic Story - [1]

• Cisco Catalyst SD-WAN Analytics

New Analytics - [3]

• Cisco SD-WAN - Low Frequency Rogue Peer
• Cisco SD-WAN - Peering Activity
• Curl Execution with Percent Encoded URL

Other Updates

• Added end-to-end YAML formatting/validation (yamlfmt + yamllint) via a new pre-commit hook and CI “YAML Validation” job (validate_yaml.py), updates docs, and auto-formats all detections/analytics (including initial SPL beautification using |- for readability).
• Updates multiple detections to better cover calc-related binaries by adding CalculatorApp.exe/win32calc.exe entries, fixing a LOLBAS network-traffic filter bug (All_Traffic.dest_ip), and enhancing calc DLL side-loading rule metadata (including explicit WindowsCodecs.dll) to address issue #3916.

🚀 Key Highlights

• 🤖 Suspicious MCP Activities:
  Introduced a new analytic story focused on detecting abuse of authorized Model Context Protocol (MCP) server deployments, where legitimate AI tool integrations (filesystem, database, API, and cloud operations) may be weaponized for data exfiltration, privilege escalation, lateral movement, or persistence. This release includes a new MCP Technology Add-on (TA) for parsing MCP server telemetry and adds detections such as MCP Sensitive System File Search, MCP Prompt Injection, MCP Postgres Suspicious Query, MCP GitHub Suspicious Operation, and MCP Filesystem Server Suspicious Extension Write, providing visibility into malicious tool invocation patterns, abnormal data access, and AI-driven attack chains leveraging trusted automation infrastructure.

• 💥 DynoWiper and ZOVWiper (Sandworm Destructive Operations):
  Expanded coverage for the destructive malware families DynoWiper and ZOVWiper, attributed to the Russia-aligned threat group Sandworm, by tagging existing endpoint analytics aligned to their file-overwrite, drive enumeration, and system reboot behaviors. These wipers target critical infrastructure and financial sectors, systematically overwriting data across fixed and removable drives while selectively skipping system directories to maximize operational impact. By mapping current detections to known Sandworm tradecraft, this update strengthens visibility into destructive file modification patterns, large-scale overwrite activity, and pre-reboot execution behaviors associated with modern wiper deployments.

• ☀️ SolarWinds Web Help Desk RCE (CVE-2025-26399) Post-Exploitation:
  Tagged existing analytics to enhance visibility into post-exploitation activity following SolarWinds WHD remote code execution, focusing on suspicious process spawning, privilege escalation, lateral movement, persistence mechanisms, and outbound command-and-control behavior originating from compromised Web Help Desk services.

New Analytic Story - [5]

• DynoWiper
• SolarWinds WHD RCE Post Exploitation
• Suspicious MCP Activities
• XML Runner Loader
• ZOVWiper

New Analytics - [7]

• MCP Filesystem Server Suspicious Extension Write
• MCP Github Suspicious Operation
• MCP Postgres Suspicious Query
• MCP Prompt Injection
• MCP Sensitive System File Search
• Windows Execution of Microsoft MSC File In Suspicious Path
• Windows MMC Loaded Script Engine DLL

Updated Analytics

• CrowdStrike Falcon Stream Alerts (External Contributor : @bpluta-splunk)

Breaking Changes

As previously communicated in the ESCU v5.20.0 release, several detections have been removed. For a complete list of the detections removed in version v5.22.0, refer to the List of Removed Detections. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v5.24.0, see the List of Detections Scheduled for Removal.

🚀 Key Highlights

• 🔍 New Finding-Based Detections (ES 8.4+):
  Starting with Splunk Enterprise Security 8.4 and above, ESCU introduces Finding-Based Detections, a new analytic type that automatically groups and correlates high volumes of related findings and intermediate at the entity level. This reduces alert noise and helps analysts quickly focus on users or hosts most likely to represent real threats.

• 🛡️ GNU Telnetd CVE-2026-24061 Authentication Bypass:
  Introduced a new analytic story covering CVE-2026-24061, a critical authentication bypass vulnerability in GNU InetUtils telnetd that allows unauthenticated attackers to establish a Telnet session as root. This flaw abuses an unsanitized, attacker-controlled USER environment variable passed to the login process, enabling direct privilege escalation without valid credentials. Added a new detection — Linux Telnet Authentication Bypass — to identify exploitation attempts targeting legacy Unix/Linux systems, embedded devices, network appliances, and operational technology environments where Telnet remains in use.

• 🌐 Windows Chromium Browser Hijacking Enhancements:
  Expanded browser hijacking coverage with new endpoint detections targeting suspicious Chromium-based browser execution patterns on Windows. Added analytics to identify browsers launched with abnormally small window sizes, disabled popup blocking, disabled logging, suppressed extensions, and headless execution — behaviors commonly associated with ad fraud, credential harvesting, session hijacking, and stealthy user interaction abuse. These detections improve visibility into malicious browser manipulation used by infostealers, loaders, and post-exploitation frameworks.

• 🎯 Expanded Threat Actor and Malware Coverage (VoidLink, Storm-0501, StealC):
  Tagged a broad set of existing analytics and improved detection coverage for several high-impact threats. Added comprehensive coverage for VoidLink, a cloud-native Linux malware framework leveraging a modular C2 architecture, rootkit functionality, and advanced evasion techniques to target containerized and cloud environments. Additionally, enhanced analytic stories and tagging for Storm-0501 ransomware activity and the StealC stealer, improving visibility into ransomware execution chains, credential theft, downloader behavior, and post-compromise persistence across Windows and Linux environments.

Total New and Updated Content: [419]

New Analytic Story - [4]

• StealC Stealer
• Storm-0501 Ransomware
• Telnetd CVE-2026-24061
• VoidLink Cloud-Native Linux Malware

Updated Analytic Story - [6]

• Apache Struts Vulnerability
• Brand Monitoring
• Critical Alerts
• JBoss Vulnerability
• Malicious PowerShell
• Scattered Spider

Updated Analytics -[6]

• O365 New MFA Method Registered (External Contributor - @JTweet)
• Set Default PowerShell Execution Policy To Unrestricted or Bypass (External Contributor - @AndreiBanaru)
• Windows Abused Web Services (External Contributor - @aaaAlexanderaaa)
• Services LOLBAS Execution Process Spawn (External Contributor - @DipsyTipsy)

Breaking Changes

• Removed the notable alert actions: meaning these will no longer create notable/findings and will continue create risk events aka intermediate findings
  a. Process Creating LNK file in Suspicious Location

Other Updates

• Updated several analytics and significantly improved performance and efficiency across multiple detections by optimizing search logic (e.g., subsearches, targeted where clauses, and reduced search space), resulting in substantial runtime reductions and clearer user guidance where applicable. Pull request for specific details (#1 and #2)
• Updated analytics to have standardized known false positive sections and filter macros at the end of all searches
• We received reports from a number of customers whereby Removed Searches may still be scheduled to run and their execution would fail silently. However, these searches could not be disabled because they failed to render in the Saved Searches UI. This release includes a fix to savedsearches.conf which ensures that Removed Content still appears in the SavedSearches UI if it had previously been scheduled or modified, allowing these searches to be disabled.

🚀 Key Highlights

• 🌐 Browser Hijacking:
  Introduced a new set of detections focused on browser hijacking techniques that manipulate Chrome configurations, registry settings, and command-line behaviors to persist malicious control, disable updates, and load unauthorized extensions. These detections surface suspicious actions such as disabling Chrome auto-updates, allowlisting or force-loading extensions, and abusing command-line flags to bypass browser security controls. Together, they help security teams identify early indicators of browser compromise, policy tampering, and user-impacting persistence mechanisms commonly leveraged by modern malware.

• ☸️ Cisco Isovalent Suspicious Activity:
  Expanded detection coverage leveraging Cisco Isovalent's kernel-level eBPF telemetry to identify advanced threats targeting Kubernetes and cloud-native environments. New detections focus on high-risk behaviors such as access to cloud metadata services, suspicious process execution, container escape techniques, offensive tooling in pods, anomalous kprobe activity, and unexpected shell or network behavior. By correlating low-level runtime signals with rich Kubernetes context, this content enables early detection of in-cluster attacks, lateral movement, and workload compromise before adversaries can escalate or persist.

• 🕵️ Suspicious User Agents:
  Introduced enhanced detection coverage to identify suspicious and default user agent strings commonly used by malware, command-and-control frameworks, remote monitoring and management (RMM) tools, and other potentially unwanted applications. These detections focus on uncovering overlooked or hard-coded user agents frequently left unchanged by adversaries, providing network-level visibility into malicious tooling that blends into normal HTTP traffic. By correlating anomalous user agents across malware, C2 frameworks, PUAs, and RMM software, security teams can more quickly identify and investigate stealthy network activity.

• 🤖 SesameOp & PromptFlux:
  Expanded analytic coverage for emerging malware families that abuse legitimate AI service APIs as command-and-control channels, allowing adversaries to hide malicious activity within trusted cloud traffic. This update tags relevant existing detections and introduces a new detection for Windows Potential AppDomainManager Hijack Artifacts Creation, addressing key persistence and injection techniques leveraged by SesameOp and PromptFlux. Together, these detections help surface anomalous API usage, suspicious persistence artifacts, and post-exploitation behaviors that indicate covert C2 activity masquerading as normal AI service interactions.

• 🔐 Cisco IOS & Secure Firewall Privileged Activity:
  Added new detections and risk-based correlation searches to identify high-risk administrative activity targeting Cisco IOS and Cisco Secure Firewall devices. The new detections focus on privileged command execution over HTTP and anomalous SSH behavior, including connections to non-standard ports and suspicious SSH services. These signals are correlated using the Risk data model to surface higher-fidelity alerts for privileged account creation combined with suspicious HTTP or SSH activity, helping teams identify post-exploitation and persistence attempts on network edge infrastructure.

New Analytic Story - [5]

• Browser Hijacking
• Cisco Isovalent Suspicious Activity
• PromptFlux
• SesameOp
• Suspicious User Agents

New Analytics - [25]

• Cisco Isovalent - Access To Cloud Metadata Service
• Cisco Isovalent - Cron Job Creation
• Cisco Isovalent - Curl Execution With Insecure Flags
• Cisco Isovalent - Kprobe Spike
• Cisco Isovalent - Late Process Execution
• Cisco Isovalent - Non Allowlisted Image Use
• Cisco Isovalent - Nsenter Usage in Kubernetes Pod
• Cisco Isovalent - Pods Running Offensive Tools
• Cisco Isovalent - Potential Escape to Host
• Cisco Isovalent - Shell Execution
• Cisco Privileged Account Creation with HTTP Command Execution
• Cisco Privileged Account Creation with Suspicious SSH Activity
• Cisco Secure Firewall - Privileged Command Execution via HTTP
• Cisco Secure Firewall - SSH Connection to Non-Standard Port
• Cisco Secure Firewall - SSH Connection to sshd_operns
• HTTP C2 Framework User Agent
• HTTP Malware User Agent
• HTTP PUA User Agent
• HTTP RMM User Agent
• HTTP Scripting Tool User Agent
• Windows Chrome Auto-Update Disabled via Registry
• Windows Chrome Enable Extension Loading via Command-Line
• Windows Chrome Extension Allowed Registry Modification
• Windows Chromium Process Loaded Extension via Command-Line
• Windows Potential AppDomainManager Hijack Artifacts Creation

Other Updates

• Performance & Coverage Improvements – Updated several searches by replacing regex-based matching with direct match driven comparisons to significantly improve performance and scalability in large environments, while also refreshing multiple lookup files to ensure accurate and up-to-date detection logic

Breaking Changes

As previously communicated in ESCU v5.18.0, several detections have been removed in v5.20.0:

Read more

🚀 Key Highlights

• 🐀 Castle RAT:
  Expanded coverage for the Castle RAT remote access trojan, which enables adversaries to execute commands, exfiltrate files, log keystrokes, and capture screens during targeted intrusion campaigns. Tagged multiple existing detections related to persistence, task creation, and suspicious process behavior, and introduced new analytics for unusual browser flag launches, ComputerDefaults-based UAC bypass, and handle duplication in known bypass binaries to improve visibility into Castle RAT infection chains, privilege escalation, and long-term access mechanisms.

• 🌐 Research site enhancements:
  We’re excited to also announce that we’ve enhanced research.splunk.com to provide deeper insights and richer context for detection engineers. Each detection entry now includes detailed attack data along with corresponding MITRE ATT&CK techniques, the environment used to generate the data, timestamps of simulated attacks, and tools leveraged during simulation. You can also explore step-by-step details on how to replay these attacks within your own Splunk environment for validation, tuning, and testing. This update is designed to help you better understand adversary behaviors, validate your detections with real-world data, and accelerate the development of high-fidelity detections. We highly recommend checking out the enhanced experience at https://research.splunk.com/attack_data and leveraging this data to strengthen your detection engineering workflows.

New Analytic Story - [1]

• Castle RAT

New Analytics - [3]

• Windows Browser Process Launched with Unusual Flags
• Windows ComputerDefaults Spawning a Process
• Windows Handle Duplication in Known UAC-Bypass Binaries

Other Updates

• Tagged several other detection analytics to Castle RAT
• Updated the Splunkbase link for the Ollama TA data source and TA versions of various data sources

🔴 BREAKING CHANGES:

• As previously communicated in the ESCU v5.16.0 release, several detections have been removed. For a complete list of the detections removed in version v5.18.0, refer to the List of Removed Detections. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v5.20.0, see the List of Detections Scheduled for Removal

🚀 Key Highlights

• 🧩 Microsoft WSUS CVE-2025-59287 Remote Code Execution:
  Introduced a new analytic story for the exploitation of CVE-2025-59287, a critical WSUS deserialization vulnerability enabling unauthenticated remote code execution. Added a new detection — Windows WSUS Spawning Shell — and tagged related process-based detections to enhance post-exploitation visibility.

• 🛡️ Oracle E-Business Suite Exploitation (TALOS Collaboration):
  Released new Snort-based detections developed with Cisco Talos to identify exploitation attempts against Oracle E-Business Suite. These analytics detect anomalous web requests, payload delivery, and lateral movement behaviors targeting enterprise ERP systems based on Snort alerts.

• 🌐 HTTP Request Smuggling:
  Introduced a new analytic story to detect and investigate HTTP request smuggling techniques that exploit discrepancies in how web servers and proxies handle request sequences. Added detections — HTTP Suspicious Tool User Agent, HTTP Request to Reserved Name, HTTP Rapid POST with Mixed Status Codes, HTTP Possible Request Smuggling, and HTTP Duplicated Header — leveraging searches for indicators like CL.TE, TE.TE, and CL.0 to identify abuse of HTTP parsing logic and potential security control bypasses.

• 💀 Scattered Lapsus$ Hunters and Hellcat Ransomware:
  Tagged a broad set of existing TTPs and added new analytic stories covering the Scattered Lapsus$ Hunters coalition (Scattered Spider, Lapsus$, and Shiny Hunters) and the Hellcat Ransomware RaaS group. These updates enhance visibility into MFA bypass, credential theft, remote access tool abuse, PowerShell infection chains, SSH persistence, and custom ransomware payloads targeting critical infrastructure, telecom, and government sectors.

New Analytic Story - [5]

• HTTP Request Smuggling
• Hellcat Ransomware
• Microsoft WSUS CVE-2025-59287
• Oracle E-Business Suite Exploitation
• Scattered Lapsus$ Hunters

New Analytics - [18]

• Advanced IP or Port Scanner Execution
• Cisco Secure Firewall - Oracle E-Business Suite Correlation
• Cisco Secure Firewall - Oracle E-Business Suite Exploitation
• File Download or Read to Pipe Execution
• HTTP Duplicated Header
• HTTP Possible Request Smuggling
• HTTP Rapid POST with Mixed Status Codes
• HTTP Request to Reserved Name on IIS Server
• HTTP Suspicious Tool User Agent
• Windows Default RDP File Creation By Non MSTSC Process
• Windows Defender ASR or Threat Configuration Tamper
• Windows Process Execution From RDP Share
• Windows WBAdmin File Recovery From Backup
• Windows WSUS Spawning Shell
• Wmiprvse LOLBAS Execution Process Spawn(Search name update: @Shotscape)
• Windows NirSoft Tool Bundle File Created
• Windows PowerShell Process Implementing Manual Base64 Decoder
• Windows PsTools Recon Usage

Other Updates

• Added new and updated several detections for which Github issues were reported. Please view this complete list of updates that are made to address false positives, efficiency and improved detection logic and names. Following are the details about the breaking changes

🔴 BREAKING CHANGES :

• We have deprecated some detections that are scheduled to be removed in 5.20.0 and will be replaced with the following. It is highly recommended to following the deprecated process here to ensure that the detections continue running reliably,

a. Windows Change Default File Association For No File Ext
-> Replacement - Windows Change File Association Command To Notepad
b. Detect Rundll32 Application Control Bypass - setupapi
-> Replacement - Windows Application Whitelisting Bypass Attempt via Rundll32
c. Detect Rundll32 Application Control Bypass - syssetup
-> Replacement - Windows Application Whitelisting Bypass Attempt via Rundll32
d. Detect Rundll32 Application Control Bypass - advpack
-> Replacement - Windows Application Whitelisting Bypass Attempt via Rundll32

🚀 Key Highlights

🦙 Suspicious Ollama Activities : Introduced a new analytic story focused on monitoring misuse and abuse of locally hosted LLMs through Ollama. This story includes detections such as Abnormal Network Connectivity, Service Crash or Availability Attack, Excessive API Requests, API Endpoint Scan Reconnaissance, Memory Exhaustion Resource Abuse, Model Exfiltration or Data Leakage, RCE via Model Loading, and Suspicious Prompt Injection or Jailbreak. A dedicated TA-Ollama is developed to parse Ollama server logs, enabling precise detection of adversarial prompt engineering, local model abuse, and AI-powered lateral movement scenarios.

✈️ Suspicious Microsoft 365 Copilot Activities : Added a new analytic story targeting emerging risks in GenAI integration with Microsoft 365 Copilot. Detections include M365 Copilot Application Usage Pattern Anomalies, Failed Authentication Patterns, Non-Compliant Devices Accessing Copilot, and Session Origin Anomalies. These analytics help security teams identify compromised identities, unauthorized device access, and abnormal usage trends associated with enterprise AI assistants.

🔒LokiBot and PromptLock Malware: Expanded coverage for LokiBot, a pervasive credential-stealing Trojan distributed via phishing and malicious attachments. A new detection (Windows Visual Basic Command-Line Compiler DNS Query) was added alongside enhanced tagging across related analytics to better identify suspicious DNS communications and data exfiltration attempts.

In addition, we introduced coverage for PromptLock, the first known GenAI-driven ransomware proof-of-concept discovered by ESET in 2025. PromptLock leverages a local AI model (gpt-oss:20b) via the Ollama API to dynamically generate Lua scripts for multi-platform encryption and exfiltration. These detections focus on anomalous AI invocation patterns, file encryption activity, and use of local LLM APIs for malicious automation.

👻 APT37 (Rustonotto & FadeStealer) and GhostRedirector: Expanded coverage for APT37, adding a new detection for suspicious Windows Cabinet file extraction activity linked to their Rustonotto and FadeStealer toolsets. This update enhances visibility into phishing-based infections, persistence mechanisms, and data exfiltration behavior.
Also introduced a new GhostRedirector and Rungan analytic story to track server compromises involving malicious IIS modules, SQL injection abuse, and stealthy PowerShell activity used to maintain access and manipulate web traffic.

These additions strengthen security teams' ability to detect and respond to emerging threats across critical enterprise platforms.

New Analytic Story - [6]

• APT37 Rustonotto and FadeStealer
• GhostRedirector IIS Module and Rungan Backdoor
• Lokibot
• PromptLock
• Suspicious Microsoft 365 Copilot Activities
• Suspicious Ollama Activities

New Analytics - [19]

• M365 Copilot Application Usage Pattern Anomalies
• M365 Copilot Failed Authentication Patterns
• M365 Copilot Non Compliant Devices Accessing M365 Copilot
• M365 Copilot Session Origin Anomalies
• Web or Application Server Spawning a Shell
• Windows Application Whitelisting Bypass Attempt via Rundll32
• Windows Cabinet File Extraction Via Expand
• Windows Change File Association Command To Notepad
• Windows Set Network Profile Category to Private via Registry
• Windows Symlink Evaluation Change via Fsutil
• Windows Visual Basic Commandline Compiler DNSQuery
• Ollama Abnormal Network Connectivity
• Ollama Abnormal Service Crash Availability Attack
• Ollama Excessive API Requests
• Ollama Possible API Endpoint Scan Reconnaissance
• Ollama Possible Memory Exhaustion Resource Abuse
• Ollama Possible Model Exfiltration Data Leakage
• Ollama Possible RCE via Model Loading
• Ollama Suspicious Prompt Injection Jailbreak

Other Updates

• Updated several detections for which Github issues were reported. Please view this complete list of updates that are made to address false positives, efficiency and improved detection logic

🔴 BREAKING CHANGES :

• Remove the notable alert actions: meaning these will no longer create notable/findings and will continue create risk events aka intermediate findings
  a. Attempt To Add Certificate To Untrusted Store
  b. Windows Archived Collected Data In TEMP Folder
  c. Windows Rundll32 Apply User Settings Changes
  d. Windows Scheduled Task Created Via XML

• Add the notable alert actions: meaning these will now create notable/findings and will continue create risk events aka intermediate findings
  a. Windows Certutil Root Certificate Addition

• As previously communicated in the ESCU v5.14.0 release, several detections have been removed. For a complete list of the detections removed in version v5.16.0, refer to the List of Removed Detections. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v5.18.0, see the List of Detections Scheduled for Removal