Security

August 26, 2025

5 Minute Read

Splunk Security Content for Threat Detection & Response: August 2025 Update

Looking for the latest Splunk security content? You’ve come to the right place! This page is updated quarterly with all the latest security content details.

This blog post covers security content developed covers security content developed May 2025 - July 2025. Jump straight to the updates below, or read on to learn more about:

How Splunk develops security content
The types of content we deliver
How to access security content

See the latest Splunk Security Content >

Splunk continuously monitors the threat landscape to develop, test, and deliver security content to help identify and respond to vulnerabilities and cyber attacks within your environment.

Types of Security Content

Splunk provides a variety of security content, all of which is designed to help you make the most of your Splunk environment. This includes:

Detections

Splunk’s out-of-the-box detection searches are created to help identify patterns and alert you to threats and anomalous behavior.

Analytic Stories

All detection searches relevant to a particular threat are packaged in the form of analytic stories (also known as use cases).

SOAR Playbook Packs

A collection of pre-built automation playbooks that are designed to help users tackle specific use cases.

How To Get Security Content

Take advantage of security content in two ways:

Both apps allow you to deploy the over 1,900 out-of-the-box searches to start detecting, investigating and responding to threats. You can also view the full security content repository by visiting research.splunk.com.

And with that information, we can move onto the latest content. Let's take a look!

Splunk Security Content: May 2025 - July 2025

Below you will find a brief table of contents, followed by an overview of the security content developed from May 2025 - July 2025.

Adversary Tradecraft Analytic Stories

Emerging Threats Analytic Stories

Overview: Adversary Tradecraft Analytic Stories

The Splunk Threat Research Team created several new analytic stories to help identify activity related to various malware threats:

Cisco and Splunk: Better Together

Cisco Secure Firewall - Remote Access Software Usage Traffic detects network traffic associated with known remote access software applications that are covered by Cisco Secure Firewall Application Detectors, such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. It leverages Cisco Secure Firewall Threat Defense Connection Event. This activity is significant because adversaries often use remote access tools to maintain unauthorized access to compromised environments. If confirmed malicious, this activity could allow attackers to control systems remotely, exfiltrate data, or deploy additional malware, posing a severe threat to the organization's security. The team also released the blog Cisco Secure Firewall Threat Defense Detections for Splunk.

Additionally, the analytic story Cisco Network Visibility Module Analytics provides a suite of detections built to analyze endpoint-based network telemetry captured by the Cisco Network Visibility Module (NVM). It focuses on identifying suspicious and potentially malicious activity such as process injection, unauthorized downloads, network connections by non-network-aware processes, and potential command-and-control (C2) behavior, etc. Leveraging the rich metadata from NVM, including process names, command-line arguments, user context, and module information, these detections provide high-fidelity insights into host behavior and outbound network activity. Read more here.

In addition to collaborating more closely with Cisco, the analytics story focusing on XWorm, enables teams to detect and investigate unusual activities that might relate to the presence of the XWorm remote access trojan (RAT). XWorm is a sophisticated and stealthy malware variant often used in data theft operations. Its capabilities include keylogging, screen capturing, remote desktop control, and data exfiltration, all of which can operate undetected. By utilizing advanced search queries and behavioral analytics, you can uncover anomalies such as unauthorized remote connections, unusual process behavior, or unexpected outbound traffic patterns. These indicators often signal the early stages of compromise, enabling rapid response before significant damage occurs. Implementing detection rules and correlating threat intelligence with system logs further enhances your ability to pinpoint XWorm activity.

The team analyzed a malware sample of Disk Wiper designed to irreversibly erase data on infected systems. Once executed, it overwrites or corrupts disk partitions, rendering files and operating systems unusable. Often deployed in targeted attacks or sabotage campaigns, it aims to cripple victims by destroying critical data rather than stealing it. Analysis on VirusTotal shows multiple detections labeling it as “Trojan.Wiper” or “DiskWiper,” indicating destructive intent and possible use of raw disk access to bypass file-level recovery. Such tools are frequently employed in cyber warfare, ransomware incidents (as fake “wipers”), or hacktivist attacks to maximize damage and disruption.

The team also identified an emerging threat of Fake CAPTCHA and ClickFix campaigns that exploit users' familiarity with verification systems to deliver malware through clipboard manipulation techniques. First observed in early 2024 and increasing through 2025, these campaigns use deceptive interfaces that mimic legitimate CAPTCHA systems to trick users into executing malicious commands. Read more about this campaign in the blog published by the STRT Beyond The Click: Unveiling Fake CAPTCHA Campaigns.

Overview: Emerging Threats Analytic Stories

The team released new analytic stories and detections to enhance coverage for Microsoft SharePoint Vulnerabilities given that Microsoft SharePoint is a widely deployed collaboration platform in enterprise environments, making it an attractive target for threat actors. Recent vulnerabilities have enabled attackers to compromise SharePoint servers through various attack vectors. The analytic story addresses critical vulnerabilities in Microsoft SharePoint that allow attackers to gain unauthorized access, execute code remotely, and elevate privileges. It includes detections for known exploit patterns and post-exploitation activities to help organizations identify and respond to SharePoint-targeted attacks. The team also published further research in the blog Beyond the Patch: SharePoint Exploits and the Hidden Threat of IIS Module Persistence.

Attackers are actively targeting SAP NetWeaver environments through newly disclosed vulnerabilities like CVE-2025-31324, affecting the Visual Composer service. Successful exploitation can lead to remote code execution (RCE) and the deployment of webshells, giving adversaries persistent access to SAP systems. This story provides detections for reconnaissance patterns (e.g., HEAD requests receiving HTTP 200 responses) and potential exploitation behavior (e.g., POST requests leading to successful uploads), empowering defenders to quickly identify compromise attempts and mitigate them before escalation.

The team also published the following blogs:

Previous Security Content Roundups

Looking for previous security content updates? Check out the previous quarters of security content roundups from the Spunk Threat Research Team. Stay tuned to that page and this one — we're updating them every quarter!

Splunk Threat Research Team

The Splunk Threat Research Team is an active part of a customer’s overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.

Your Roadmap to Success with Risk-Based Alerting

Splunker Haylee Mills dives deeper into the four levels of the Splunk Risk-Based Alerting journey.

Security 3 Min Read

Contextualize your data with threat intelligence information from Project Honey Pot

Security 13 Min Read

Picture Paints a Thousand Codes: Dissecting Image-Based Steganography in a .NET (Quasar) RAT Loader

Uncover how to identify malicious executable loaders that use steganography to deliver payloads such as Quasar RAT.

About Splunk

The world’s leading organizations rely on Splunk, a Cisco company, to continuously strengthen digital resilience with our unified security and observability platform, powered by industry-leading AI.

Our customers trust Splunk’s award-winning security and observability solutions to secure and improve the reliability of their complex digital environments, at any scale.

Learn more about Splunk

Subscribe to our blog

Get the latest articles from Splunk straight to your inbox.

Connect with Splunk on X

Follow @Splunk

Connect with Splunk on Instagram