What's new

ESCU version 5.20.0 was released on January 20th, 2026.

Key highlights

ESCU 5.20 expands detection coverage across endpoint persistence, cloud-native runtime threats, network abuse, and adversary tradecraft that blends into legitimate traffic. This release introduces a new Browser Hijacking analytic story that surfaces manipulation of Chrome configuration, registry settings, and command-line flags used to disable updates, force-load extensions, and bypass browser security controls. These detections help SOCs identify early indicators of user-impacting compromise and policy tampering before browser-based persistence becomes entrenched or widely abused for credential theft, traffic interception, or malware delivery.

This release also significantly strengthens visibility into cloud-native and containerized environments with expanded detections leveraging Cisco Isovalent’s kernel-level eBPF telemetry. New analytics surface high-risk behaviors such as access to cloud metadata services, container escape attempts, offensive tooling in pods, anomalous kprobe activity, and unexpected shell or network execution. By correlating low-level runtime signals with Kubernetes context, this content enables earlier detection of in-cluster compromise and lateral movement, helping customers identify workload-level attacks that often evade traditional perimeter and host-based controls.

In addition, ESCU 5.20 improves detection of stealthy command-and-control and infrastructure abuse. New analytic stories for Suspicious User Agents and SesameOp / PromptFlux expose malware and C2 frameworks that rely on default or hard-coded user agents or abuse trusted AI service APIs to blend into normal cloud traffic. The release also advances the Splunk + Cisco Better Together strategy with new detections and risk-based correlations for Cisco IOS and Cisco Secure Firewall privileged activity, helping SOCs identify suspicious administrative commands, anomalous SSH behavior, and post-exploitation persistence on network edge devices. Together, these updates help customers reduce blind spots across browsers, containers, networks, and cloud services while improving detection fidelity for threats designed to hide in plain sight.

Following is a summary of the latest updates:

  • Browser Hijacking: Introduced a new set of detections focused on browser hijacking techniques that manipulate Chrome configurations, registry settings, and command-line behaviors to persist malicious control, disable updates, and load unauthorized extensions. These detections surface suspicious actions such as disabling Chrome auto-updates, allowlisting or force-loading extensions, and abusing command-line flags to bypass browser security controls. Together, they help security teams identify early indicators of browser compromise, policy tampering, and user-impacting persistence mechanisms commonly leveraged by modern malware.
  • Cisco Isovalent Suspicious Activity: Expanded detection coverage leveraging Cisco Isovalent's kernel-level eBPF telemetry to identify advanced threats targeting Kubernetes and cloud-native environments. New detections focus on high-risk behaviors such as access to cloud metadata services, suspicious process execution, container escape techniques, offensive tooling in pods, anomalous kprobe activity, and unexpected shell or network behavior. By correlating low-level runtime signals with rich Kubernetes context, this content enables early detection of in-cluster attacks, lateral movement, and workload compromise before adversaries can escalate or persist.
  • Suspicious User Agents: Introduced enhanced detection coverage to identify suspicious and default user agent strings commonly used by malware, command-and-control frameworks, remote monitoring and management (RMM) tools, and other potentially unwanted applications. These detections focus on uncovering overlooked or hard-coded user agents frequently left unchanged by adversaries, providing network-level visibility into malicious tooling that blends into normal HTTP traffic. By correlating anomalous user agents across malware, C2 frameworks, PUAs, and RMM software, security teams can more quickly identify and investigate stealthy network activity.
  • SesameOp & PromptFlux: Expanded analytic coverage for emerging malware families that abuse legitimate AI service APIs as command-and-control channels, allowing adversaries to hide malicious activity within trusted cloud traffic. This update tags relevant existing detections and introduces a new detection for Windows Potential AppDomainManager Hijack Artifacts Creation, addressing key persistence and injection techniques leveraged by SesameOp and PromptFlux. Together, these detections help surface anomalous API usage, suspicious persistence artifacts, and post-exploitation behaviors that indicate covert C2 activity masquerading as normal AI service interactions.
  • Cisco IOS & Secure Firewall Privileged Activity: Added new detections and risk-based correlation searches to identify high-risk administrative activity targeting Cisco IOS and Cisco Secure Firewall devices. The new detections focus on privileged command execution over HTTP and anomalous SSH behavior, including connections to non-standard ports and suspicious SSH services. These signals are correlated using the Risk data model to surface higher-fidelity alerts for privileged account creation combined with suspicious HTTP or SSH activity, helping teams identify post-exploitation and persistence attempts on network edge infrastructure.

These additions strengthen security teams' ability to detect and respond to emerging threats across critical enterprise platforms.
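As an added illustration of the Browser Hijacking indicators summarized above (this is not ESCU's own search logic, which ships as SPL), the Python below flags the same three signals in constructed endpoint telemetry: writes to the Chrome extension force-load/allowlist policies, a Google Update policy that disables auto-updates, and chrome.exe launched with security-weakening flags. The policy registry paths and chrome.exe flags are real; the hostnames, extension ID and update URL in the sample events are made up.

```python
# Real Chrome policy registry paths (under HKLM\SOFTWARE\Policies), lower-cased for matching.
EXTENSION_POLICIES = (r"\policies\google\chrome\extensioninstallforcelist",
                      r"\policies\google\chrome\extensioninstallallowlist")
UPDATE_POLICY_KEY = r"\policies\google\update"
# Real chrome.exe flags that side-load extensions or weaken browser security controls.
RISKY_FLAGS = ("--load-extension", "--disable-extensions-except", "--no-sandbox",
               "--disable-web-security", "--ignore-certificate-errors")

def check_registry(path, value_name, value_data):
    """Return a reason string if a registry write touches a hijack-relevant Chrome policy."""
    p = path.lower()
    for policy in EXTENSION_POLICIES:
        if policy in p:
            name = policy.split("\\")[-1]
            return f"extension policy {name} set: {value_data}"
    # UpdateDefault=0 (or a per-app Update{GUID}=0) under the Google Update policy key disables updates.
    if (p.endswith(UPDATE_POLICY_KEY) and value_name.lower().startswith("update")
            and value_data.strip() in ("0", "0x0")):
        return f"Chrome auto-update disabled ({value_name}={value_data})"
    return None

def check_process(image, cmdline):
    """Return a reason string if chrome.exe was launched with security-weakening flags."""
    hits = [flag for flag in RISKY_FLAGS if flag in cmdline.lower()]
    if not image.lower().endswith("chrome.exe") or not hits:
        return None
    return "chrome.exe launched with security-weakening flags: " + ", ".join(hits)

def detect(events):
    """Run both checks over telemetry records; return a list of (host, reason) findings."""
    findings = []
    for e in events:
        if e["type"] == "registry":
            reason = check_registry(e["path"], e["value_name"], e["value_data"])
        else:
            reason = check_process(e["image"], e["cmdline"])
        if reason:
            findings.append((e["dest"], reason))
    return findings

# Constructed sample telemetry: hostnames, extension ID and update URL are made up.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"type": "registry", "dest": "ws01", "path": r"HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist",
     "value_name": "1", "value_data": "abcdefghijklmnopabcdefghijklmnop;https://updates.example.invalid/x.xml"},
    {"type": "registry", "dest": "ws01", "path": r"HKLM\SOFTWARE\Policies\Google\Update",
     "value_name": "UpdateDefault", "value_data": "0"},
    {"type": "process", "dest": "ws01", "image": CHROME, "cmdline": r'chrome.exe --load-extension="C:\Users\Public\ext" --no-sandbox'},
    {"type": "process", "dest": "ws03", "image": CHROME, "cmdline": "chrome.exe --profile-directory=Default"},  # benign
]
```

Running `detect(SAMPLE_EVENTS)` yields three findings, all on ws01; the benign ws03 launch produces none.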

New analytics

Other updates

  • Performance & Coverage Improvements: Updated several searches by replacing regex-based matching with direct match-driven comparisons to significantly improve performance and scalability in large environments, while also refreshing multiple lookup files to ensure accurate and up-to-date detection logic.

  • Breaking changes: As previously communicated in the ESCU v5.18.0 release, several detections have been removed. For a complete list of the detections removed in version v5.20.0, refer to the List of removed detections in ESCU version 5.20.0. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v5.22.0, see the List of detections scheduled for removal in version 2.22.0.