Looking for the latest Splunk security content? You’ve come to the right place! This page is updated quarterly with all the latest security content details.
This blog post covers security content developed August - October 2024. Jump straight to the updates below, or read on to learn more about:
Splunk continuously monitors the threat landscape to develop, test, and deliver security content to help identify and respond to vulnerabilities and cyber attacks within your environment.
Splunk provides a variety of security content, all of which is designed to help you make the most of your Splunk environment. This includes:
Splunk’s out-of-the-box detection searches are created to help identify patterns and alert you to threats and anomalous behavior.
All detection searches relevant to a particular threat are packaged in the form of analytic stories (also known as use cases).
A collection of pre-built automation playbooks that are designed to help users tackle specific use cases.
Take advantage of security content in two ways:
Both apps allow you to deploy more than 1,700 out-of-the-box searches to start detecting, investigating and responding to threats. You can also browse the full security content repository at research.splunk.com.
And with that information, we can move onto the latest content. Let's take a look!
Below you will find a brief table of contents, followed by an overview of the security content developed from August - October 2024.
The Splunk Threat Research Team conducted an analysis of ValleyRAT, a remote access Trojan that hides itself by loading its components in stages, which helps it evade detection. The ValleyRAT analytics story includes detections to help identify activities indicative of this malware, including modifications to the Windows Registry, suspicious process file paths, and more.
The Handala Wiper analytics story provides detections to help monitor for activities related to a malware strain that has been used in campaigns attributed to the Handala Hacking Team. To learn more, check out the blog “Handala’s Wiper: Threat Analysis and Detections,” which includes a summary of the Handala Hacking Team, an in-depth analysis of the campaign’s attack chain, an overview of the security content included in this analytics story, and more.
The MoonPeak analytics story supports detecting and investigating activities linked to the MoonPeak malware, which is designed to infiltrate targeted systems, establish persistence, and communicate with command-and-control (C2) servers.
The CISA AA24-241A analytics story features detections covering the tactics, techniques, and procedures (TTPs) described in CISA Alert AA24-241A: “Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations.”
Lastly, the BlackSuit Ransomware analytics story addresses TTPs related to this particular threat, such as Remote System Discovery, OS Credential Dumping, Steal or Forge Kerberos Tickets, and more.
The Ivanti Virtual Traffic Manager CVE-2024-7593 analytics story includes security content to help detect the creation of new Ivanti administrator accounts that may be used for malicious purposes. This content was created in response to CVE-2024-7593, a critical authentication bypass vulnerability in Ivanti Virtual Traffic Manager that the company disclosed in August.
The Splunk Threat Research Team also released two new analytic stories designed to help identify compromised hosts: one for compromised Windows hosts and another for compromised Linux hosts.
Looking for previous security content updates? Check out the previous quarters of security content roundups from the Splunk Threat Research Team. Stay tuned to that page and this one — we're updating them every quarter!