Splunk Lantern

Detecting techniques in the Orangeworm attack group


You work in a hospital that uses outdated and insecure technology. Despite how vocal you've been about the need to upgrade, your hospital uses older operating systems and often neglects to patch computers. You are concerned about the attack group Orangeworm stealing patient information to sell on the black market or to engage in corporate espionage. You are also concerned that the group will infect your network computers and use malware to control medical devices, such as MRI and X-ray machines. 

Data required 

How to use Splunk software for this use case

To deploy this use case, make sure that you have the Splunk ES Content Updates installed on your Splunk Enterprise Security deployment. This extensive content library empowers you to deploy out-of-the-box security detections and analytic stories to enhance your investigations and improve your security posture. If you do not have Splunk Enterprise Security, these detections will still give you an idea of what you can accomplish with SPL in the Splunk platform or with the free app, Splunk Security Essentials.

Some of the detections that can help you with this use case include:

Next steps

To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case: 

  • Ingesting command-line arguments from endpoint detection and response (EDR) technologies
  • Having an incident response template or automation setup for quarantining a machine as quickly as possible to avoid lateral movement

Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:

  • Changes in execution patterns: In a typical environment, most endpoint processes listed do not change their execution pattern. While assessing the results of these detections, the analysts should investigate the parent process that originated the execution.
  • Unseen processes: Parent processes like Word.exe, Powerpoint.exe, or a process completely unseen before are the usual indicators of malicious activity.
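
The parent-process triage described in the two metrics above, as an added example (not Splunk's own detection content): it builds a baseline of parent/child process pairs and flags Office parents, parents never seen before, and children running under a new parent. The event tuples, the `updater32.exe` name, and the `winword.exe`/`powerpnt.exe` binary names are constructed assumptions.

```python
from collections import defaultdict

# Parent names from the page, plus the usual Office binary names (added assumption).
OFFICE_PARENTS = {"word.exe", "powerpoint.exe", "winword.exe", "powerpnt.exe"}

# Constructed sample data: (host, parent_process, process) from EDR process-creation logs.
BASELINE = [
    ("ws01", "explorer.exe", "winword.exe"),
    ("ws01", "services.exe", "svchost.exe"),
    ("ws01", "explorer.exe", "cmd.exe"),
    ("ws02", "services.exe", "svchost.exe"),
]
NEW_EVENTS = [
    ("ws01", "services.exe", "svchost.exe"),   # matches baseline
    ("ws02", "winword.exe", "cmd.exe"),        # Office app spawning a shell
    ("ws02", "updater32.exe", "svchost.exe"),  # parent never seen before
    ("ws01", "explorer.exe", "svchost.exe"),   # known parent, new pattern for this child
]

def build_baseline(events):
    """Map each child process to the set of parents it normally runs under."""
    parents_of = defaultdict(set)
    all_parents = set()
    for _host, parent, child in events:
        parents_of[child.lower()].add(parent.lower())
        all_parents.add(parent.lower())
    return parents_of, all_parents

def triage(events, parents_of, all_parents):
    """Return (event, reasons) for every event that deviates from the baseline."""
    findings = []
    for event in events:
        _host, parent, child = (field.lower() for field in event)
        reasons = []
        if parent in OFFICE_PARENTS:
            reasons.append("office_parent")
        if parent not in all_parents:
            reasons.append("unseen_parent")
        elif parent not in parents_of.get(child, set()):
            # Known parent, but this child has not run under it in the baseline.
            reasons.append("changed_execution_pattern")
        if reasons:
            findings.append((event, reasons))
    return findings

if __name__ == "__main__":
    for event, reasons in triage(NEW_EVENTS, *build_baseline(BASELINE)):
        print(event, "->", ", ".join(reasons))
```

Each finding keeps the full event so the analyst can pivot to the host and the originating parent process.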

Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at if you require assistance.