Splunk Security Content for Threat Detection & Response: April Recap
Security Splunk Threat Research TeamIn April, the Splunk Threat Research Team (STRT) had 2 releases of new security content via the Enterprise Security Content Update (ESCU) app (v5.25 and v5.26). With this release, there are new 6 analytic stories and 13 new analytics now available in Splunk Enterprise Security via the ESCU application update process.
Content Highlights Include:
- macOS Detection Coverage Expansion: Expanded detection coverage for macOS environments with three new analytic stories - macOS Persistence Techniques, macOS Post-Exploitation, and macOS Privilege Escalation - delivering visibility across the full attack lifecycle. This release introduces detections for behaviors such as account creation, Gatekeeper bypass, keychain dumping, LoginHook persistence, kextload abuse, hidden files/directories, log removal, data chunking, network share discovery, and firewall rule enumeration, strengthening defense against stealthy macOS threats and improving monitoring of attacker activity on Apple endpoints.
- Axios Supply Chain Post-Compromise Activity: Expanded detection coverage for Axios-related supply chain post-compromise scenarios by tagging existing analytics that capture behaviors associated with malicious package execution and downstream abuse. This update improves visibility into post-installation script execution, credential access, data exfiltration, and persistence mechanisms often triggered after a compromised dependency is introduced, helping defenders detect and respond to supply chain attacks impacting JavaScript and Node.js ecosystems.
- Ghost RAT: Expanded coverage for Ghost RAT activity by tagging multiple existing analytics related to service creation, registry persistence, command-line execution, and system discovery behaviors, alongside new detections for Windows Remote Access Registry Entry and Windows Rundll32 with Non-Standard File Extension. Additionally, improved detection fidelity with updates to Ping Sleep Batch Command and introduced a new analytic story Ghost RAT, enhancing visibility into stealthy persistence, defense evasion, and command execution techniques commonly used by this malware family.
- Void Manticore Activity Coverage Expansion: Expanded detection coverage for Void Manticore, a threat group associated with destructive and espionage-driven operations, by tagging multiple existing analytics aligned to data destruction, shadow copy deletion, backup recovery tampering, and suspicious script execution behaviors.
For all our tools and security content, please visit research.splunk.com.
Title
Related Articles
Filter
Category
Blog Limit
3
Category
security
Sort Category Shuffle Order
true
Related Articles
What You Need to Know About Boss of the SOC
We introduced a new security activity at .conf2016 called “Boss of the SOC” (or BOTS), born from our belief that learning can be both realistic and fun.
Splunk and Tensorflow for Security: Catching the Fraudster with Behavior Biometrics
Raising the barrier for fraudsters and attackers: how to leverage Splunk and Deep Learning frameworks to discover Behavior Biometrics patterns within user activities
Fantastic IIS Modules and How to Find Them
This blog showcases how to enable and ingest IIS operational logs, utilize PowerShell scripted inputs to ingest installed modules and simulate AppCmd and PowerShell adding new IIS modules and disable HTTP logging using Atomic Red Team.