/Threat-Hunting-With-Splunk

Awesome Splunk SPL hunt queries that can be used to detect the latest vulnerability exploitation attempts & subsequent compromise

MIT LicenseMIT

Threat Hunting with Splunk

Awesome Splunk SPL queries that can be used to detect the latest vulnerability exploitation attempts &, threat hunt for MITRE ATT&CK TTPs. I'm including queries with regular expressions, so detection will be possible even if you haven't parsed the logs properly.

MITRE ATT&CK TTP & Detection Analytics

TTP MITRE ATT&CK Detection SPL
T1053.003 Scheduled Task/Job: Cron T1053.003 Detection SPL
T1190 Exploit Public-Facing Application T1190 Detection SPL

Vulnerabilities & Detection Analytics

Vulnerability Advisory Detection SPL
CVE-2022-42889 CVE-2022-42889 Advisory Text4Shell Detection SPL
CVE-2022-41082 CVE-2022-41082 Advisory Microsoft Exchange 0day Detection SPL
CVE-2022-22954 CVE-2022-22954 Advisory CVE-2022-22954 Detection SPL
CVE-2022-22965 CVE-2022-22965 Advisory CVE-2022-22965 Detection SPL
CVE-2022-22963 CVE-2022-22963 Advisory CVE-2022-22963 Detection SPL
CVE-2022-2185 CVE-2022-2185 Advisory GitLab Malicious Project Upload Detection SPL
CVE-2022-33891 CVE-2022-33891 Advisory Apache Spark Command Injection Detection SPL

Malware Detection Analytics

Malware Reference Detection SPL
BPFDoor BPFDoor ATT&CK Community Presentation BPFDoor Detection SPL
VIRTUALPITA & VIRTUALPIE Mandiant Report - Investigating Novel Malware Persistence Within ESXi Hypervisors Detection SPL
Linux Ransomware/Wiper Linux Ransomware Report from UPTYCS Ransomware Detection SPL
RTM Locker for Linux/ESXi RTM Locker Ransomware as a Service (RaaS) Now on Linux - Uptycs RTM Locker/Ransomware Detection SPL
ARCANEDOOR - LINE RUNNER, LINE DANCER, CVE-2024-20353, CVE-2024-20359 ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices ARCANEDOOR - LINE RUNNER & LINE DANCER - CVE-2024-20353 - CVE-2024-20359 Detection SPL