The Splunk Threat Research Team (STRT) continuously monitors the threat landscape to develop, test, and deliver custom detection searches to help identify vulnerabilities and cyber attacks within your environment. All detections relevant to a particular threat are packaged in the form of analytic stories (also known as use cases) and housed on the Splunk Security Content website as well as the Security Content GitHub repository.
This blog provides a roundup of the security content developed by the STRT from the previous quarters, all of which is available today via the Enterprise Security Content Update app.
Looking for the latest security content? Head here for the latest Security Content from STRT.
Below you will find a brief table of contents, followed by an overview of all the security content developed from February - April 2024.
Snake Keylogger is a malware that secretly records infected devices’ keystrokes. You can read the Splunk Threat Research Team’s analysis of Snake Keylogger and find detections in the Snake Keylogger analytic story to search for activities related to:
The Office 365 Collection Techniques analytic story includes detections to monitor for activities and anomalies indicative of potential collection techniques within Office 365 environments. To learn more, check out:
Administrators use Windows AppLocker to specify who is allowed to run particular applications in their organization. This analytic story contains detections for events related to monitoring and managing AppLocker policies, including:
Lastly, the Okta Account Takeover analytic story contains detections designed to identify unauthorized access and potential takeover attempts of Okta accounts. The Zscaler Browser Proxy Threats analytic story helps you detect and investigate unusual activities related to Zscaler.
The Phemedrone Stealer analytic story helps detect activity related to Phemedrone, a sophisticated malware used to steal sensitive data. Check out Unveiling Phemedrone Stealer: Threat Analysis and Detections to learn more.
The JetBrains TeamCity Vulnerabilities analytic story provides content to help defenders detect and respond to activities related to CVE-2024-27198 and CVE-2024-27199, which make it possible for unauthenticated attackers to gain administrative control or execute code remotely on affected TeamCity servers.
For more information on these vulnerabilities and the analytic story created by the Splunk Threat Research Team, read Security Insights: JetBrains TeamCity CVE-2024-27198 and CVE-2024-27199.
In February 2024, Mandiant identified that APT29 was using a backdoor called WINELOADER to target German political parties. To help defenders detect and respond to this threat, the Splunk Threat Research Team created this analytic story. For additional details, check out From Water to Wine: An Analysis of WINELOADER.
The Outlook RCE CVE-2024-21378 analytic story contains security content to help detect activity potentially related to the CVE-2024-21378 vulnerability, which allows attackers to execute code remotely upon successful authentication.
Lastly, this analytic story provides detections related to ConnectWise ScreenConnect vulnerabilities, while this analytic story includes detections to help address known vulnerabilities in WordPress plugins and themes.
Below you will find a brief table of contents, followed by an overview of all the security content developed from November 2023 - January 2024. (Prefer a video update? Watch our on-demand Tech Talk “Using the Splunk Threat Research Team’s Latest Security Content.”)
DarkGate is a malware that employs multi-stage payloads and leverages obfuscated AutoIt scripting to exfiltrate sensitive data and establish command and control communications. This analytic story includes detections to help uncover and investigate activities that could be indicative of DarkGate’s presence. Check out “Enter The Gates: An Analysis of the DarkGate AutoIt Loader” to learn more.
PlugX, also known as “PlugX RAT” or “Kaba,” is a covert malware that’s known for its ability to elude detection and its association with cyber espionage activities. You can read the Splunk Threat Research Team’s analysis of a specific PlugX variant here and find detections in the PlugX analytic story to search for activities related to:
The Rhysida Ransomware analytic story includes detections designed to identify unusual behaviors potentially associated with Rhysida, a ransomware that stealthily infiltrates systems and employs sophisticated encryption tactics to lock access to critical files and databases.
The Office 365 Account Takeover and Office 365 Persistence Mechanisms analytic stories include detections to monitor for activities and anomalies indicative of potential initial access techniques and persistence techniques within Office 365 environments. These detections can also be used to help detect attacks similar to the recent Midnight Blizzard incident that the Splunk Threat Research Team covered in this blog.
The Windows Attack Surface Reduction (ASR) analytic story contains detections for events related to Windows ASR (a feature of Windows Defender Exploit Guard) that are generated when a process or application attempts to perform an action that is blocked by an ASR rule. Learn more about this content in “Deploy, Test, Monitor: Mastering Microsoft Defender ASR with Atomic Techniques in Splunk.”
Lastly, the team created two new analytic stories to help detect tactics and techniques adversaries may use in an effort to exploit Kubernetes environments: the Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring and Kubernetes Security analytic stories.
In November, CVE-2023-47246 was identified to affect on-premise versions of SysAid prior to 23.3.36. The Splunk Threat Research Team tagged detections into a new SysAid On-Prem Software CVE-2023-47246 Vulnerability analytic story to support the identification of initial access and some post-exploitation activities.
Additionally, the team created the CISA AA23-347A analytic story to help detect and investigate activities that may be related to cyber tactics and techniques employed by Russia’s Foreign Intelligence Service (SVR).
January saw the creation of three new analytic stories related to newly-identified exploits. First, the Ivanti Connect Secure VPN Vulnerabilities analytic story includes analytics and hunting queries to support defenders against CVE-2023-46805 (an authentication-bypass vulnerability) and CVE-2024-21887 (a command-injection vulnerability).
Next, the Confluence Data Center and Confluence Server Vulnerabilities analytic story covers use cases for detecting and investigating potential attacks against Confluence Data Center and Confluence Server, such as CVE-2023-22527.
Lastly, the Jenkins Server Vulnerabilities analytic story includes detections to help defend against Jenkins server vulnerabilities, including CVE-2024-2389.
To learn more about these vulnerabilities and detection content, check out the following blogs:
Below you will find an overview of all the security content developed from August-October 2023. Here's a brief table of contents:
NjRAT is a notorious remote access trojan (RAT) predominantly wielded by malicious operators to infiltrate and gain remote control over compromised systems. This analytic story uses targeted searches to uncover and investigate activities that could be indicative of NjRAT’s presence. Check out More Than Just a RAT: Unveiling NjRAT's MBR Wiping Capabilities to learn more!
The Ave Maria RAT, also known as “Warzone RAT,” is a malware that gains unauthorized access to or remote control over a victim’s or targeted computer system. You can read the STRT analysis of the Warzone RAT and find detections in the Warzone RAT analytic story to search for activities related to:
In August, a new nation-state activity group was identified. Tracked as Flax Typhoon and based in China, the group is targeting dozens of organizations in Taiwan. The Flax Typhoon analytic story released by STRT helps identify the tactics, techniques, and procedures (TTPs) associated with this nation-state group.
CERT-UA has unveiled a cyberattack on Ukraine’s energy infrastructure, orchestrated via deceptive emails. In September, the STRT released the Forest Blizzard analytic story to identify these emails, which, once accessed, lead to a multi-stage cyber operation that downloads and executes malicious payloads. This activity has been purportedly linked to APT28 (Fancy Bear), which is in turn linked to Russia’s GRU.
Learn more about Forest Blizzard: Mockbin and the Art of Deception: Tracing Adversaries, Going Headless and Mocking APIs.
Lastly, adversaries may tamper with Subject Interface Packages (SIPs) and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In October, we released the Subvert Trust Controls SIP and Trust Provider Hijacking analytic story to detect and defend against such hijacking.
A critical vulnerability was discovered in ShareFile’s Storage Zones Controller software (CVE-2023-24489). The STRT team released the Citrix ShareFile RCE CVE-2023-24489 analytic story to address this vulnerability.
CVE-2023-22515 was discovered affecting on-premises instances of Confluence Server and Confluence Data Center. The STRT released the Privilege Escalation Vulnerability Confluence Data Center and Server analytic story to detect activity related to the vulnerability.
Additionally, CVE-2023-46747 was identified affecting F5’s BIG-IP Virtual Edition, which could allow remote, unauthenticated attackers to execute system commands. The F5 Authentication Bypass with TMUI analytic story was created to detect and remediate these threats effectively.
In October, CVE-2023-4966 was identified to affect both NetScaler ADC and NetScaler Gateway. The STRT identified that the vulnerability can result in unauthorized data disclosure if exploited and as a result, crafted an analytic story.
Two vulnerabilities were identified in Adobe ColdFusion, known as CVE-2023-29298 & CVE-2023-26360, which allow attackers to access sensitive ColdFusion Administrator endpoints by exploiting a flaw in the URL path validation.
In August, Ivanti Sentry, which enables remote workers to use any mobile device or PC to securely connect, disclosed two vulnerabilities affecting the Ivanti Sentry administration interface and Endpoint Manager Mobile (EPMM) product. The STRT released Ivanti Sentry Authentication Bypass CVE-2023-38035 and Ivanti EPMM Remote Unauthenticated Access to address these vulnerabilities.
Progress Software released on September 27th a critical security advisory covering multiple vulnerabilities in WS_FTP Server, a widely-used secure file transfer solution. The WS FTP Server Critical Vulnerabilities analytic story addresses both CVE-2023-40044 and CVE-2023-42657. These vulnerabilities follow an increase in the use of file sharing programs for malicious intent, especially since the May 2023 ransomware attack, which utilized the MOVEit file sharing application.
Read the blog from STRT highlighting further information about CVE-2023-40044.
Microsoft SharePoint Server vulnerability CVE-2023-29357, identified in September, allows for an elevation of privilege due to improper handling of authentication tokens. The analytic story, Microsoft SharePoint Server Elevation of Privilege, identifies attempts to exploit this vulnerability.
Cisco identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198). The Cisco IOS XE Software Web Management User Interface vulnerability analytic story detects activity of attackers gaining full control of the compromised device and allowing possible subsequent unauthorized activity.
Finally, the STRT team also released:
Adding to our playbook of the month series, the Splunk team showcases how playbooks can improve your approach to threat hunting and investigations. Check out the blog on Investigations with Playbooks to learn how playbooks can perform a general investigation on key aspects of a windows device using windows remote management.
This August also marked the deadline for those in the US Federal Civilian space to meet Enterprise Logging Level 3 requirements as part of the recent M-21-31 OMB Mandate. In light of this, we show how adopting a SOAR Maturity Model can help users meet the technical requirements of the mandate and better align to the MITRE D3FEND framework.
Below you will find an overview of all the security content developed from May-July 2023.
Amadey malware is a botnet that is being utilized as Malware as a Service (MaaS) and distributing malware such as RedLine Stealer. You can read the STRT analysis of Amadey and find detections in the Amadey analytic story to search for activities related to the malware.
In May, The DFIR Report released information on a destructive malware campaign that utilizes Truebot, FlawedGrace and MBR killer malware. The STRT developed the Graceful Wipe Out Attack analytic story to detect and investigate unusual activities related to the campaign.
Vulnerabilities within Active Directory can provide a number of attack paths for attackers. Privilege escalation attacks in Active Directory (AD) typically involve abusing misconfigurations to gain elevated privileges, such as Global Administrator access. Once an attacker has escalated their privileges and taken full control of a tenant, they may abuse every service that leverages AD. Security teams should monitor for privilege escalation attacks in Active Directory to identify breaches before attackers achieve operational success. The Azure Active Directory Privilege Escalation and Active Directory Privilege Escalation analytic stories provide detections to monitor for activities and techniques associated with privilege escalation attacks within Active Directory tenants.
Earlier this year BlackLotus, a UEFI bootkit, was reported for bypassing Secure Boot on Windows 11 systems. The STRT developed the Windows BootKits analytic story to detect and defend against bootkit attacks.
RedLine Stealer malware was making headlines in May for being delivered through display ads and Google Chrome extensions. The STRT provided an analysis of RedLine Stealer in this blog and developed the related analytic story for detecting and investigating unusual activities that can be related to the RedLine Stealer trojan.
CVE-2023-20887 was released in early June for a critical vulnerability impacting VMware Aria Operations for Networks, formerly vRealize Network Insight. To help defend against this vulnerability, the STRT developed an analytic story to detect potential exploitation attempts that align with the characteristics of CVE-2023-20887.
In early June a critical zero-day vulnerability was discovered in the MOVEit Transfer file transfer software and tracked as CVE-2023-34362. The Windows MOVEit Transfer Writing ASPX detection looks for the creation of new ASPX files in the MOVEit Transfer application’s “wwwroot” directory, which is an activity indicative of the MOVEit Transfer vulnerability.
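As an added illustration of that detection logic (example code, not Splunk's own detection search), the following Python flags server-side script files created under an assumed MOVEit Transfer web root in constructed file-creation events:

```python
"""Added example (not Splunk's own detection search): flag new script files
written under the MOVEit Transfer web root, mirroring the logic of the
detection described above. Event shape, paths and the install location are
constructed/assumed here; adjust MOVEIT_WWWROOT to the real deployment."""
from pathlib import PureWindowsPath

# Assumed install location of the MOVEit Transfer web root.
MOVEIT_WWWROOT = r"C:\MOVEitTransfer\wwwroot"
# Server-side script extensions IIS will execute if dropped into the web root.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx"}

def is_within(path, root):
    """Case-insensitive check that path sits below root (not just shares a prefix)."""
    p = str(PureWindowsPath(path)).lower()
    r = str(PureWindowsPath(root)).lower().rstrip("\\") + "\\"
    return p.startswith(r)

def find_webroot_script_writes(events, webroot=MOVEIT_WWWROOT):
    """Return the file-creation events that match the detection logic."""
    hits = []
    for ev in events:
        target = PureWindowsPath(ev["target"])
        if target.suffix.lower() in SCRIPT_EXTENSIONS and is_within(target, webroot):
            hits.append(ev)
    return hits

# Constructed sample of Windows file-creation events (Sysmon Event ID 11 style).
SAMPLE_EVENTS = [
    {"host": "moveit01", "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\MOVEitTransfer\wwwroot\upload.aspx"},
    {"host": "moveit01", "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\MOVEitTransfer\wwwroot\images\logo.png"},
    {"host": "moveit01", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\admin\Documents\notes.aspx"},
    {"host": "moveit02", "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"c:\moveittransfer\WWWROOT\App_Data\shell.ASPX"},
    {"host": "moveit02", "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\MOVEitTransfer\wwwroot_backup\old.aspx"},
]

if __name__ == "__main__":
    for hit in find_webroot_script_writes(SAMPLE_EVENTS):
        print(f"{hit['host']}: {hit['image']} wrote {hit['target']}")
```

The sibling directory `wwwroot_backup` and the user's Documents folder are deliberately excluded, so a loose string-prefix match would over-alert.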
Volt Typhoon is a People’s Republic of China (PRC) state-sponsored cyber actor whose recent activity resulted in a joint Cybersecurity Advisory. The Splunk Threat Research Team developed the Volt Typhoon analytic story with detections to look for suspicious process execution, LOLBin execution, command-line activity and more associated activities that the Volt Typhoon group can use to target critical infrastructure organizations.
CVE-2023-27350 is an authentication bypass vulnerability in the PaperCut NG print management software for which the FBI and CISA issued a joint advisory. The STRT created a blog highlighting information about the vulnerability as well as a corresponding analytic story for defenders to detect associated exploitation attempts and known indicators of compromise.
The Snake implant is a highly advanced cyber espionage tool, developed and employed by Russia's Federal Security Service's (FSB) Center 16 for persistent intelligence gathering on important targets, and it has been identified in over 50 countries. The Splunk Threat Research Team utilized ChatGPT to develop Atomic Simulations and subsequent detections for activities related to Snake malware.
Splunk developed a deep learning based detection that monitors your DNS traffic looking for signs of low throughput DNS exfiltration. The detection has an accuracy of 99.97% ensuring almost all suspicious DNS exfiltration requests are detected.
Most machine learning models investigate only the latest DNS request, without attaching any valuable context from the communication history between the host and the domain. Instead of considering a short time window, which may be insufficient for low throughput DNS exfiltration, we consider a recent history of the past x events. The deep learning model not only creates features to represent the current DNS request but also creates aggregated features over that recent history of events.
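An added example, not the DSDL model itself, of the per-request versus recent-history feature split described above; the window size, the log shape and the traffic are all constructed for this illustration:

```python
"""Added example (not Splunk's DSDL model): per-request plus recent-history
features for DNS queries, the context the text says a single request lacks.
Log format, window size and the sample traffic are all constructed here."""
import math
from collections import defaultdict, deque

WINDOW = 4  # the 'x' most recent events kept per (client, domain); assumed value

def shannon_entropy(s):
    """Bits of entropy per character of the label string."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())

def split_query(qname):
    """(subdomain, registered domain); the last two labels are treated as the
    registered domain, a simplification standing in for a public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def featurize(events, window=WINDOW):
    """One feature row per event, with aggregates over the recent history of
    the same (source host, registered domain) pair, oldest to newest."""
    history = defaultdict(lambda: deque(maxlen=window))
    rows = []
    for ev in events:
        sub, dom = split_query(ev["query"])
        hist = history[(ev["src"], dom)]
        hist.append(sub)
        rows.append({
            "src": ev["src"], "domain": dom,
            "sub_len": len(sub),                       # current request only
            "sub_entropy": round(shannon_entropy(sub), 2),
            "hist_count": len(hist),                   # history aggregates
            "hist_unique_ratio": round(len(set(hist)) / len(hist), 2),
            "hist_total_len": sum(len(s) for s in hist),
        })
    return rows

# Constructed sample: a normal client refreshing one hostname, and a client
# sending many distinct short labels to one domain (low-throughput pattern).
SAMPLE = [{"src": "10.0.0.5", "query": "www.example.com"} for _ in range(6)] + [
    {"src": "10.0.0.9", "query": f"{chunk}.exfil-example.net"}
    for chunk in ["4a7f1c", "9e02b3", "c11d88", "0f5a6e", "7b3c9d", "e2a410"]
]

def latest_rows(events=SAMPLE, window=WINDOW):
    """Map each source host to the feature row of its most recent request."""
    latest = {}
    for row in featurize(events, window):
        latest[row["src"]] = row
    return latest
```

Each exfil label on its own is only six characters long; the history aggregates (every label distinct, total length growing with every query) are what separate it from the benign client.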
The model is deployed using the Splunk App for Data Science and Data Learning (DSDL) and you can find further details in the Detect DNS Data Exfiltration Using Deep Learning blog and the team also recorded an overview of the detection that you can watch here:
Adding to our playbook of the month series, the Splunk team showcases how playbooks can improve your approach to threat hunting and investigations. Check out the blog to learn how playbooks can help you to...
Thanks for reading! Stay tuned for more Content Updates every quarter.