Looking for the latest Splunk security content? You’ve come to the right place! This page is updated quarterly with all the latest security content details.
This blog post covers all the security content developed May-July 2023. Jump straight to the updates below, or read on to learn more about:
- How Splunk develops security content
- The types of content we deliver
- How to access security content
Splunk continuously monitors the threat landscape to develop, test, and deliver security content in the form of detection searches, ML detections, and SOAR playbooks to help identify and respond to vulnerabilities and cyber attacks within your environment.
Types of Security Content
Splunk provides a variety of security content, all of which is designed to help you make the most of your Splunk environment.
All detection searches relevant to a particular threat are packaged in the form of analytic stories (also known as use cases). All analytic stories are housed in two areas: the Splunk Security Content website and our Security Content GitHub repository.
Machine Learning Detections
Machine and deep learning detections are created to learn from data, identify patterns, and make decisions to help alert you to threats and anomalous behavior buried within vast amounts of data.
SOAR Playbook Packs
A collection of pre-built automation playbooks that are designed to help users tackle specific use cases.
How To Get Security Content
Take advantage of security content through the Enterprise Security Content Update (ESCU) app or the Splunk Security Essentials (SSE) app. Both apps allow you to deploy over 1,300 out-of-the-box searches to start detecting, investigating and responding to threats. Pre-built Splunk SOAR playbooks can be found on https://research.splunk.com/playbooks/.
And with that information, we can move on to the latest content. Let's take a look!
Below you will find an overview of all the security content developed from May-July 2023.
Adversary Tradecraft Analytic Stories
Amadey malware is a botnet that is being utilized as Malware as a Service (MaaS) and distributes malware such as RedLine Stealer. You can read the STRT analysis of Amadey and find detections in the Amadey analytic story to search for activities related to the malware.
In May, The DFIR Report released information on a destructive malware campaign that utilizes Truebot, FlawedGrace and MBR killer malware. The STRT developed the Graceful Wipe Out Attack analytic story to detect and investigate unusual activities related to the campaign.
Vulnerabilities within Active Directory can provide a number of attack paths for attackers. Privilege escalation attacks in Active Directory (AD) typically involve abusing misconfigurations to gain elevated privileges, such as Global Administrator access. Once an attacker has escalated their privileges and taken full control of a tenant, they may abuse every service that leverages AD. Security teams should monitor for privilege escalation attacks in Active Directory to identify breaches before attackers achieve operational success. The Azure Active Directory Privilege Escalation and Active Directory Privilege Escalation analytic stories provide detections to monitor for activities and techniques associated with privilege escalation attacks within Active Directory tenants.
Earlier this year BlackLotus, a UEFI bootkit, was reported for bypassing Secure Boot on Windows 11 systems. The STRT developed the Windows BootKits analytic story to detect and defend against bootkit attacks.
Ransomware Analytic Story
RedLine Stealer malware was making headlines in May for being delivered through display ads and Google Chrome extensions. The STRT provided an analysis of RedLine Stealer in this blog and developed the related analytic story for detecting and investigating unusual activities that can be related to the RedLine Stealer trojan.
Emerging Threats Analytic Stories
CVE-2023-20887 was released in early June for a critical vulnerability impacting VMware Aria Operations for Networks, formerly vRealize Network Insight. To help defend against this vulnerability, the STRT developed an analytic story to detect potential exploitation attempts that align with the characteristics of CVE-2023-20887.
In early June a critical zero-day vulnerability was discovered in the MOVEit Transfer file transfer software and tracked as CVE-2023-34362. The Windows MOVEit Transfer Writing ASPX detection looks for the creation of new ASPX files in the MOVEit Transfer application’s “wwwroot” directory, which is an activity indicative of the MOVEit Transfer vulnerability.
Volt Typhoon is a People’s Republic of China (PRC) state-sponsored cyber actor whose recent activity resulted in a joint Cybersecurity Advisory. The Splunk Threat Research Team developed the Volt Typhoon analytic story with detections that look for suspicious process execution, LOLBin execution, command-line activity and other associated activities that the Volt Typhoon group can use to target critical infrastructure organizations.
CVE-2023-27350 is an authentication bypass vulnerability in the PaperCut NG print management software for which the FBI and CISA issued a joint advisory. The STRT created a blog highlighting information about the vulnerability as well as a corresponding analytic story for defenders to detect associated exploitation attempts and known indicators of compromise.
The Snake implant is a highly advanced cyber espionage tool, developed and employed by Russia's Federal Security Service's (FSB) Center 16 for persistent intelligence gathering on important targets, and it has been identified in over 50 countries. The Splunk Threat Research Team utilized ChatGPT to develop Atomic Simulations and subsequent detections for activities related to Snake malware.
Machine Learning Detection
Splunk developed a deep learning-based detection that monitors your DNS traffic looking for signs of low throughput DNS exfiltration. The detection has an accuracy of 99.97%, ensuring almost all suspicious DNS exfiltration requests are detected.
Most machine learning models investigate the latest DNS request without attaching any valuable context of communication history between the host and the domain. Instead of considering a short time window, which may be insufficient for low throughput DNS exfiltration, we consider a recent history of the past 'x' events. The deep learning model not only creates features to represent the current DNS request but also creates aggregated features over the recent history of events.
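To make the history-window idea concrete, the following is an added example, not Splunk's model or code: it builds per-request features plus aggregates over the last x events for each (host, domain) pair. The feature names, the window size of 5, the naive two-label domain split, the sample events and the threshold rule standing in for the deep learning model are all assumptions.

```python
import math
from collections import Counter, defaultdict, deque

HISTORY = 5  # assumed value for the 'x' past events kept per (host, domain)

def shannon_entropy(s):
    """Bits per character of s; 0.0 for an empty string."""
    n = len(s)
    return sum(c / n * math.log2(n / c) for c in Counter(s).values()) if n else 0.0

def split_query(qname, base_labels=2):
    """Naive split into (subdomain, domain); assumes a two-label registered domain."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-base_labels]), ".".join(labels[-base_labels:])

def extract_features(events, history=HISTORY):
    """One row per DNS event: current-request features plus history aggregates."""
    windows = defaultdict(lambda: deque(maxlen=history))
    rows = []
    for src, qname in events:
        sub, domain = split_query(qname)
        window = windows[(src, domain)]
        window.append(sub)  # history includes the current request
        rows.append({
            "src": src, "domain": domain,
            "cur_len": len(sub),
            "cur_entropy": round(shannon_entropy(sub), 3),
            "hist_events": len(window),
            "hist_unique_subs": len(set(window)),
            "hist_total_chars": sum(len(s) for s in window),
            "hist_mean_entropy": round(
                sum(shannon_entropy(s) for s in window) / len(window), 3),
        })
    return rows

def flag_low_throughput(rows, min_events=HISTORY, min_chars=60):
    """Stand-in threshold rule (assumption): every query in a full window is
    unique and the window as a whole carried at least min_chars characters."""
    return sorted({(r["src"], r["domain"]) for r in rows
                   if r["hist_events"] >= min_events
                   and r["hist_unique_subs"] == r["hist_events"]
                   and r["hist_total_chars"] >= min_chars})

SAMPLE_EVENTS = (  # constructed (src, qname) pairs, in time order
    [("10.0.0.5", "www.example.com")] * 5
    + [("10.0.0.7", f"{s}.example.org") for s in ("www", "mail", "api", "cdn", "img")]
    + [("10.0.0.9", f"{s}.example.net") for s in (
        "a1f3c9e07b2d44", "09bc7e1d5f3a82", "7d2e90af13c6b5",
        "c4481fe2a07d93", "5b60d3e9f1a27c")]
)
```

Each request from 10.0.0.9 carries only 14 characters, so a rule looking at the current request alone has little to work with; the 70 characters spread over five unique names only show up in the aggregated columns.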
The model is deployed using the Splunk App for Data Science and Data Learning (DSDL). You can find further details in the Detect DNS Data Exfiltration Using Deep Learning blog, and the team also recorded an overview of the detection that you can watch below.
Adding to our playbook of the month series, the Splunk team showcases how playbooks can improve your approach to threat hunting and investigations. Check out the blog to learn how playbooks can help you to...
- Automatically hunt for indicators of compromise.
- Identify those threats in your environment.
- Learn the details of the affected machine.
- Better explore the affected file system.
Previous Security Content Roundups
Looking for previous security content updates? Check out the previous quarters of security content roundups from the Splunk Threat Research Team. Stay tuned to that page and this one; we're updating them every quarter!