Threat Hunting
Searching for advanced, persistent threats and sophisticated adversaries, as well as sweeping for indicators of compromise and indicators of attack.
- Assessing and expanding MITRE ATT&CK coverage in Splunk Enterprise Security: The MITRE ATT&CK framework and its application to existing SIEM deployments, particularly Splunk Enterprise Security, helps security teams understand where they have threats covered and where they do not.
- Detecting AWS Security Hub alerts: These searches help you uncover alerts from AWS Security Hub, which collects and consolidates findings from AWS security services enabled in your environment.
- Detecting BlackMatter ransomware: You need to be able to detect and investigate unusual activities that might relate to BlackMatter ransomware.
- Detecting Clop ransomware: You need to be able to detect and investigate unusual activities that might relate to the Clop ransomware.
- Detecting DarkSide ransomware: You need to be able to detect and investigate unusual activities that might relate to DarkSide ransomware, and these searches help you to do that.
- Detecting FIN7 attacks: Detect activities that relate to the FIN7 JS implant and its JSSLoader, with searches you can run in Splunk to look for FIN7's payload, data collection, and script execution.
- Detecting indicators of Remcos RAT malware: How to use Splunk software to monitor for Remcos exploitation, with processes to help you find file writes associated with its payload, screen capture, and more.
- Detecting Log4j remote code execution: You are a security analyst who needs to look for the presence of Log4j executing remote code in your systems.
- Detecting Netsh attacks: You need to be able to detect activities and various techniques associated with the abuse of Netsh.
- Detecting Office 365 attacks: These searches help you detect attacks against Microsoft 365.
- Detecting password spraying attacks within Active Directory environments: How to identify instances where a user, host, or process attempts to authenticate using an unusually high number of unique users in AD environments.
- Detecting print spooler attacks: How to use Splunk to detect print spooler attacks by examining program and binary executions, connections between infected machines and other devices, and more.
- Detecting ransomware activities within AWS environments: How to detect when users in your AWS environment are performing activities that are commonly associated with ransomware attacks.
- Detecting REvil ransomware infections: Investigate ransomware by attempting to reconstruct the events that led to the system being infected and learn the full scope of the security breach.
- Detecting usage of popular Linux post-exploitation tools: How to use Splunk searches to detect instances where malicious actors have used tools to search for opportunities to exploit Linux hosts.
- Detecting Windows file extension abuse: Detect Windows file extension abuse with searches you can run in Splunk to identify signatures of the techniques used in these attacks.
- Monitoring AWS S3 for suspicious activities: These searches allow you to monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behaviors.
- Monitoring command line interface actions: You can use Splunk to view command line strings, calculate their length, and determine how much time has passed since their related processes ran.
- Monitoring for signs of a Windows privilege escalation attack: Use these procedures in Splunk to detect and investigate behaviors that attackers may use to elevate their privileges in your Windows environment.
- Monitoring use of Git repositories: You can use Splunk software for statistical analyses like frequency, patterns of access, and time-of-day information.
- Getting started with MITRE ATT&CK in Enterprise Security and Security Essentials: The MITRE ATT&CK framework and its application to existing SIEM deployments, particularly Splunk Enterprise Security, helps security teams understand where they have threats covered and where they do not.