Splunk Security Content for Threat Detection & Response: September Recap
Splunk Threat Research Team

In September, the Splunk Threat Research Team had three releases of new security content via the Enterprise Security Content Update (ESCU) app (v5.14.0, v5.15.0, v5.15.2). With these releases, there are 21 new analytics and 7 new analytic stories now available in Splunk Enterprise Security via the ESCU application update process.
Content highlights include:
- New Suspicious Cisco Adaptive Security Appliance Activity analytic story. The new story turns ASA/FTD perimeter telemetry into early warnings for logging suppression, unauthorized configuration changes, anomalous connection patterns, sudden syslog volume drops, and potential C2, strengthening visibility on edge devices where EDR coverage is limited. These improvements provide clearer, more trustworthy alerts and dashboards, faster edge-device triage, and stronger confidence that defenders' controls map correctly to real-world techniques.
- Cisco ASA coverage for the ArcaneDoor campaign. These detections, developed in conjunction with Cisco Talos, deliver high-signal visibility at the network edge, an area that typically sits outside EDR. Built around the real-world exploit path against the ASA VPN web services, covering CVE-2025-20333 (RCE), CVE-2025-20362 (unauthorized/privileged access), and the newly disclosed CVE-2025-20363, this story focuses on what intruders actually do on ASA/Secure Firewall during and after exploitation (logging suppression and post-exploitation signals), with refreshed Snort/Intrusion mappings for hunting and triaging.
- Introduced new detections for the LAMEHUG malware, which leverages outbound requests to Hugging Face APIs (e.g., Qwen 2.5-Coder-32B-Instruct) to generate AI-driven Windows command chains. Common behaviors include execution of systeminfo, net start, tasklist, dsquery, and recursive file copy operations into %ProgramData%\info\. Initial delivery vectors often involve phishing ZIPs with .pif binaries disguised as PDF or image viewers.
- The Team tagged relevant existing content to cover behaviors associated with ObjectivyStealer, a stealthy information-stealing malware targeting web browsers, messaging apps, cryptocurrency wallets, and local system files. It evades detection by operating from user profile or temp directories and maintains persistence using registry run keys or scheduled tasks. This mapping enhances detection of credential theft, session hijacking, and encrypted exfiltration to remote C2 infrastructure.
- Secret Blizzard: Added detections for suspicious use of certutil.exe to install root certificates from temp directories using the -addstore root command. This tactic, seen in post-exploitation scenarios, may be used to intercept HTTPS traffic, impersonate trusted services, or bypass endpoint defenses. These analytics detect certificate installation from .tmp files, use of the -f (force) and -Enterprise flags, and other high-risk trust modifications that can lead to persistent compromise.
- Introduced a new analytic story focused on detecting NotDoor, a malicious Outlook macro backdoor linked to APT28 (Fancy Bear). This story adds detections for suspicious Outlook macro creation, persistence via LoadMacroProviderOnBoot, and disabling of security dialogs, all techniques leveraged by NotDoor to exfiltrate data, upload files, and execute remote commands via email-based triggers.
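As an added example (not part of the original post and not Splunk's ESCU content), the certutil detection logic described in the Secret Blizzard item above, implemented in Python and run over constructed process-creation events: it flags `certutil -addstore root` invocations, scores them higher when the input file comes from a temp directory or is a `.tmp` file, and records the `-f` / `-Enterprise` flags. The field names (`host`, `user`, `process_name`, `process`) mirror the Endpoint.Processes-style fields Splunk analytics use but are assumptions here, as are the temp-path patterns and the severity tiers.

```python
"""Added example: certutil root-store install detector over constructed process events.

This is illustrative code, not the ESCU analytic. Field names, temp-path patterns
and severity tiers are assumptions chosen for the example.
"""
import re

CERTUTIL_NAMES = {"certutil.exe", "certutil"}
# Assumed temp-location patterns; extend for your environment.
TEMP_PATH_RE = re.compile(r"(\\temp\\|\\tmp\\|%temp%|%tmp%)", re.IGNORECASE)
# Flags called out in the write-up: force overwrite and enterprise (machine-wide) store.
HIGH_RISK_FLAGS = {"-f", "-enterprise"}


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted paths together and dropping quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def analyze_certutil(event):
    """Return a finding dict for a certutil root-store install, or None if not applicable."""
    name = event.get("process_name", "").rsplit("\\", 1)[-1].lower()
    if name not in CERTUTIL_NAMES:
        return None
    tokens = tokenize(event.get("process", ""))
    # certutil accepts both -switch and /switch; normalise to lowercase "-switch".
    norm = [("-" + t[1:]).lower() if t[:1] in "-/" and len(t) > 1 else t for t in tokens]
    if "-addstore" not in norm:
        return None
    idx = norm.index("-addstore")
    # Syntax: certutil [options] -addstore [-f] [-enterprise] StoreName InFile
    positional = [t for t in tokens[idx + 1:] if t[:1] not in "-/"]
    if len(positional) < 2:
        return None  # malformed: no store name / input file to reason about
    store, infile = positional[0].lower(), positional[1]
    if store != "root":
        return None  # only the Trusted Root store is in scope for this example
    flags = {t for t in norm if t.startswith("-")}
    risky = sorted(flags & HIGH_RISK_FLAGS)
    from_temp = bool(TEMP_PATH_RE.search(infile)) or infile.lower().endswith(".tmp")
    if from_temp and risky:
        severity = "high"
    elif from_temp or risky:
        severity = "medium"
    else:
        severity = "low"
    return {
        "host": event.get("host"),
        "user": event.get("user"),
        "store": store,
        "infile": infile,
        "risky_flags": risky,
        "from_temp": from_temp,
        "severity": severity,
    }


def run_detection(events):
    """Apply analyze_certutil to every event and keep only the findings."""
    return [f for f in (analyze_certutil(e) for e in events) if f]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\alice",
     "process_name": "C:\\Windows\\System32\\certutil.exe",
     "process": 'certutil.exe -addstore -f -Enterprise root "C:\\Users\\alice\\AppData\\Local\\Temp\\ab12.tmp"'},
    {"host": "WS02", "user": "CORP\\bob",
     "process_name": "C:\\Windows\\System32\\certutil.exe",
     "process": "certutil /addstore root C:\\Windows\\Temp\\ca.cer"},
    {"host": "WS03", "user": "CORP\\carol",
     "process_name": "C:\\Windows\\System32\\certutil.exe",
     "process": "certutil.exe -hashfile C:\\Users\\carol\\setup.exe SHA256"},
    {"host": "WS04", "user": "CORP\\dave",
     "process_name": "C:\\Windows\\System32\\certutil.exe",
     "process": "certutil.exe -addstore My C:\\Users\\dave\\Documents\\user.cer"},
]

if __name__ == "__main__":
    for finding in run_detection(SAMPLE_EVENTS):
        print(finding)
```

Running the block yields two findings: the WS01 event is rated high (temp `.tmp` input plus `-f` and `-Enterprise`), the WS02 event is rated medium (root store from `C:\Windows\Temp` without force flags), while the `-hashfile` use and the install into the personal `My` store produce nothing. Tuning the temp patterns and store list to the environment is the main knob for keeping false positives down.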
The team also published a blog focusing on audit logs and Microsoft Office 365 Copilot activity logs using the Splunk Add-on for Microsoft Office 365. This add-on allows Splunk to pull service status, service messages, and management activity logs from the Office 365 Management API.
For all our tools and security content, please visit research.splunk.com.