# Inside the Mind of a ‘Rat’ - Agent Tesla Detection and Analysis

**[splunk.com/en_us/blog/security/inside-the-mind-of-a-rat-agent-tesla-detection-and-analysis.html](https://www.splunk.com/en_us/blog/security/inside-the-mind-of-a-rat-agent-tesla-detection-and-analysis.html)**

November 16, 2022

By [Splunk Threat Research Team November](https://www.splunk.com/en_us/blog/author/secmrkt-research.html)

16, 2022
Agent Tesla is a remote access trojan (RAT) written for the .NET framework that has
knowingly been in operation since 2014. Threat actors behind this malware have leveraged
many different methods to deliver their payload over time including macro enabled Word
documents, Microsoft Office vulnerabilities, OLE objects and most recently, compiled HTML
help files. Agent Tesla has been in the top 10 most submitted samples in known open
malware source repositories in cyber security communities like Malware Bazaar and Any.run.
It is a full-featured RAT with multiple ways to exfiltrate organization data through keylogging,
screen captures, credential stealing and much more.

In this blog post, the Splunk Threat Research Team (STRT) describes the different tactics,
techniques and procedures mapped to the ATT&CK framework leveraged by this remote
access trojan. Additionally, we will highlight the detection analytics we released that can help
cyber defenders in identifying signs of compromise.

## Analysis

### Identification of Samples


-----

[For this analysis, the STRT started the journey with a sample uploaded by JAMESWT_MHT](https://twitter.com/JAMESWT_MHT/status/1564978411436736512?s=20&t=c6HRwWIpc2WYV9ld6S_62g)
on August 31st to [Malware Bazaar. This sample led us to the “ftp-boloni-ma” tag that](https://bazaar.abuse.ch/)
compiles several samples of a campaign leveraging the Agent Tesla malware. Specifically,
this campaign used a malicious compiled HTML (.CHM) file as a delivery method to drop and
execute its first and second stages and load the remote access trojan.

[High level flow of process execution for this sample is shown on Figure 1:](https://app.any.run/tasks/803bc852-0431-41b2-8270-9c7635ed9cf6/)

Figure 1.1 shows the list of hashes that have this tag.

Security teams that would like to understand how the execution of compiled HTML files looks
like against their prevention or detection controls, we recommend having a look at the
[AtomicTestHarness for](https://github.com/redcanaryco/AtomicTestHarnesses) [CHM and the Atomic Red Team technique T1218.001 built by the](https://github.com/redcanaryco/AtomicTestHarnesses/tree/master/Windows/TestHarnesses/T1218.001_CompiledHTMLFile)
Red Canary team.

### T1566.001 - Spear Phishing Attachment


-----

This Agent Tesla variant uses a compiled HTML file (.chm) to conceal its malicious code and
gain an initial foothold on the victim endpoint. The file has an embedded and obfuscated
JavaScript script that invokes PowerShell to download a second stage.

Figure 1.1 shows the .chm file loading upon execution.

Figure 1.2 shows the obfuscated and deobfuscated versions of the embedded Javascript
code. Once executed, it will invoke PowerShell.exe to download extra content from the
[Internet using the System.Net WebClient class and the DownloadString method.](https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient?view=net)


-----

### The Loader

**T1059.001 - Command and Scripting Interpreter: PowerShell**

The downloaded file, disguised as a text .txt file, is in reality a PowerShell script shown on
Figure 2. This obfuscated second stage script is the one responsible for loading the actual
Agent Tesla malware in memory.

The variable named $TzbW contains a string that when deobfuscated, implements the
tMCfkSD function also shown on Figure 2. This function will in turn deobfuscate and
decompress the array of bytes stored in the variable named $zmOo. This deobfuscated and
decompressed version is the actual .NET assembly Agent Tesla malware that will be
executed in memory using PowerShell reflection.

Figure 2 shows the main parts of this second stage component and the gzip decompression
function.


-----

Figure 2.1 shows a screenshot of a simple python script we wrote to deobfuscate the
PowerShell function Agent Tesla’s second stage uses to decompress and deobfuscate the
binary stored in the $zmOo array byte variable. The python script can be found on Github
[agent_function_loader_deobfus.py](https://github.com/tccontre/KnowledgeBase/blob/main/malware_re_tools/AgentTesla-%20Loader/agent_function_loader_deobfus.py)

This loader will deobfuscate and load the Agent Tesla malware in memory stream using
.NET Reflection. This part of its execution can be considered as fileless malware since it
doesn't drop the AgentTesla malware on the disk but executes it in memory stream.

Figure 2.2 shows the python script we wrote to extract the actual AgentTesla malware binary.
This python script will drop the Agent Tesla malware as agent_unpack.bin in the current
working directory. The script can be found on Github [agent_function_loader_deobfus2.py.](https://github.com/tccontre/KnowledgeBase/blob/main/malware_re_tools/AgentTesla-%20Loader/agent_function_loader_deobfus2.py)


-----

## Agent Tesla Analysis

### Packer/ Obfuscator

The Agent Tesla sample extracted in the second stage component is a .NET compiled binary
[obfuscated with the opensource Obfuscar .NET obfuscator. Using the DIE tool we can](https://github.com/obfuscar/obfuscar)
identify the obfuscation method and the compilation type of this file in Figure 3. Adversaries
will pack or obfuscate their payloads in hope that it evades critical controls like mail
gateways, sandboxes and anti-virus software.


-----

### Discovery - TA0007

**T1033 - System Owner/User Discovery**

On every check in to the command and control server (via the FTP, HTTP or SMTP
protocols), this Agent Tesla sample parses and submites the user name, computer name,
operating system version and total physical memory of the compromised endpoint.


-----

_Figure 4_

### Execution - TA0002

**T1204.002 - Malicious File**

This particular Agent Tesla sample includes the ability to download a remote file from one of
its C2 servers and save it to the hardcoded path “%temp%\LUU”. The final step of the
function will also execute the downloaded file. Unfortunately the URL was inaccessible as of
writing.


-----

Figure 4 shows the code snippet of how it captures the system information of the
compromised machine as part of its C2 communication.

### Persistence - TA0003

**T1547.001 - Registry Run / Startup Folder**

If enabled, Agent Tesla has two built in persistence mechanisms to be able to load itself upon
boot. It is either by dropping a copy of itself in the %startup folder% or by adding registry run
keys.

Figure 5.1 and Figure 5.2 shows a short code snippet how it can create Registry Run Keys
and possible entry on startup folder for its persistence(T1547.001).

_Figure 5.1_


-----

_Figure 5.2_

### Credential Access - TA0006

Agent Tesla implements several techniques to collect sensitive information on the
compromised endpoint.

**T1555.003 - Credentials from Web Browsers**

The first technique is parsing credentials or sensitive browser data. Agent Tesla includes a
list of targeted browsers to parse the login credentials, browser cookies, browser profiles and
grab browser .sqlite database files. Figure 6 shows a short code snippet of the function
renamed as “mw_parsing_browser_db” that contains the list of browsers that Agent Tesla
attempts to parse or copy the “cookies.sqlite” database file.

Below is a complete table list of targeted browsers.

**Targeted Browsers (Browser Name, Browsers Target Directory)**

"Firefox", "%APPDATA%\\Mozilla\\Firefox\\"
"IceCat", "%APPDATA%\\Mozilla\\icecat\\"
"PaleMoon", "%APPDATA%\\Moonchild Productions\\Pale Moon\\"
"SeaMonkey", "%APPDATA%\\Mozilla\\SeaMonkey\\"
"Flock", "%APPDATA%\\Flock\\Browser\\"
"K-Meleon", "%APPDATA%\\K-Meleon\\"
"Postbox", "%APPDATA%\\Postbox\\"
"Thunderbird", "%APPDATA%\\Thunderbird\\"


-----

IceDragon, %APPDATA%\\Comodo\\IceDragon\\
"WaterFox", "%APPDATA%\\Waterfox\\"
"BlackHawk", "%APPDATA%\\NETGATE Technologies\\BlackHawk\\"
"CyberFox", "%APPDATA%\\8pecxstudios\\Cyberfox\\"
"Opera Browser", "%APPDATA%\\Opera Software\\Opera Stable"
"Yandex Browser", "%APPDATA%\\Yandex\\YandexBrowser\\User Data"
"Iridium Browser", "%APPDATA%\\Iridium\\User Data"
"Chromium", "%APPDATA%\\Chromium\\User Data"
"7Star", "%APPDATA%\\7Star\\7Star\\User Data"
"Torch Browser", "%APPDATA%\\Torch\\User Data"
"Cool Novo", "%APPDATA%\\MapleStudio\\ChromePlus\\User Data"
"Kometa", "%APPDATA%\\Kometa\\User Data"
"Amigo", "%APPDATA%\\Amigo\\User Data"
"Brave", "%APPDATA%\\BraveSoftware\\Brave-Browser\\User Data"
"CentBrowser", "%APPDATA%\\CentBrowser\\User Data"
"Chedot", "%APPDATA%\\Chedot\\User Data"
"Orbitum", "%APPDATA%\\Orbitum\\User Data"
"Sputnik", "%APPDATA%\\Sputnik\\Sputnik\\User Data"
"Comodo Dragon", "%APPDATA%\\Comodo\\Dragon\\User Data"
"Vivaldi", "%APPDATA%\\Vivaldi\\User Data"
"Citrio", "%APPDATA%\\CatalinaGroup\\Citrio\\User Data"
"360 Browser", "%APPDATA%\\360Chrome\\Chrome\\User Data"
"Uran", "%APPDATA%\\uCozMedia\\Uran\\User Data"
"Liebao Browser", "%APPDATA%\\liebao\\User Data"
"Elements Browser", "%APPDATA%\\Elements Browser\\User Data"
"Epic Privacy", "%APPDATA%\\Epic Privacy Browser\\User Data"
"Coccoc", "%APPDATA%\\CocCoc\\Browser\\User Data"
"Sleipnir 6", "%APPDATA%\\Fenrir
Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer"
"Opera", "%APPDATA%\\Opera Software\\Opera Stable"
"Comodo Dragon", "%APPDATA%\\"Comodo\\Dragon\\User Data"
"Chrome", "%APPDATA%\\Google\\Chrome\\User Data"
"Yandex", "%APPDATA%\\"Yandex\\YandexBrowser\\User Data"
"SRWare Iron", "%APPDATA%\\"Chromium\\User Data"
"Torch Browser", "%APPDATA%\\"Torch\\User Data"
"Brave Browser", "%APPDATA%\\"BraveSoftware\\Brave-Browser\\User Data"
"CoolNovo", "%APPDATA%\\"MapleStudio\\ChromePlus\\User Data"
"7Star", "%APPDATA%\\"7Star\\7Star\\User Data"
"Epic Privacy Browser", "%APPDATA%\\"Epic Privacy Browser\\User Data"
"Amigo", "%APPDATA%\\"Amigo\\User Data"
"CentBrowser", "%APPDATA%\\"CentBrowser\\User Data"
"CocCoc", "%APPDATA%\\"CocCoc\\Browser\\User Data"
"Chedot", "%APPDATA%\\"Chedot\\User Data"
"Elements Browser", "%APPDATA%\\"Elements Browser\\User Data"
"Kometa", "%APPDATA%\\"Kometa\\User Data"
"Citrio", "%APPDATA%\\"CatalinaGroup\\Citrio\\User Data"
"Coowon", "%APPDATA%\\"Coowon\\Coowon\\User Data"
"Liebao Browser", "%APPDATA%\\"liebao\\User Data"
"QIP Surf", "%APPDATA%\\"QIP Surf\\User Data"
"QQ Browser", "%APPDATA%\\"Tencent\\QQBrowser\\User Data"
"UC Browser", "%APPDATA%\\"UCBrowser\\"
"Orbitum", "%APPDATA%\\"Orbitum\\User Data"


-----

Sputnik, %APPDATA%\\ Sputnik\\Sputnik\\User Data
"uCozMedia", "%APPDATA%\\"uCozMedia\\Uran\\User Data"
"Vivaldi", "%APPDATA%\\"Vivaldi\\User Data"
"QIP Surf", "%APPDATA%\\QIP Surf\\User Data"
"Coowon", "%APPDATA%\\Coowon\\Coowon\\User Data"

### T1555.005 - Password Managers

Aside from stealing browser secrets, it also attempts to steal passwords from commonly
used applications like OpenVpn, FileZilla and Mailbird. It accomplishes this by reading
registry entries, decrypting/decoding or parsing local databases or by reading configuration
files. The table below is the list of the targeted applications that are related to this data
collection.


OPEN VPN

FLASHFXP

WINSCP

NORDVPN

IE EDGE

PALE MOON

FTP CMDER

ICECAT

INCREDIMAIL

PIA


CYBERFOX

POC MAIL

POSTBOX
OUTLOOK

FTP GETTER

RimArts

MAILBIRD

FLOCK BROWSER

OPERA

QQBROWSER

WS_FTP

MS CREDENTIALS

ManagerMULTI-VNC


THUNDERBIRD

UC BROWSERS

MYSQL WORKBENCH

FALKON

APPLE KEYCHAIN

WATERFOX

JDOWNLOADER DB

SMARTFTP

TRILLIAN

COREFTPCLAWS MAIL


FILEZILLA

AEROFOX

BLACKHAWK

EM CLIENT
SEA MONKEY

ICE DRAGON
PSI

DOWNLOADMGR

K-MELEON

FTP NAVI

UBATMAILBIRD


**T1056.001 - KeyLogging**

This Agent Tesla sample is also capable of installing a Keylogger on the compromised host.
It uses the SetWindowsHookEx Windows API to install a hook procedure that monitors lowlevel keyboard input events. Figure 7 shows the code snippet where it setup the windows
hook procedure for keyboard events.


-----

_Figure 7_

### Command And Control - TA0011

**T1090.003 - TOR Proxy**

Agent Tesla also uses TOR proxy for its HTTP requests. It tries to download a TOR
application on a specific TOR website. Figure 8 shows its function that downloads the TOR
browser that will be saved as “tor.zip” file in the%appdata% folder.

_Figure 8_

### Collection - TA0009

**T1113 - Screen Capture**

Figure 9 shows the code snippet of how Agent Tesla software captures the desktop
screenshot of the compromised machine and it will be saved in the memory stream and later
sent to its C2 server.


-----

_Figure 9_

### Exfiltration - TA0010

**T1041 - Exfiltration Over C2 Channel**

During analysis of this Agent Tesla sample it was identified to have 3 ways to exfiltrate stolen
sensitive information of the compromised host. The exfiltrated data may be either sent via
FTP, SMTP and HTTP command and control server. Figure 10 shows the code snippet on
how the agent will set up each method to exfiltrate data.


-----

The remote C2 server was down during the analysis of this sample. STRT experimented with
its SMTP communication to be able to see how the exfiltrated data looks like on the attacker
[side. We used a fake SMTP server by rnwood (smtp4dev) to forward all the exfiltrated data](https://github.com/rnwood/smtp4dev)
of this sample.

### Attacker Perspective

**Data Exfiltration**

Figure 11 shows the email sent by the Agent Tesla to the fake SMTP server containing a .zip
file attachment with the filename format “CO_<username>/<ComputerName>
<DateTime>.zip”.

This .zip file contains the collected browser data, which in our case is the cookie.sqlite file.


-----

In addition, it includes the basic system information which is the UserName, ComputerName,
OSFullName, CPU and RAM.

_Figure 11_

Figure 12 shows the email sent by the Agent Tesla malware related to the desktop
screenshots of the compromised machine. We can see that it has same format email body
that contain system information, except that the format of the desktop screenshot .jpeg file is
“SC_<username>/<ComputerName><DateTime>.jpeg”

_Figure 12_


-----

Lastly Figure 13.1 (notepad++) and 13.2 (firefox) shows the email sent by this sample during
our testing related to its keylogging feature. This malware checks if the log.tmp (keylog file)
in %temp% exists; if not, it will directly send the keystroke that keylogs in its C2, in this case
via SMTP.

Below shows the couple of keys typed by the user and the process related to that keystroke.

_Figure 13.1_


-----

_Figure 13.2_

For this type of exfiltration the subject of the email has a format of
“KL_<username>/<ComputerName>”.

## Detections

Below is the table list for detections that the STRT developed to identify possible Agent Tesla
behavior and malicious .chm behavior.


**Type** **Name** **Technique**
**ID**


**Tactic** **Description**


TTP Detect Html Help
[Spawn Child](https://research.splunk.com/endpoint/723716de-ee55-4cd4-9759-c44e7e55ba4b/)
Process

Anomaly Excessive Usage
Of Taskkill


[T1218.001](https://attack.mitre.org/techniques/T1218/001/) Defense
Evasion

[T1562.001](https://attack.mitre.org/techniques/T1562/001/) Defense
Evasion


The following analytic
identifies hh.exe (HTML Help)
execution of a Compiled
HTML Help (CHM) that
spawns a child process.

This analytic identifies
excessive usage of
taskkill.exe application.


-----

TTP Executables Or
[Script Creation In](https://research.splunk.com/endpoint/a7e3f0f0-ae42-11eb-b245-acde48001122/)
Suspicious Path

Anomaly Non Chrome
Process
[Accessing](https://research.splunk.com/endpoint/81263de4-160a-11ec-944f-acde48001122/)
Chrome Default
Dir

Anomaly Non Firefox
[Process Access](https://research.splunk.com/endpoint/e6fc13b0-1609-11ec-b533-acde48001122/)
Firefox Profile Dir

TTP Office Application
Drop Executable

TTP Office Application
[Spawn Rundll32](https://research.splunk.com/endpoint/958751e4-9c5f-11eb-b103-acde48001122/)
Process

TTP Office Document
[Executing Macro](https://research.splunk.com/endpoint/b12c89bc-9d06-11eb-a592-acde48001122/)
Code

Hunting Powershell
Connect To
Internet With
Hidden Window


[T1036](https://attack.mitre.org/techniques/T1036/) Defense
Evasion

[T1555.003](https://attack.mitre.org/techniques/T1555/003/) Credential
Access

[T1555.003](https://attack.mitre.org/techniques/T1555/003/) Credential
Access

[T1566.001](https://attack.mitre.org/techniques/T1566/001/) Initial
Access

[T1566.001](https://attack.mitre.org/techniques/T1566/001/) Initial
Access

[T1566.001](https://attack.mitre.org/techniques/T1566/001/) Initial
Access


[T1059](https://attack.mitre.org/techniques/T1059/) [Execution](https://attack.mitre.org/tactics/TA0002) The following hunting analytic
identifies PowerShell
commands utilizing the
WindowStyle parameter to
hide the window on the
compromised endpoint.


This analytic will identify
suspicious executable or
scripts (known file extensions)
in a list of suspicious file paths
in Windows.

This search is to detect an
anomaly event of a nonchrome process accessing the
files in chrome user default
folder.

This search is to detect an
anomaly event of a non-firefox
process accessing the files in
the profile folder.

This search is to detect a
suspicious MS office
application that drops or
creates executables or scripts
in a Windows Operating
System.

This detection was designed
to identify suspicious spawned
processes of known MS office
applications due to macro or
malicious code.

this detection was designed to
identifies suspicious office
documents

that using macro code.


-----

TTP Scheduled Task
[Deleted Or](https://research.splunk.com/endpoint/d5af132c-7c17-439c-9d31-13d55340f36c/)
Created Via Cmd

TTP Suspicious
Process File Path

TTP Detect Html Help
[Spawn Child](https://research.splunk.com/endpoint/723716de-ee55-4cd4-9759-c44e7e55ba4b/)
Process

TTP Registry Keys
[Used For](https://research.splunk.com/endpoint/c9f4b923-f8af-4155-b697-1354f5bcbc5e/)
Persistence (mod)

Hunting Windows Iso Lnk
File
Creation (mod)

Hunting Windows
Phishing Recent
Iso Exec
Registry (mod)

TTP Powershell
Loading Dotnet
Into Memory Via
Reflection (mod)


[T1053.005](https://attack.mitre.org/techniques/T1053/005/) [Execution,](https://attack.mitre.org/tactics/TA0002)
[Persistence,](https://attack.mitre.org/tactics/TA0003)
Privilege
Escalation

[T1543](https://attack.mitre.org/techniques/T1543/) [Execution,](https://attack.mitre.org/tactics/TA0002)
[Persistence,](https://attack.mitre.org/tactics/TA0003)
Privilege
Escalation

[T1218.001](https://attack.mitre.org/techniques/T1218/001/) Defense
Evasion

[T1546.012](https://attack.mitre.org/techniques/T1546/012/) [Persistence,](https://attack.mitre.org/tactics/TA0003)
Privilege
Escalation

[T1566.001](https://attack.mitre.org/techniques/T1566/001/) Initial
Access

[T1566.001](https://attack.mitre.org/techniques/T1566/001/) Initial
Access


[T1059.001](https://attack.mitre.org/techniques/T1059/001/) [Execution](https://attack.mitre.org/tactics/TA0002) The following analytic utilizes
PowerShell Script Block
Logging (EventCode=4104) to
identify suspicious PowerShell
execution.


The following analytic
identifies the creation or
deletion of a scheduled task
using schtasks.exe with flags create or delete being passed
on the command-line.

The following analytic will
detect a suspicious process
running in a file path where a
process is not commonly seen
and is most commonly used
by malicious software.

The following analytic
identifies hh.exe (HTML Help)
execution of a Compiled
HTML Help (CHM) that
spawns a child process.

This search looks for
modifications to registry keys
that can be used to elevate
privileges.

The following analytic
identifies the use of a
delivered ISO file that has
been mounted and the
aforementioned lnk or file
opened within it.

The following hunting analytic
identifies registry artifacts
when an ISO container is
opened, clicked or mounted
on the Windows operating
system.


-----

Hunting Windows File
Transfer Protocol
[In Non Common](https://research.splunk.com/endpoint/0f43758f-1fe9-470a-a9e4-780acc4d5407/)
Process
Path(new)

Anomaly Windows Mail
Protocol In Non
Common Process
Path (new)

Anomaly Windows Multi
Hop Proxy Tor
Website
Query (new)


[T1071.003](https://attack.mitre.org/techniques/T1071/003/) Command
and Control

[T1071.003](https://attack.mitre.org/techniques/T1071/003/) Command
and Control

[T1071.003](https://attack.mitre.org/techniques/T1071/003/) Command
and Control


The following analytic
identifies a possible windows
application having a FTP
connection in a non common
installation path in windows
operating system.

The following analytic
identifies a possible windows
application having a SMTP
connection in a non common
installation path in windows
operating system.

The following analytic
identifies a dns query to a
known TOR proxy website.


## Automate with SOAR Playbooks

All of the previously listed detections create entries in the risk index by default, and can be
[used seamlessly with risk notables and the Risk Notable Playbook Pack. The community](https://docs.splunk.com/Documentation/ESSOC/3.51.0/user/Useplaybookpack?_gl=1*1exyg5h*_ga*MTI4MTM3OTkzNi4xNjI2MDI5MzQx*_gid*MTA5MjE4ODYwMi4xNjY3MjM1MTk1*_ga_5EPM2P39FV*MTY2NzIzNTE5NS43OS4xLjE2NjcyMzUyMTAuNDUuMC4w&_ga=2.84261913.1092188602.1667235195-1281379936.1626029341)
Splunk SOAR playbooks below can also be used in conjunction with some of the previously
described analytics:

**Playbook** **Description**


Internal
[Host SSH](https://research.splunk.com/playbooks/internal_host_ssh_investigate)
Investigate

Internal
Host
WinRM
Investigate

Delete
[Detected](https://research.splunk.com/playbooks/delete_detected_files/)
Files


Investigate an internal *nix host using SSH. This pushes a bash script to the
endpoint and runs it, collecting generic information about the processes, user
activity and network activity. This includes the process list, login history, cron
jobs and open sockets. The results are zipped up in .csv files and added to
the vault for an analyst to review.

Performs a general investigation on key aspects of a windows device using
windows remote management. Important files related to the endpoint are
generated, bundled into a zip, and copied to the container vault.

This playbook acts upon events where a file has been determined to be
malicious (ie webshells being dropped on an end host). Before deleting the
file, we run a “more” command on the file in question to extract its contents.
We then run a delete on the file in question.


-----

## Why Should You Care?

With this article the Splunk Threat Research Team (STRT) enables security analysts, blue
teamers and [Splunk customers to identify the Agent Tesla tactics, techniques and](https://www.splunk.com/en_us/customers.html)
procedures. By understanding its behaviors, we were able to generate telemetry and
datasets to develop and test Splunk detections designed to defend and respond against this
type of threats.

## Learn More

[You can find the latest content about security analytic stories on GitHub and in Splunkbase.](https://github.com/splunk/security-content/releases/tag/v3.12.0)
[Splunk Security Essentials also has all these detections now available via push update.](https://splunkbase.splunk.com/app/3435/)

For a full list of security content, check out the [release notes on](https://docs.splunk.com/Documentation/ESSOC/3.21.0/RN/Enhancements) [Splunk Docs.](https://docs.splunk.com/Documentation/ESSOC)

## Feedback

Any feedback or requests? Feel free to put in an issue on Github and we’ll follow up.
Alternatively, join us on the [Slack channel #security-research. Follow these instructions if you](https://splunk-usergroups.slack.com/)
need an invitation to our Splunk user groups on Slack.

## Contributors

[We would like to thank Teoderick Contreras,](https://twitter.com/tccontre18) [Michael Haag,](https://twitter.com/M_haggis) [Mauricio Velazco and](https://twitter.com/mvelazco) [Lou Stella](mailto:lstella@splunk.com)
for their contributions to this post.


-----