What's new

Enterprise Security Content Updates version 5.3.0 was released on April 8, 2025 and includes the following enhancements:

Key highlights

We released new analytic stories and detections to strengthen visibility and defense against Apache Tomcat exploitation, Windows shortcut-based zero-day attacks, and various ransomware campaigns. Here's a summary of the latest updates:

  • Detection Output Standardization: We've updated the majority of our detections to include a standardized set of output fields within each detection analytic and enhanced our tooling to consistently enforce this structure, thereby improving usability, correlation, and integration across security workflows.
  • Apache Tomcat Session Deserialization Attacks: CVE-2025-24813 is an unauthenticated remote code execution vulnerability in Apache Tomcat's partial PUT feature disclosed on March 10, 2025. We introduced a new analytic story targeting potential exploitation of Apache Tomcat servers. This story includes detections for suspicious session deserialization attempts and file uploads, techniques commonly used by attackers to gain remote access or execute arbitrary code.
  • Windows Shortcut Exploit Abuse: We released a new analytic story to detect emerging exploitation patterns involving Windows LNK files. This includes detections for abuse of SSH ProxyCommand, LNK files with abnormal padding, and Windows Explorer spawning suspicious processes such as PowerShell or CMD. These analytics are designed to surface stealthy initial access and execution techniques leveraged in recent zero-day attacks. More details can be found in ZDI-CAN-25373.
  • New Ransomware Campaigns: We've expanded our ransomware mapping to include detection coverage for emerging threats such as Medusa Ransomware, Termite, Van Helsing, Salt Typhoon, and Seashell Blizzard. These mappings help contextualize detections within current threat actor TTPs and provide better visibility into campaign-specific behaviors.
  • Windows Firewall Rule Monitoring: We also introduced new detections to monitor firewall-related security events on Windows systems, including Windows Firewall Rule Added, Windows Firewall Rule Deletion, and Windows Firewall Rule Modification, thereby helping security teams track unauthorized or suspicious changes to host-based firewall configurations.

These additions strengthen security teams' ability to detect and respond to emerging threats across critical enterprise platforms.

New analytics

Other updates

  • Updated the ransomware_extensions and remote_access_software lookups with new values.
  • Updated a majority of detections to output improved field names, which enhances how they appear in Splunk Enterprise Security. We also added output_fields to the data source objects to enforce output validation for detection analytics.
  • Fixed a minor bug that prevented the deprecated and removed content warning banner from displaying correctly on the landing page.