Splunk Security Content for Threat Detection & Response: July Recap
In July, the Splunk Threat Research Team shipped two releases of new security content via the Enterprise Security Content Update (ESCU) app (v5.9.0 and v5.10). Together these releases add 64 new analytics and 7 new analytic stories, available in Splunk Enterprise Security through the ESCU application update process.
Content highlights include:
- Cisco Network Visibility Module (NVM) Analytics: A new analytic story leveraging Cisco NVM telemetry to detect suspicious endpoint network behavior. This release includes 14 new analytics and maps existing detections covering threats such as insecure curl usage, typosquatted Python packages, abuse of native Windows tools like rundll32 and mshta, and anomalous network connections from uncommon or argument-less processes.
- Disk Wiper: A new analytic story focused on identifying destructive malware that irreversibly erases disk data, with tagged detections targeting recursive file deletion and raw access to disk volumes and the primary boot record.
- CrowdStrike EDR Playbook Pack for Splunk SOAR: A new playbook pack that enables automated investigation, enrichment, and response using CrowdStrike Falcon, helping security teams streamline endpoint operations with playbooks for actions like device isolation, process termination, file handling, and denylisting executables.
- Citrix NetScaler CVE-2025-5777 (CitrixBleed 2): A new analytic story addressing CitrixBleed 2, a critical memory disclosure vulnerability actively exploited in the wild since June 2025. This release includes a detection for identifying HTTP requests to the vulnerable /nf/auth/startwebview.do endpoint, helping security teams uncover scanning and exploitation activity targeting Citrix ADC and Gateway appliances. We have also published a detailed technical blog on CitrixBleed 2.
- Microsoft SharePoint Vulnerabilities: A new analytic story focused on detecting exploitation attempts related to CVE-2025-53770, a vulnerability in the ToolPane.aspx endpoint of Microsoft SharePoint. This story includes detections for suspicious requests to the vulnerable endpoint, GET activity to known malicious webshells like spinstall0.aspx, and file creation events indicative of webshell deployment, helping identify both initial exploitation and post-exploitation activity.
- ESXi Post-Compromise Activity: A new analytic story focused on detecting attacker behavior after initial access to ESXi environments. This story includes 24 detections for actions such as VM termination, reverse shells, SSH brute force, system clock tampering, audit log wiping, unauthorized user elevation, and malicious VIB installations, providing broad coverage for common post-compromise tactics.
- Cisco Duo Suspicious Activity: A new analytic story to detect unusual or risky administrative behavior and insecure policy configurations in Cisco Duo environments. This release includes 14 detections covering unusual admin logins by browser, OS, or country, generation of bypass codes, and policy settings that allow risky behavior like skipping 2FA, allowing tampered devices, or permitting outdated Java/Flash use.
- Quasar RAT: A new analytic story focused on detecting activity related to Quasar RAT, a widely used open-source remote access Trojan known for credential theft, surveillance, and lateral movement. This story maps over 20 existing detections to Quasar techniques and adds three new detections targeting unusual access to sensitive configuration and credential storage locations such as FileZilla XML configs, IntelliForms registry entries, and Mozilla NSS libraries, enabling better visibility into post-exploitation behavior and stealthy credential harvesting.
For all our tools and security content, please visit research.splunk.com.