---
title: Splunk Threat Hunting
layout: page
date: 2025-01-15
updated: 2025-08-24
---

- [Generate ad_users.csv](ldap-ad-users)
- [Generate ldap_assets.csv](ldap-ad-computers)
- [Generate cmdb_ci_list_lookup.csv](https://gitlab.com/curben/splunk-scripts/-/tree/main/Splunk_TA_snow)
- [Domain Admins Report](domain-admin-report)
- [Protected Group Monitoring](protected-group-monitoring)
- [3LOSH IoC](3losh-ioc)
- [AD Account Deletion](ad-account-deletion)
- [AD Database Dump](ad-database-dump)
- [AD Database Read](ad-database-read)
- [AD integrated DNS zone export](ad-integrated-dns-zone-export)
- [AD Password Policy Change](ad-password-policy-change)
- [AD Password Policy Modified](ad-password-policy-modified)
- [AWS AssumeRoot API operation](aws-assumeroot-api-operation)
- [Account Discovery Using DIR, WHOAMI, and NET](account-discovery-using-dir-whoami-and-net)
- [Account Lockout in Administrator Groups](account-lockout-in-administrator-groups)
- [AppLocker Audit](applocker-audit)
- [Anonymous Authentication Attempt from Foreign IP](anonymous-authentication-attempt-from-foreign-ip)
- [Authentication Against a New Domain Controller](authentication-against-a-new-domain-controller)
- [Authentication from Foreign IP](authentication-from-foreign-ip)
- [VPN Web Traffic from Foreign IP](vpn-web-traffic-from-foreign-ip)
- [BadRabbit IoC](badrabbit-ioc)
- [Basic Brute Force Detection](basic-brute-force-detection)
- [Basic Scanning](basic-scanning)
- [LoLBin execution](lolbin-execution)
- [Non-Chrome process accessing Chrome registry](non-chrome-process-accessing-chrome-registry)
- [Chrome spawned from user profile](chrome-spawned-from-user-profile)
- [Clear-text password search](clear-text-password-search)
- [ClickFix detection](clickfix-detection)
- [dllFake IoC](dllfake-ioc)
- [Internal Proxies Creation](internal-proxies-creation)
- [CVE-2023-23397 Outlook SMB](cve-2023-23397-outlook-smb)
- [Cloudflared/Tailscaled tunnel detection](cloudflared-tailscaled-tunnel-detection)
- [Cobalt Strike IOC](cobalt-strike-ioc)
- [cmd.exe/powershell.exe auto-start](cmd-exe-powershell-exe-auto-start)
- [Credential Manager/SAM Dump](credential-manager-sam-dump)
- [DCSync detection](dcsync-detection)
- [Defender Incident](defender-incident)
- [Defender traffic blocked by Windows Firewall](defender-traffic-blocked-by-windows-firewall)
- [Domain Administrator enabled/disabled](domain-administrator-enabled-disabled)
- [Deprioritise Windows Defender](deprioritise-windows-defender)
- [Disable Microsoft Defender](disable-microsoft-defender)
- [Disable Microsoft Defender (Powershell Script)](disable-microsoft-defender-powershell-script)
- [Disable Microsoft Defender (Registry)](disable-microsoft-defender-registry)
- [EvilProxy IoC](evilproxy-ioc)
- [Excessive AWS WAF Blocked Events](excessive-aws-waf-blocked-events)
- [Excessive Account Lockout](excessive-account-lockout)
- [Excessive Blocked Websites](excessive-blocked-websites)
- [Excessive RDP](excessive-rdp)
- [File hiding using attrib.exe observed](file-hiding-using-attrib-exe-observed)
- [FileFix detection](filefix-detection)
- [Gootloader IOC](gootloader-ioc)
- [Headless Browser](headless-browser)
- [ie4uinit.exe/msxsl.exe abuse](ie4uinit-exe-msxsl-exe-abuse)
- [Impacket detection](impacket-detection)
- [InnoDownloadPlugin user-agent observed](innodownloadplugin-user-agent-observed)
- [Kerberos Certificate Spoofing](kerberos-certificate-spoofing)
- [Kerberos TGT request without password](kerberos-tgt-request-without-password)
- [Kerberos Pre-Authentication Flag Disabled in UserAccountControl](kerberos-pre-authentication-flag-disabled-in-useraccountcontrol)
- [Kerberos TGT request with weak encryption](kerberos-tgt-request-with-weak-encryption)
- [Kerberos service ticket request with weak encryption](kerberos-service-ticket-request-with-weak-encryption)
- [Kernel driver service was installed](kernel-driver-service-was-installed)
- [LSASS.exe Read](lsass-exe-read)
- [LSASS.exe driver loading](lsass-exe-driver-loading)
- [Large Powershell Module](large-powershell-module)
- [LockBit 3.0](lockbit-3-0)
- [Logon from External Network](logon-from-external-network)
- [Logon with NewCredentials type](logon-with-newcredentials-type)
- [Malicious Host Threat Intelligence](malicious-host-threat-intelligence)
- [Microsoft Public Symbol download](microsoft-public-symbol-download)
- [Monthly Inactive Accounts Report](monthly-inactive-accounts-report)
- [Multiple Account Passwords changed by an Administrator](multiple-account-passwords-changed-by-an-administrator)
- [Named pipe usage](named-pipe-usage)
- [New Interactive Logon from a Service Account](new-interactive-logon-from-a-service-account)
- [New Network Share detected](new-network-share-detected)
- [NodeJS spawning cmd.exe](nodejs-spawning-cmd-exe)
- [OneNote IOC](onenote-ioc)
- [Open Port 53](open-port-53)
- [Plaintext credential](plaintext-credential)
- [Possible ShareFinder/Netscan/Sharphound/CobaltStrike Usage](possible-sharefinder-netscan-sharphound-cobaltstrike-usage)
- [PowerShell Web Downloads](powershell-web-downloads)
- [PowerShell Web Downloads (Operational)](powershell-web-downloads-operational)
- [Protected Group Monitoring](protected-group-monitoring)
- [Privileged Group Monitoring](privileged-group-monitoring)
- [Privileged Service with SeDebugPrivilege was called](privileged-service-with-sedebugprivilege-was-called)
- [Qbot IoC](qbot-ioc)
- [Rclone/Restic Exfiltration](rclone-restic-exfiltration)
- [Reboot to safe mode](reboot-to-safe-mode)
- [Regasm.exe execution](regasm-exe-execution)
- [Regsvcs.exe process injection](regsvcs-exe-process-injection)
- [Remote Desktop tool installation/execution](remote-desktop-tool-installation-execution)
- [Remote Desktop tool auto-start](remote-desktop-tool-auto-start)
- [Remote Desktop tool scheduled task](remote-desktop-tool-scheduled-task)
- [RestartManager abuse](restartmanager-abuse)
- [Restricted Admin Mode Detection](restricted-admin-mode-detection)
- [Root certificate installation](root-certificate-installation)
- [Rundll32 Dumping LSASS Memory](rundll32-dumping-lsass-memory)
- [Rundll32 Scheduled Task](rundll32-scheduled-task)
- [SIDHistory compromise](sidhistory-compromise)
- [SQL Server spawning Cmd.exe](sql-server-spawning-cmd-exe)
- [Splunk Events Deletion](splunk-events-deletion)
- [SafeDllSearchMode is modified](safedllsearchmode-is-modified)
- [Suspicious Logon/Logoff Events](suspicious-logon-logoff-events)
- [Suspicious Netscaler CLI](suspicious-netscaler-cli)
- [Suspicious Network Settings](suspicious-network-settings)
- [Suspicious WMI](suspicious-wmi)
- [User Account Control (UAC) policy change](uac-policy-change)
- [UPnP enablement](upnp-enablement)
- [Unauthorised Reverse Proxy Tunnel](unauthorised-reverse-proxy-tunnel)
- [Unauthorised Computer Account Creation](unauthorised-computer-account-creation)
- [Unusual Scheduled Task](unusual-scheduled-task)
- [Unusual User Agent](unusual-user-agent)
- [Unusual printui.exe path](unusual-printui-exe-path)
- [User Login with Local Credentials](user-login-with-local-credentials)
- [VSCode tunnel](vscode-tunnel)
- [Veeam credential extraction](veeam-credential-extraction)
- [Volt Typhoon IOC](volt-typhoon-ioc)
- [Volume Shadow Copy](volume-shadow-copy)
- [Volume Shadow Delete](volume-shadow-delete)
- [Windows Event Log Clearing Events](windows-event-log-clearing-events)
- [Windows Recovery Environment disabled](windows-recovery-environment-disabled)
- [Windows System Event Log Clearing Events](windows-system-event-log-clearing-events)
- [Windows Firewall Modification](windows-firewall-modification)
- [Windows JScript execution](windows-jscript-execution)
- [Windows Sandbox execution](windows-sandbox-execution)
- [Windows Script Executed from ZIP](windows-script-executed-from-zip)
- [WinRAR Spawning Shell Application](winrar-spawning-shell-application)