This search will hunt for exploitation attempts against the Splunk pdfgen render function, and not all requests are necessarily malicious, so there will be false positives.

Techniques

Sample rules

Splunk RCE PDFgen Render

Description

This is a hunting search designed to find exploitation attempts against the Splunk pdfgen render endpoint which results in remote

Detection logic

index=_internal sourcetype=splunk_pdfgen _raw IN ("*base64*", "*lambda*", "*system*") 
| stats count min(_time) as firstTime max(_time) as lastTime by index, sourcetype, host, _raw 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `splunk_rce_pdfgen_render_filter`
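To make the search's behaviour concrete, here is an added Python emulation of the SPL pipeline above, run against a handful of constructed events; it is example code, not part of the detection or of Splunk's security content. It assumes Splunk's default case-insensitive term matching for the `_raw IN (...)` wildcards, renders `security_content_ctime` as `%Y-%m-%dT%H:%M:%S` in UTC, and stands in for the site-specific `splunk_rce_pdfgen_render_filter` macro with a hypothetical host allowlist (`ALLOWLISTED_HOSTS`), which is the kind of tuning you would add to suppress the false positives the page warns about.

```python
"""Offline emulation of the 'Splunk RCE PDFgen Render' hunting search.

Added example, not the detection's own code. It mirrors this SPL:

    index=_internal sourcetype=splunk_pdfgen _raw IN ("*base64*","*lambda*","*system*")
    | stats count min(_time) as firstTime max(_time) as lastTime
            by index, sourcetype, host, _raw
    | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
    | `splunk_rce_pdfgen_render_filter`
"""
from collections import defaultdict
from datetime import datetime, timezone

# Substrings the base search looks for inside _raw (wildcards on both sides).
INDICATORS = ("base64", "lambda", "system")

# Constructed sample events, not real Splunk logs. _time is a Unix epoch.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "index": "_internal", "sourcetype": "splunk_pdfgen",
     "host": "sh-01", "_raw": "pdfgen render: evaluating lambda in template"},
    {"_time": 1700000060, "index": "_internal", "sourcetype": "splunk_pdfgen",
     "host": "sh-01", "_raw": "pdfgen render: evaluating lambda in template"},
    {"_time": 1700000120, "index": "_internal", "sourcetype": "splunk_pdfgen",
     "host": "sh-02", "_raw": "pdfgen render: BASE64 decode of user supplied payload"},
    {"_time": 1700000180, "index": "_internal", "sourcetype": "splunk_pdfgen",
     "host": "sh-03", "_raw": "pdfgen render: scheduled PDF report generated OK"},
    # Same indicators but the wrong sourcetype: the base search never sees it.
    {"_time": 1700000240, "index": "_internal", "sourcetype": "splunkd",
     "host": "sh-01", "_raw": "os.system call in lambda"},
    # Benign noise from a hypothetical build host; a filter macro would drop it.
    {"_time": 1700000300, "index": "_internal", "sourcetype": "splunk_pdfgen",
     "host": "build-01", "_raw": "pdfgen render: system test fixture"},
]

# Hypothetical tuning for the *_filter macro (assumption, not from the page).
ALLOWLISTED_HOSTS = {"build-01"}


def matches_search(event):
    """Base search: index, sourcetype, and any indicator as a substring of _raw.

    Comparison is lowercased to mirror Splunk's case-insensitive term matching
    (assumed default behaviour).
    """
    if event["index"] != "_internal" or event["sourcetype"] != "splunk_pdfgen":
        return False
    raw = event["_raw"].lower()
    return any(indicator in raw for indicator in INDICATORS)


def stats_by_raw(events):
    """| stats count min(_time) as firstTime max(_time) as lastTime
       by index, sourcetype, host, _raw"""
    groups = defaultdict(list)
    for event in events:
        key = (event["index"], event["sourcetype"], event["host"], event["_raw"])
        groups[key].append(event["_time"])
    rows = []
    for (index, sourcetype, host, raw), times in groups.items():
        rows.append({"index": index, "sourcetype": sourcetype, "host": host,
                     "_raw": raw, "count": len(times),
                     "firstTime": min(times), "lastTime": max(times)})
    return rows


def security_content_ctime(epoch):
    """Stand-in for `security_content_ctime`: epoch -> %Y-%m-%dT%H:%M:%S.

    Rendered in UTC here; Splunk would use the search head's timezone.
    """
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def rce_pdfgen_render_filter(rows):
    """Stand-in for `splunk_rce_pdfgen_render_filter`: drops allowlisted hosts."""
    return [row for row in rows if row["host"] not in ALLOWLISTED_HOSTS]


def hunt(events):
    """Run the whole pipeline and return the surviving result rows."""
    rows = stats_by_raw(e for e in events if matches_search(e))
    for row in rows:
        row["firstTime"] = security_content_ctime(row["firstTime"])
        row["lastTime"] = security_content_ctime(row["lastTime"])
    return rce_pdfgen_render_filter(rows)


if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(row["host"], row["count"], row["firstTime"], row["lastTime"], row["_raw"])
```

Because `stats` groups on the full `_raw`, two identical log lines from one host collapse into a single row with `count=2`, while the same indicator with slightly different surrounding text stays as separate rows; that is why the page expects false positives and why a filter macro keyed on host or on known-benign message text is the usual tuning point.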