This search may produce false positives; analysts should focus on uses of the printf conversion function of eval that craft an expression splunkd cannot interpret correctly, causing it to crash.

Techniques

Sample rules

Splunk DOS via printf search function

Description

This hunting search provides information for detecting exploitation of a vulnerability in Splunk Enterprise versions lower than 8.1.14, 8.2.12, 9.0.6, and 9.1.1, where an attacker can use the printf SPL function to perform a denial of service against the Splunk Enterprise instance.

Detection logic

`audit_searches` "*makeresults * eval * fieldformat *printf*" user!="splunk_system_user" search!="*audit_searches*" 
| stats count by user splunk_server host search 
| convert ctime(*time) 
|`splunk_dos_via_printf_search_function_filter`
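The following is an added example, not part of the original rule or Splunk's own code, that reproduces the detection logic above in Python so the matching behaviour can be checked against constructed audit events offline. It assumes a simplified event shape (one dict per audit event with `user`, `splunk_server`, `host` and `search` fields) and applies the wildcard string to the `search` field rather than to the raw event text as Splunk does; the `convert ctime(*time)` step is omitted because no time fields survive the `stats` aggregation. The sample searches are constructed and use printf benignly; the point is to show which events the filters keep and which they drop.

```python
import re
from collections import Counter

# Constructed sample audit events (not real Splunk data). The first two
# should be counted together, the third is excluded by the user filter,
# the fourth is the hunting search itself (excluded by search!="*audit_searches*"),
# and the fifth does not match the wildcard pattern at all.
SAMPLE_AUDIT_EVENTS = [
    {"user": "analyst1", "splunk_server": "sh01", "host": "sh01",
     "search": '| makeresults | eval x=1 | fieldformat y=printf("%d", x)'},
    {"user": "analyst1", "splunk_server": "sh01", "host": "sh01",
     "search": '| makeresults | eval x=1 | fieldformat y=printf("%d", x)'},
    {"user": "splunk_system_user", "splunk_server": "sh01", "host": "sh01",
     "search": '| makeresults | eval x=1 | fieldformat y=printf("%d", x)'},
    {"user": "analyst2", "splunk_server": "sh02", "host": "sh02",
     "search": '`audit_searches` "*makeresults * eval * fieldformat *printf*"'},
    {"user": "analyst3", "splunk_server": "sh02", "host": "sh02",
     "search": "index=main | stats count by host"},
]

# The wildcard string from the rule's detection logic.
SEARCH_PATTERN = "*makeresults * eval * fieldformat *printf*"


def splunk_wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a Splunk-style wildcard string (only `*` is special) into a
    case-insensitive regex anchored to the whole string. Spaces inside the
    pattern are significant, so `* eval *` requires eval as a separate token."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def matches_detection(event: dict, pattern: str = SEARCH_PATTERN) -> bool:
    """Apply the three filters of the rule to one audit event."""
    search = event.get("search", "")
    if event.get("user") == "splunk_system_user":      # user!="splunk_system_user"
        return False
    if "audit_searches" in search.lower():             # search!="*audit_searches*"
        return False
    return splunk_wildcard_to_regex(pattern).match(search) is not None


def stats_count(events) -> dict:
    """Equivalent of `| stats count by user splunk_server host search`:
    returns {(user, splunk_server, host, search): count} for matching events."""
    counter = Counter()
    for ev in events:
        if matches_detection(ev):
            key = (ev["user"], ev["splunk_server"], ev["host"], ev["search"])
            counter[key] += 1
    return dict(counter)


if __name__ == "__main__":
    for key, n in stats_count(SAMPLE_AUDIT_EVENTS).items():
        print(n, *key)
```

Events that survive the filters are candidates for triage, not confirmed exploitation: the false-positive note at the top of this page applies, so an analyst still has to inspect the printf expression in each counted search.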