Splunk Security Content for Threat Detection & Response: January Recap
In January, the Splunk Threat Research Team published one release of new security content through the Enterprise Security Content Update (ESCU) app (v5.20). This release adds 5 new analytic stories and 25 new analytics, now available in Splunk Enterprise Security via the ESCU application update process.
Content Highlights Include:
- Browser Hijacking: Introduced a new set of detections focused on browser hijacking techniques that manipulate Chrome configurations, registry settings, and command-line behaviors to persist malicious control, disable updates, and load unauthorized extensions. These detections surface suspicious actions such as disabling Chrome auto-updates, allowlisting or force-loading extensions, and abusing command-line flags to bypass browser security controls.
- Cisco Isovalent Suspicious Activity: Expanded detection coverage leveraging Cisco Isovalent’s kernel-level eBPF telemetry to identify advanced threats targeting Kubernetes and cloud-native environments. New detections focus on high-risk behaviors such as access to cloud metadata services, suspicious process execution, container escape techniques, offensive tooling in pods, anomalous kprobe activity, and unexpected shell or network behavior.
- Suspicious User Agents: Introduced enhanced detection coverage to identify suspicious and default user agent strings commonly used by malware, command-and-control frameworks, remote monitoring and management (RMM) tools, and other potentially unwanted applications. These detections focus on uncovering overlooked or hard-coded user agents frequently left unchanged by adversaries, providing network-level visibility into malicious tooling that blends into normal HTTP traffic.
- SesameOp & PromptFlux: Expanded analytic coverage for emerging malware families that abuse legitimate AI service APIs as command-and-control channels, allowing adversaries to hide malicious activity within trusted cloud traffic. This update tags relevant existing detections and introduces a new detection for Windows Potential AppDomainManager Hijack Artifacts Creation, addressing key persistence and injection techniques leveraged by SesameOp and PromptFlux.
- Cisco IOS & Secure Firewall Privileged Activity: Added new detections and risk-based correlation searches to identify high-risk administrative activity targeting Cisco IOS and Cisco Secure Firewall devices. The new detections focus on privileged command execution over HTTP and anomalous SSH behavior, including connections to non-standard ports and suspicious SSH services.
Watch a Demo: Defending Against npm Supply Chain Attacks: A Practical Guide to Detection, Emulation, and Analysis
For all our tools and security content, please visit research.splunk.com.