What's new
ESCU version 5.27.0 was released on May 6, 2026.
Key highlights
ESCU 5.27.0 significantly expands detection coverage across Windows attack tradecraft, Linux privilege escalation, and cloud-delivered security infrastructure, improving visibility into many of the techniques most commonly used in modern intrusion and post-exploitation activity. New analytics for the Linux Copy Fail privilege escalation vulnerability (CVE-2026-31431) help defenders identify attempts to gain root access through controlled modification of setuid binaries, while expanded Windows coverage surfaces behaviors tied to process injection, EDR bypass, persistence abuse, cloud identity manipulation, registry tampering, and modern C2 frameworks. This release also strengthens visibility into emerging attacker tooling such as Cloudflared tunnels, Devtunnels, RMM frameworks, and staged PowerShell execution, helping SOC teams detect stealthy activity that increasingly blends into legitimate administration and cloud workflows.
This release further advances the Splunk + Cisco Better Together strategy with new analytics for Cisco Secure Access, enabling existing network detections to operate against cloud-delivered firewall telemetry validated through simulated attack scenarios. By extending visibility into suspicious SMB, LDAP, ICMP, and brute force activity traversing modern secure access infrastructure, customers gain improved detection coverage across distributed and hybrid environments where traditional perimeter visibility is often reduced. ESCU 5.27.0 also adds focused detections for VIP Keylogger and .NET-based infostealers, improving visibility into registry-staged payloads, script-driven execution of trusted .NET utilities, and in-memory injection behaviors commonly used in credential theft campaigns. Together, these updates help organizations reduce blind spots across endpoint, cloud, and network layers while improving detection fidelity for stealthy attacker tradecraft and post-compromise activity.
Here's a summary of the latest updates:
- Linux Copy Fail Privilege Escalation (CVE-2026-31431): Added a new detection, Linux Auditd Copy Fail Privilege Escalation, to identify exploitation of the Copy Fail vulnerability, a Linux kernel flaw that enables unprivileged users to perform controlled writes to the file page cache and escalate privileges to root. This analytic leverages auditd telemetry to detect suspicious modification patterns targeting setuid binaries, providing early visibility into local privilege escalation attempts across affected Linux systems.
- Cisco Secure Access Analytics: Introduced a new analytic story for Cisco Secure Access, leveraging firewall telemetry to detect suspicious access patterns. This release includes updates to the existing detections Large ICMP Traffic, Outbound SMB Traffic, Outbound LDAP Traffic, and Windows RDP Network Brute Force Attempts, enabling them to operate on Cisco Secure Access Firewall data. The updates were validated through simulated attack scenarios to improve visibility into adversary activity traversing modern cloud-delivered security controls.
- Windows Threat Detection Expansion: Significantly expanded coverage across multiple analytic stories with the addition of a broad set of new detections targeting modern Windows attack techniques, including PowerShell abuse, process injection, privilege escalation, registry manipulation, cloud and Azure activity, RMM tool usage, and C2 frameworks such as Cobalt Strike, Metasploit, and custom agents. These analytics enhance visibility into attacker behaviors such as defense evasion (EDR bypass, obfuscation, EFI tampering), persistence (scheduled tasks, file association changes, GPO abuse), credential access (LAPS harvesting, keychain-like data access), and lateral movement and exfiltration, while also covering emerging tradecraft such as Cloudflared tunnels, Devtunnels, and supply chain tooling abuse, providing deeper detection across the Windows attack lifecycle.
- VIP Keylogger (.NET Stealer) Detection Coverage: Introduced new analytics to strengthen detection of VIP Keylogger and related .NET-based infostealers by focusing on behavioral indicators of stealthy execution and persistence. The new detections (PowerShell Environment Variable Execution, Windows Anomalous Registry Value Length in Environment Key, PowerShell PInvoke Process Injection API Chain, and Windows Proxy Execution of .NET Utilities via Scripts) surface patterns such as encoded payload staging in registry keys, script-driven execution of trusted .NET binaries, and in-memory process injection techniques, improving visibility into credential theft operations, obfuscated execution chains, and defense evasion commonly used in modern phishing-delivered stealer campaigns.
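As an added illustration (not ESCU content and not the analytic's actual search logic) of the kind of check the Windows Anomalous Registry Value Length in Environment Key detection describes, the function below flags unusually long or base64-like values written under a user's Environment registry key. The event field names are modelled on Sysmon Event ID 13 (registry value set), the sample events are constructed, and the 512-character threshold is an assumption to be tuned against your own baseline.

```python
import base64
import re

# Constructed sample events, loosely modelled on Sysmon Event ID 13 (registry value set).
# They are illustrative records, not real telemetry from any host.
SAMPLE_EVENTS = [
    {"TargetObject": r"HKU\S-1-5-21-1111\Environment\Path",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps",
     "Image": r"C:\Windows\explorer.exe"},
    {"TargetObject": r"HKU\S-1-5-21-1111\Environment\TEMP",
     "Details": r"C:\Users\alice\AppData\Local\Temp",
     "Image": r"C:\Windows\explorer.exe"},
    # Constructed anomaly: a large base64 blob staged in an Environment value.
    {"TargetObject": r"HKU\S-1-5-21-1111\Environment\WinUpdate",
     "Details": base64.b64encode(b"A" * 900).decode(),
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Long value outside the Environment key: out of scope for this check.
    {"TargetObject": r"HKLM\SOFTWARE\Vendor\Config",
     "Details": "x" * 2000,
     "Image": r"C:\Program Files\Vendor\app.exe"},
]

MAX_LEN = 512  # assumed threshold; legitimate Environment values are normally far shorter
B64_RE = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")


def is_environment_key(target: str) -> bool:
    """True when the registry path sits under a (user or system) Environment key."""
    return "\\Environment\\" in target


def looks_base64(value: str) -> bool:
    """Cheap check for base64-encoded staging: charset, length, and strict decode."""
    if not B64_RE.match(value):
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except (ValueError, base64.binascii.Error):
        return False


def find_anomalous_env_values(events, max_len: int = MAX_LEN):
    """Return Environment-key value writes whose data length exceeds max_len."""
    hits = []
    for ev in events:
        target, details = ev.get("TargetObject", ""), ev.get("Details", "")
        if not is_environment_key(target) or len(details) <= max_len:
            continue
        hits.append({"TargetObject": target, "length": len(details),
                     "base64_like": looks_base64(details), "Image": ev.get("Image")})
    return hits
```

The writing process (Image) is kept in each hit so an analyst can triage script hosts such as powershell.exe separately from shell-driven profile changes.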
New analytic stories
New analytics
- Windows Azure PowerShell Module Installation Via PowerShell Script
- Windows Command Obfuscation with Environment Variable Substrings
- Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script
- Windows Filtering Platform Policy Added to Block EDR Process
- Windows IOBit Unlocker Extension DLL Registration via Regsvr32
- Windows Potential Web Shell Creation For VMware Workspace ONE
Other updates
- Refined multiple detections using diverse telemetry sources to reduce false positives and enhance regex accuracy. (Pull Request)
- Updated all detections to align with MITRE ATT&CK v19 technique IDs, ensuring consistency with the latest framework and improving mapping accuracy for threat coverage, reporting, and correlation.