Awesome Threat Hunting with Splunk

Awesome Splunk SPL queries that can be used to detect the latest vulnerability exploitation attempts and to threat hunt for MITRE ATT&CK TTPs. I'm including queries with regular expressions, so detection will be possible even if you haven't parsed the logs properly.

MITRE ATT&CK TTP & Detection Analytics

TTP       | MITRE ATT&CK                        | Detection SPL
----------|-------------------------------------|-----------------------------
T1053.003 | Scheduled Task/Job: Cron            | T1053.003 Detection SPL
T1190     | Exploit Public-Facing Application   | T1190 Detection SPL

Vulnerabilities & Detection Analytics

Vulnerability  | Advisory                  | Detection SPL
---------------|---------------------------|------------------------------------------------
CVE-2022-42889 | CVE-2022-42889 Advisory   | Text4Shell Detection SPL
CVE-2022-41082 | CVE-2022-41082 Advisory   | Microsoft Exchange 0day Detection SPL
CVE-2022-22954 | CVE-2022-22954 Advisory   | CVE-2022-22954 Detection SPL
CVE-2022-22965 | CVE-2022-22965 Advisory   | CVE-2022-22965 Detection SPL
CVE-2022-22963 | CVE-2022-22963 Advisory   | CVE-2022-22963 Detection SPL
CVE-2022-2185  | CVE-2022-2185 Advisory    | GitLab Malicious Project Upload Detection SPL
CVE-2022-33891 | CVE-2022-33891 Advisory   | Apache Spark Command Injection Detection SPL

Malware Detection Analytics

Malware                                                                  | Reference                                                                                   | Detection SPL
-------------------------------------------------------------------------|---------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------
BPFDoor                                                                  | BPFDoor ATT&CK Community Presentation                                                       | BPFDoor Detection SPL
VIRTUALPITA & VIRTUALPIE                                                 | Mandiant Report - Investigating Novel Malware Persistence Within ESXi Hypervisors           | Detection SPL
Linux Ransomware/Wiper                                                   | Linux Ransomware Report from UPTYCS                                                         | Ransomware Detection SPL
RTM Locker for Linux/ESXi                                                | RTM Locker Ransomware as a Service (RaaS) Now on Linux - Uptycs                             | RTM Locker/Ransomware Detection SPL
ARCANEDOOR - LINE RUNNER, LINE DANCER, CVE-2024-20353, CVE-2024-20359    | ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices       | ARCANEDOOR - LINE RUNNER & LINE DANCER - CVE-2024-20353 - CVE-2024-20359 Detection SPL