Splunk Pentesting
Last modified: 2023-01-25
Splunk is a tool for monitoring and searching through big data. A default port is 8089.
Default Credentials
admin:changeme
Dorks
In Splunk, click Search & Reporting. Maybe we need to set the “All time” Preset on the right of the search form.
The cheat sheet of searching is below:
# "main" index stores all the processed data
index="main" earliest=0
# Identify all SourceType
index="main" earliest=0 | stats count by sourcetype | sort -count
# Specity the SourceType
index="main" sourcetype="<SourctType>"
# Specify the EventCode
# EventCode 8: CreateRemoteThread in sysmon.
index="main" sourcetype="<SourceType>" EventCode=8
# EventCode 11: FileCreate in sysmon.
index="main" sourcetype="<SourceType>" EventCode=11
# Retrieve MD5 hash of the target image
index="main" sourcetype="<SourceType>" Image="c:\\Path\\to\\file.exe" md5
# Retrive file locations and number of files.
index="main" sourcetype="<SourceType>" EventCode=11 | stats count by TargetFilename
# Filter by commands
# e.g. "net user /add"
index="main" sourcetype="<SourceType>" CommandLine="*/add*"
# Client-server method "POST" and search by file formats
index="main" sourcetype="iis" cs_method="POST" | search *.php* OR *.asp* OR *.aspx* OR *.jsp*
# Specify the file
index=main example.aspx sourcetype="<SourceType>"