LoFP / segmentation faults may occur due to other causes, so this search may produce false positives

Techniques

Sample rules

Splunk DOS Via Dump SPL Command

Description

In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an attacker can exploit a vulnerability in the dump SPL command to cause a Denial of Service by crashing the Splunk daemon.

Detection logic

`splunk_crash_log` "*Segmentation fault*"
| stats count by host _time
| `splunk_dos_via_dump_spl_command_filter`
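The same logic applied outside Splunk, as an added Python example that is not part of the LoFP record or of Splunk's own code: it keeps crash-log lines containing the wildcard term, counts them by host and time, and models the site-specific filter macro as a host exclusion list (an assumption, since the macro's contents are not on the page). The crash-log lines are constructed for the example.

```python
import re
from collections import Counter
from typing import Iterable

# Constructed sample crash-log lines (not real Splunk output). The
# "host=" token stands in for the host field Splunk attaches to events.
SAMPLE_CRASH_LOG = [
    "2024-01-15 10:02:11 host=idx01 Received fatal signal 11 (Segmentation fault).",
    "2024-01-15 10:02:11 host=idx01 Cause: Signal sent by the kernel [SEGV_MAPERR]",
    "2024-01-15 10:05:43 host=sh02 Received fatal signal 6 (Abort).",
    "2024-01-15 11:17:09 host=idx01 Received fatal signal 11 (Segmentation fault).",
    "2024-01-15 11:17:09 host=idx03 Received fatal signal 11 (Segmentation fault).",
]

LINE_RE = re.compile(r"^(?P<time>\S+ \S+) host=(?P<host>\S+) (?P<msg>.*)$")


def parse_crash_line(line: str):
    """Return (time, host, message), or None if the line is not in the sample format."""
    m = LINE_RE.match(line)
    return (m["time"], m["host"], m["msg"]) if m else None


def segfault_counts(lines: Iterable[str], excluded_hosts=()) -> dict:
    """Mirror the search: keep lines matching "*Segmentation fault*" (case-insensitive,
    as Splunk's term search is), count by (host, _time), then drop hosts on the
    exclusion list, which stands in for the filter macro (an assumption).
    Note the false-positive caveat: every segfault is counted, whatever its cause."""
    counts = Counter()
    for line in lines:
        parsed = parse_crash_line(line)
        if parsed is None:
            continue
        time, host, msg = parsed
        if "segmentation fault" not in msg.lower():
            continue  # e.g. an Abort (signal 6) is not matched by this search
        if host in excluded_hosts:
            continue
        counts[(host, time)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (host, time), n in sorted(segfault_counts(SAMPLE_CRASH_LOG).items()):
        print(f"{host} {time} count={n}")
```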