What's new

Enterprise Security Content Updates version 5.10.0 was released on July 23rd, 2025 and includes the following enhancements:

Key highlights

We released new analytic stories and detections to strengthen visibility and defense.

Following is a summary of the latest updates:

  • Citrix NetScaler CVE-2025-5777 (CitrixBleed 2): Introduced a new analytic story addressing CitrixBleed 2, a critical memory disclosure vulnerability actively exploited since June 2025. This release includes a detection for identifying HTTP requests to the vulnerable /nf/auth/startwebview.do endpoint, helping security teams uncover scanning and exploitation activity targeting Citrix ADC and Gateway appliances.

  • Microsoft SharePoint Vulnerabilities: Introduced a new analytic story focused on detecting exploitation attempts related to CVE-2025-53770, a vulnerability in the ToolPane.aspx endpoint of Microsoft SharePoint. This story includes detections for suspicious requests to the vulnerable endpoint, GET activity to known malicious webshells such as spinstall0.aspx, and file creation events indicative of webshell deployment, helping to identify both initial exploitation and post-exploitation activity.

  • ESXi Post-Compromise Activity: Shipped a new analytic story focused on detecting attacker behavior after initial access to ESXi environments. This story includes 24 detections for actions such as VM termination, reverse shells, SSH brute force, system clock tampering, audit log wiping, unauthorized user elevation, and malicious VIB installations, providing broad coverage for common post-compromise tactics.

  • Cisco Duo Suspicious Activity: Released a new analytic story to detect unusual or risky administrative behavior and insecure policy configurations in Cisco Duo environments. This release includes 14 detections covering unusual admin logins by browser, OS, or country, generation of bypass codes, and policy settings that allow risky behavior like skipping 2FA, allowing tampered devices, or permitting outdated Java/Flash use.

  • Quasar RAT: Released a new analytic story focused on detecting activity related to Quasar RAT, a widely used open-source remote access Trojan known for credential theft, surveillance, and lateral movement. This story maps over 20 existing detections to Quasar techniques and adds three new detections targeting unusual access to sensitive configuration and credential storage locations such as FileZilla XML configs, IntelliForms registry entries, and Mozilla NSS libraries, enabling better visibility into post-exploitation behavior and stealthy credential harvesting.

  • Ransomware Activity: Introduced a comprehensive analytic story aimed at identifying ransomware activities across various platforms. This includes detections for unusual file encryption activities, suspicious process executions, and network communications indicative of ransomware operations.
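
As an added example, not part of the ESCU release or Splunk's own detection content, the following Python script scans constructed web access log lines for the Citrix and SharePoint request paths named in the highlights above (the /nf/auth/startwebview.do endpoint, ToolPane.aspx, and GET requests for spinstall0.aspx). The combined-log-format layout, the sample addresses, and the /_layouts/15/ directory prefix are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Request paths come from the release notes above; each is tagged with the
# analytic story it belongs to. A method of None means any HTTP method matches.
SIGNATURES = [
    ("Citrix NetScaler CVE-2025-5777 (CitrixBleed 2)",
     re.compile(r"^/nf/auth/startwebview\.do$", re.I), None),
    ("Microsoft SharePoint CVE-2025-53770 ToolPane endpoint",
     re.compile(r"/toolpane\.aspx$", re.I), None),
    ("Microsoft SharePoint spinstall0 webshell GET",
     re.compile(r"/spinstall0\.aspx$", re.I), "GET"),
]

# Combined log format (assumed): client ident user [timestamp] "METHOD URL PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one access-log line; return None for lines that do not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Match on the path only, so query strings and case variations do not evade the check.
    rec["path"] = urlsplit(rec["url"]).path
    return rec

def scan(lines):
    """Return one alert per log line whose request path (and method) hits a signature."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for story, pattern, method in SIGNATURES:
            if pattern.search(rec["path"]) and (method is None or rec["method"] == method):
                alerts.append({"story": story, "src": rec["src"], "method": rec["method"],
                               "path": rec["path"], "status": rec["status"]})
                break
    return alerts

# Constructed sample log lines; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    '203.0.113.10 - - [23/Jul/2025:10:00:01 +0000] "POST /nf/auth/startwebview.do HTTP/1.1" 200 512',
    '203.0.113.10 - - [23/Jul/2025:10:00:02 +0000] "GET /NF/Auth/StartWebView.do?x=1 HTTP/1.1" 200 512',
    '192.0.2.5 - - [23/Jul/2025:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 300',
    '198.51.100.7 - - [23/Jul/2025:10:00:05 +0000] "POST /_layouts/15/ToolPane.aspx HTTP/1.1" 200 1024',
    '198.51.100.7 - - [23/Jul/2025:10:00:09 +0000] "GET /_layouts/15/spinstall0.aspx HTTP/1.1" 200 2048',
    'this line is not an access log entry',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Running the script reports four hits out of the six constructed lines: both Citrix requests (the second despite its mixed case and query string), the ToolPane.aspx POST, and the spinstall0.aspx GET; the benign request and the malformed line are ignored.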

New analytics

  1. Cisco Duo Admin Login Unusual Browser
  2. Cisco Duo Admin Login Unusual Country
  3. Cisco Duo Admin Login Unusual Os
  4. Cisco Duo Bulk Policy Deletion
  5. Cisco Duo Bypass Code Generation
  6. Cisco Duo Policy Allow Devices Without Screen Lock
  7. Cisco Duo Policy Allow Network Bypass 2FA
  8. Cisco Duo Policy Allow Old Flash
  9. Cisco Duo Policy Allow Old Java
  10. Cisco Duo Policy Allow Tampered Devices
  11. Cisco Duo Policy Bypass 2FA
  12. Cisco Duo Policy Deny Access
  13. Cisco Duo Policy Skip 2FA for Other Countries
  14. Cisco Duo Set User Status to Bypass 2FA
  15. Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt
  16. Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure
  17. ESXi Account Modified
  18. ESXi Audit Tampering
  19. ESXi Bulk VM Termination
  20. ESXi Download Errors
  21. ESXi Encryption Settings Modified
  22. ESXi External Root Login Activity
  23. ESXi Firewall Disabled
  24. ESXi Lockdown Mode Disabled
  25. ESXi Loghost Config Tampering
  26. ESXi Malicious VIB Forced Install
  27. ESXi Reverse Shell Patterns
  28. ESXi SSH Brute Force
  29. ESXi SSH Enabled
  30. ESXi Sensitive Files Accessed
  31. ESXi Shared or Stolen Root Account
  32. ESXi Shell Access Enabled
  33. ESXi Syslog Config Change
  34. ESXi System Clock Manipulation
  35. ESXi System Information Discovery
  36. ESXi User Granted Admin Role
  37. ESXi VIB Acceptance Level Tampering
  38. ESXi VM Discovery
  39. ESXi VM Exported via Remote Tool
  40. Windows SharePoint Spinstall0 GET Request
  41. Windows SharePoint Spinstall0 Webshell File Creation
  42. Windows SharePoint ToolPane Endpoint Exploitation Attempt
  43. Windows Unusual FileZilla XML Config Access
  44. Windows Unusual Intelliform Storage Registry Access
  45. Windows Unusual Process Load Mozilla NSS-Mozglue Module

Other updates

  • Added a missing data source file for Cisco NVM and updated data source files to use PascalCase for XmlWinEventLog.

  • As previously communicated in the ESCU v5.8.0 release, several detections have been removed. For a complete list of the detections removed in version v5.10.0, refer to the List of Removed Detections in v5.10.0. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v5.12.0, see the List of Detections Scheduled for Removal in ESCU v5.12.0.