splunk/security_content v5.19.0

on GitHub

🚀 Key Highlights

• 🐚 React2Shell (CVE-2025-55182):
  Introduced a new analytic story, React2Shell, addressing the critical pre-authentication Remote Code Execution (RCE) vulnerability in React Server Components. This vulnerability affects React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, as well as Next.js 15.x and 16.x versions using the App Router. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, allowing attackers to execute arbitrary JavaScript code on the server without authentication.
  New detections provide coverage for both Windows and Linux environments, focusing on suspicious child processes spawned by Node.js, React, or Next.js server processes, including execution of shells, scripting interpreters, and system utilities commonly abused post-exploitation. Additionally, a network-based detection leverages Cisco Secure Firewall Threat Defense Intrusion Events, which identifies React Server Components remote code execution attempts at the network layer, providing early visibility into exploitation attempts.

• 👾 Tuoni C2 Framework:
  Introduced a new analytic story addressing threats from the Tuoni command-and-control framework, a sophisticated cross-platform red teaming tool increasingly adopted by threat actors for real-world attacks. Tuoni enables adversaries to deploy malicious payloads directly into system memory, bypassing traditional disk-based detection mechanisms. Its modular design supports multiple attack variations and allows operators to maintain persistence and execute commands across Windows, Linux, and macOS environments without leaving significant forensic artifacts. New detections focus on identifying Tuoni's memory-based execution patterns, suspicious process behaviors, and command-and-control communication indicators commonly associated with this framework, providing security teams with visibility into attacks that leverage this emerging threat tool.

• 🔐 Kerberos Coercion with DNS (CVE-2025-33073):
  Introduced comprehensive detection coverage for the recently disclosed CVE-2025-33073 vulnerability, where attackers leverage DNS records to trigger Kerberos authentication from remote hosts—a technique that can lead to credential relay or domain privilege escalation. New detections including Windows Short-Lived DNS Record, Windows Kerberos Coercion via DNS, Windows Credential Target Information Structure in Command Line, and DNS Kerberos Coercion provide end-to-end visibility into DNS-based coercion behaviors across authentication and name resolution events, enabling SOCs to identify identity coercion attacks that often unfold silently inside Active Directory environments.

• 📦 NPM Supply Chain Compromise (Shai-Hulud Campaigns):
  Expanded detection coverage for npm ecosystem supply chain compromises, addressing both the Shai-Hulud 2.0 worm campaign and recurring lifecycle hook abuse patterns. Added analytics to detect malicious npm package installations that execute arbitrary scripts through preinstall, install, postinstall, or prepare hooks—a long-standing risk vector exploited in major incidents from event-stream (2018) to ua-parser-js (2021) and Shai-Hulud (2025). New detections monitor GitHub workflow tampering, credential theft, and cross-platform exfiltration behaviors that often unfold silently inside CI/CD pipelines, giving defenders early visibility into malicious package lifecycle hooks and enhancing the ability to detect supply chain compromise before widespread impact.

• 🖥️ NetSupport RMM Tool Abuse:
  Strengthened detection coverage for malicious use of the NetSupport Manager RMM tool, which adversaries frequently deploy for covert remote access under the guise of legitimate remote-support activity. New analytics identify NetSupport's presence through loaded module patterns, executable masquerading, and registry manipulation, helping distinguish authorized IT administration from unauthorized NetSupport-based intrusions involving renamed binaries, PowerShell-assisted deployment, suspicious startup locations, and stealthy remote control sessions. These detections complement updated credential-theft coverage to surface cases where NetSupport is deployed as part of a broader credential access or persistence chain.

• 🤖 Suspicious Local LLM Frameworks (Shadow AI):
  Added new analytics to address the rise of Shadow AI—unauthorized deployment of local Large Language Model (LLM) frameworks such as Ollama, LM Studio, GPT4All, Jan, llama.cpp, and KoboldCPP inside enterprise environments. These tools allow users to run powerful models locally, creating blind spots for data exfiltration, policy violations, and unmonitored processing of sensitive information. New detections monitor model file downloads (.gguf, .ggml, safetensors), suspicious process execution, and DNS lookups to model repositories, providing defenders with early warning before unmonitored AI runtimes become channels for data exposure or endpoint abuse.

• 🔥 Suspicious Cisco ASA Activity:
  Expanded detection coverage for malicious or unauthorized activity on Cisco Adaptive Security Appliances (ASA), representing the most extensive set of Cisco ASA security analytics released to date. New detections focus on configuration tampering, credential misuse, and covert administrative behaviors often seen in targeted network compromise and firewall takeover scenarios. Analytics surface high-risk events including AAA policy modification, logging filter tampering, logging message suppression, packet capture activation, and device file copy operations—both locally and to remote destinations. Additional detections highlight identity-based abuse such as new local user account creation, user deletion, privilege level changes, and lockout threshold anomalies, along with reconnaissance command usage that may reveal adversary staging or pre-attack mapping. By bringing ASA telemetry into the same analytic ecosystem as NVM, FTD, Duo, Umbrella, and Talos-driven rapid responses, this update enhances visibility into attempts to weaken audit controls, establish persistence, exfiltrate configuration data, or manipulate security boundaries on Cisco ASA devices.

New Analytic Story - [6]

• Kerberos Coercion with DNS
• NPM Supply Chain Compromise
• NetSupport RMM Tool Abuse
• React2Shell
• Suspicious Local LLM Frameworks
• Tuoni

New Analytics - [31]

• Cisco ASA - AAA Policy Tampering
• Cisco ASA - Device File Copy Activity
• Cisco ASA - Device File Copy to Remote Location
• Cisco ASA - Logging Filters Configuration Tampering
• Cisco ASA - Logging Message Suppression
• Cisco ASA - New Local User Account Created
• Cisco ASA - Packet Capture Activity
• Cisco ASA - Reconnaissance Command Activity
• Cisco ASA - User Account Deleted From Local Database
• Cisco ASA - User Account Lockout Threshold Exceeded
• Cisco ASA - User Privilege Level Change
• Cisco Secure Firewall - React Server Components RCE Attempt
• DNS Kerberos Coercion
• GitHub Workflow File Creation or Modification
• LLM Model File Creation
• Linux Suspicious React or Next.js Child Process
• Local LLM Framework DNS Query
• Shai-Hulud 2 Exfiltration Artifact Files
• Shai-Hulud Workflow File Creation or Modification
• Windows Credential Target Information Structure in Commandline
• Windows Executable Masquerading as Benign File Types
• Windows Kerberos Coercion via DNS
• Windows Local LLM Framework Execution
• Windows NetSupport RMM DLL Loaded By Uncommon Process
• Windows PUA Named Pipe
• Windows RMM Named Pipe
• Windows RunMRU Registry Key or Value Deleted
• Windows Short Lived DNS Record
• Windows Suspicious C2 Named Pipe
• Windows Suspicious Named Pipe
• Windows Suspicious React or Next.js Child Process

Other Updates

• Updated 71 existing analytics with improved search logic and expanded coverage
• Updated search logic for Execution of File with Multiple Extensions detection (External Contributor - jakeenea51)
• Updated search logic for Suspicious mshta child process to remove duplicates (External Contributor - DipsyTipsy)
• Added 1 new macro: executable_extensions
• Added 4 new lookups: pua_named_pipes, suspicious_c2_named_pipes, suspicious_named_pipes, suspicious_rmm_named_pipes
• Updated cisco_snort_ids_to_threat_mapping lookup
• Updated 2 Analytic Stories: Suspicious Cisco Adaptive Security Appliance Activity, Suspicious Ollama Activities