Splunk Security Content for Threat Detection & Response: November Recap

In November, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security Content Update (ESCU) app (v5.18). With this release, there is 1 new analytic story and 3 new analytics now available in Splunk Enterprise Security via the ESCU application update process.

Content highlights include:

Castle RAT: Expanded coverage for the Castle RAT remote access trojan, which enables adversaries to execute commands, exfiltrate files, log keystrokes, and capture screens during targeted intrusion campaigns. Tagged multiple existing detections related to persistence, task creation, and suspicious process behavior, and introduced new analytics for unusual browser flag launches, ComputerDefaults-based UAC bypass, and handle duplication in known bypass binaries to improve visibility into Castle RAT infection chains, privilege escalation, and long-term access mechanisms. Read more about Castle RAT here.

Video
https://www.youtube.com/embed/79lWr01iWI8?si=GIijnZTX1h7jnrWT

Enhancements to research.splunk.com which now provide deeper insights and richer context for detection engineers. Each detection entry now includes detailed attack data along with corresponding MITRE ATT&CK techniques, the environment used to generate the data, timestamps of simulated attacks, and tools leveraged during simulation. Explore step-by-step details on how to replay these attacks within your own Splunk environment for validation, tuning, and testing. This update is designed to help you better understand adversary behaviors, validate your detections with real-world data, and accelerate the development of high-fidelity detections. Check out this new experience and leverage this data to strengthen your detection engineering workflows.