Splunk Security Content for Threat Detection & Response: April Recap
Security Splunk Threat Research TeamIn April, the Splunk Threat Research Team (STRT) had 2 releases of new security content via the Enterprise Security Content Update (ESCU) app (v5.25 and v5.26). With this release, there are new 6 analytic stories and 13 new analytics now available in Splunk Enterprise Security via the ESCU application update process.
Content Highlights Include:
- macOS Detection Coverage Expansion: Expanded detection coverage for macOS environments with three new analytic stories - macOS Persistence Techniques, macOS Post-Exploitation, and macOS Privilege Escalation - delivering visibility across the full attack lifecycle. This release introduces detections for behaviors such as account creation, Gatekeeper bypass, keychain dumping, LoginHook persistence, kextload abuse, hidden files/directories, log removal, data chunking, network share discovery, and firewall rule enumeration, strengthening defense against stealthy macOS threats and improving monitoring of attacker activity on Apple endpoints.
- Axios Supply Chain Post-Compromise Activity: Expanded detection coverage for Axios-related supply chain post-compromise scenarios by tagging existing analytics that capture behaviors associated with malicious package execution and downstream abuse. This update improves visibility into post-installation script execution, credential access, data exfiltration, and persistence mechanisms often triggered after a compromised dependency is introduced, helping defenders detect and respond to supply chain attacks impacting JavaScript and Node.js ecosystems.
- Ghost RAT: Expanded coverage for Ghost RAT activity by tagging multiple existing analytics related to service creation, registry persistence, command-line execution, and system discovery behaviors, alongside new detections for Windows Remote Access Registry Entry and Windows Rundll32 with Non-Standard File Extension. Additionally, improved detection fidelity with updates to Ping Sleep Batch Command and introduced a new analytic story Ghost RAT, enhancing visibility into stealthy persistence, defense evasion, and command execution techniques commonly used by this malware family.
- Void Manticore Activity Coverage Expansion: Expanded detection coverage for Void Manticore, a threat group associated with destructive and espionage-driven operations, by tagging multiple existing analytics aligned to data destruction, shadow copy deletion, backup recovery tampering, and suspicious script execution behaviors.
For all our tools and security content, please visit research.splunk.com.
Title
Related Articles
Filter
Category
Blog Limit
3
Category
security
Sort Category Shuffle Order
true
Related Articles
You Bet Your Lsass: Hunting LSASS Access
Dive in as the Splunk Threat Research Team shares how Mimikatz, and a few other tools found in Atomic Red Team, access credentials via LSASS memory.
Staff Picks for Splunk Security Reading November 2021
Hello everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, white papers, and customer case studies that we feel are worth a read. We hope you enjoy.
More Than Just a RAT: Unveiling NjRAT's MBR Wiping Capabilities
The Splunk Threat Research Team (STRT) provides a deep-dive analysis of NjRAT (or Bladabindi), a Remote Access Trojan (RAT) discovered in 2012 that's still active today.