Splunk Threat Research Team
Dark Crystal RAT Agent Deep Dive
The Splunk Threat Research Team (STRT) analyzed and developed Splunk analytics for this RAT to help defenders identify signs of compromise within their networks.
Deliver a Strike by Reversing a Badger: Brute Ratel Detection and Analysis
The Splunk Threat Research Team shares how they utilized public research to capture Brute Ratel Badgers (agents) and create a Yara rule to help identify more on VirusTotal.
Machine Learning in Security: NLP Based Risky SPL Detection with a Pre-trained Model
The Splunk Threat Research Team shares a closer look at a hunting analytic and two machine learning-based detections that help find users running highly suspicious risky SPL commands.
Follina for Protocol Handlers
The Splunk Threat Research Team shares how to identify protocol handlers on an endpoint, different ways to simulate adversary tradecraft that utilizes a protocol handler, and a piece of inspiring hunting content to help defenders identify protocol handlers being used in their environment.
AppLocker Rules as Defense Evasion: Complete Analysis
The Splunk Threat Research Team analyzes 'Azorult loader' (a payload that imports its own AppLocker rules) to understand the tactics and techniques that may help defend against these types of threats.
ML Detection of Risky Command Exploit
Discover how to use machine learning algorithms to develop methods for detecting misuse or abuse of risky SPL commands to further pinpoint a true security threat.
Introducing Splunk Attack Range v2.0
The Splunk Attack Range project has officially reached the v2.0 release with a host of new features – get all the details from the Splunk Threat Research Team.
Threat Update: Industroyer2
The Splunk Threat Research Team offers an analysis of relevant detection opportunities of one of the new malicious payloads found by the Ukranian CERT named 'Industroyer2.'
Threat Update: AcidRain Wiper
The Splunk Threat Research Team shares the details on the new malicious payload named AcidRain, designed to wipe modem or router devices (CPEs).
Springing 4 Shells: The Tale of Two Spring CVEs
The Splunk Threat Research Team (STRT) shares detection opportunities in different stages of successful Spring4Shell exploitation.
Detecting Active Directory Kerberos Attacks: Threat Research Release, March 2022
Learn more about the Splunk Threat Research Team's new analytic story to help SOC analysts detect adversaries abusing the Kerberos protocol to attack Windows Active Directory environments
Threat Update: Cyclops Blink
The Splunk Threat Research Team shares the latest on the payload named Cyclops Blink, which seems to target Customer Premise Equipment devices (CPE) generally prevalent in commercial and residential locations enabling internet connectivity.
CI/CD Detection Engineering: Dockerizing for Scale, Part 4
Get the latest from the Splunk Threat Research Team on CI/CD Detection Engineering.
STRT-TA03 CPE - Destructive Software
The Splunk Threat Research Team is monitoring several malicious payloads targeting Customer Premise Equipment (CPE) devices. These are defined as devices that are at customer (Commercial, Residential) premises and that provide connectivity and services to the internet backbone
You Bet Your Lsass: Hunting LSASS Access
Dive in as the Splunk Threat Research Team shares how Mimikatz, and a few other tools found in Atomic Red Team, access credentials via LSASS memory.
Threat Update: CaddyWiper
Get a breakdown of the features of the new malicious payload used against Ukraine, CaddyWiper.
Living Off The Land: Threat Research February 2022 Release
In this February 2022 release, the Splunk Threat Research Team (STRT) focused on comparing currently created living off the land security content with Sigma and the LOLBas project.
Threat Update DoubleZero Destructor
The Splunk Threat Research Team shares a closer look at a new malicious payload named DoubleZero Destructor (CERT-UA #4243).
