Detecting Remcos Tool Used by FIN7 with Splunk
The following is a walkthrough of Remcos executed via Attack Range Local. We will go over some of the multiple and intrusive operations this remote access tool can execute at compromised hosts.
FIN7 Tools Resurface in the Field – Splinter or Copycat?
The Splunk Threat Research team addresses the two tools used by the well-organized and highly-skilled criminal group FIN7 — JSS Loader and Remcos.
Detecting IcedID... Could It Be A Trickbot Copycat?
IcedID is a trojan that has been used in recent malicious campaigns and with new defense bypass methods.
Active Directory Discovery Detection: Threat Research Release, September 2021
In this blog post, we’ll walk you through this analytic story, demonstrate how we can simulate these attacks using PoshC2 & PurpleSharp to then collect and analyze the resulting telemetry to test our detections.
Investigating GSuite Phishing Attacks with Splunk
Splunk Threat Research Team (STRT) recently observed a phishing campaign using GSuite Drive file-sharing as a phishing vector. Learn more and deploy detections to prevent them in your environment.
Hunting for Malicious PowerShell using Script Block Logging
The Splunk Threat Research Team recently began evaluating ways to generate security content using native Windows event logging regarding PowerShell Script Block Logging to assist enterprise defenders in finding malicious PowerShell scripts.
PowerShell Detections — Threat Research Release, August 2021
Adversaries are using PowerShell attacks, but luckily the Splunk Threat Research Team (STRT) has developed PowerShell analytics for Splunk by using the Splunk Attack Range to collect the generated logs, and hunt for suspicious PowerShell.
Threat Advisory: Telegram Crypto Botnet STRT-TA01
The Splunk Threat Research Team (STRT) has detected the resurface of a Crypto Botnet using Telegram, a widely used messaging application that can create bots and execute code remotely. Learn more about the indicators of the botnet operation and use our pre-built and tested detections to find them in your environment.
Trickbot Detections: Threat Research Release, July 2021
The Splunk Threat Research Team (STRT) addressed Trickbot in the July release. Trickbot is a very popular crimeware carrier (Trojan) associated with current campaigns.
Conti Threat Research Update and Detections
In this blog, the Splunk Threat Research team will show you how to use Splunk Attack Range to simulate cyber attacks from the Conti Ransomware group. It will also have pre-built detections that you can use to detect them in your environment.
Detecting SeriousSAM CVE-2021-36934 With Splunk
SeriousSAM or CVE-2021-36934 is a Privilege Escalation Vulnerability. The Splunk Threat Research team recommends performing an assessment to better understand the impact of this vulnerability in corporate environments.
Detecting Trickbot with Splunk
The Splunk Threat Research Team has assessed several samples of Trickbot, a popular crimeware carrier that allows malicious actors to deliver multiple types of payloads. Use our pre-built Splunk detections to detect Trickbots.
Data Exfiltration Detections: Threat Research Release, June 2021
Check out detections from the Splunk Threat Research team to detect data exfiltration – also known as data extrusion, data exportation, and data theft – in your environment.
REvil Ransomware Threat Research Update and Detections
On July 2, 2021, REvil group used Kaseya to distribute malware to its on-premises customers. Splunk has pushed out guidance to help understand and detect REvil. Learn more about the REvil ransomeware group, their tactics, and how to detect them using Splunk.
I Pity the Spool: Detecting PrintNightmare CVE-2021-34527
Read on for details around Detect PrintNightmare (CVE-2021-34527), a critical vulnerability that affects the Print Spooler service and can perform remote code execution.
Detecting Password Spraying Attacks: Threat Research Release May 2021
The Splunk Threat Research team walks you through a new analytic story to help SOC analysts detect adversaries executing password spraying attacks, and highlights a few detections from the May 2021 releases.
DarkSide Ransomware: Splunk Threat Update and Detections
Splunk Threat Research Team (STRT) replicated the DarkSide Ransomware Attack and has released an Analytic Story with several detection searches directed at community shared IOCs.
Clop Ransomware Detection: Threat Research Release, April 2021
Discover how the Splunk Threat Research Team focused their research efforts on Clop Ransomware detections to help organizations detect abnormal behavior faster before it becomes detrimental.
