{"id":13520636,"url":"https://github.com/west-wind/Threat-Hunting-With-Splunk","last_synced_at":"2025-03-31T18:31:11.039Z","repository":{"id":42591508,"uuid":"480727617","full_name":"west-wind/Threat-Hunting-With-Splunk","owner":"west-wind","description":"Awesome Splunk SPL hunt queries that can be used to detect the latest vulnerability exploitation attempts \u0026 subsequent compromise","archived":false,"fork":false,"pushed_at":"2024-04-29T19:21:28.000Z","size":55,"stargazers_count":48,"open_issues_count":0,"forks_count":6,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-04-29T20:32:27.495Z","etag":null,"topics":["arcanedoor","bpfdoor","bpfdoor-detection","cve-2024-20353","cve-2024-20359","detection","detection-engineering","esxi-malware","esxi-ransomware","line-dancer","line-runner","mitre-attack","rtm-locker","splunk","text4shell","vulnerability"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/west-wind.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-04-12T08:52:15.000Z","updated_at":"2024-08-01T06:47:42.968Z","dependencies_parsed_at":"2024-04-29T20:32:05.674Z","dependency_job_id":"645a1f4a-bdfa-413f-9364-32ce6e36a7e7","html_url":"https://github.com/west-wind/Threat-Hunting-With-Splunk","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/west-wind%2FThreat-Hunting-With-Splunk","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/west-wind%2FThreat-Hunting-With-Splunk/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/west-wind%2FThreat-Hunting-With-Splunk/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/west-wind%2FThreat-Hunting-With-Splunk/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/west-wind","download_url":"https://codeload.github.com/west-wind/Threat-Hunting-With-Splunk/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246517743,"owners_count":20790479,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["arcanedoor","bpfdoor","bpfdoor-detection","cve-2024-20353","cve-2024-20359","detection","detection-engineering","esxi-malware","esxi-ransomware","line-dancer","line-runner","mitre-attack","rtm-locker","splunk","text4shell","vulnerability"],"created_at":"2024-08-01T06:00:19.201Z","updated_at":"2025-03-31T18:31:10.774Z","avatar_url":"https://github.com/west-wind.png","language":null,"funding_links":[],"categories":["Detection Content \u0026 Signatures"],"sub_categories":[],"readme":"# Threat Hunting with Splunk\nAwesome Splunk SPL queries that can be used to detect the latest vulnerability exploitation attempts \u0026 threat hunt for MITRE ATT\u0026CK TTPs. I'm including queries with regular expressions, so detection will be possible even if you haven't parsed the logs properly.\n\n## MITRE ATT\u0026CK TTP \u0026 Detection Analytics\n\n| TTP | MITRE ATT\u0026CK | Detection SPL |\n|----------|:-------------:|------:|\n| T1053.003 |  [Scheduled Task/Job: Cron](https://attack.mitre.org/techniques/T1053/003/) | [T1053.003 Detection SPL](https://github.com/west-wind/Threat-Hunting-With-Splunk/blob/main/MITRE/T1053.003.spl) |\n| T1190 |  [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190/) | [T1190 Detection SPL](https://github.com/west-wind/Threat-Hunting-With-Splunk/blob/main/MITRE/T1190.spl) |\n\n\n## Vulnerabilities \u0026 Detection Analytics\n\n| Vulnerability | Advisory | Detection SPL |\n|----------|:-------------:|------:|\n| CVE-2022-42889 |  [CVE-2022-42889 Advisory](https://nvd.nist.gov/vuln/detail/CVE-2022-42889) | [Text4Shell Detection SPL](https://github.com/west-wind/CVE-2022-42889#detection-splunk-query) |\n| CVE-2022-41082 |  [CVE-2022-41082 Advisory](https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/) | [Microsoft Exchange 0day Detection SPL](https://github.com/west-wind/Threat-Hunting-With-Splunk/blob/main/CVE/CVE-2022-41082) |\n| CVE-2022-22954 |  [CVE-2022-22954 Advisory](https://github.com/advisories/GHSA-q7xc-35g4-g566) | [CVE-2022-22954 Detection SPL](https://github.com/west-wind/Threat-Hunting-With-Splunk/blob/main/CVE/CVE-2022-22954) |\n| CVE-2022-22965 |  [CVE-2022-22965 Advisory](https://github.com/advisories/GHSA-36p3-wjmg-h94x) | [CVE-2022-22965 Detection SPL](https://github.com/west-wind/Spring4Shell-Detection) |\n| CVE-2022-22963 |  [CVE-2022-22963 Advisory](https://nvd.nist.gov/vuln/detail/CVE-2022-22963) | [CVE-2022-22963 Detection SPL](https://github.com/west-wind/Spring4Shell-Detection/blob/main/README.md#detection-for-cve-2022-22963-not-spring4shell) |\n| CVE-2022-2185 |  [CVE-2022-2185 Advisory](https://nvd.nist.gov/vuln/detail/CVE-2022-2185) | [GitLab Malicious Project Upload Detection SPL](https://github.com/west-wind/Threat-Hunting-With-Splunk/blob/main/CVE/CVE-2022-2185) |\n| CVE-2022-33891 |  [CVE-2022-33891 Advisory](https://nvd.nist.gov/vuln/detail/CVE-2022-33891) | [Apache Spark Command Injection Detection SPL](https://github.com/west-wind/CVE-2022-33891) |\n\n## Malware Detection Analytics\n\n| Malware | Reference | Detection SPL |\n|----------|:-------------:|------:|\n| BPFDoor |  [BPFDoor ATT\u0026CK Community Presentation](https://github.com/CiscoCXSecurity/presentations/blob/master/Auditd%20for%20the%20newly%20threatened.pdf) | [BPFDoor Detection SPL](https://github.com/west-wind/Threat-Hunting-With-Splunk/blob/main/Malware-Backdoors/BPFDoor) |\n| VIRTUALPITA \u0026 VIRTUALPIE |  [Mandiant Report - Investigating Novel Malware Persistence Within ESXi Hypervisors](https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence) | [Detection SPL](https://github.com/west-wind/Threat-Hunting-With-Splunk/blob/main/Malware-Backdoors/VirtualPITA%20\u0026%20VirtualPIE) |\n| Linux Ransomware/Wiper |  [Linux Ransomware Report from UPTYCS](https://www.uptycs.com/blog/another-ransomware-for-linux-likely-in-development) | [Ransomware Detection SPL](https://github.com/west-wind/Threat-Hunting-With-Splunk/blob/main/Malware-Backdoors/Linux%20Ransomware) |\n| RTM Locker for Linux/ESXi |  [RTM Locker Ransomware as a Service (RaaS) Now on Linux - Uptycs](https://www-uptycs-com.cdn.ampproject.org/c/s/www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux?hs_amp=true) | [RTM Locker/Ransomware Detection SPL](https://github.com/west-wind/Threat-Hunting-With-Splunk/blob/main/Malware-Backdoors/RTM%20Locker%20for%20ESXi) |\n| ARCANEDOOR - LINE RUNNER, LINE DANCER, CVE-2024-20353, CVE-2024-20359 |  [ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices](https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns) | [ARCANEDOOR - LINE RUNNER \u0026 LINE DANCER - CVE-2024-20353 - CVE-2024-20359 Detection SPL](https://github.com/west-wind/Threat-Hunting-With-Splunk/blob/main/Malware-Backdoors/ARCANEDOOR.md) |\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwest-wind%2FThreat-Hunting-With-Splunk","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwest-wind%2FThreat-Hunting-With-Splunk","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwest-wind%2FThreat-Hunting-With-Splunk/lists"}