this is a hunting search it should be focused on affected products, otherwise it is likely to produce false positives.

Techniques

T1499

Sample rules

Splunk Improperly Formatted Parameter Crashes splunkd

source: splunk
technicques:
- T1499

Description

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, when the INGEST\_EVAL parameter is improperly formatted, it crashes splunkd. This hunting search provides the user, timing and number of times the crashing command was executed.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where (Search_Activity.search="*makeresults*"AND Search_Activity.search="*ingestpreview*transforms*") Search_Activity.search_type=adhoc Search_Activity.search!="*splunk_improperly_formatted_parameter_crashes_splunkd_filter*" Search_Activity.user!=splunk-system-user by Search_Activity.search, Search_Activity.info, Search_Activity.total_run_time, Search_Activity.user, Search_Activity.search_type 
| `drop_dm_object_name(Search_Activity)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `splunk_improperly_formatted_parameter_crashes_splunkd_filter`