Techniques
Sample rules
Splunk DOS via printf search function
- source: splunk
- techniques:
- T1499.004
Description
This hunting search helps detect exploitation of a vulnerability in Splunk Enterprise: in versions lower than 8.1.14, 8.2.12, 9.0.6, and 9.1.1, an attacker can use the printf SPL function to perform a denial of service against the Splunk Enterprise instance.
Detection logic
`audit_searches` "*makeresults * eval * fieldformat *printf*" user!="splunk_system_user" search!="*audit_searches*"
| stats count by user splunk_server host search
| convert ctime(*time)
| `splunk_dos_via_printf_search_function_filter`
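As an added illustration, not part of the rule above, the same filter and grouping expressed in Python and run over a few constructed audit records. It assumes the wildcard term is checked against the search field only (in SPL it matches the whole raw audit event) and that the records carry the user, splunk_server, host and search fields the `audit_searches` macro exposes.

```python
import re
from collections import Counter
from fnmatch import translate

# Constructed sample _audit records (not real Splunk data). Two are the same
# user issuing a makeresults/eval/fieldformat/printf search twice, one is the
# internal system user, one mentions audit_searches (the rule's own search),
# and one is an ordinary search that must not be flagged.
PRINTF_SEARCH = '| makeresults | eval x="a" | fieldformat y=printf("%s", x)'
SAMPLE_AUDIT = [
    {"user": "admin", "splunk_server": "sh1", "host": "sh1", "search": PRINTF_SEARCH},
    {"user": "admin", "splunk_server": "sh1", "host": "sh1", "search": PRINTF_SEARCH},
    {"user": "splunk_system_user", "splunk_server": "sh1", "host": "sh1",
     "search": PRINTF_SEARCH},
    {"user": "analyst", "splunk_server": "sh1", "host": "sh1",
     "search": "search index=_audit `audit_searches` makeresults eval fieldformat printf"},
    {"user": "analyst", "splunk_server": "sh1", "host": "sh1",
     "search": "search index=main sourcetype=access_combined | stats count"},
]


def wildcard(pattern):
    """Compile a Splunk-style wildcard term (* matches anything, case-insensitive)."""
    return re.compile(translate(pattern), re.IGNORECASE)


# The quoted term from the rule: makeresults, then eval, then fieldformat, then
# printf, in that order, each separated by at least one space.
PRINTF_PATTERN = wildcard("*makeresults * eval * fieldformat *printf*")
# Exclude the hunting search itself, as search!="*audit_searches*" does.
SELF_REFERENCE = wildcard("*audit_searches*")


def detect_printf_dos(records):
    """Mirror the rule: filter records, then count by user/splunk_server/host/search."""
    hits = Counter()
    for rec in records:
        if rec["user"] == "splunk_system_user":      # user!="splunk_system_user"
            continue
        if SELF_REFERENCE.match(rec["search"]):      # search!="*audit_searches*"
            continue
        if not PRINTF_PATTERN.match(rec["search"]):  # the wildcard term
            continue
        hits[(rec["user"], rec["splunk_server"], rec["host"], rec["search"])] += 1
    return dict(hits)


if __name__ == "__main__":
    for key, count in detect_printf_dos(SAMPLE_AUDIT).items():
        print(count, *key)
```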