LoFP / This search may reveal non-malicious zip files causing errors as well.

Techniques

Sample rules

Splunk Endpoint Denial of Service DoS Zip Bomb

Description

This search allows an operator to identify Splunk search app crashes caused by a specially crafted ZIP file ingested through file monitoring; the issue affects Universal Forwarder (UF) version 8.1.11 and 8.2 versions below 8.2.7.1. It is not possible to detect the zip bomb before the crash occurs. The search surfaces the Universal Forwarder errors produced by uploaded binary (zip-compressed) files, which are the files used in this attack. If an analyst sees results from this search, investigate and triage which zip file was uploaded; note that zip-compressed files may carry extensions other than .zip.

Detection logic

`splunkd` component=FileClassifierManager event_message=*invalid* event_message=*binary* 
|stats count by host component event_message 
| `splunk_endpoint_denial_of_service_dos_zip_bomb_filter`
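As an added illustration (not part of the original rule or of Splunk's own code), the search's filter and stats clauses re-implemented in Python over constructed splunkd log lines, with the trailing `_filter` macro modelled as an analyst-maintained list of confirmed-benign message fragments that suppresses the non-malicious zip errors this false-positive note warns about. The key=value log layout and the file paths are assumptions.

```python
import re
from collections import Counter

# Constructed, simplified splunkd log lines (not real data) with the fields the
# search uses already extracted as key=value pairs. Only lines 2 to 4 match.
SAMPLE_LOG = """\
host=uf-01 component=TailingProcessor event_message="Adding watch on path: /data/uploads"
host=uf-01 component=FileClassifierManager event_message="The file '/data/uploads/a.zip' is invalid. Reason: binary"
host=uf-02 component=FileClassifierManager event_message="The file '/data/uploads/a.zip' is invalid. Reason: binary"
host=uf-02 component=FileClassifierManager event_message="The file '/data/uploads/b.docx' is invalid. Reason: binary"
host=uf-03 component=FileClassifierManager event_message="Learned sourcetype for /data/uploads/c.log"
"""

# key=value or key="quoted value"; group 3 holds the unquoted inner text
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in FIELD_RE.finditer(line)}


def matches_search(event):
    """The SPL filter clause: component=FileClassifierManager plus the two
    wildcard terms *invalid* and *binary* on event_message. Splunk matches
    field values case-insensitively, hence the lower()."""
    msg = event.get("event_message", "").lower()
    return (event.get("component") == "FileClassifierManager"
            and "invalid" in msg and "binary" in msg)


def zip_bomb_stats(log_text, benign_substrings=()):
    """'| stats count by host component event_message', followed by the tuning
    step the *_filter macro stands for: drop rows whose message contains a
    fragment an analyst has confirmed benign (e.g. a known-good file name)."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not matches_search(ev):
            continue
        if any(s in ev["event_message"] for s in benign_substrings):
            continue
        counts[(ev["host"], ev["component"], ev["event_message"])] += 1
    return counts
```

Each surviving row is one (host, component, message) tuple with its count, which is what the operator would triage to find the uploaded file.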