Splunk Security Content for Threat Detection & Response: May 2025 Update

Looking for the latest Splunk security content? You’ve come to the right place! This page is updated quarterly with all the latest security content details. 

This blog post covers security content developed February 2025 - April 2025. Jump straight to the updates below, or read on to learn more about:

• How Splunk develops security content
• The types of content we deliver
• How to access security content

See the latest Splunk Security Content >

Splunk continuously monitors the threat landscape to develop, test, and deliver security content to help identify and respond to vulnerabilities and cyber attacks within your environment.  

Types of Security Content 

Splunk provides a variety of security content, all of which is designed to help you make the most of your Splunk environment. This includes:

Detections

Splunk’s out-of-the-box detection searches are created to help identify patterns and alert you to threats and anomalous behavior. 

Analytic Stories

All detection searches relevant to a particular threat are packaged in the form of analytic stories (also known as use cases).

SOAR Playbook Packs 

A collection of pre-built automation playbooks that are designed to help users tackle specific use cases.

How To Get Security Content

Take advantage of security content in two ways: 

• Enterprise Security Content Update (ESCU) app 
• Splunk Security Essentials (SSE) app

Both apps allow you to deploy the over 1,900 out-of-the-box searches to start detecting, investigating and responding to threats. You can also view the full security content repository by visiting research.splunk.com.

And with that information, we can move onto the latest content. Let's take a look!

Splunk Security Content: February 2025 - April 2025

Below you will find a brief table of contents, followed by an overview of the security content developed from February 2025 - April 2025.

Table of Contents

Adversary Tradecraft Analytic Stories

• Remote Monitoring and Management Software (External Contributor: @nterl0k)
  
• Seashell Blizzard
  
• AWS Bedrock Security
  
• Earth Alux
  
• Storm-2460 CLFS Zero Day Exploitation
  
• Water Gamayun
• China-Nexus Threat Activity

Emerging Threats Analytic Stories

• Cisco Secure Firewall Threat Defense Analytics
• SnappyBee
• Cactus Ransomware
• Salt Typhoon
• Termite Ransomware
• VanHelsing Ransomware
• AWS S3 Bucket Security Monitoring
• Apache Tomcat Session Deserialization Attacks
• ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day (Contributor: @AJ King, @Jesse Hunter)
• Medusa Ransomware
• Security Solution Tampering
• Windows Audit Policy Tampering
• Black Basta Ransomware
• GitHub Malicious Activity
• SQL Server Abuse
• SystemBC
• PHP-CGI RCE Attack on Japanese Organizations

Overview: Adversary Tradecraft Analytic Stories

The Splunk Threat Research Team created several new analytic stories to help identify activity related to various malware threats:

• Seashell Blizzard: a threat actor known for targeting organizations globally through a sophisticated campaign leveraging Exchange Server vulnerabilities, custom tools, and living-off-the-land techniques for persistent access and data collection.

• AWS Bedrock Security adversaries with compromised AWS credentials can exploit Bedrock services and associated resources to perform malicious activities, extract sensitive data, or disrupt operations.

• Earth Alux a sophisticated espionage threat actor targeting government, technology, logistics, manufacturing, telecommunications, and IT services sectors primarily in the APAC region and Latin America, using advanced techniques for information theft through a combination of webshells, process injection, DLL side-loading, and credential theft.

• Storm-2460, a sophisticated threat actor, has been observed exploiting a zero-day vulnerability in the Windows Common Log File System (CLFS) driver. The attack begins with the exploitation of the CLFS driver vulnerability, which allows the threat actor to gain initial access to the target system

• Water Gamayun: a threat actor that has been active since at least late 2023. They target organizations primarily in the telecommunications and financial sectors through a combination of sophisticated techniques and custom malware.

• China-Nexus Threat Activity, a state-nexus threat group or adversary known to target the telecommunications and technology sectors in multiple countries, including the US, to maintain sustained access as well as conduct espionage. 

Additionally, the team released Remote Monitoring and Management Software to help users analyze unauthorized remote monitoring & management (RMM) tool usage, including detection of 3rd-party software installations like AnyDesk and TeamViewer through phishing/drive-by compromises.

Overview: Emerging Threats Analytic Stories

The team released new analytic stories and detections to enhance coverage for Apache Tomcat Session Deserialization Attacks and Windows shortcut exploit abuse (ZDI-CAN-25373), as well as  expanded ransomware mappings to track emerging threats like Medusa and Salt Typhoon.

The STRT published a new analytic story and added new detections for Cisco Secure Firewall focusing on three primary event types—file events, network connections, and intrusion alerts. These detections identify activity such as malicious or uncommon file downloads, connections over suspicious ports or to file-sharing domains, and Snort rule-based intrusion events across multiple hosts. This enables broader visibility into network-based threats and host-level indicators of compromise.

A new analytic story focusing on GitHub Malicious Activity helps detect potential security risks and policy violations in GitHub Enterprise and GitHub Organizations. This includes detections for disabling 2FA requirements, modifying or pausing audit log event streams, deleting repositories, disabling security features like Dependabot and branch protection rules, and registering unauthorized self-hosted runners—helping organizations prevent unauthorized changes and account takeovers.

The team introduced a new analytic story targeting SQL Server exploitation tactics. These detections cover malicious SQLCMD execution, abuse of xp_cmdshell, unauthorized configuration changes, and the loading of potentially dangerous extended procedures. This enhanced monitoring helps organizations detect lateral movement and privilege escalation attempts in Windows-based SQL environments.

To add addresses the risks associated with S3 bucket misconfigurations and potential hijacking of decommissioned buckets, this story includes baselines and detections that track public S3 buckets before deletion, monitor access attempts to these bucket names, and identify potential hijacking activities, leveraging AWS CloudTrail logs, DNS queries, and web proxy data to ensure robust monitoring and security.

A new analytic story, which includes new detections focused on identifying tampering activities with Cisco Secure Endpoint services cover techniques such as inhibiting system recovery and disabling or modifying security tools, enhancing our ability to detect and respond to potential security threats.

The team also published the following blogs:

• Infostealer Campaign against ISPs
• Cloak and Firewall: Exposing Netsh’s Hidden Command Tricks
• Sinister SQL Queries and How to Catch Them

Previous Security Content Roundups

Looking for previous security content updates? Check out the previous quarters of security content roundups from the Spunk Threat Research Team. Stay tuned to that page and this one — we're updating them every quarter!