Splunk Security Content for Threat Detection & Response: October Recap
In October, the Splunk Threat Research Team had 2 releases of new security content via the Enterprise Security Content Update (ESCU) app (v5.16, v5.17). With these releases, there are 37 new analytics and 11 new analytic stories now available in Splunk Enterprise Security via the ESCU application update process.
Content highlights include:
- Suspicious Ollama Activities: A new analytic story focused on monitoring misuse and abuse of locally hosted LLMs through Ollama. This story includes detections such as Abnormal Network Connectivity, Service Crash or Availability Attack, Excessive API Requests, API Endpoint Scan Reconnaissance, Memory Exhaustion Resource Abuse, Model Exfiltration or Data Leakage, RCE via Model Loading, and Suspicious Prompt Injection or Jailbreak. A dedicated TA-Ollama has been developed to parse Ollama server logs, enabling precise detection of adversarial prompt engineering, local model abuse, and AI-powered lateral movement scenarios. For more information, check out Introducing the Splunk Technology Add-on for Ollama: Illuminating Shadow AI Deployments (video: https://www.youtube.com/embed/6zLxiwb5Yeo?si=cdBYWi-W5QDtDw6k).
- Suspicious Microsoft 365 Copilot Activities: A new analytic story targeting emerging risks in GenAI integration with Microsoft 365 Copilot. Detections include M365 Copilot Application Usage Pattern Anomalies, Failed Authentication Patterns, Non-Compliant Devices Accessing Copilot, and Session Origin Anomalies. These analytics help security teams identify compromised identities, unauthorized device access, and abnormal usage trends associated with enterprise AI assistants.
- LokiBot and PromptLock Malware: Expanded coverage for LokiBot, a pervasive credential-stealing Trojan distributed via phishing and malicious attachments. A new detection (Windows Visual Basic Command-Line Compiler DNS Query) was added alongside enhanced tagging across related analytics to better identify suspicious DNS communications and data exfiltration attempts. The team also introduced coverage for PromptLock, the first known GenAI-driven ransomware proof-of-concept, discovered by ESET in 2025. PromptLock leverages a local AI model (gpt-oss:20b) via the Ollama API to dynamically generate Lua scripts for multi-platform encryption and exfiltration.
- APT37 (Rustonotto & FadeStealer) and GhostRedirector: Expanded coverage for APT37, adding a new detection for suspicious Windows Cabinet file extraction activity linked to their Rustonotto and FadeStealer toolsets. This update enhances visibility into phishing-based infections, persistence mechanisms, and data exfiltration behavior. The team also introduced a new GhostRedirector and Rungan analytic story to track server compromises involving malicious IIS modules, SQL injection abuse, and stealthy PowerShell activity used to maintain access and manipulate web traffic.
- Microsoft WSUS CVE-2025-59287 Remote Code Execution: A new analytic story for the exploitation of CVE-2025-59287, a critical WSUS deserialization vulnerability enabling unauthenticated remote code execution. A new detection, Windows WSUS Spawning Shell, was added, and related process-based detections were tagged to enhance post-exploitation visibility.
- Oracle E-Business Suite Exploitation: New Snort-based detections developed with Cisco Talos to identify exploitation attempts against Oracle E-Business Suite. Based on Snort alerts, these analytics detect anomalous web requests, payload delivery, and lateral movement behaviors targeting enterprise ERP systems.
- HTTP Request Smuggling: A new analytic story to detect and investigate HTTP request smuggling techniques, which exploit discrepancies in how web servers and proxies handle request sequences. Added detections (HTTP Suspicious Tool User Agent, HTTP Request to Reserved Name, HTTP Rapid POST with Mixed Status Codes, HTTP Possible Request Smuggling, and HTTP Duplicated Header) leverage searches for indicators such as CL.TE, TE.TE, and CL.0 to identify abuse of HTTP parsing logic and potential security control bypasses.
- Scattered Lapsus$ Hunters and Hellcat Ransomware: Tagged a broad set of existing TTPs and added new analytic stories covering the Scattered Lapsus$ Hunters coalition (Scattered Spider, Lapsus$, and Shiny Hunters) and the Hellcat Ransomware RaaS group. These updates enhance visibility into MFA bypass, credential theft, remote access tool abuse, PowerShell infection chains, SSH persistence, and custom ransomware payloads targeting critical infrastructure, telecom, and government sectors.
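To make the shape of two of the Ollama detections named above concrete (Excessive API Requests and API Endpoint Scan Reconnaissance), here is an added Python sketch. It is not Splunk's ESCU content and not the TA-Ollama parser; it assumes the Ollama server writes Gin-style access-log lines (timestamp, status, latency, client address, method and quoted path), and the log lines, client addresses, paths and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed Gin-style access-log line as written by the Ollama server, e.g.
# [GIN] 2025/10/14 - 09:00:00 | 200 | 812.1ms | 10.0.0.5 | POST "/api/generate"
LINE_RE = re.compile(
    r'^\[GIN\]\s+(?P<ts>\d{4}/\d{2}/\d{2} - \d{2}:\d{2}:\d{2})\s*\|\s*(?P<status>\d{3})\s*\|'
    r'\s*(?P<latency>\S+)\s*\|\s*(?P<client>[^|\s]+)\s*\|\s*(?P<method>[A-Z]+)\s+"(?P<path>[^"]*)"'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y/%m/%d - %H:%M:%S"),
        "status": int(m["status"]),
        "client": m["client"],
        "method": m["method"],
        "path": m["path"],
    }


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def excessive_requests(events, window_seconds=60, threshold=20):
    """Excessive API Requests: clients whose request count inside any sliding
    window of window_seconds reaches threshold. Returns {client: peak_count}."""
    window = timedelta(seconds=window_seconds)
    stamps = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        stamps[e["client"]].append(e["ts"])
    flagged = {}
    for client, times in stamps.items():
        recent, peak = deque(), 0
        for ts in times:
            recent.append(ts)
            while ts - recent[0] > window:  # drop timestamps that fell out of the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[client] = peak
    return flagged


def endpoint_scan(events, threshold=5):
    """API Endpoint Scan Reconnaissance: clients probing many distinct paths that
    the server answers with 404. Returns {client: sorted list of probed paths}."""
    misses = defaultdict(set)
    for e in events:
        if e["status"] == 404:
            misses[e["client"]].add(e["path"])
    return {c: sorted(p) for c, p in misses.items() if len(p) >= threshold}


def _build_sample():
    """Constructed log: one normal user, one client hammering the API, one probing paths."""
    base = datetime(2025, 10, 14, 9, 0, 0)
    fmt = '[GIN] {t:%Y/%m/%d - %H:%M:%S} | {s} | {l} | {c} | {m} "{p}"'
    lines = [fmt.format(t=base + timedelta(minutes=i), s=200, l="812.1ms",
                        c="10.0.0.5", m="POST", p="/api/generate") for i in range(5)]
    lines += [fmt.format(t=base + timedelta(seconds=i), s=200, l="3.2ms",
                         c="10.0.0.7", m="GET", p="/api/tags") for i in range(25)]
    probes = ["/admin", "/api/v1/models", "/metrics", "/debug", "/status", "/api/unknown"]
    lines += [fmt.format(t=base + timedelta(seconds=i), s=404, l="0.1ms",
                         c="10.0.0.9", m="GET", p=p) for i, p in enumerate(probes)]
    return "\n".join(lines)


SAMPLE_LOG = _build_sample()

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("excessive requests:", excessive_requests(evts))
    print("endpoint scan:", endpoint_scan(evts))
```

The sliding-window count and the distinct-404 count are the two statistics a production search would compute per client over a time bucket; the thresholds here are arbitrary and would be tuned against the baseline of a real deployment.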
For all our tools and security content, please visit research.splunk.com.
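For the HTTP Request Smuggling story above, the following added Python example (not one of Splunk's own detection searches) applies the same indicator logic to captured HTTP/1.1 requests: duplicated headers, Content-Length and Transfer-Encoding present together (the CL.TE / TE.CL precondition), an obfuscated Transfer-Encoding value (TE.TE), and a declared Content-Length that does not describe the body actually seen (CL.0). The request samples, the indicator tag names and the list of accepted Transfer-Encoding tokens are constructed for the example.

```python
# Recognised Transfer-Encoding tokens (assumed list); anything else is treated as suspicious.
KNOWN_TE_TOKENS = {"chunked", "identity", "gzip", "x-gzip", "compress", "deflate"}


def parse_request(raw):
    """Split a captured HTTP/1.1 request into (request line, raw header pairs, body).
    Header names and values are kept unstripped so whitespace tricks stay visible."""
    text = raw.decode("latin-1") if isinstance(raw, bytes) else raw
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        headers.append((name, value if sep else ""))
    return lines[0], headers, body


def smuggling_indicators(raw):
    """Return a list of indicator tags for one request (empty list means nothing notable)."""
    _, headers, body = parse_request(raw)
    findings = []
    norm = [(name.strip().lower(), value) for name, value in headers]
    names = [n for n, _ in norm]
    # HTTP Duplicated Header: the same header name appearing more than once
    for n in sorted(set(names)):
        if names.count(n) > 1:
            findings.append(f"duplicate-header:{n}")
    # Whitespace before the colon can make one parser ignore a header another honours
    for name, _ in headers:
        if name != name.strip():
            findings.append(f"whitespace-in-header-name:{name.strip().lower()}")
    cl_values = [v.strip() for n, v in norm if n == "content-length"]
    te_values = [v for n, v in norm if n == "transfer-encoding"]
    # CL.TE / TE.CL precondition: both framing headers present, so front end and back end may disagree
    if cl_values and te_values:
        findings.append("cl-and-te")
    # TE.TE: an obfuscated Transfer-Encoding value that only one parser recognises
    for v in te_values:
        tokens = [t.strip().lower() for t in v.split(",")]
        if (v != v.rstrip() or any(c in v for c in "\t\x0b\x0c")
                or any(t not in KNOWN_TE_TOKENS for t in tokens)):
            findings.append("te-obfuscated")
            break
    # CL.0 and general mismatch: the declared length does not describe the body seen
    if cl_values:
        cl = cl_values[0]
        if not cl.isdigit():
            findings.append("cl-non-numeric")
        elif int(cl) == 0 and body:
            findings.append("cl0-with-body")
        elif int(cl) != len(body):
            findings.append("cl-mismatch")
    return findings


# Constructed requests: one clean, the rest each carrying one indicator class.
SAMPLES = {
    "benign": ("POST /api/submit HTTP/1.1\r\nHost: app.example\r\n"
               "Content-Type: text/plain\r\nContent-Length: 11\r\n\r\nhello=world"),
    "cl_te": ("POST /api/submit HTTP/1.1\r\nHost: app.example\r\n"
              "Content-Length: 1\r\nTransfer-Encoding: chunked\r\n\r\nx"),
    "te_te": ("POST /api/submit HTTP/1.1\r\nHost: app.example\r\n"
              "Transfer-Encoding: xchunked\r\n\r\n"),
    "dup_cl": ("POST /api/submit HTTP/1.1\r\nHost: app.example\r\n"
               "Content-Length: 5\r\nContent-Length: 11\r\n\r\nhello=world"),
    "cl_0": ("POST /api/submit HTTP/1.1\r\nHost: app.example\r\n"
             "Content-Length: 0\r\n\r\nhello=world"),
}


def scan_all(samples=SAMPLES):
    """Run the indicator check over every sample and return {name: tags}."""
    return {name: smuggling_indicators(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, tags in scan_all().items():
        print(f"{name:8s} -> {tags or 'clean'}")
```

In a real pipeline these checks would run over the request records a proxy or WAF logs, and a single tag is a hunting lead rather than a verdict: legitimate clients do occasionally send odd framing, so the analytics pair these indicators with context such as rapid POST bursts with mixed status codes.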