Splunk Threat Research Team's Blog Posts

The Splunk Threat Research Team is an active part of a customer’s overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.

Read more Splunk Security Content.

Threat Advisory: STRT-TA02 - Destructive Software
Security
11 Minute Read

Threat Advisory: STRT-TA02 - Destructive Software

The focus of this threat advisory is on a recently reported destructive payload by Microsoft MSTIC under the name of WhisperGate. We break down the different components and functions of how this payload works and provide a series of detections to mitigate and defend against this threat.
Detecting Malware Script Loaders using Remcos: Threat Research Release December 2021
Security
9 Minute Read

Detecting Malware Script Loaders using Remcos: Threat Research Release December 2021

Start detection against behaviors and TTPs from a Remcos loader that utilizes DynamicWrapperX (dynwrapx.dll) to execute shellcode and inject Remcos RAT into the target process.
Simulating, Detecting, and Responding to Log4Shell with Splunk
Security
13 Minute Read

Simulating, Detecting, and Responding to Log4Shell with Splunk

Splunk Threat Research Team simulated the Log4j vulnerabilities in the Splunk Attack Range. Using the data collected, we developed 13 new detections and 9 playbooks to help Splunk SOAR customers investigate and respond to this threat.
Active Directory Lateral Movement Detection: Threat Research Release, November 2021
Security
12 Minute Read

Active Directory Lateral Movement Detection: Threat Research Release, November 2021

The Splunk Threat Research Team recently updated the Active Directory Lateral Movement analytic story to help security operations center (SOC) analysts detect adversaries executing these techniques within Windows Active Directory (AD) environments.
Securing DevSecOps - Threat Research Release October 2021
Security
5 Minute Read

Securing DevSecOps - Threat Research Release October 2021

Learn how you can secure your development security operations with pre-built and tested Splunk detections and automated playbooks.
Detecting Remcos Tool Used by FIN7 with Splunk
Security
7 Minute Read

Detecting Remcos Tool Used by FIN7 with Splunk

The following is a walkthrough of Remcos executed via Attack Range Local. We will go over some of the multiple and intrusive operations this remote access tool can execute at compromised hosts.