Skip to main content
false
Splunk Threat Research Team

Splunk Threat Research Team

 

The Splunk Threat Research Team is an active part of a customer’s overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.


Read more Splunk Security Content

Security 6 Min Read

Hunting for Malicious PowerShell using Script Block Logging

The Splunk Threat Research Team recently began evaluating ways to generate security content using native Windows event logging regarding PowerShell Script Block Logging to assist enterprise defenders in finding malicious PowerShell scripts.
Security 4 Min Read

PowerShell Detections — Threat Research Release, August 2021

Adversaries are using PowerShell attacks, but luckily the Splunk Threat Research Team (STRT) has developed PowerShell analytics for Splunk by using the Splunk Attack Range to collect the generated logs, and hunt for suspicious PowerShell.
Security 6 Min Read

Threat Advisory: Telegram Crypto Botnet STRT-TA01

The Splunk Threat Research Team (STRT) has detected the resurface of a Crypto Botnet using Telegram, a widely used messaging application that can create bots and execute code remotely. Learn more about the indicators of the botnet operation and use our pre-built and tested detections to find them in your environment.
Security 4 Min Read

Trickbot Detections: Threat Research Release, July 2021

The Splunk Threat Research Team (STRT) addressed Trickbot in the July release. Trickbot is a very popular crimeware carrier (Trojan) associated with current campaigns.
Security 5 Min Read

Conti Threat Research Update and Detections

In this blog, the Splunk Threat Research team will show you how to use Splunk Attack Range to simulate cyber attacks from the Conti Ransomware group. It will also have pre-built detections that you can use to detect them in your environment.
Security 4 Min Read

Detecting SeriousSAM CVE-2021-36934 With Splunk

SeriousSAM or CVE-2021-36934 is a Privilege Escalation Vulnerability. The Splunk Threat Research team recommends performing an assessment to better understand the impact of this vulnerability in corporate environments.
Security 6 Min Read

Detecting Trickbot with Splunk

The Splunk Threat Research Team has assessed several samples of Trickbot, a popular crimeware carrier that allows malicious actors to deliver multiple types of payloads. Use our pre-built Splunk detections to detect Trickbots.
Security 5 Min Read

Data Exfiltration Detections: Threat Research Release, June 2021

Check out detections from the Splunk Threat Research team to detect data exfiltration – also known as data extrusion, data exportation, and data theft – in your environment.
Security 8 Min Read

REvil Ransomware Threat Research Update and Detections

On July 2, 2021, REvil group used Kaseya to distribute malware to its on-premises customers. Splunk has pushed out guidance to help understand and detect REvil. Learn more about the REvil ransomeware group, their tactics, and how to detect them using Splunk.
Security 7 Min Read

I Pity the Spool: Detecting PrintNightmare CVE-2021-34527

Read on for details around Detect PrintNightmare (CVE-2021-34527), a critical vulnerability that affects the Print Spooler service and can perform remote code execution.
Security 5 Min Read

Detecting Password Spraying Attacks: Threat Research Release May 2021

The Splunk Threat Research team walks you through a new analytic story to help SOC analysts detect adversaries executing password spraying attacks, and highlights a few detections from the May 2021 releases.
Security 6 Min Read

DarkSide Ransomware: Splunk Threat Update and Detections

Splunk Threat Research Team (STRT) replicated the DarkSide Ransomware Attack and has released an Analytic Story with several detection searches directed at community shared IOCs.
Security 4 Min Read

Clop Ransomware Detection: Threat Research Release, April 2021

Discover how the Splunk Threat Research Team focused their research efforts on Clop Ransomware detections to help organizations detect abnormal behavior faster before it becomes detrimental.
Security 3 Min Read

Introducing Splunk Attack Range v1.0

The Splunk Attack Range project has officially reached the v1.0 release – read on to learn how we got here, what features we’ve built for v1.0 and what the future looks like for Splunk Attack Range.
Security 5 Min Read

Detecting Clop Ransomware

As ransomware campaigns continue, malicious actors introduce different modus operandi to target their victims. In this blog, we’ll be taking a look at the Clop ransomware. This crimeware was discovered in 2019 and is said to be used for an attack that demanded one of the highest ransom amounts in recorded history.
Security 3 Min Read

Detecting AWS IAM Privilege Escalation

The Splunk Threat Research team develops security research to help SOC analysts detect adversaries attempting to escalate their privileges and gain elevated access to AWS resources. Learn how we simulate these attacks using Atomic Red Team, collect and analyze the AWS cloudtrail logs, and utilize pre-packaged Splunk detections to detect these threats.
Security 4 Min Read

Cloud Federated Credential Abuse & Cobalt Strike: Threat Research February 2021

Learn about the latest emerging threats, such as Cloud Federated Credential Abuse and Cobalt Strike, where bad actors are abusing credential privileges in cloud environments to gain unauthorized access.
Security 4 Min Read

MSHTA and MSBuild Cat Jam: Threat Research Release January 2021

Splunk's Security Research team was busy this past quarter generating attack data for 80% of all our detections. A step forward in validating and testing our security content and ensuring we can continually test detections via continuous integration and continuous delivery (CI/CD).