Looking for the latest Splunk security content? You’ve come to the right place! This page is updated quarterly with all the latest security content details.
This blog post covers security content developed May - July 2024. Jump straight to the updates below, or read on to learn more about:
Splunk continuously monitors the threat landscape to develop, test, and deliver security content to help identify and respond to vulnerabilities and cyber attacks within your environment.
Splunk provides a variety of security content, all of which is designed to help you make the most of your Splunk environment. This includes:
Splunk’s out-of-the-box detection searches are created to help identify patterns and alert you to threats and anomalous behavior.
All detection searches relevant to a particular threat are packaged in the form of analytic stories (also known as use cases).
Splunk also provides a collection of pre-built automation playbooks designed to help users tackle specific use cases.
Take advantage of security content in two ways:
Both apps allow you to deploy over 1,700 out-of-the-box searches to start detecting, investigating and responding to threats. You can also browse the full security content repository at research.splunk.com.
And with that information, we can move onto the latest content. Let's take a look!
Below you will find a brief table of contents, followed by an overview of the security content developed from May - July 2024.
Linux.Gomir is a backdoor malware designed to infiltrate and compromise systems covertly. Linux.Gomir is capable of stealing sensitive data, which can be exfiltrated back to the attacker, as well as downloading and installing further malicious payloads to facilitate broader cyber-espionage or destructive activities. You can read the Splunk Threat Research Team’s analysis of Linux.Gomir here and find relevant detections in the Gomir analytics story.
AcidPour Wiper is a destructive malware designed to irreversibly delete data from targeted systems, rendering them inoperable. Unlike typical ransomware, AcidPour focuses on data destruction rather than financial gain. It targets critical sectors of the storage media, overwriting files to make recovery nearly impossible. The AcidPour analytics story includes detections to help identify unusual activities that may relate to this threat. To learn more, check out “AcidPour Wiper Malware: Threat Analysis and Detections.”
The Gozi Malware analytics story covers the detection and analysis of Gozi malware, also known as Ursnif or ISFB. Gozi is one of the oldest and most persistent banking trojans, with a history dating back to 2000. Recent variants like Dreambot, IAP, RM2, RM3, and LDR4 demonstrate its ongoing development and threat.
The ShrinkLocker analytics story helps identify activities that may be related to ShrinkLocker, a new ransomware that uses Windows BitLocker to encrypt files by creating new boot partitions. It targets non-boot partitions, shrinks them, and creates new boot volumes. Instead of a ransom note, it uses boot partition labels to communicate with victims.
The CrushFTP Vulnerabilities analytics story helps detect activity related to CVE-2024-4040, a vulnerability in CrushFTP that allows unauthenticated remote attackers to execute arbitrary code, bypass authentication mechanisms, and access files outside of the VFS Sandbox. Check out “Security Insights: Detecting CVE-2024-4040 Exploitation in CrushFTP” to learn more.
The Ivanti EPM Vulnerabilities analytic story covers vulnerabilities identified in Ivanti Endpoint Manager (EPM), including but not limited to SQL injection, remote code execution, and privilege escalation. These vulnerabilities can potentially be exploited by adversaries to gain unauthorized access, execute arbitrary code, and compromise the security of managed endpoints.
The MOVEit Transfer Authentication Bypass analytic story addresses CVE-2024-5806, a critical authentication bypass vulnerability in Progress MOVEit Transfer. The vulnerability allows attackers to impersonate any valid user on the system without proper credentials, potentially leading to unauthorized access, data theft, and system compromise.
The VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 analytic story contains security content to help detect activity potentially related to CVE-2024-37085, which allows attackers with sufficient AD permissions to gain full access to ESXi hosts by recreating the ‘ESX Admins’ group after deletion.
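As an added illustration of the detection idea behind that story (this is example code written for this post, not Splunk's own search content), the following Python flags any creation of an AD group named "ESX Admins" and marks it as a re-creation when a deletion of the same group precedes it within a time window. It assumes Windows Security audit events with the standard IDs 4727 (security-enabled global group created) and 4730 (security-enabled global group deleted); the sample events, hostnames and user names are constructed, and the case-insensitive name comparison is a detection choice.

```python
"""Added example: detect deletion-then-recreation of the 'ESX Admins' AD group,
the pattern described for CVE-2024-37085, over constructed Windows audit events."""
import json
from datetime import datetime

# Standard Windows Security event IDs for global group lifecycle; extend these
# sets if your environment also audits local or universal groups.
GROUP_CREATED = {4727}   # A security-enabled global group was created
GROUP_DELETED = {4730}   # A security-enabled global group was deleted
TARGET_GROUP = "esx admins"  # compared case-insensitively (a detection choice)

# Constructed sample events (placeholder actors); not real telemetry.
SAMPLE_EVENTS = [
    {"time": "2024-07-30T09:00:00", "event_id": 4727, "group": "Finance", "actor": "admin1"},
    {"time": "2024-07-30T09:05:00", "event_id": 4730, "group": "ESX Admins", "actor": "jdoe"},
    {"time": "2024-07-30T09:06:30", "event_id": 4727, "group": "esx admins", "actor": "jdoe"},
    {"time": "2024-07-30T10:00:00", "event_id": 4727, "group": "Helpdesk", "actor": "admin1"},
]


def find_esx_admins_recreation(events, window_minutes=60):
    """Return one alert per creation of the target group. If a deletion of the
    same group occurred within window_minutes before it, the alert is marked
    as a re-creation and carries the deletion timestamp for context."""
    alerts = []
    last_deletion = None
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["group"].strip().lower() != TARGET_GROUP:
            continue
        ts = datetime.fromisoformat(ev["time"])
        if ev["event_id"] in GROUP_DELETED:
            last_deletion = ev
        elif ev["event_id"] in GROUP_CREATED:
            alert = {"created_at": ev["time"], "actor": ev["actor"], "recreated": False}
            if last_deletion is not None:
                gap = (ts - datetime.fromisoformat(last_deletion["time"])).total_seconds() / 60
                if gap <= window_minutes:
                    alert["recreated"] = True
                    alert["deleted_at"] = last_deletion["time"]
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in find_esx_admins_recreation(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Any creation of the group is reported, because on an environment where the group was never meant to exist the creation alone is worth a look; the re-creation flag simply raises the priority.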
Looking for previous security content updates? Check out the previous quarters of security content roundups from the Splunk Threat Research Team. Stay tuned to that page and this one — we're updating them every quarter!
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.