Splunk Security Content for Threat Detection & Response: April Recap
Splunk Threat Research Team
In April, the Splunk Threat Research Team (STRT) had 2 releases of new security content via the Enterprise Security Content Update (ESCU) app (v5.25 and v5.26). With these releases, there are 6 new analytic stories and 13 new analytics now available in Splunk Enterprise Security via the ESCU application update process.
Content Highlights Include:
- macOS Detection Coverage Expansion: Expanded detection coverage for macOS environments with three new analytic stories - macOS Persistence Techniques, macOS Post-Exploitation, and macOS Privilege Escalation - delivering visibility across the full attack lifecycle. This release introduces detections for behaviors such as account creation, Gatekeeper bypass, keychain dumping, LoginHook persistence, kextload abuse, hidden files/directories, log removal, data chunking, network share discovery, and firewall rule enumeration, strengthening defense against stealthy macOS threats and improving monitoring of attacker activity on Apple endpoints.
- Axios Supply Chain Post-Compromise Activity: Expanded detection coverage for Axios-related supply chain post-compromise scenarios by tagging existing analytics that capture behaviors associated with malicious package execution and downstream abuse. This update improves visibility into post-installation script execution, credential access, data exfiltration, and persistence mechanisms often triggered after a compromised dependency is introduced, helping defenders detect and respond to supply chain attacks impacting JavaScript and Node.js ecosystems.
- Ghost RAT: Expanded coverage for Ghost RAT activity by tagging multiple existing analytics related to service creation, registry persistence, command-line execution, and system discovery behaviors, alongside new detections for Windows Remote Access Registry Entry and Windows Rundll32 with Non-Standard File Extension. Additionally, this release improves detection fidelity with updates to Ping Sleep Batch Command and introduces a new analytic story, Ghost RAT, enhancing visibility into stealthy persistence, defense evasion, and command execution techniques commonly used by this malware family.
- Void Manticore Activity Coverage Expansion: Expanded detection coverage for Void Manticore, a threat group associated with destructive and espionage-driven operations, by tagging multiple existing analytics aligned to data destruction, shadow copy deletion, backup recovery tampering, and suspicious script execution behaviors.
For all our tools and security content, please visit research.splunk.com.