Patrick Bareiß

350 posts


@bareiss_patrick

Principal Security Research Engineer @Splunk Speaker: DeepSec Vienna, BlackHat Europe Arsenal

München, Bayern · Joined October 2015
1.1K Following · 1.2K Followers
Pinned Tweet
Patrick Bareiß (@bareiss_patrick)
The Attack Range solves two main challenges in development of detections:
- quickly build a small pre-configured lab infrastructure as close as possible to your production environment
- perform attack simulation using Atomic Red Team
github.com/splunk/attack_…
Patrick Bareiß (@bareiss_patrick)
@DWdoesDFIR Atomic Red Team is getting installed on the Linux and Windows servers. MLTK needs to be installed manually.
DWdoesDFIR (@DWdoesDFIR)
@bareiss_patrick Okay, that's what I got spun up. Does that include all tools like Atomic Red Team and MLTK?
DWdoesDFIR (@DWdoesDFIR)
@bareiss_patrick I was playing around with Ludus and Splunk Attack Range. I was able to deploy (to the best of my ability lol). Does this deploy the entire range? I only got 3 devices when running.
Patrick Bareiß retweeted
The Haag™ (@M_haggis)
🚨 SAP NetWeaver Webshells Spotted: CVE-2025-31324 in the Wild 🚨

Multiple reports confirmed active exploitation of SAP NetWeaver Visual Composer vulnerabilities (CVE-2025-31324). Attackers are dropping lightweight JSP webshells like the ones shared by Onapsis, captured by ShellSweepX below 👇: easy to miss, devastating if ignored.

🧹 Enter ShellSweepX, an open-source project from Splunk Threat Research Team built to help defenders proactively hunt, detect, and analyze webshells across their environments.

How ShellSweepX helps defenders:

🔹 Wide Coverage: uses 300+ webshell-focused YARA rules across JSP, PHP, ASPX, and others. Not just signatures, but entropy, anomaly, and obfuscation detection.

🔹 Lightweight, Flexible, and Scalable: ShellSweepX offers agent-based deployment across endpoints with a centralized management server to orchestrate sweeps. It supports webshell file collection, scheduled scans, and makes sweeping hundreds or thousands of systems seamless via API or web UI, all without heavy infrastructure requirements.

🔹 Integrated Threat Hunting: detailed triage output lets you pivot immediately, showing entropy, size, matches, metadata, and AI-assisted file analysis to catch even stealthy or customized webshells.

🔹 Automation-Ready: built with a REST API and frontend dashboard, ShellSweepX enables automatic sweeps, centralized hunting campaigns, and seamless integration into your existing IR playbooks and workflows.

Ref:
Onapsis: onapsis.com/blog/active-ex…
Rapid7: rapid7.com/blog/post/2025…

🔥 Full project and how to get started:
👉 ShellSweep: github.com/splunk/ShellSw…
👉 ShellSweepX Blog: splunk.com/en_us/blog/sec…
[3 images attached]
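The triage signals the post lists (entropy, size, indicator matches) are straightforward to reproduce, and seeing them computed makes it clear why no single one is enough. The block below is an added example, not ShellSweepX code or any other part of the Splunk project: it scores a handful of constructed JSP and PHP files using a small indicator list and an entropy threshold that are this example's own assumptions, standing in for the 300+ YARA rules ShellSweepX ships.

```python
import base64
import math
import re
from typing import Dict, List

# Added example: a standalone webshell triage pass modelled on the signals the
# post lists (entropy, size, indicator matches). It is not ShellSweepX code;
# the indicator patterns and the entropy threshold are this example's own
# assumptions, standing in for ShellSweepX's YARA rule set.

# Per-family indicator regexes (assumed; matched case-insensitively).
INDICATORS = {
    "jsp": [
        r"runtime\.getruntime\(\)\.exec\(",
        r"new\s+processbuilder\(",
        # a request parameter that later reaches exec(): the classic cmd shell
        r"request\.getparameter\(.*?\).*?\.exec\(",
    ],
    "php": [
        r"\beval\s*\(",
        r"\b(system|shell_exec|passthru|popen|proc_open)\s*\(",
        r"base64_decode\s*\(",
        r"\$_(get|post|request)\[",
    ],
    "aspx": [
        r"process\.start\(",
        r"request\[[^\]]+\]",
    ],
}
ENTROPY_THRESHOLD = 5.5  # assumed: plain source text usually sits around 4-5 bits/byte
BASE64_BLOB = re.compile(rb"[A-Za-z0-9+/]{120,}={0,2}")  # long unbroken base64 run

# Constructed sample files (not real captures).
SAMPLE_FILES: Dict[str, bytes] = {
    # benign page: reads a parameter but never reaches a process
    "index.jsp": b'<%@ page language="java" %>\n'
                 b'<html><body>Hello, <%= request.getParameter("name") %></body></html>\n',
    # command-execution JSP in the style of the lightweight shells the post describes
    "cache.jsp": b'<%@ page import="java.io.*" %>\n'
                 b'<% String c = request.getParameter("cmd");\n'
                 b'   if (c != null) { Process p = Runtime.getRuntime().exec(c); } %>\n',
    # PHP one-liner shell
    "up.php": b'<?php @eval($_POST["k"]); ?>',
    # PHP shell hiding its body in a base64 blob (payload bytes are arbitrary here)
    "cfg.php": b'<?php eval(base64_decode("'
               + base64.b64encode(bytes(range(256)) * 2) + b'")); ?>',
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-symbol input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def family_for(name: str) -> str:
    """Map a file name to the indicator family it should be checked against."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return {"jsp": "jsp", "jspx": "jsp", "php": "php", "phtml": "php",
            "aspx": "aspx", "ashx": "aspx"}.get(ext, "")


def triage(name: str, data: bytes) -> Dict[str, object]:
    """Score one file: each indicator hit, an entropy above threshold and an
    embedded base64 blob add one point; two or more points flags the file."""
    text = data.decode("utf-8", errors="replace")
    hits: List[str] = [p for p in INDICATORS.get(family_for(name), [])
                       if re.search(p, text, re.IGNORECASE | re.DOTALL)]
    entropy = shannon_entropy(data)
    blob = BASE64_BLOB.search(data) is not None
    score = len(hits) + int(entropy > ENTROPY_THRESHOLD) + int(blob)
    return {"file": name, "size": len(data), "entropy": round(entropy, 2),
            "matches": hits, "base64_blob": blob, "score": score,
            "suspicious": score >= 2}


def sweep(files: Dict[str, bytes]) -> List[Dict[str, object]]:
    """Triage every file and return one result row per file."""
    return [triage(n, d) for n, d in files.items()]


if __name__ == "__main__":
    for row in sweep(SAMPLE_FILES):
        flag = "SUSPICIOUS" if row["suspicious"] else "ok        "
        print(f'{flag} {row["file"]:<10} size={row["size"]:<5} '
              f'entropy={row["entropy"]:<5} matches={len(row["matches"])} blob={row["base64_blob"]}')
```

Entropy on its own is a weak signal (minified JavaScript and base64-heavy configuration files score high too), which is why the score needs two independent signals before a file is flagged; at scale the regex list would give way to the YARA rule set and entropy and size would stay as triage columns to pivot on.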
Patrick Bareiß (@bareiss_patrick)
Looking to secure your homelab #Kubernetes? This guide covers:
• Container security: static code analysis, scanning, minimal base images
• Kubernetes hardening: RBAC, API security, etcd protection
• Testing tools: kube-bench, checkov, red-kube
buff.ly/9iaxULG
Patrick Bareiß (@bareiss_patrick)
SQL Server can be exploited for system access, persistence, and code execution. Our STRT team's blog shows how attackers abuse stored procedures, CLR assemblies, and registry modifications—while providing detection rules to catch them in action. buff.ly/3TSJh6Q
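To make the detection side of that post concrete, here is an added example (not the STRT blog's rules or any Splunk security content) that runs a few indicator rules for the three abuse paths named above, extended stored procedures, CLR assemblies and registry writes, over constructed SQL Server batch records. The pipe-separated record layout, the login and application names, and the rule list are all assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Added example: indicator rules for the three SQL Server abuse paths the post
# names (extended stored procedures, CLR assemblies, registry writes), run over
# constructed batch records. Not the STRT rule set; the record layout
# (time|login|client app|batch text), the names and the rules are assumptions.

# (rule name, technique, regex applied to the normalized batch text)
RULES: List[Tuple[str, str, str]] = [
    ("xp_cmdshell enabled via sp_configure", "stored procedure",
     r"sp_configure n?'xp_cmdshell' ?, ?1"),
    ("xp_cmdshell executed", "stored procedure",
     r"\bxp_cmdshell (n?'|@)"),
    ("OLE automation via sp_OACreate", "stored procedure",
     r"\bsp_oacreate\b"),
    ("CLR enabled via sp_configure", "CLR assembly",
     r"sp_configure n?'clr enabled' ?, ?1"),
    ("UNSAFE CLR assembly loaded from a hex blob", "CLR assembly",
     r"create assembly .*from 0x[0-9a-f]+.*permission_set ?= ?unsafe"),
    ("registry modified via xp_regwrite", "registry modification",
     r"\bxp_regwrite\b"),
]


def normalize(sql: str) -> str:
    """Lower-case, strip comments and [brackets], collapse whitespace, so that
    EXEC/**/master..[xp_cmdshell] and exec master..xp_cmdshell look alike."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.DOTALL)
    sql = re.sub(r"--[^\n]*", " ", sql)
    sql = sql.replace("[", "").replace("]", "")
    return re.sub(r"\s+", " ", sql).strip().lower()


def parse_record(line: str) -> Dict[str, str]:
    """Split one 'time|login|app|batch' record; the batch may itself contain '|'."""
    ts, login, app, batch = line.split("|", 3)
    return {"time": ts, "login": login, "app": app, "batch": batch}


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Run every rule over every record; one alert per (record, rule) hit."""
    alerts: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        rec = parse_record(line)
        sql = normalize(rec["batch"])
        for name, technique, pattern in RULES:
            if re.search(pattern, sql):
                alerts.append({"line": n, "login": rec["login"], "app": rec["app"],
                               "rule": name, "technique": technique})
    return alerts


# Constructed batch records (time|login|client app|batch text); not real audit data.
LOG = [
    "2025-05-01T10:00:01Z|app_user|MyApp|SELECT name FROM sys.tables",
    "2025-05-01T10:02:10Z|sa|SQLCMD|EXEC sp_configure 'show advanced options', 1; RECONFIGURE; "
    "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;",
    "2025-05-01T10:02:15Z|sa|SQLCMD|EXEC master..xp_cmdshell 'whoami'",
    "2025-05-01T10:05:00Z|svc_web|.Net SqlClient Data Provider|"
    "CREATE ASSEMBLY evil FROM 0x4D5A90000300000004000000FFFF0000 WITH PERMISSION_SET = UNSAFE",
    r"2025-05-01T10:07:30Z|sa|SQLCMD|EXEC xp_regwrite 'HKEY_LOCAL_MACHINE',"
    r"'SOFTWARE\Microsoft\Windows\CurrentVersion\Run','updater','REG_SZ','C:\temp\u.exe'",
    # comment and bracket tricks that a naive substring match on "EXEC xp_cmdshell" misses
    "2025-05-01T10:09:00Z|sa|SQLCMD|EXEC/**/master..[xp_cmdshell] 'dir'",
    "2025-05-01T10:11:00Z|svc_web|.Net SqlClient Data Provider|EXEC sp_configure 'clr enabled', 1; RECONFIGURE;",
]


if __name__ == "__main__":
    for a in detect(LOG):
        print(f'line {a["line"]}: [{a["technique"]}] {a["rule"]} by {a["login"]} via {a["app"]}')
```

The normalization step is the part worth carrying into a real rule: comment splicing and bracket-quoted identifiers are the cheapest evasions against a substring match, and the same canonical form makes the sp_configure enable and the later xp_cmdshell call fire as two separate, sequenced alerts. In Splunk the equivalent logic would be expressed in SPL over SQL Server audit or Extended Events data rather than in Python.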
Patrick Bareiß (@bareiss_patrick)
Latin American banking trojan Grandoreiro expands globally, targeting 1,500+ banks with:
• Sophisticated string encryption
• Domain generation algorithm for C2 comms
• Anti-sandbox techniques
• Registry persistence
• Outlook mail harvesting
buff.ly/EimaGMN
Patrick Bareiß (@bareiss_patrick)
Critical RCE vulnerabilities in Ingress-Nginx Controller (CVE-2025-1974, CVSS 9.8) affect versions ≤1.12.0 and ≤1.11.4. The webhook service (port 8443) is exploitable. Check your cluster with:
kubectl get ValidatingWebhookConfiguration -A
buff.ly/DTKxvSK
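Listing the webhook configurations tells you the admission webhook exists; it does not tell you which controller version is behind it. The block below is an added example, not from the linked write-up or from the ingress-nginx project, that inventories controller image versions from kubectl JSON output and then lists the webhook configurations that route to an ingress-nginx admission service. The deployment and webhook JSON is constructed; the version cut-offs follow the post's affected ranges, treating 1.11.5 and 1.12.1 as the first fixed releases, and matching the admission service by name is an assumption of this example.

```python
import json
import re
from typing import List, Tuple

# Added example, not from the linked advisory or from ingress-nginx itself.
# Affected ranges follow the post: every release up to and including 1.11.4,
# plus 1.12.0; 1.11.5 and 1.12.1 are treated as the first fixed releases.
FIXED_1_11 = (1, 11, 5)
FIXED_1_12 = (1, 12, 1)


def parse_version(tag: str) -> Tuple[int, int, int]:
    """'v1.12.0' -> (1, 12, 0); raises ValueError for tags that are not x.y.z."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        raise ValueError(f"not a release tag: {tag!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    """True for anything below 1.11.5 and for the 1.12.0 release."""
    if version < FIXED_1_11:
        return True
    return (1, 12, 0) <= version < FIXED_1_12


def image_tag(image: str) -> str:
    """Drop any @sha256 digest, then take the tag after the last ':' of the final
    path component (so a registry port such as localhost:5000 is not mistaken for a tag)."""
    image = image.split("@", 1)[0]
    last = image.rsplit("/", 1)[-1]
    return last.split(":", 1)[1] if ":" in last else "latest"


def find_vulnerable_controllers(deployments_json: str) -> List[Tuple[str, str, str]]:
    """Scan 'kubectl get deploy -A -o json' output for ingress-nginx controller
    images on affected versions; unparseable tags are reported for manual review."""
    hits: List[Tuple[str, str, str]] = []
    for item in json.loads(deployments_json).get("items", []):
        ns = item["metadata"]["namespace"]
        name = item["metadata"]["name"]
        for c in item["spec"]["template"]["spec"]["containers"]:
            image = c["image"]
            if "ingress-nginx/controller" not in image:
                continue
            tag = image_tag(image)
            try:
                ver = parse_version(tag)
            except ValueError:
                hits.append((ns, name, f"{tag} (unparseable tag, review manually)"))
                continue
            if is_vulnerable(ver):
                hits.append((ns, name, tag))
    return hits


def admission_webhooks(vwc_json: str) -> List[Tuple[str, str, int]]:
    """From 'kubectl get validatingwebhookconfiguration -o json', list webhooks
    whose clientConfig points at an ingress-nginx admission Service (name match is assumed)."""
    out: List[Tuple[str, str, int]] = []
    for item in json.loads(vwc_json).get("items", []):
        for wh in item.get("webhooks", []):
            svc = wh.get("clientConfig", {}).get("service", {})
            if "ingress-nginx" in svc.get("name", ""):
                out.append((item["metadata"]["name"], svc.get("namespace", ""), svc.get("port", 443)))
    return out


# Constructed kubectl output (not from a real cluster).
DEPLOYMENTS = json.dumps({"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "controller", "image": "registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:0000"}]}}}},
    {"metadata": {"namespace": "edge", "name": "ingress-nginx-controller"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "controller", "image": "registry.k8s.io/ingress-nginx/controller:v1.12.1"}]}}}},
    {"metadata": {"namespace": "web", "name": "frontend"},
     "spec": {"template": {"spec": {"containers": [{"name": "nginx", "image": "nginx:1.25"}]}}}},
]})
WEBHOOKS = json.dumps({"items": [
    {"metadata": {"name": "ingress-nginx-admission"},
     "webhooks": [{"name": "validate.nginx.ingress.kubernetes.io",
                   "clientConfig": {"service": {"namespace": "ingress-nginx",
                                                "name": "ingress-nginx-controller-admission",
                                                "port": 443}}}]},
]})


if __name__ == "__main__":
    for ns, name, tag in find_vulnerable_controllers(DEPLOYMENTS):
        print(f"VULNERABLE {ns}/{name} runs controller {tag}")
    for cfg, ns, port in admission_webhooks(WEBHOOKS):
        print(f"admission webhook {cfg} -> service in {ns} on port {port}")
```

Against a live cluster, feed it the output of kubectl get deploy -A -o json and kubectl get validatingwebhookconfiguration -o json. Note that the Service port the webhook configuration names (443 in the constructed data) is not the 8443 the post mentions; the 8443 is the controller container's own webhook listener behind that Service, so checking the Service alone does not tell you whether the listener is reachable from elsewhere in the cluster.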
Patrick Bareiß retweeted
The Haag™ (@M_haggis)
🚨 Big News for Splunk Attack Range Users! 🚨

We've just dropped a major update: @Snort 3 is now integrated into the Splunk Attack Range! 🎉🐍 Amazing work by @bareiss_patrick!

If you haven't tried out Attack Range yet, it's a breeze to get started! 🍃
Clone the repo: github.com/splunk/attack_…
📥 Run: python attack_range.py configure
to easily select server OSs, enable Snort3 or Zeek, and more! 💻⚙️

And guess what? Some extra goodies like BadBlood, domain-joined systems, and Kali are all waiting. 🎁💣 It's like making it rain for your test environment! ☔💸

Once you've got everything set up, you'll be diving into a fresh batch of data in Splunk in no time! 📊🔍

Happy hunting, and may the logs be ever in your favor! 🕵️‍♂️🔐
[2 images attached]
Patrick Bareiß retweeted
The Haag™ (@M_haggis)
🚨 LOLRMM Update 🚂 You thought we were done? Nope.

🔥 Deduplication efforts are in the works
🔥 Experts (@_josehelps) are reviewing the site code to ensure we deliver the most epic LOLRMM experience.
🔥 More and more RMMs are being completed (@Kostastsale @nas_bench)
🔥 Who wants more Sigma rules? Because we got them. Autogenerated + easily found on individual RMM pages.

Hoping the efforts are final soon and we can get this out the door! Be warned, it's a lot of data and we'll need lots of community ❤️ to make this 100%.

Teaser:
[2 images attached]
Patrick Bareiß retweeted
The Haag™ (@M_haggis)
🚨 #Splunk Threat Research Team Release 4.18.0! 🚨

✨ Key Updates:
🛡️ Kubernetes Security: advanced detections for containerized environment threats, including unusual access and abuse scenarios.
🔒 Enhanced MFA Security in PingID: 4 new detections by Steven D., addressing critical aspects of digital authentication security.
🧩 Rhysida Ransomware Analytic Story: in-depth analytics for detecting Rhysida group behaviors and tactics.
🔄 Updated Analytics & Stories: including NjRAT, RedLine Stealer, and firewall modifications.

🔍 Dive into detailed detections for Kubernetes abuses, multi-factor authentication challenges, and ransomware tactics.

Release: github.com/splunk/securit…
Content: Research.Splunk.com
[1 image attached]
Patrick Bareiß (@bareiss_patrick)
Learn how the Splunk Threat Research Team is revolutionizing detection engineering efficiency. Get a sneak peek into Security Content v4.0's features. Essential reading for detection engineers, security analysts, and team leaders. splunk.com/en_us/blog/sec…
Patrick Bareiß retweeted
The Haag™ (@M_haggis)
I didn't want to mention it, but after my last SANS preso on hunting drivers, I've decided to build a site similar to LOLBAS project presenting all known vulnerable Windows drivers. More to come. Until then, give it a follow. github.com/LOLDrivers-Pro…
Patrick Bareiß retweeted
Virus Bulletin (@virusbtn)
Splunk STRT researchers describe the different tactics, techniques and procedures mapped to the ATT&CK framework leveraged by Agent Tesla remote access trojan. splunk.com/en_us/blog/sec…
[1 image attached]