Splunk Threat Research Team's Blog Posts

The Splunk Threat Research Team is an active part of a customer’s overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.

Read more Splunk Security Content.

FIN7 Tools Resurface in the Field – Splinter or Copycat?
Security
8 Minute Read

FIN7 Tools Resurface in the Field – Splinter or Copycat?

The Splunk Threat Research team addresses the two tools used by the well-organized and highly-skilled criminal group FIN7 — JSS Loader and Remcos.
Detecting IcedID... Could It Be A Trickbot Copycat?
Security
12 Minute Read

Detecting IcedID... Could It Be A Trickbot Copycat?

IcedID is a trojan that has been used in recent malicious campaigns and with new defense bypass methods.
Active Directory Discovery Detection: Threat Research Release, September 2021
Security
15 Minute Read

Active Directory Discovery Detection: Threat Research Release, September 2021

In this blog post, we’ll walk you through this analytic story, demonstrate how we can simulate these attacks using PoshC2 & PurpleSharp to then collect and analyze the resulting telemetry to test our detections.
Investigating GSuite Phishing Attacks with Splunk
Security
6 Minute Read

Investigating GSuite Phishing Attacks with Splunk

Splunk Threat Research Team (STRT) recently observed a phishing campaign using GSuite Drive file-sharing as a phishing vector. Learn more and deploy detections to prevent them in your environment.
Hunting for Malicious PowerShell using Script Block Logging
Security
6 Minute Read

Hunting for Malicious PowerShell using Script Block Logging

The Splunk Threat Research Team recently began evaluating ways to generate security content using native Windows event logging regarding PowerShell Script Block Logging to assist enterprise defenders in finding malicious PowerShell scripts.
PowerShell Detections — Threat Research Release, August 2021
Security
4 Minute Read

PowerShell Detections — Threat Research Release, August 2021

Adversaries are using PowerShell attacks, but luckily the Splunk Threat Research Team (STRT) has developed PowerShell analytics for Splunk by using the Splunk Attack Range to collect the generated logs, and hunt for suspicious PowerShell.