Splunk Security Content for Threat Detection & Response: August Recap

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security Content Update (ESCU) app (v5.11.0, v5.12.0, v5.13.0). With these releases, there are 8 new analytics and 32 new analytic stories now available in Splunk Enterprise Security via the ESCU application update process.

Content highlights include:

• A rapid‑response release addressing active exploitation of Cisco Smart Install (CVE‑2018‑0171) by Static Tundra, a Russian state‑sponsored espionage group linked to FSB Center 16 and known for long‑term compromises of network devices. To mitigate this campaign, the Splunk Threat Research Team operationalized Cisco Talos’ PCAP patterns and tradecraft into high‑signal detections on cisco:ios telemetry. These detections surface Smart Install ingress on TCP/4786 and oversized SMI packets, follow‑on configuration/persistence actions (privileged account creation, SNMP community changes, interface modifications), and TFTP staging/exfiltration, with Cisco Secure Firewall mappings for unified triage.  The new analytic story is built using cisco:ios logs and network traffic pcap samples from Cisco Talos to detect exploitation attempts known to be used by  Static Tundra. Detections include suspicious Smart Install traffic, privileged account creation, SNMP configuration changes, and TFTP-based data exfiltration on vulnerable Cisco devices. 

• Medusa Rootkit (UNC3886): A new analytic story for Medusa Rootkit, a stealthy malware leveraged by UNC3886 to maintain persistence on Linux and Windows systems. This release adds detections for Linux GDrive Binary Activity, Linux Medusa Rootkit, Windows GDrive Binary Activity, and Windows Suspicious VMware Tools Child Process, while also mapping other existing detections to this threat actor.

• MSIX Package Abuse: A new analytic story covering abuse of Microsoft MSIX application packages, leveraging telemetry from AppXDeploymentServer/Operational logs. This story introduces detections for suspicious MSIX behaviors, including Windows Advanced Installer MSIX with AI_STUBS Execution, Unsigned Package Installation, PowerShell MSIX Package Installation, and interactions with Windows Apps directories, providing visibility into application sideloading and potential malware delivery.

• Windows RDP Artifacts & Defense Evasion: A new analytic story focused on RDP activity followed by artifact cleanup or evasion techniques. Windows RDP usage generates forensic artifacts such as Default.rdp files and bitmap caches that can reveal details about accessed systems. This release adds detections for RDP file creation, deletion, and un-hiding events, bitmap cache file activity, RDP server registry entry creation/deletion, and RDP client launched with admin session, while tagging existing detections to ensure comprehensive monitoring of both RDP usage and evasion behavior.

• Interlock Ransomware & NaiLaoLocker: Interlock Ransomware exhibits unexpected file encryption patterns—such as anomalous PowerShell or CMD processes spawned from Office apps—and large-scale file renaming, while NaiLaoLocker employs multi-threaded AES-256-CBC encryption with SM2 key wrapping via DLL side-loading and mutex creation to evade re-execution; we mapped all existing detections to both malware and updated the ransomware extensions and notes lookup files.

•  Interlock RAT: Interlock RAT is a modular, stealthy backdoor first observed in mid-2024 that uses encrypted C2 communications and fake browser-update installers to gain persistence, capture keystrokes, and exfiltrate data; we mapped existing detections to this RAT to surface indicators like anomalous network beaconing, persistence artifacts, and credential-theft behaviors.

• Scattered Spider (UNC3944/Scatter Swine/Oktapus/Octo Tempest/Storm-0875/Muddled Libra): Scattered Spider is an extortion-focused group using SIM-swap attacks, push-bombing MFA fatigue, and social engineering to deploy legitimate remote-access tools (e.g., TeamViewer, AnyDesk, Ngrok) for data theft and ransomware deployment; we mapped existing detections to this actor, covering behaviors such as MFA bombing prompts, unauthorized remote-access tool execution, and cloud API abuse.

This demo video showcases Xworm attacks and Splunk detections finding the different ways it executes on an OS.