The Splunk Threat Research Team (STRT) continuously monitors the threat landscape to develop, test, and deliver custom detection searches to help identify vulnerabilities and cyber attacks within your environment. All detections relevant to a particular threat are packaged in the form of analytic stories (also known as use cases) and housed on the Splunk Security Content website as well as the Security Content GitHub repository.
This blog provides a roundup of the security content developed by the STRT from the previous quarters, all of which is available today via the Enterprise Security Content Update app.
Looking for the latest security content? Head here for the latest Security Content from STRT.
Below you will find a brief table of contents, followed by an overview of all the security content developed from November 2023 - January 2024. (Prefer a video update? Watch our on-demand Tech Talk “Using the Splunk Threat Research Team’s Latest Security Content.”)
DarkGate is a malware loader that uses multi-stage payloads and obfuscated AutoIt scripting to exfiltrate sensitive data and establish command-and-control communications. This analytic story includes detections to help uncover and investigate activity that could indicate DarkGate's presence. Check out “Enter The Gates: An Analysis of the DarkGate AutoIt Loader” to learn more.
PlugX, also known as “PlugX RAT” or “Kaba,” is a remote access trojan known for evading detection and for its long association with cyber espionage operations. You can read the Splunk Threat Research Team’s analysis of a specific PlugX variant here and find detections in the PlugX analytic story to search for activities related to:
The Rhysida Ransomware analytic story includes detections designed to identify unusual behaviors potentially associated with Rhysida, a ransomware that stealthily infiltrates systems and encrypts critical files and databases to lock out access.
The Office 365 Account Takeover and Office 365 Persistence Mechanisms analytic stories include detections to monitor for activities and anomalies indicative of potential initial access techniques and persistence techniques within Office 365 environments. These detections can also be used to help detect attacks similar to the recent Midnight Blizzard incident that the Splunk Threat Research Team covered in this blog.
The Windows Attack Surface Reduction (ASR) analytic story contains detections for events related to Windows ASR (a feature of Windows Defender Exploit Guard) that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. Learn more about this content in “Deploy, Test, Monitor: Mastering Microsoft Defender ASR with Atomic Techniques in Splunk.”
Lastly, the team created two new analytic stories to help detect tactics and techniques adversaries may use in an effort to exploit Kubernetes environments: the Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring and Kubernetes Security analytic stories.
In November, CVE-2023-47246 was identified, affecting on-premises versions of SysAid prior to 23.3.36. The Splunk Threat Research Team tagged detections into a new SysAid On-Prem Software CVE-2023-47246 Vulnerability analytic story to support the identification of initial access and some post-exploitation activities.
Additionally, the team created the CISA AA23-347A analytic story to help detect and investigate activities that may be related to cyber tactics and techniques employed by Russia’s Foreign Intelligence Service (SVR).
January saw the creation of three new analytic stories related to newly-identified exploits. First, the Ivanti Connect Secure VPN Vulnerabilities analytic story includes analytics and hunting queries to support defenders against CVE-2023-46805 (an authentication-bypass vulnerability) and CVE-2024-21887 (a command-injection vulnerability).
Next, the Confluence Data Center and Confluence Server Vulnerabilities analytic story covers use cases for detecting and investigating potential attacks against Confluence Data Center and Confluence Server, such as CVE-2023-22527.
Lastly, the Jenkins Server Vulnerabilities analytic story includes detections to help defend against Jenkins server vulnerabilities, including CVE-2024-23897, the arbitrary file read vulnerability in the Jenkins CLI argument parser.
To learn more about these vulnerabilities and detection content, check out the following blogs:
Below you will find an overview of all the security content developed from August-October 2023. Here's a brief table of contents:
NjRAT is a notorious remote access trojan (RAT) used by malicious operators to infiltrate and remotely control compromised systems. This analytic story groups detections to uncover and investigate activity that could indicate NjRAT’s presence. Check out “More Than Just a RAT: Unveiling NjRAT's MBR Wiping Capabilities” to learn more!
The Ave Maria RAT, also known as “Warzone RAT,” is malware that gives an attacker unauthorized access to and remote control over a victim’s system. You can read the STRT analysis of the Warzone RAT and find detections in the Warzone RAT analytic story to search for activities related to:
In August, a new nation-state activity group was identified. Tracked as Flax Typhoon and based in China, the group is targeting dozens of organizations in Taiwan. The Flax Typhoon analytic story released by STRT helps identify the tactics, techniques, and procedures (TTPs) associated with this nation-state group.
CERT-UA disclosed a cyberattack on Ukraine’s energy infrastructure that was delivered through deceptive emails. In September, the STRT released the Forest Blizzard analytic story to identify this activity: once the lure is opened, a multi-stage operation downloads and executes malicious payloads. The activity has been attributed to APT28, also known as Fancy Bear, which is linked to Russia’s GRU.
Learn more about Forest Blizzard: Mockbin and the Art of Deception: Tracing Adversaries, Going Headless and Mocking APIs.
Lastly, adversaries may tamper with Subject Interface Packages (SIPs) and trust provider components to mislead the operating system and application control tools when they perform signature validation checks. In October, we released the Subvert Trust Controls SIP and Trust Provider Hijacking analytic story to detect and defend against SIP and trust provider hijacking.
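The registry writes behind this technique are easy to reason about once the expected values are known: each SIP lives under `HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\<CryptSIPDll…>\{GUID}` with `Dll` and `FuncName` values, and each trust provider under `HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust\<Step>\{GUID}` with `$DLL` and `$Function` values. The following is an added example written for this article, not the analytic story's own searches. It assumes Sysmon Event ID 13 (RegistryEvent, Value Set) fields `TargetObject`, `Details` and `Image`, the sample events are constructed, and the expected Dll/function pairs are the Windows defaults for the PE SIP, the PowerShell SIP and the Authenticode trust provider. The key point the code makes: an allow-list of System32 DLLs is not enough, because a hijack can point the SIP at `ntdll.dll!DbgUiContinue` (a System32 export that simply returns TRUE), so both the DLL and the function must be compared against the expected pair.

```python
"""Added example: flag registry writes that redirect SIP or trust provider entries.

Not the analytic story's own searches. Events follow Sysmon Event ID 13 fields
(TargetObject, Details, Image); the sample events below are constructed.
"""
import re

# (GUID, key the GUID sits under) -> expected (dll basename, function), lower-cased.
# These are the Windows defaults for the PE SIP, PowerShell SIP and Authenticode policy.
EXPECTED = {
    ("{c689aab8-8e78-11d0-8c47-00c04fc295ee}", "cryptsipdllverifyindirectdata"): ("wintrust.dll", "cryptsipverifyindirectdata"),
    ("{c689aab8-8e78-11d0-8c47-00c04fc295ee}", "cryptsipdllgetsigneddatamsg"): ("wintrust.dll", "cryptsipgetsigneddatamsg"),
    ("{603bcc1f-4b59-4e08-b724-d2c6297ef351}", "cryptsipdllverifyindirectdata"): ("pwrshsip.dll", "psverifyhash"),
    ("{603bcc1f-4b59-4e08-b724-d2c6297ef351}", "cryptsipdllgetsigneddatamsg"): ("pwrshsip.dll", "psgetsignature"),
    ("{00aac56b-cd44-11d0-8cc2-00c04fc295ee}", "finalpolicy"): ("wintrust.dll", "softpubauthenticode"),
}

# Matched against the lower-cased TargetObject; .search() also covers WOW6432Node paths.
SIP_RE = re.compile(r"\\cryptography\\oid\\encodingtype 0\\(?P<step>cryptsipdll\w+)\\(?P<guid>\{[0-9a-f-]{36}\})\\(?P<value>dll|funcname)$")
TRUST_RE = re.compile(r"\\cryptography\\providers\\trust\\(?P<step>\w+)\\(?P<guid>\{[0-9a-f-]{36}\})\\\$(?P<value>dll|function)$")

# Constructed Sysmon EID 13 events, 'key=value' fields separated by '|'.
SAMPLE_EVENTS = r"""
UtcTime=2023-10-02 09:00:01.000|Image=C:\Windows\System32\svchost.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll|Details=WINTRUST.DLL
UtcTime=2023-10-02 14:21:07.118|Image=C:\Windows\System32\reg.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll|Details=C:\Windows\System32\ntdll.dll
UtcTime=2023-10-02 14:21:07.402|Image=C:\Windows\System32\reg.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName|Details=DbgUiContinue
UtcTime=2023-10-02 14:25:33.009|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL|Details=C:\Users\Public\trust.dll
UtcTime=2023-10-02 14:26:10.550|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|TargetObject=HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DEADBEEF-0000-4000-8000-000000000001}\Dll|Details=C:\ProgramData\sip.dll
UtcTime=2023-10-02 14:30:00.000|Image=C:\Windows\explorer.exe|TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater|Details=C:\Users\Public\u.exe
"""


def parse_event(line: str) -> dict:
    """Parse 'k=v|k=v' into a dict; values may contain '=' but not '|'."""
    return dict(field.split("=", 1) for field in line.split("|"))


def classify(target_object: str, details: str):
    """Return (severity, reason) for a SIP/trust provider write, or None if unrelated."""
    t = target_object.lower()
    m = SIP_RE.search(t) or TRUST_RE.search(t)
    if not m:
        return None
    step, guid, value = m.group("step"), m.group("guid"), m.group("value")
    expected = EXPECTED.get((guid, step))
    if expected is None:
        # A GUID we have no baseline for: a new SIP/provider was registered.
        return ("medium", f"unknown provider {guid} registered under {step}")
    exp_dll, exp_func = expected
    actual = details.lower()
    if value == "dll":
        basename = actual.replace("/", "\\").split("\\")[-1]
        if basename == exp_dll:
            return ("info", f"{step} {guid} Dll set to expected {exp_dll}")
        return ("high", f"{step} {guid} Dll redirected to {details} (expected {exp_dll})")
    if actual == exp_func:
        return ("info", f"{step} {guid} function set to expected {exp_func}")
    return ("high", f"{step} {guid} function redirected to {details} (expected {exp_func})")


def detect(event_text: str) -> list:
    """Return (severity, Image, reason) for every SIP/trust provider write in the log."""
    hits = []
    for line in event_text.strip().splitlines():
        ev = parse_event(line)
        verdict = classify(ev["TargetObject"], ev["Details"])
        if verdict is not None:
            hits.append((verdict[0], ev["Image"], verdict[1]))
    return hits


if __name__ == "__main__":
    for severity, image, reason in detect(SAMPLE_EVENTS):
        print(f"[{severity:6}] {image}: {reason}")
```

The second and third constructed events reproduce the published hijack pattern (PE SIP redirected to `ntdll.dll` and `DbgUiContinue`), which only the function comparison catches; the fifth shows that a previously unseen GUID is worth a lower-severity alert on its own, since legitimate software rarely registers new SIPs outside of installs.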
A critical vulnerability was discovered in ShareFile’s Storage Zones Controller software (CVE-2023-24489). The STRT released the Citrix ShareFile RCE CVE-2023-24489 analytic story to detect exploitation of this vulnerability.
CVE-2023-22515 was discovered affecting on-premises instances of Confluence Server and Confluence Data Center. The STRT released the Privilege Escalation Vulnerability Confluence Data Center and Server analytic story to detect activity related to the vulnerability.
Additionally, CVE-2023-46747 was identified in F5’s BIG-IP: an authentication bypass in the Traffic Management User Interface (TMUI) that could allow remote, unauthenticated attackers to execute system commands. The F5 Authentication Bypass with TMUI analytic story was created to detect exploitation attempts.
In October, CVE-2023-4966 was identified in both NetScaler ADC and NetScaler Gateway. When exploited, the vulnerability discloses sensitive information, including session tokens that let an attacker bypass authentication, so the STRT crafted an analytic story to detect related activity.
Two vulnerabilities were identified in Adobe ColdFusion: CVE-2023-29298, an access control bypass in URL path validation that exposes sensitive ColdFusion Administrator endpoints, and CVE-2023-26360, an improper access control flaw that can lead to arbitrary code execution.
In August, the STRT released the Ivanti Sentry Authentication Bypass CVE-2023-38035 and Ivanti EPMM Remote Unauthenticated Access analytic stories to address vulnerabilities disclosed in the administration interface of Ivanti Sentry, which lets remote workers connect securely from any mobile device or PC, and in the Ivanti Endpoint Manager Mobile (EPMM) product.
On September 27th, Progress Software released a critical security advisory covering multiple vulnerabilities in WS_FTP Server, a widely used secure file transfer solution. The WS FTP Server Critical Vulnerabilities analytic story addresses both CVE-2023-40044 and CVE-2023-42657. These vulnerabilities follow a rise in attacks on file transfer products, most notably the May 2023 ransomware campaign that exploited the MOVEit Transfer application.
Read the blog from STRT highlighting further information about CVE-2023-40044.
Microsoft SharePoint Server vulnerability CVE-2023-29357, identified in September, allows for an elevation of privilege due to improper handling of authentication tokens. The analytic story, Microsoft SharePoint Server Elevation of Privilege, identifies attempts to exploit this vulnerability.
Cisco identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198). The Cisco IOS XE Software Web Management User Interface vulnerability analytic story detects activity associated with attackers gaining full control of a compromised device and carrying out subsequent unauthorized actions.
Finally, the STRT team also released:
Adding to our playbook of the month series, the Splunk team showcases how playbooks can improve your approach to threat hunting and investigations. Check out the blog on Investigations with Playbooks to learn how playbooks can perform a general investigation of key aspects of a Windows device using Windows Remote Management (WinRM).
This August also marked the deadline for those in the US Federal Civilian space to meet Enterprise Logging Level 3 requirements as part of the recent M-21-31 OMB Mandate. In light of this, we show how adopting a SOAR Maturity Model can help users meet the technical requirements of the mandate and better align to the MITRE D3FEND framework.
Below you will find an overview of all the security content developed from May-July 2023.
Amadey is a botnet offered as Malware as a Service (MaaS) and used to distribute other malware, such as RedLine Stealer. You can read the STRT analysis of Amadey and find detections in the Amadey analytic story to search for activities related to the malware.
In May, The DFIR Report released information on a destructive malware campaign that utilizes Truebot, FlawedGrace and MBR killer malware. The STRT developed the Graceful Wipe Out Attack analytic story to detect and investigate unusual activities related to the campaign.
Misconfigurations in Active Directory provide a number of attack paths. Privilege escalation attacks against on-premises Active Directory (AD) and Azure Active Directory typically abuse such misconfigurations to gain elevated privileges, such as Domain Admin rights in AD or the Global Administrator role in an Azure AD tenant. Once an attacker has escalated privileges and taken full control of a domain or tenant, they can abuse every service that relies on the directory for authentication and authorization. Security teams should monitor for privilege escalation attacks to identify breaches before attackers achieve operational success. The Azure Active Directory Privilege Escalation and Active Directory Privilege Escalation analytic stories provide detections to monitor for activities and techniques associated with these attacks.
Earlier this year BlackLotus, a UEFI bootkit, was reported for bypassing Secure Boot on Windows 11 systems. The STRT developed the Windows BootKits analytic story to detect and defend against bootkit attacks.
RedLine Stealer malware was making headlines in May for being delivered through display ads and Google Chrome extensions. The STRT provided an analysis of RedLine Stealer in this blog and developed the related analytic story for detecting and investigating unusual activities that can be related to the RedLine Stealer trojan.
CVE-2023-20887 was released in early June for a critical vulnerability impacting VMware Aria Operations for Networks, formerly vRealize Network Insight. To help defend against this vulnerability, the STRT developed an analytic story to detect potential exploitation attempts that align with the characteristics of CVE-2023-20887.
In early June, a critical zero-day vulnerability was discovered in the MOVEit Transfer file transfer software and tracked as CVE-2023-34362. The Windows MOVEit Transfer Writing ASPX detection looks for the creation of new ASPX files in the MOVEit Transfer application’s “wwwroot” directory, which matches the web shell dropped during exploitation of the vulnerability.
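The detection logic described above, reduced to a small file-create monitor as an added example for this article (it is not the Splunk search itself). It assumes Sysmon Event ID 11 (FileCreate) fields `UtcTime`, `Image` and `TargetFilename`, a default MOVEit Transfer web root of `C:\MOVEitTransfer\wwwroot`, and constructed sample events; the first event's filename is modeled on the publicly reported web shell name. It goes slightly beyond the original by also matching `.ashx` and `.asmx`, which IIS executes as handlers just like `.aspx`.

```python
"""Added example: flag new ASP.NET handler files written under the MOVEit Transfer web root.

Not the Splunk "Windows MOVEit Transfer Writing ASPX" search itself. Event fields follow
Sysmon Event ID 11 (FileCreate); the install path is the product default (assumption:
not relocated) and the sample events are constructed.
"""

MOVEIT_WWWROOT = r"C:\MOVEitTransfer\wwwroot"   # default web root; adjust if relocated
WEB_HANDLER_EXTS = (".aspx", ".ashx", ".asmx")   # IIS-executable handlers (original covers .aspx)

# Constructed FileCreate events, 'key=value' fields separated by '|'.
SAMPLE_EVENTS = r"""
UtcTime=2023-06-01 03:12:44.101|Image=C:\Windows\System32\inetsrv\w3wp.exe|TargetFilename=C:\MOVEitTransfer\wwwroot\human2.aspx
UtcTime=2023-06-01 03:12:50.330|Image=C:\Windows\System32\inetsrv\w3wp.exe|TargetFilename=C:\MOVEitTransfer\wwwroot\images\MOVEit.png
UtcTime=2023-06-01 03:13:02.007|Image=C:\Windows\System32\inetsrv\w3wp.exe|TargetFilename=C:\inetpub\wwwroot\Default.aspx
UtcTime=2023-06-01 03:14:19.512|Image=C:\Windows\System32\cmd.exe|TargetFilename=c:\moveittransfer\WWWROOT\Upload\shell.ASPX
UtcTime=2023-06-01 03:15:00.000|Image=C:\Windows\explorer.exe|TargetFilename=C:\MOVEitTransfer\wwwroot\notes.aspx.txt
"""


def parse_event(line: str) -> dict:
    """Parse 'k=v|k=v' into a dict; values may contain '=' but not '|'."""
    return dict(field.split("=", 1) for field in line.split("|"))


def _norm(path: str) -> str:
    """Lower-cased, backslash-only Windows path without a trailing separator.
    NTFS paths are case-insensitive, so the comparison must be too."""
    return path.replace("/", "\\").rstrip("\\").lower()


def is_moveit_webroot_handler_write(target: str, webroot: str = MOVEIT_WWWROOT) -> bool:
    """True when target is a web-handler file anywhere under the MOVEit web root.
    Requiring the trailing separator keeps C:\MOVEitTransferX\... from matching."""
    t = _norm(target)
    root = _norm(webroot) + "\\"
    return t.startswith(root) and t.endswith(WEB_HANDLER_EXTS)


def detect(event_text: str) -> list:
    """Return (UtcTime, Image, TargetFilename) for each suspicious FileCreate event."""
    hits = []
    for line in event_text.strip().splitlines():
        ev = parse_event(line)
        if is_moveit_webroot_handler_write(ev["TargetFilename"]):
            hits.append((ev["UtcTime"], ev["Image"], ev["TargetFilename"]))
    return hits


if __name__ == "__main__":
    for when, image, target in detect(SAMPLE_EVENTS):
        print(f"{when}  {image}  wrote  {target}")
```

Two of the five constructed events fire: the web shell written by the IIS worker process and a mixed-case path written by `cmd.exe`; the `.aspx.txt` file and the file under the unrelated `C:\inetpub` root do not. Legitimate MOVEit upgrades also write handler files to this directory, so in production the search is tuned around maintenance windows or the installer's process image rather than loosened on the path.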
Volt Typhoon is a People’s Republic of China (PRC) state-sponsored cyber actor whose recent activity resulted in a joint Cybersecurity Advisory. The Splunk Threat Research Team developed the Volt Typhoon analytic story with detections to look for suspicious process execution, LOLBin execution, command-line activity and more associated activities that the Volt Typhoon group can use to target critical infrastructure organizations.
CVE-2023-27350 is an authentication bypass vulnerability in the PaperCut NG print management software for which the FBI and CISA issued a joint advisory. The STRT created a blog highlighting information about the vulnerability as well as a corresponding analytic story for defenders to detect associated exploitation attempts and known indicators of compromise.
The Snake implant is a highly advanced cyber espionage tool, developed and employed by Russia's Federal Security Service's (FSB) Center 16 for persistent intelligence gathering on important targets, and it has been identified in over 50 countries. The Splunk Threat Research Team utilized ChatGPT to develop Atomic Simulations and subsequent detections for activities related to Snake malware.
Splunk developed a deep learning based detection that monitors your DNS traffic for signs of low-throughput DNS exfiltration. The model reported an accuracy of 99.97% on the team's evaluation data; since accuracy on highly imbalanced traffic says little about the miss rate on its own, validate the detection against your own DNS logs before relying on it.
Most machine learning models examine only the latest DNS request, without any context from the communication history between the host and the domain. Instead of a short time window, which may be insufficient for low-throughput DNS exfiltration, this approach considers the recent history of the past x events: the deep learning model creates features that represent the current DNS request and also aggregates features over that recent history.
The model is deployed using the Splunk App for Data Science and Deep Learning (DSDL). You can find further details in the Detect DNS Data Exfiltration Using Deep Learning blog, and the team also recorded an overview of the detection that you can watch here:
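To make the history-aware feature idea concrete, here is an added example written for this article; it is not the DSDL model or its feature set. It keeps the last few queries for each (source host, registered domain) pair and scores aggregate features over that window, next to a per-request rule for comparison. The log format, the window size, the thresholds and the log lines themselves are constructed assumptions, and the "registered domain = last two labels" split is a simplification of what the Public Suffix List would give you.

```python
"""Added example: history-aware features for low-throughput DNS exfiltration.

Written for this article; not the Splunk DSDL deep learning model. Log format,
window size, thresholds and the log lines below are constructed assumptions.
"""
import math
from collections import defaultdict, deque

WINDOW = 8        # 'x' most recent events kept per (host, domain) pair (assumption)
HISTORY_MIN = 4   # minimum events before the history features are scored (assumption)

# Constructed DNS query log: "<timestamp> <src_host> <qtype> <qname>".
# ws07 sends one 16-character hex label to attacker.test every five minutes.
SAMPLE_LOG = """\
2023-07-01T10:00:01Z ws01 A www.example.com
2023-07-01T10:00:05Z ws01 A mail.example.com
2023-07-01T10:00:09Z ws07 A www.example.com
2023-07-01T10:01:00Z ws07 A 3f9a1c7e02b4d8e6.attacker.test
2023-07-01T10:02:30Z ws01 A login.example.com
2023-07-01T10:06:00Z ws07 A 7b2e90c4a1f5d63e.attacker.test
2023-07-01T10:07:12Z ws01 A api.example.com
2023-07-01T10:11:00Z ws07 A c04d7a2f9e1b53c8.attacker.test
2023-07-01T10:12:40Z ws01 A update.example.com
2023-07-01T10:16:00Z ws07 A e8f1a6b3c9d2074f.attacker.test
2023-07-01T10:21:00Z ws07 A 19d3e5f7a2b4c6d8.attacker.test
2023-07-01T10:22:15Z ws07 A mail.example.com
2023-07-01T10:26:00Z ws07 A b6c2d9e0f4a1738e.attacker.test
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (registered_domain, subdomain); last two labels stand in for the PSL."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text: str):
    """Yield (host, domain, subdomain) tuples in log order."""
    for line in text.splitlines():
        if line.strip():
            _ts, host, _qtype, qname = line.split()
            domain, sub = split_qname(qname)
            yield host, domain, sub


def single_event_suspicious(sub: str) -> bool:
    """Per-request rule: only very long, high-entropy labels stand out.
    A 16-character hex label looks like an ordinary CDN or cache hostname."""
    return len(sub) > 30 and shannon_entropy(sub) > 3.5


def window_features(history) -> dict:
    """Aggregate features over the recent history of one (host, domain) pair."""
    n = len(history)
    return {
        "n_events": n,
        "mean_sub_len": sum(len(s) for s in history) / n,
        "mean_sub_entropy": sum(shannon_entropy(s) for s in history) / n,
        "unique_ratio": len(set(history)) / n,
    }


def history_suspicious(feat: dict) -> bool:
    """Heuristic stand-in for a trained classifier: a run of never-repeated,
    uniformly high-entropy subdomains toward a single registered domain."""
    return (feat["n_events"] >= HISTORY_MIN
            and feat["mean_sub_entropy"] > 3.0
            and feat["unique_ratio"] >= 0.9)


def detect_single(log_text: str) -> set:
    """(host, domain) pairs flagged when each request is judged on its own."""
    return {(h, d) for h, d, s in parse_log(log_text) if single_event_suspicious(s)}


def detect_with_history(log_text: str) -> set:
    """(host, domain) pairs flagged using features over the last WINDOW events."""
    recent = defaultdict(lambda: deque(maxlen=WINDOW))
    flagged = set()
    for host, domain, sub in parse_log(log_text):
        recent[(host, domain)].append(sub)
        if history_suspicious(window_features(recent[(host, domain)])):
            flagged.add((host, domain))
    return flagged


if __name__ == "__main__":
    print("single-event rule:", detect_single(SAMPLE_LOG))
    print("with history     :", detect_with_history(SAMPLE_LOG))
```

On the constructed log the per-request rule flags nothing, because no single label is long enough to stand out, while the windowed features flag `ws07` toward `attacker.test` after its fourth query; `ws01`'s ordinary names to `example.com` stay below the entropy threshold. A real deployment would learn the thresholds from labelled traffic rather than hard-code them, which is what the deep learning model does with the same kind of aggregated features.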
Adding to our playbook of the month series, the Splunk team showcases how playbooks can improve your approach to threat hunting and investigations. Check out the blog to learn how playbooks can help you to...
Below you will find an overview of all the security content developed from February - April, 2023. Principal Threat Researcher, Michael Haag, also provides an overview of the STRT Q1 content on a Security Tech Talk, which can be viewed here.
AsyncRAT is an open source remote administration tool project on GitHub that has become a popular tool used maliciously by attackers. The Splunk Threat Research Team explored an AsyncRAT OneNote campaign to develop the AsyncRAT analytic story to detect and investigate unusual activities that might be related to the malware. Learn more about AsyncRAT and the OneNote campaign by reading this blog or watching the video.
Earlier this year Winter Vivern was making headlines, and the STRT developed an analytic story to detect repeated timeout executions, scheduled task creation, screenshot capture, file downloads through PowerShell, and other indicators of activity related to the malware. Watch an overview video of the analytic story below.
The Sandworm Tools analytic story includes detections focused on monitoring suspicious process executions, command-line activities, Master Boot Record (MBR) wiping, data destruction and other indicators related to the Sandworm Team threat group.
Compromised user account attacks occur when cybercriminals gain access to accounts through techniques like brute force, social engineering, phishing and credential stuffing to pose as the real user and access sensitive data or use stolen information to access further accounts within the organization. The Compromised User Account analytic story provides detections to monitor for these types of activities and techniques.
The Splunk Threat Research Team wrote a blog describing common digital certificate abuses and developed the Windows Certificate Services analytic story for detecting certificate services abuse on Windows and defending against adversaries stealing sensitive information. Watch the video below to learn more about defending against certificate services abuses.
Sneaky Active Directory Persistence Tricks are techniques that are still utilized even eight years after they were initially described in a blog by Sean Metcalf. These techniques abuse legitimate administrative functionality.
The corresponding analytic story developed by the STRT groups detections for techniques described in the original blog as well as other high-impact attacks against Active Directory networks. The team would like to thank Dean Luxton and Steven Dick for contributing detections to this analytic story.
Learn more about Sneaky Active Directory Persistence Tricks in the overview video below.
Bishop Fox’s Sliver is an open-source adversary emulation framework that has increasingly been adopted by real adversaries for malicious activity. The STRT developed an analytic story to provide visibility into the latest adversary TTPs related to Sliver.
SwiftSlicer wiper is a destructive malware discovered by ESET. The Splunk Threat Research Team (STRT) developed an analytic story to help detect and investigate unusual activities that might be related to the malware. The team also wrote a blog highlighting the team’s analysis, detections, and mitigation measures.
AwfulShred is a malicious Linux shell script designed to corrupt or wipe the targeted Linux system. The STRT provides findings on this destructive payload in:
Fortinet released security updates for its FortiNAC product addressing critical vulnerabilities that may allow unauthenticated attackers to write arbitrary files on the system and, as a result, obtain remote code execution in the context of the root user (Horizon3.ai). The STRT developed the analytic story Fortinet FortiNAC CVE-2022-39952 to help defend against this critical vulnerability.
CVE-2023-21716 is a remote code execution vulnerability in Microsoft Word disclosed in February. The analytic story developed by the STRT provides content to help organizations identify potential abuse of Rich Text Format (RTF) documents to trigger the vulnerability on endpoints.
A patch for CVE-2023-23397 was released to address a critical elevation of privilege (EoP) vulnerability impacting Microsoft Outlook for Windows. Detections from the STRT help identify behaviors related to this vulnerability.
The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems, known as BlackLotus, was reported by ESET in March. The STRT developed content to aid teams in detecting suspicious bootloaders and understanding the diverse techniques utilized by the BlackLotus campaign.
In March, it was reported that an active intrusion campaign was targeting 3CX software and their customers. The STRT created a blog highlighting information and the corresponding analytic story to equip defenders with the necessary tools and strategies to counteract the campaign.
The Splunk Machine Learning for Security team developed two new detections last quarter. Both detections use a pre-trained deep learning model developed with the Splunk App for Data Science and Deep Learning. The two detections are:
Learn more about the latter detection by watching our on-demand tech talk.
Splunk is pleased to announce the first in a series of Response Packs focused on different use-cases, the first of which focuses on Enrichment. These new response packs feature modular, Lego-like playbooks that operate on different tiers depending on your desired use. Additionally, we have also begun to map our playbooks to MITRE D3FEND techniques where applicable.
The three collections in this pack are:
You can choose to use the Connector-based input playbooks in your own use-cases, or choose to use the Dynamic playbooks that automatically detect artifacts, route them to the Input playbooks, and conclude workbook tasks. Here is a full list of the 10 new playbooks:
Task based playbooks:
Input/output playbooks:
You'll see these playbooks show up if you are running the community repo on versions of SOAR 6.0 and above. Be sure to check out our recent blog on Identifier Reputation Analysis and be on the lookout for new blogs and videos highlighting how these playbooks work over the coming months.
In addition to the security content provided above, the Splunk Threat Research Team developed content related to malicious drivers.
Thanks for reading! Stay tuned for more Content Updates every quarter.