Splunk Pentesting

Last modified: 2023-08-03

Malware Network

Splunk is a tool for monitoring and searching through big data. A default port is 8089.

Default Credentials


SPL (Search Processing Language)

In Splunk, click Search & Reporting. Maybe we need to set the “All time” Preset on the right of the search form.
The cheat sheet of searching is below:

# "main" index stores all the processed data
index="main" earliest=0


index=main example.aspx sourcetype="<SourceType>"


# EventCode 8: CreateRemoteThread in sysmon.
index="main" sourcetype="<SourceType>" EventCode=8

# EventCode 11: FileCreate in sysmon.
index="main" sourcetype="<SourceType>" EventCode=11

IP Addresses

index=main SourceIp=172.* AND DestinationIp=192.68.*


index="main" sourcetype="<SourctType>"

# Identify all SourceType
index="main" earliest=0 | stats count by sourcetype | sort -count

Account Name

index=main AccountName = John AND AccountName != SYSTEM

Retrieving Hashes

# Retrieve MD5 hash of the target image
index="main" sourcetype="<SourceType>" Image="c:\\Path\\to\\file.exe" md5

Filtering by Commands

index="main" sourcetype="<SourceType>" CommandLine="*/add*"

Filtering Fields

index=main | field host, User, SourceIp, DestinationIp


Create a table.

index=main | table User, Hostname


# Display the first N results
index=main | head 5

# Display the last N results.
index=main | tail 5


Reverse the result order.

index=main | reverse


Order the result fields in ascending or descending order.

index=main | table EventID Hostname | sort EventID


# Display top N result of frequent
index=main | top limit=10 User

# Display top N result of the least
index=main | rare limit=10 User


Transform the result to chart.

index=main | chart count by Image

# time-series chart
index=main | timechart count by Image

Removing Duplicate Fields

index=main | table User, Hostname | dedup User

Rename the Field

index=main | fields host, User | rename User as Member


# Retrive file locations and number of files.
index="main" sourcetype="<SourceType>" EventCode=11 | stats count by TargetFilename

# Client-server method "POST" and search by file formats
index="main" sourcetype="iis" cs_method="POST" | search *.php* OR *.asp* OR *.aspx* OR *.jsp*