Detecting Threats with Splunk Security Content - Q4 Roundup

The Splunk Threat Research Team (STRT) continuously monitors the threat landscape to develop, test, and deliver custom detection searches that help identify vulnerabilities and cyber attacks within your environment. All detections relevant to a particular threat are packaged as analytic stories (also known as use cases) and housed on the Splunk Security Content website as well as in the Security Content GitHub repository. This blog provides a roundup of the security content developed by the STRT from November 2022 through January 2023, all of which is available today via the Enterprise Security Content Update app. Senior Threat Researcher Michael Haag also provides an overview of the STRT Q4 content in a Security Tech Talk, which can be viewed here.

Adversary Tradecraft Analytic Stories 

Last quarter, the team added new detections to the Windows post-exploitation analytic story. These detections identify a variety of Windows post-exploitation tools, particularly WinPEAS (local Windows privilege escalation scripts), which are typically used to gain privileges and persistence across Windows endpoints.

The Metasploit framework for penetration testing has been used by both cybercriminals and ethical hackers to identify systemic vulnerabilities on networks and servers. It has become a popular post-exploitation tool for attackers to find and exploit vulnerabilities in networks, so the STRT developed an analytic story with detections for default configurations and behaviors attributed to Metasploit.

In late 2022, CISA issued a cybersecurity advisory after observing suspected advanced persistent threat (APT) activity from Iranian government-sponsored threat actors who exploited the Log4Shell vulnerability in an unpatched VMware Horizon server and moved laterally to continue their objective. The CISA AA22-320A analytic story provides detections for identifying the TTPs outlined in the CISA advisory. 

The STRT released an analytic story covering a suite of products, beginning with Ngrok, that are classified as reverse network proxies. These utilities allow an adversary to create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. Ngrok in particular has been leveraged by threat actors in several campaigns, including for lateral movement and data exfiltration.

In response to a reported 131% increase in account takeover attacks in the first half of 2022, the STRT developed an analytic story for detecting GCP account takeover, as well as a blog with further details on detecting cloud account takeover in Azure Active Directory and AWS in addition to Google Cloud.

In response to a report from Microsoft noting that attackers are increasingly leveraging Internet Information Services (IIS) modules, the STRT developed the IIS Components analytic story and provided further details in the blog “Fantastic IIS Modules and How to Find Them” to help defenders identify suspicious and malicious behavior on IIS web servers.

Ransomware Analytic Stories 

It should be no surprise that the STRT is always monitoring and developing detections for the ever-evolving threats related to ransomware. In Q4, the team focused on developing security content for three particular ransomware groups: LockBit, Prestige and Chaos.

LockBit has been regularly making headlines since 2019, targeting multiple sectors and organizations of all sizes. The STRT recently added new detections to the LockBit analytic story focused on common tradecraft identified during a ransomware investigation regarding LockBit. 

Chaos ransomware came on the scene in 2021 and was initially reported as a .NET version of Ryuk ransomware, but closer analysis of the malware sample shows that it bears little relation to the notorious Ryuk ransomware. The STRT has written new content and appended prior content to the ransomware analytic story to help defenders identify this and other ransomware variants.

Prestige ransomware was observed targeting the transportation and logistics industries as part of the ongoing Russia-Ukraine war, with deployment techniques similar to CaddyWiper and HermeticWiper. Read the Prestige ransomware analytic story to learn how to defend against this threat with Splunk.

Emerging Threats Analytic Stories 

In late 2022, CVE-2022-42889 (Text4Shell) and CVE-2022-40684 (Fortinet Appliance Authentication Bypass) were published, both scored as critical severity. The Splunk Threat Research Team developed an analytic story for each.

Text4Shell (CVE-2022-42889) is a critical vulnerability in the Apache Commons Text library. Apache Commons Text is a Java library described as “a library focused on algorithms working on strings,” and can be considered a general-purpose text manipulation toolkit. The vulnerability affects the StringSubstitutor interpolator class included in the Commons Text library. The default interpolator performs string lookups, and a logic flaw meant that the script, DNS, and URL lookup keys were interpolated by default; those keys allow an attacker who controls the interpolated input to execute arbitrary code via lookups, leading to Remote Code Execution.
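As an added example (not from this blog or the STRT's own content), the three lookup keys named above can be hunted for in web access logs. The script below parses constructed combined-format log lines, repeatedly URL-decodes each request field, and flags only `${script:…}`, `${dns:…}` and `${url:…}` lookups, ignoring other interpolator prefixes; the log lines and client addresses are made up for the example.

```python
import re
from urllib.parse import unquote

# Lookup keys the page names as interpolated by default in vulnerable
# Commons Text versions; any of them inside ${...} is a Text4Shell indicator.
DANGEROUS_LOOKUPS = ("script", "dns", "url")

# Matches ${script:...}, ${dns:...}, ${url:...}; whitespace is tolerated
# because the interpolator trims the prefix before matching it.
LOOKUP_RE = re.compile(
    r"\$\{\s*(" + "|".join(DANGEROUS_LOOKUPS) + r")\s*:", re.IGNORECASE)

# Apache/nginx combined log format (assumed input format for this example)
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

def normalize(value):
    """URL-decode until the string stops changing (handles double encoding)."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value

def find_text4shell_lookups(text):
    """Return the dangerous lookup keys present in text, lower-cased and sorted."""
    return sorted({m.group(1).lower() for m in LOOKUP_RE.finditer(normalize(text))})

def scan_access_log(lines):
    """Return (client, field, keys) for every request field carrying a lookup."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        for field in ("uri", "referer", "ua"):
            keys = find_text4shell_lookups(m.group(field))
            if keys:
                hits.append((m.group("src"), field, keys))
    return hits

# Constructed sample log lines (not real traffic): one benign request, one
# URL-encoded script lookup in the query string, one dns lookup delivered in
# the User-Agent header, and one ${env:...} lookup that is not on the list.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Nov/2022:10:01:02 +0000] "GET /search?q=splunk HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Nov/2022:10:01:05 +0000] "GET /search?q=%24%7Bscript%3Ajavascript%3A1%2B1%7D HTTP/1.1" 500 0 "-" "curl/7.85.0"',
    '10.0.0.9 - - [10/Nov/2022:10:01:07 +0000] "POST /api/render HTTP/1.1" 200 42 "-" "${dns:address|example.com}"',
    '10.0.0.3 - - [10/Nov/2022:10:01:09 +0000] "GET /docs/${env:HOME} HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for src, field, keys in scan_access_log(SAMPLE_LOG):
        print(f"{src}: Text4Shell lookup {keys} in {field}")
```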

The Fortinet Appliance Authentication Bypass (CVE-2022-40684) was published after Fortinet patched a critical authentication bypass vulnerability in its FortiOS, FortiProxy, and FortiSwitchManager products. FortiOS exposes a management web portal that allows a user to configure the system. Additionally, a user can SSH into the system, which exposes a locked-down CLI interface. Any HTTP requests to the management interface of the system that match the conditions above should be cause for concern. An attacker can use this vulnerability to do just about anything they want to the vulnerable system, including changing network configurations, adding new users, and initiating packet captures.

More Resources from the Splunk Threat Research Team

In addition to the analytic stories and blogs provided above, the Splunk Threat Research Team wrote a number of blogs in Q4 highlighting other threats and how to defend against them: 

A detection that identifies DGA-generated domains using a pre-trained Deep Learning (DL) model was also developed by the Splunk Machine Learning for Security team to help customers defend against adversaries using DGAs. To learn more about this detection and machine learning in security, join our Tech Talk on May 2nd.

How to Get Started with Splunk Security Content 

Take advantage of all the security content developed by the Splunk Threat Research Team through the Enterprise Security Content Update (ESCU) app or the Splunk Security Essentials (SSE) app. Both apps allow you to deploy the more than 1,200 detections from the STRT to start detecting, investigating and responding to threats.

The Splunk Threat Research Team is an active part of a customer’s overall defense strategy, enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond to the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks, which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day-to-day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-source projects, and white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.
