Hunting for Malicious PowerShell using Script Block Logging
The Splunk Threat Research Team recently began evaluating ways to generate security content using native Windows event logging regarding PowerShell Script Block Logging to assist enterprise defenders in finding malicious PowerShell scripts.
PowerShell Detections — Threat Research Release, August 2021
Adversaries are using PowerShell attacks, but luckily the Splunk Threat Research Team (STRT) has developed PowerShell analytics for Splunk by using the Splunk Attack Range to collect the generated logs, and hunt for suspicious PowerShell.
Threat Advisory: Telegram Crypto Botnet STRT-TA01
The Splunk Threat Research Team (STRT) has detected the resurface of a Crypto Botnet using Telegram, a widely used messaging application that can create bots and execute code remotely. Learn more about the indicators of the botnet operation and use our pre-built and tested detections to find them in your environment.
Trickbot Detections: Threat Research Release, July 2021
The Splunk Threat Research Team (STRT) addressed Trickbot in the July release. Trickbot is a very popular crimeware carrier (Trojan) associated with current campaigns.
Conti Threat Research Update and Detections
In this blog, the Splunk Threat Research team will show you how to use Splunk Attack Range to simulate cyber attacks from the Conti Ransomware group. It will also have pre-built detections that you can use to detect them in your environment.
Detecting SeriousSAM CVE-2021-36934 With Splunk
SeriousSAM or CVE-2021-36934 is a Privilege Escalation Vulnerability. The Splunk Threat Research team recommends performing an assessment to better understand the impact of this vulnerability in corporate environments.
Detecting Trickbot with Splunk
The Splunk Threat Research Team has assessed several samples of Trickbot, a popular crimeware carrier that allows malicious actors to deliver multiple types of payloads. Use our pre-built Splunk detections to detect Trickbots.
Data Exfiltration Detections: Threat Research Release, June 2021
Check out detections from the Splunk Threat Research team to detect data exfiltration – also known as data extrusion, data exportation, and data theft – in your environment.
REvil Ransomware Threat Research Update and Detections
On July 2, 2021, REvil group used Kaseya to distribute malware to its on-premises customers. Splunk has pushed out guidance to help understand and detect REvil. Learn more about the REvil ransomeware group, their tactics, and how to detect them using Splunk.
I Pity the Spool: Detecting PrintNightmare CVE-2021-34527
Read on for details around Detect PrintNightmare (CVE-2021-34527), a critical vulnerability that affects the Print Spooler service and can perform remote code execution.
Detecting Password Spraying Attacks: Threat Research Release May 2021
The Splunk Threat Research team walks you through a new analytic story to help SOC analysts detect adversaries executing password spraying attacks, and highlights a few detections from the May 2021 releases.
DarkSide Ransomware: Splunk Threat Update and Detections
Splunk Threat Research Team (STRT) replicated the DarkSide Ransomware Attack and has released an Analytic Story with several detection searches directed at community shared IOCs.
Clop Ransomware Detection: Threat Research Release, April 2021
Discover how the Splunk Threat Research Team focused their research efforts on Clop Ransomware detections to help organizations detect abnormal behavior faster before it becomes detrimental.
Introducing Splunk Attack Range v1.0
The Splunk Attack Range project has officially reached the v1.0 release – read on to learn how we got here, what features we’ve built for v1.0 and what the future looks like for Splunk Attack Range.
Detecting Clop Ransomware
As ransomware campaigns continue, malicious actors introduce different modus operandi to target their victims. In this blog, we’ll be taking a look at the Clop ransomware. This crimeware was discovered in 2019 and is said to be used for an attack that demanded one of the highest ransom amounts in recorded history.
Detecting AWS IAM Privilege Escalation
The Splunk Threat Research team develops security research to help SOC analysts detect adversaries attempting to escalate their privileges and gain elevated access to AWS resources. Learn how we simulate these attacks using Atomic Red Team, collect and analyze the AWS cloudtrail logs, and utilize pre-packaged Splunk detections to detect these threats.
Cloud Federated Credential Abuse & Cobalt Strike: Threat Research February 2021
Learn about the latest emerging threats, such as Cloud Federated Credential Abuse and Cobalt Strike, where bad actors are abusing credential privileges in cloud environments to gain unauthorized access.
MSHTA and MSBuild Cat Jam: Threat Research Release January 2021
Splunk's Security Research team was busy this past quarter generating attack data for 80% of all our detections. A step forward in validating and testing our security content and ensuring we can continually test detections via continuous integration and continuous delivery (CI/CD).
