Splunk Security Content for Threat Detection & Response: February 2025 Update

Looking for the latest Splunk security content? You’ve come to the right place! This page is updated quarterly with all the latest security content details. 

This blog post covers security content developed November 2024 - January 2025. Jump straight to the updates below, or read on to learn more about:

• How Splunk develops security content
• The types of content we deliver
• How to access security content

See the latest Splunk Security Content >

Splunk continuously monitors the threat landscape to develop, test, and deliver security content to help identify and respond to vulnerabilities and cyber attacks within your environment.  

Types of Security Content 

Splunk provides a variety of security content, all of which is designed to help you make the most of your Splunk environment. This includes:

Detections

Splunk’s out-of-the-box detection searches are created to help identify patterns and alert you to threats and anomalous behavior. 

Analytic Stories

All detection searches relevant to a particular threat are packaged in the form of analytic stories (also known as use cases).

SOAR Playbook Packs 

A collection of pre-built automation playbooks that are designed to help users tackle specific use cases.

How to get Security Content

Take advantage of security content in two ways: 

• Enterprise Security Content Update (ESCU) app 
• Splunk Security Essentials (SSE) app

Both apps allow you to deploy the over 1,900 out-of-the-box searches to start detecting, investigating and responding to threats. You can also view the full security content repository by visiting research.splunk.com.

And with that information, we can move onto the latest content. Let's take a look!

Splunk Security Content: November 2024 - January 2025

Below you will find a brief table of contents, followed by an overview of the security content developed from November 2024 - January 2025.

Table of Contents

Adversary Tradecraft Analytic Stories

• Backdoor Pingpong
• Crypto Stealer
• Defense Evasion or Unauthorized Access Via SDDL Tampering
• Derusbi
• Earth Estries
• Nexus APT Threat Activity
• WinDealer RAT
• XorDDos
• Lumma Stealer
• PXA Stealer
• Critical Alerts

Emerging Threats Analytic Stories

• Cleo File Transfer Software
• Meduza Stealer
• Braodo Stealer

Overview: Adversary Tradecraft Analytic Stories

The Splunk Threat Research Team created several new analytic stories to help identify activity related to various malware threats:

• Backdoor Pingpong, which is a legacy threat that provides unauthorized remote access to compromised systems
• Crypto Stealer, which is designed to exfiltrate cryptocurrency-related data from compromised systems
• Derusbi, a sophisticated threat often linked to advanced persistence threats
• WinDealer RAT, which attackers use for data theft and unauthorized system control
• XorDDos, a Linux malware that’s used to facilitate high-capacity Distributed Denial of Service (DDoS) attacks
• Lumma Stealer, an information-stealing malware that uses several obfuscation techniques like base64 encoding and clipboard manipulation to evade detection
• PXA Stealer, a data-stealing malware that’s especially stealthy due to its ability to evade antivirus software

The team also created new content focusing on specific threat actors: Earth Estries and Nexus. The Earth Estries analytic story includes searches to help teams identify activities that may relate to the cyber espionage-focused campaigns that Earth Estries is known for. The Nexus APT Threat Activity analytic story helps monitor for indicators potentially related to this group’s efforts to target high-value sectors.

In addition, the Splunk Threat Research Team provided a deep dive into Security Descriptor Definition Language (SDDL) controls and how adversaries leverage SDDL misconfigurations for nefarious purposes. You can get the full details in the blog “Hey SDDL SDDL: Breaking Down Windows Security One ACE at a Time.” This blog also covers available security content from the Defense Evasion or Unauthorized Access Via SDDL Tampering analytic story to help identify malicious SDDL misconfigurations.

Lastly, the Critical Alerts analytic story provides detections designed to monitor critical alerts data from various security sources in Splunk, which can help teams identify potential threats sooner.

Overview: Emerging Threats Analytic Stories

The Meduza Stealer analytic story includes detections to help identify activity related to this stealer, which targets sensitive information like login credentials and financial details. Learn more about this threat in the blog “Meduza Stealer Analysis: A Closer Look at its Techniques and Attack Vector.”

The Braodo Stealer analytic story includes detections to help identify the Braodo Stealer malware, which is designed to steal sensitive information like credentials, cookies, and system data. To learn more about this threat and the security content included in this analytic story, check out the blog ”Cracking Braodo Stealer: Analyzing Python Malware and Its Obfuscated Loader.”

Finally, the team created the Cleo File Transfer Software analytic story to help identify activity related to CVE-2024-50623, a vulnerability that can lead to exploitation of versions of Cleo Harmony, VLTrader, and LexiCom.

Previous Security Content Roundups

Looking for previous security content updates? Check out the previous quarters of security content roundups from the Spunk Threat Research Team. Stay tuned to that page and this one — we're updating them every quarter!