Techniques
Sample rules
Splunk risky Command Abuse disclosed february 2023
- source: splunk
- techniques:
- T1548
- T1202
Description
This search looks for ad-hoc searches, run by any user other than splunk-system-user, that contain commands flagged as high risk in the splunk_risky_command lookup. The commands in that lookup come from a number of different Splunk vulnerability disclosures; please refer to the following URL for additional information on these disclosures - https://advisory.splunk.com
Detection logic
| tstats fillnull_value="N/A" count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.info Search_Activity.total_run_time Search_Activity.user Search_Activity.search_type
| `drop_dm_object_name(Search_Activity)`
| lookup splunk_risky_command splunk_risky_command as search output splunk_risky_command description vulnerable_versions CVE other_metadata
| where splunk_risky_command != "false"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `splunk_risky_command_abuse_disclosed_february_2023_filter`
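The detection logic above, re-implemented in Python over constructed Search_Activity rows so it can be run offline. This is an added example, not code from Splunk or from the security content project: the lookup rows are assumptions (the real splunk_risky_command lookup carries more rows and also vulnerable_versions, CVE and other_metadata columns), the sample events are constructed, and the timestamp format assumes the security_content_ctime macro's output rendered in UTC.

```python
import fnmatch
from collections import defaultdict
from datetime import datetime, timezone

# Constructed stand-in for the splunk_risky_command lookup (assumption: the
# real lookup has more rows and more columns). Patterns use SPL WILDCARD style.
RISKY_COMMAND_LOOKUP = [
    {"splunk_risky_command": "*| collect*", "description": "writes search results into an index"},
    {"splunk_risky_command": "*| sendalert*", "description": "fires an alert action from a search"},
    {"splunk_risky_command": "*| runshellscript*", "description": "runs a script on the search head"},
]

# Constructed Search_Activity rows, one dict per event the datamodel would return.
SAMPLE_EVENTS = [
    {"_time": 1675900000, "user": "alice", "search_type": "adhoc", "info": "completed",
     "search": "search index=web status=500 | stats count by host", "total_run_time": 1.2},
    {"_time": 1675903600, "user": "bob", "search_type": "adhoc", "info": "completed",
     "search": "search index=_internal | collect index=summary", "total_run_time": 4.0},
    {"_time": 1675907200, "user": "bob", "search_type": "adhoc", "info": "completed",
     "search": "search index=_internal | collect index=summary", "total_run_time": 4.0},
    # Excluded by the rule: system user.
    {"_time": 1675910800, "user": "splunk-system-user", "search_type": "adhoc", "info": "completed",
     "search": "search index=_audit | collect index=summary", "total_run_time": 0.5},
    # Excluded by the rule: scheduled, not adhoc.
    {"_time": 1675914400, "user": "carol", "search_type": "scheduled", "info": "completed",
     "search": "search index=main | sendalert webhook", "total_run_time": 2.0},
    # Mixed-case command name, to show why matching must ignore case.
    {"_time": 1675918000, "user": "dave", "search_type": "adhoc", "info": "failed",
     "search": "| makeresults | eval x=1 | RunShellScript ./x.sh", "total_run_time": 0.1},
]


def _ctime(epoch):
    """Mirror what the security_content_ctime macro does: epoch -> readable time (UTC assumed)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def lookup_risky_command(search, lookup=RISKY_COMMAND_LOOKUP):
    """Emulate `lookup splunk_risky_command splunk_risky_command as search`.

    Matching is case-insensitive here because SPL command names are
    case-insensitive, so `| COLLECT` is as risky as `| collect`. Returns the
    matching lookup row, or None (the SPL `where splunk_risky_command != "false"`).
    """
    lowered = search.lower()
    for row in lookup:
        if fnmatch.fnmatchcase(lowered, row["splunk_risky_command"].lower()):
            return row
    return None


def detect(events, lookup=RISKY_COMMAND_LOOKUP):
    """Run the rule: filter adhoc, non-system searches, aggregate like tstats, apply the lookup."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        # where Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user
        if ev["search_type"] != "adhoc" or ev["user"] == "splunk-system-user":
            continue
        # by search, info, total_run_time, user, search_type
        key = (ev["search"], ev["info"], ev["total_run_time"], ev["user"], ev["search_type"])
        g = groups[key]
        g["count"] += 1
        t = ev["_time"]
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)

    hits = []
    for (search, info, total_run_time, user, search_type), g in groups.items():
        match = lookup_risky_command(search, lookup)
        if match is None:
            continue
        hits.append((g["firstTime"], {
            "search": search, "info": info, "total_run_time": total_run_time,
            "user": user, "search_type": search_type, "count": g["count"],
            "firstTime": _ctime(g["firstTime"]), "lastTime": _ctime(g["lastTime"]),
            "splunk_risky_command": match["splunk_risky_command"],
            "description": match["description"],
        }))
    return [row for _, row in sorted(hits, key=lambda h: h[0])]


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(f'{row["firstTime"]} {row["user"]:8} x{row["count"]} {row["splunk_risky_command"]}: {row["search"]}')
```

Running it reports bob's repeated `| collect` search (count 2, with first and last times) and dave's `| RunShellScript` search, while the splunk-system-user and scheduled rows are dropped before the lookup is applied. The example matches case-insensitively on purpose; whether the real lookup does depends on its case_sensitive_match setting in transforms.conf, which is worth checking, since a case-sensitive match would miss a search written as `| COLLECT`.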