What's new
ESCU version 5.18.0 was released on November 12th, 2025.
Key highlights
Following is a summary of the latest updates:
- Castle RAT: Expanded coverage for the Castle RAT remote access trojan, which enables adversaries to execute commands, exfiltrate files, log keystrokes, and capture screens during targeted intrusion campaigns. Tagged multiple existing detections related to persistence, task creation, and suspicious process behavior, and introduced new analytics for unusual browser flag launches, ComputerDefaults-based UAC bypass, and handle duplication in known bypass binaries to improve visibility into Castle RAT infection chains, privilege escalation, and long-term access mechanisms.
- We're excited to also announce that we've enhanced research.splunk.com to provide deeper insights and richer context for detection engineers. Each detection entry now includes detailed attack data along with corresponding MITRE ATT&CK techniques, the environment used to generate the data, timestamps of the simulated attacks, and the tools leveraged during simulation. You can also explore step-by-step details on how to replay these attacks within your own Splunk environment for validation, tuning, and testing. This update is designed to help you better understand adversary behaviors, validate your detections with real-world data, and accelerate the development of high-fidelity detections. We highly recommend checking out the enhanced experience at research.splunk.com and leveraging this data to strengthen your detection engineering workflows.
These additions strengthen security teams' ability to detect and respond to emerging threats across critical enterprise platforms.
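The ComputerDefaults-based UAC bypass named in the Castle RAT highlight abuses ComputerDefaults.exe, an auto-elevating Windows binary that resolves the ms-settings: protocol handler from the user-writable HKCU\Software\Classes hive; a command written there (usually with an empty DelegateExecute value) is launched at high integrity without a consent prompt (MITRE ATT&CK T1548.002). The following Python is an added example of detection logic for that chain, written for this page; it is not one of the ESCU analytics, and the Sysmon-style events, host names, field names and registry paths are constructed to illustrate the logic.

```python
"""
Illustrative detection for the ComputerDefaults.exe UAC bypass (T1548.002).
Added example for this page; not an ESCU analytic. Events are constructed,
loosely modelled on Sysmon Event ID 13 (registry value set) and Event ID 1
(process creation) as they might look after field extraction.
"""
from datetime import datetime, timedelta

# Registry path an attacker must control for the ms-settings hijack (lower-cased).
MS_SETTINGS_KEY = r"\software\classes\ms-settings\shell\open\command"
# Auto-elevating binary that will launch whatever that key points at.
AUTO_ELEVATE_PARENT = "computerdefaults.exe"

# Constructed sample telemetry (assumed field names, not real logs).
SAMPLE_EVENTS = [
    {"time": "2025-11-12T10:00:00", "host": "ws01", "event_id": 13,
     "target": r"HKU\S-1-5-21-1\Software\Classes\ms-settings\Shell\Open\command\(Default)",
     "details": r"C:\Windows\System32\cmd.exe /c whoami > C:\Users\Public\o.txt"},
    {"time": "2025-11-12T10:00:01", "host": "ws01", "event_id": 13,
     "target": r"HKU\S-1-5-21-1\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute",
     "details": "(Empty)"},
    {"time": "2025-11-12T10:00:03", "host": "ws01", "event_id": 1,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\ComputerDefaults.exe",
     "integrity": "High"},
    {"time": "2025-11-12T10:05:00", "host": "ws02", "event_id": 1,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "integrity": "Medium"},
]


def _basename(win_path: str) -> str:
    """Return the lower-cased file name of a Windows path (works on any OS)."""
    return win_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_ms_settings_hijack(event: dict) -> bool:
    """Registry write into the ms-settings protocol handler of a user hive."""
    return event.get("event_id") == 13 and MS_SETTINGS_KEY in event.get("target", "").lower()


def is_computerdefaults_child(event: dict) -> bool:
    """Process spawned by the auto-elevating ComputerDefaults.exe."""
    return event.get("event_id") == 1 and _basename(event.get("parent_image", "")) == AUTO_ELEVATE_PARENT


def detect(events: list, window_seconds: int = 60) -> list:
    """Emit findings; a ComputerDefaults child preceded by a handler hijack on the
    same host within window_seconds is correlated and escalated in severity."""
    hijacks: dict = {}   # host -> list of hijack timestamps
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t, host = datetime.fromisoformat(ev["time"]), ev["host"]
        if is_ms_settings_hijack(ev):
            hijacks.setdefault(host, []).append(t)
            findings.append({"host": host, "time": ev["time"], "technique": "T1548.002",
                             "severity": "medium", "correlated": False,
                             "reason": "ms-settings handler written in user hive: " + ev["target"]})
        elif is_computerdefaults_child(ev):
            window = timedelta(seconds=window_seconds)
            correlated = any(timedelta(0) <= t - h <= window for h in hijacks.get(host, []))
            elevated = ev.get("integrity", "").lower() in ("high", "system")
            if correlated and elevated:
                severity = "critical"      # hijack + elevated child: the full bypass chain
            elif correlated or elevated:
                severity = "high"
            else:
                severity = "medium"        # unusual parent alone still merits triage
            findings.append({"host": host, "time": ev["time"], "technique": "T1548.002",
                             "severity": severity, "correlated": correlated,
                             "reason": f"{_basename(ev.get('image', ''))} spawned by ComputerDefaults.exe "
                                       f"at integrity {ev.get('integrity', '?')}"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']:8}] {f['host']} {f['time']} correlated={f['correlated']}: {f['reason']}")
```

The registry write on its own is only medium severity because legitimate software rarely, but occasionally, touches per-user protocol handlers; the correlation with a child of ComputerDefaults.exe at high integrity is what turns it into a confident alert. The same two-stage shape (user-writable handler key, then an auto-elevating parent) applies to the fodhelper.exe and sdclt.exe variants of this bypass, so the parent name can be made a set rather than a single string.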
Breaking Changes: As previously communicated in the ESCU v5.16.0 release, several detections have been removed. For a complete list of the detections removed in version v5.18.0, refer to the List of Removed Detections. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on the detections scheduled for removal in ESCU version v5.20.0, see the List of Detections Scheduled for Removal.
New analytic story
New analytics
Other updates
Tagged several other detection analytics to Castle RAT
Updated the Splunkbase link for the Ollama TA data source and TA versions of various data sources