@darkquasar
Last active May 10, 2022 08:06
Splunk Search to Weed Out Low Hanging Fruit and Out-Of-The-Box Pentest

Draft rule for a Splunk Search

Suspicious User Agents

You will not detect APTs with this, but you will weed out low-hanging fruit and not-too-savvy pentesters :)

user_agent IN ("*burp*", "*burpcollaborator.net*", "*qualys*", "*nexpose*", "*OpenVAS*", "*Nikto*", "*Meterpreter*", "*IceWeasel*", "*DirB*", "*Comodo*", "*Tripwire*", "*Retina*", "*MBSA*", "*ImmuniWeb*", "*Netsparker*", "*Acunetix*", "*Intruder*", "*WinHttp.WinHttpRequest*", "*nmap*", "*CVE*", "*base64*", "*eval*", "*ftp*", "*/script*", "*javascript*", "*alert*") NOT user_agent="*google*"
| eval detection_description=if(like(lower(user_agent),"%winhttprequest%"),"CScript or VBScript Call",detection_description)
| eval detection_description=if(like(lower(user_agent),"%iceweasel%"),"Potentially Kali",detection_description)
| eval detection_description=if(like(lower(user_agent),"%meterpreter%"),"Meterpreter",detection_description)
| eval detection_description=if(like(lower(user_agent),"%nikto%"),"Nikto Scanning",detection_description)
| eval detection_description=if(like(lower(user_agent),"%dirb%"),"Dirbuster Scanning",detection_description)
| eval detection_description=if(like(lower(user_agent),"%burp%"),"BurpSuite Scanning",detection_description)
| eval detection_description=if(like(lower(user_agent),"%qualys%"),"Qualys Scanning",detection_description)
| eval detection_description=if(like(lower(user_agent),"%comodo%"),"Comodo Scanning",detection_description)
| eval detection_description=if(like(lower(user_agent),"%tripwire%"),"Tripwire Scanning",detection_description)
| eval detection_description=if(like(lower(user_agent),"%retina%"),"Retina Scanning",detection_description)
| eval detection_description=if(like(lower(user_agent),"%mbsa%"),"Microsoft Baseline Security Analyzer",detection_description)
| eval detection_description=if(like(lower(user_agent),"%nmap%"),"NMAP Engine Scan",detection_description)
| eval detection_description=if(like(lower(user_agent),"%openvas%"),"OpenVAS Scanning",detection_description)
| eval detection_description=if(like(lower(user_agent),"%cve%"),"CVE Scan",detection_description)
| eval detection_description=if(like(lower(user_agent),"%/script%"),"Cross Site Scripting Attempt",detection_description)
| eval detection_description=if(like(lower(user_agent),"%alert%"),"Cross Site Scripting Attempt",detection_description)
| eval detection_description=if(like(lower(user_agent),"%javascript%"),"Cross Site Scripting Attempt",detection_description)
| eval detection_description=if(like(lower(user_agent),"%base64%"),"Potential SQL Injection",detection_description)
| eval detection_description=if(like(lower(user_agent),"%eval%"),"Potential SQL Injection",detection_description)
| eval detection_description=if(like(lower(user_agent),"%ftp%"),"Attempt at data Exfiltration",detection_description)
| table _time, user_agent, detection_description
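
The matching logic of the search above, re-implemented in Python as an added example (not part of the original gist) so the term list can be checked against test strings before the rule is deployed. It assumes case-insensitive substring matching for both the filter and the labels; the names `classify` and `unlabelled_terms` and all sample user agents are constructed for illustration.

```python
# Added example (not the gist's code): the search's filter and label logic,
# assuming case-insensitive substring matching, for offline testing.
FILTER_TERMS = [  # from the search's IN (...) list
    "burp", "burpcollaborator.net", "qualys", "nexpose", "openvas", "nikto",
    "meterpreter", "iceweasel", "dirb", "comodo", "tripwire", "retina", "mbsa",
    "immuniweb", "netsparker", "acunetix", "intruder", "winhttp.winhttprequest",
    "nmap", "cve", "base64", "eval", "ftp", "/script", "javascript", "alert",
]
EXCLUDE_TERMS = ["google"]
XSS, SQLI = "Cross Site Scripting Attempt", "Potential SQL Injection"
LABELS = [  # (substring, label) in the order of the search's eval chain
    ("winhttprequest", "CScript or VBScript Call"), ("iceweasel", "Potentially Kali"),
    ("meterpreter", "Meterpreter"), ("nikto", "Nikto Scanning"),
    ("dirb", "Dirbuster Scanning"), ("burp", "BurpSuite Scanning"),
    ("qualys", "Qualys Scanning"), ("comodo", "Comodo Scanning"),
    ("tripwire", "Tripwire Scanning"), ("retina", "Retina Scanning"),
    ("mbsa", "Microsoft Baseline Security Analyzer"), ("nmap", "NMAP Engine Scan"),
    ("openvas", "OpenVAS Scanning"), ("cve", "CVE Scan"),
    ("/script", XSS), ("alert", XSS), ("javascript", XSS),
    ("base64", SQLI), ("eval", SQLI), ("ftp", "Attempt at data Exfiltration"),
]

def classify(user_agent):
    """Return (matched, label); label is None when no eval in the chain fires."""
    ua = user_agent.lower()
    if any(t in ua for t in EXCLUDE_TERMS) or not any(t in ua for t in FILTER_TERMS):
        return (False, None)
    label = None
    for term, text in LABELS:  # each later eval overwrites an earlier match
        if term in ua:
            label = text
    return (True, label)

def unlabelled_terms():
    """Filter terms that can match an event but never receive a label."""
    return [f for f in FILTER_TERMS if not any(t in f for t, _ in LABELS)]

SAMPLES = [  # constructed user-agent strings, not captured traffic
    "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)",
    "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)",
    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "AcmeSwiftPay/2.1 (internal billing client)",  # benign, but contains "ftp"
    "Mozilla/5.0 (X11; Linux x86_64) Firefox/100.0",
]

if __name__ == "__main__":
    for ua in SAMPLES:
        print(classify(ua), ua)
    print("unlabelled:", unlabelled_terms())
```

Short terms such as "ftp", "eval" and "alert" match inside unrelated product names, so run the known-good user agents from your own environment through `classify` before alerting on the result.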

@darkquasar
Author

updated thanks to @ateixei to improve readability by using "IN" in Splunk query
