splunk · patel-bhavin · Jan 12, 2026 · Dec 19, 2025 · Dec 20, 2025 · Dec 22, 2025
@@ -16,16 +16,20 @@ description: The following analytic detects emails containing attachments with s
 data_source: []
 search: |
   | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user,
-  All_Email.file_name All_Email.message_id
+  as lastTime from datamodel=Email.All_Email where All_Email.file_name="*"
+
+  by All_Email.src_user All_Email.file_name All_Email.file_size All_Email.message_id
+     All_Email.message_info All_Email.process All_Email.process_id All_Email.orig_dest
+     All_Email.orig_recipient
+
+  | `drop_dm_object_name(All_Email)`
   | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)`
-  | `drop_dm_object_name("All_Email")`
   | lookup update=true is_suspicious_file_extension_lookup file_name OUTPUT suspicious
   | search suspicious=true
   | `suspicious_email_attachment_extensions_filter`
-how_to_implement: "You need to ingest data from emails. Specifically, the sender's
-  address and the file names of any attachments must be mapped to the Email data model.\n
+how_to_implement: |
+  You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model.
   **Splunk Phantom Playbook Integration**\nIf Splunk Phantom is also configured in
   your environment, a Playbook called \"Suspicious Email Attachment Investigate and
   Delete\" can be configured to run when any results are found by this detection search.
@@ -38,23 +42,23 @@ how_to_implement: "You need to ingest data from emails. Specifically, the sender
 known_false_positives: None identified
 references: []
 rba:
-  message: Suspicious attachment from $src_user$
+  message: Email attachment $file_name$ with suspicious extension from $src_user$
   risk_objects:
   - field: user
     type: user
     score: 25
   threat_objects: []
 tags:
   analytic_story:
-  - Data Destruction
-  - Emotet Malware DHS Report TA18-201A
-  - Hermetic Wiper
-  - Suspicious Emails
+    - Data Destruction
+    - Emotet Malware DHS Report TA18-201A
+    - Hermetic Wiper
+    - Suspicious Emails
   asset_type: Endpoint
   mitre_attack_id:
-  - T1566.001
+    - T1566.001
   product:
-  - Splunk Enterprise
-  - Splunk Enterprise Security
-  - Splunk Cloud
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
@@ -1,11 +1,12 @@
 name: Detect RTLO In File Name
 id: 468b7e11-d362-43b8-b6ec-7a2d3b246678
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2026-01-10'
 author: Steven Dick
 status: production
 type: TTP
-description: The following analytic identifies the use of the right-to-left override
+description: |
+  The following analytic identifies the use of the right-to-left override
   (RTLO) character in file names. It leverages data from the Endpoint.Filesystem datamodel,
   specifically focusing on file creation events and file names containing the RTLO
   character (U+202E). This activity is significant because adversaries use RTLO to
@@ -14,67 +15,81 @@ description: The following analytic identifies the use of the right-to-left over
   to the execution of harmful files and potential system compromise.
 data_source:
 - Sysmon EventID 11
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime values(Filesystem.file_create_time) as file_create_time from datamodel=Endpoint.Filesystem
-  where Filesystem.file_name!=unknown by Filesystem.action Filesystem.dest Filesystem.file_access_time
-  Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name
-  Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid
-  Filesystem.process_id Filesystem.user Filesystem.vendor_product | `drop_dm_object_name(Filesystem)`
-  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex
-  file_name =  "\\x{202E}" | rex field=file_name "(?<RTLO_file_1>.+)(?<RTLO_exist_file>\\x{202E})(?<RTLO_file_2>.+)"
-  | eval file_name_with_RTLO=file_name | eval file_name=RTLO_file_1.RTLO_file_2 |
-  fields - RTLO* | `detect_rtlo_in_file_name_filter`'
-how_to_implement: To successfully implement this search you need to be ingesting information
+search: |
+  | tstats `security_content_summariesonly`
+    count min(_time) as firstTime 
+          max(_time) as lastTime
+          values(Filesystem.file_create_time) as file_create_time
+
+  from datamodel=Endpoint.Filesystem where Filesystem.file_name!=unknown
+
+  by Filesystem.action Filesystem.dest Filesystem.file_access_time
+     Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time
+     Filesystem.file_name Filesystem.file_path Filesystem.file_acl
+     Filesystem.file_size Filesystem.process_guid Filesystem.process_id
+     Filesystem.user Filesystem.vendor_product
+
+  | `drop_dm_object_name(Filesystem)`
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | regex file_name = "\\x{202E}"
+  | rex field=file_name "(?<RTLO_file_1>.+)(?<RTLO_exist_file>\\x{202E})(?<RTLO_file_2>.+)"
+  | eval file_name_with_RTLO=file_name
+  | eval file_name=RTLO_file_1.RTLO_file_2
+  | fields - RTLO*
+  | `detect_rtlo_in_file_name_filter`
+how_to_implement: |
+  To successfully implement this search you need to be ingesting information
   on process that includes the full command line of the process being launched on
   your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition,
   confirm the latest CIM App 4.20 or higher is installed and the latest TA for the
   endpoint product.
-known_false_positives: Implementation in regions that use right to left in native
-  language.
+known_false_positives: |
+  Implementation in regions that use right to left in native language.
 references:
-- https://attack.mitre.org/techniques/T1036/002/
-- https://resources.infosecinstitute.com/topic/spoof-using-right-to-left-override-rtlo-technique-2/
-- https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html
+  - https://attack.mitre.org/techniques/T1036/002/
+  - https://resources.infosecinstitute.com/topic/spoof-using-right-to-left-override-rtlo-technique-2/
+  - https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html
 drilldown_searches:
-- name: View the detection results for - "$user$" and "$dest$"
-  search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$user$" and "$dest$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$",
-    "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time)
-    as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
-    Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
-    as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
-    by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
+  - name: View the detection results for - "$user$" and "$dest$"
+    search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+  - name: View risk events for the last 7 days for - "$user$" and "$dest$"
+    search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$",
+      "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time)
+      as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+      Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+      as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+      by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
 rba:
   message: Suspicious RTLO detected in $file_name$ on endpoint $dest$ by user $user$.
   risk_objects:
-  - field: user
-    type: user
-    score: 40
-  - field: dest
-    type: system
-    score: 40
+    - field: user
+      type: user
+      score: 40
+    - field: dest
+      type: system
+      score: 40
   threat_objects:
-  - field: file_name
-    type: file_name
+    - field: file_name
+      type: file_name
 tags:
   analytic_story:
-  - Spearphishing Attachments
+    - Spearphishing Attachments
   asset_type: Endpoint
   mitre_attack_id:
-  - T1036.002
+    - T1036.002
   product:
-  - Splunk Enterprise
-  - Splunk Enterprise Security
-  - Splunk Cloud
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
-- name: True Positive Test
-  attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.002/outlook_attachment/rtlo_events.log
-    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: XmlWinEventLog
+  - name: True Positive Test
+    attack_data:
+    - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.002/outlook_attachment/rtlo_events.log
+      source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+      sourcetype: XmlWinEventLog
@@ -1,53 +1,61 @@
 name: DLLHost with no Command Line Arguments with Network
 id: f1c07594-a141-11eb-8407-acde48001122
-version: 13
-date: '2025-06-30'
+version: 14
+date: '2026-01-01'
 author: Steven Dick, Michael Haag, Splunk
 status: production
 type: TTP
 description: |
   The following analytic detects instances of DLLHost.exe running without
   command line arguments while establishing a network connection.
-  This behavior is identified using Endpoint Detection and Response (EDR) telemetry, 
-  focusing on process execution and network activity data. 
-  It is significant because DLLHost.exe typically runs with specific arguments, 
-  and its absence can indicate malicious activity, such as Cobalt Strike usage. 
-  If confirmed malicious, this activity could allow attackers to execute code, 
+  This behavior is identified using Endpoint Detection and Response (EDR) telemetry,
+  focusing on process execution and network activity data.
+  It is significant because DLLHost.exe typically runs with specific arguments,
+  and its absence can indicate malicious activity, such as Cobalt Strike usage.
+  If confirmed malicious, this activity could allow attackers to execute code,
   move laterally, or exfiltrate data, posing a severe threat to the network's security.
 data_source:
 - Sysmon EventID 1 AND Sysmon EventID 3
 search: |
   | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime FROM datamodel=Endpoint.Processes where 
-  Processes.process_name=dllhost.exe
-  Processes.action!="blocked" 
-  by host _time span=1h 
-  Processes.action Processes.dest Processes.original_file_name
-  Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
-  Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
-  Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
-  Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
-  Processes.user Processes.user_id Processes.vendor_product
-  | `drop_dm_object_name(Processes)` 
+  as lastTime FROM datamodel=Endpoint.Processes where
+  (
+    Processes.process_name=dllhost.exe
+    OR
+    Processes.original_file_name=dllhost.exe
+  )
+  Processes.process IN (
+    "*dllhost",
+    "*dllhost.exe",
+    "*dllhost.exe\""
+  )
+  by host _time span=1h
+     Processes.action Processes.dest Processes.original_file_name
+     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
+     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
+     Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
+     Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
+     Processes.user Processes.user_id Processes.vendor_product
+  | `drop_dm_object_name(Processes)`
   | `security_content_ctime(firstTime)`
-  | `security_content_ctime(lastTime)` 
-  | regex process="(?i)(dllhost\.exe.{0,4}$)"
-  | rename dest as src 
-  | join host process_id [
+  | `security_content_ctime(lastTime)`
+  | rename dest as src
+  | join host process_id
+  [
     | tstats `security_content_summariesonly`
-      count 
-      latest(All_Traffic.dest) as dest 
-      latest(All_Traffic.dest_ip) as dest_ip 
-      latest(All_Traffic.dest_port) as dest_port 
-      FROM datamodel=Network_Traffic.All_Traffic where 
-        All_Traffic.dest_port != 0 
-        by host All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in 
-           All_Traffic.bytes_out All_Traffic.dest  All_Traffic.dest_ip All_Traffic.dest_port 
-           All_Traffic.dvc All_Traffic.protocol All_Traffic.protocol_version All_Traffic.src 
-           All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport All_Traffic.user 
+      count
+      latest(All_Traffic.dest) as dest
+      latest(All_Traffic.dest_ip) as dest_ip
+      latest(All_Traffic.dest_port) as dest_port
+      FROM datamodel=Network_Traffic.All_Traffic where
+        All_Traffic.dest_port != 0
+        by host All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in
+           All_Traffic.bytes_out All_Traffic.dest  All_Traffic.dest_ip All_Traffic.dest_port
+           All_Traffic.dvc All_Traffic.protocol All_Traffic.protocol_version All_Traffic.src
+           All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport All_Traffic.user
            All_Traffic.vendor_product All_Traffic.direction All_Traffic.process_id
     | `drop_dm_object_name(All_Traffic)`
-  ] 
+  ]
   | `dllhost_with_no_command_line_arguments_with_network_filter`
 how_to_implement: |
   The detection is based on data that originates from Endpoint Detection

@@ -1,8 +1,8 @@
 name: Rundll32 with no Command Line Arguments with Network
 id: 35307032-a12d-11eb-835f-acde48001122
-version: 12
-date: '2025-05-02'
-author: Steven Dick,  Michael Haag, Splunk
+version: 13
+date: '2026-01-01'
+author: Steven Dick, Michael Haag, Splunk
 status: production
 type: TTP
 description: The following analytic detects the execution of rundll32.exe without
@@ -15,24 +15,38 @@ description: The following analytic detects the execution of rundll32.exe withou
   of the system.
 data_source:
 - Sysmon EventID 1 AND Sysmon EventID 3
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime FROM datamodel=Endpoint.Processes where `process_rundll32` AND Processes.action!="blocked"
+search: |
+  | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+  as lastTime FROM datamodel=Endpoint.Processes where
+  `process_rundll32`
+  Processes.process IN (
+    "*rundll32",
+    "*rundll32.exe",
+    "*rundll32.exe\""
+  )
   by host _time span=1h Processes.action Processes.dest Processes.original_file_name
-  Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
-  Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
-  Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
-  Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
-  Processes.user Processes.user_id Processes.vendor_product
-  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
-  | regex process="(?i)(rundll32\.exe.{0,4}$)" | rename dest as src | join host process_id
-  [| tstats `security_content_summariesonly` count 
-  FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by host
-  All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out
-  All_Traffic.dest  All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol
-  All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip All_Traffic.src_port
-  All_Traffic.transport All_Traffic.user All_Traffic.vendor_product All_Traffic.direction
-  All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`] 
-  | `rundll32_with_no_command_line_arguments_with_network_filter`'
+     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
+     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
+     Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
+     Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
+     Processes.user Processes.user_id Processes.vendor_product
+  | `drop_dm_object_name(Processes)`
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | rename dest as src
+  | join host process_id
+  [
+    | tstats `security_content_summariesonly` count
+    FROM datamodel=Network_Traffic.All_Traffic where
+    All_Traffic.dest_port != 0
+    by host All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out
+       All_Traffic.dest  All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol
+       All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip All_Traffic.src_port
+       All_Traffic.transport All_Traffic.user All_Traffic.vendor_product All_Traffic.direction
+       All_Traffic.process_id
+    | `drop_dm_object_name(All_Traffic)`
+  ]
+  | `rundll32_with_no_command_line_arguments_with_network_filter`
 how_to_implement: The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,