Techniques
Sample rules
Splunk RCE PDFgen Render
- source: splunk
- techniques:
Description
This is a hunting search designed to find exploitation attempts against the Splunk pdfgen render endpoint which results in remote
Detection logic
index=_internal sourcetype=splunk_pdfgen _raw IN ("*base64*", "*lambda*", "*system*")
| stats count min(_time) as firstTime max(_time) as lastTime by index, sourcetype, host, _raw
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `splunk_rce_pdfgen_render_filter`
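The search above does four things: restricts to `index=_internal sourcetype=splunk_pdfgen`, keeps events whose `_raw` contains any of the three indicator substrings, aggregates count/first-seen/last-seen per distinct (index, sourcetype, host, _raw) tuple, and finally passes the rows through a tuning filter macro. The following Python reproduces that pipeline offline over a handful of constructed `splunk_pdfgen`-style events so the grouping and the effect of the filter can be seen without a Splunk instance. This is an added example, not code from the page or from Splunk's own security content; the function names, the sample events and the assumed `%Y-%m-%dT%H:%M:%S` output of `security_content_ctime` are assumptions made for the illustration.

```python
from datetime import datetime, timezone

# Indicator substrings from the detection search: _raw IN ("*base64*", "*lambda*", "*system*")
INDICATORS = ("base64", "lambda", "system")

# Constructed sample events modelled on the splunk_pdfgen sourcetype (not real logs).
# _time is epoch seconds, as Splunk stores it.
SAMPLE_EVENTS = [
    {"index": "_internal", "sourcetype": "splunk_pdfgen", "host": "sh01",
     "_time": 1700000000, "_raw": "INFO  rendering report dashboard=ops_overview"},
    {"index": "_internal", "sourcetype": "splunk_pdfgen", "host": "sh01",
     "_time": 1700000060, "_raw": "ERROR render failed: __import__('base64') referenced in input"},
    {"index": "_internal", "sourcetype": "splunk_pdfgen", "host": "sh01",
     "_time": 1700000120, "_raw": "ERROR render failed: __import__('base64') referenced in input"},
    {"index": "_internal", "sourcetype": "splunk_pdfgen", "host": "sh02",
     "_time": 1700000180, "_raw": "WARN  unexpected token 'lambda' in paper size parameter"},
    # Different sourcetype: excluded by the search even though it contains an indicator.
    {"index": "_internal", "sourcetype": "splunk_web_access", "host": "sh02",
     "_time": 1700000240, "_raw": "GET /services/pdfgen/render system=1"},
]


def security_content_ctime(epoch):
    """Assumed rendering of the `security_content_ctime` macro: epoch -> ISO-like UTC string."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def matches(event, index="_internal", sourcetype="splunk_pdfgen", indicators=INDICATORS):
    """Base search: index/sourcetype restriction plus any-of substring match on _raw.
    Splunk term matching is case-insensitive, so the comparison is lower-cased here."""
    if event.get("index") != index or event.get("sourcetype") != sourcetype:
        return False
    raw = event.get("_raw", "").lower()
    return any(ind in raw for ind in indicators)


def hunt(events, row_filter=None):
    """Equivalent of the stats/ctime/filter stages.

    Groups matching events by (index, sourcetype, host, _raw) and reports count,
    firstTime and lastTime. `row_filter` stands in for the
    `splunk_rce_pdfgen_render_filter` tuning macro: a callable returning False
    drops a row (e.g. a known-benign message shape)."""
    groups = {}
    for ev in events:
        if not matches(ev):
            continue
        key = (ev["index"], ev["sourcetype"], ev["host"], ev["_raw"])
        g = groups.setdefault(key, {"count": 0, "first": ev["_time"], "last": ev["_time"]})
        g["count"] += 1
        g["first"] = min(g["first"], ev["_time"])
        g["last"] = max(g["last"], ev["_time"])

    rows = []
    for (index, sourcetype, host, raw), g in groups.items():
        row = {
            "index": index, "sourcetype": sourcetype, "host": host, "_raw": raw,
            "count": g["count"],
            "firstTime": security_content_ctime(g["first"]),
            "lastTime": security_content_ctime(g["last"]),
        }
        if row_filter is None or row_filter(row):
            rows.append(row)
    # Deterministic ordering for review; Splunk's stats output is unordered.
    return sorted(rows, key=lambda r: (r["host"], r["_raw"]))


if __name__ == "__main__":
    for r in hunt(SAMPLE_EVENTS):
        print(r["host"], r["count"], r["firstTime"], r["lastTime"], r["_raw"])
```

Running the block yields two rows: the repeated `base64` error on sh01 collapses to one row with `count=2` and distinct first/last times, and the `lambda` warning on sh02 appears once; the `splunk_web_access` event is excluded by the sourcetype restriction. Because `stats ... by _raw` groups only on identical raw text, a hunt that wants one row per host regardless of message wording would drop `_raw` from the `by` clause.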