Weaponizing Splunk: Attacking The Organization
Splunk allows administrators to perform application updates, make configuration changes, and execute scripts on remote systems via its universal forwarders. All of this is controlled by a deployment server.
Universal Forwarders are used to collect logs that cannot normally be shipped by other means, such as Windows Event Logs or the output of applications that do not write to syslog.
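Because a deployment server pushes whole apps to forwarders, and an inputs.conf [script://...] stanza inside such an app runs on every forwarder that receives it, the check a defender wants is an inventory of scripted inputs across the deployment-apps directory. The following is an added example, not code from the original article; it assumes the standard $SPLUNK_HOME/etc/deployment-apps/<app>/{default,local}/inputs.conf layout, and the app tree it audits is constructed inline for the demonstration.

```python
"""Audit the apps a Splunk deployment server would push for scripted inputs.
Added example (not from the original article). Every [script://...] stanza in a
deployment app's inputs.conf executes on each forwarder that receives the app,
so these stanzas are reviewed against a known baseline. Sample tree constructed."""
import configparser
import os
import tempfile

def parse_inputs_conf(app, conf_path):
    """Return one record per [script://...] stanza in a single inputs.conf."""
    # Splunk .conf files are INI-like; keys are case-sensitive, stanzas may repeat.
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str
    cp.read(conf_path, encoding="utf-8")
    found = []
    for stanza in cp.sections():
        if stanza.startswith("script://"):
            disabled = cp.get(stanza, "disabled", fallback="0").strip().lower()
            found.append({
                "app": app,
                "script": stanza[len("script://"):],
                "interval": cp.get(stanza, "interval", fallback="60"),  # Splunk default
                "enabled": disabled not in ("1", "true"),
            })
    return found

def audit_deployment_apps(root):
    """Walk every app under a deployment-apps directory (local overrides default)."""
    results = []
    for app in sorted(os.listdir(root)):
        for sub in ("default", "local"):
            conf = os.path.join(root, app, sub, "inputs.conf")
            if os.path.isfile(conf):
                results.extend(parse_inputs_conf(app, conf))
    return results

def build_sample_tree():
    """Constructed sample: one monitor-only app, one app carrying scripted inputs."""
    root = tempfile.mkdtemp(prefix="deployment-apps-")
    apps = {
        "TA-syslog-monitor": "[monitor:///var/log/syslog]\nsourcetype = syslog\n",
        "TA-review-me": ("[script://./bin/collect.sh]\ninterval = 30\n"
                         "[script://./bin/old.sh]\ndisabled = 1\n"),
    }
    for app, text in apps.items():
        os.makedirs(os.path.join(root, app, "default"))
        with open(os.path.join(root, app, "default", "inputs.conf"), "w") as fh:
            fh.write(text)
    return root

if __name__ == "__main__":
    for hit in audit_deployment_apps(build_sample_tree()):
        print(hit)
```

Point the audit at a real deployment-apps directory and diff its output over time; a new or changed scripted input that nobody rolled out is the signal this page's technique would leave behind.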
Attack Demonstration Lab Setup
| Server Config | Victim Client #1 | Victim Client #2 |
|---|---|---|
| Ubuntu 16.04 | Windows 7 Enterprise | Ubuntu Desktop 15.10 |
| Splunk Server 6.5.3 | Splunk Universal Forwarder 6.5.3 | Splunk Universal Forwarder 6.5.3 |
Penetration Test System Configuration
Attack Missions On The Organization (Videos)
Cyberattack Video: Configure Malicious Deployment Applications
Using the Technology Add-ons packaged with the splunk_shells app installed in the previous section, we make some configuration changes to match our attack and victim environments.
Cyberattack Video: Deploy Malicious Applications
We deploy the specifically configured applications to all the systems within the victim organization via the Deployment Server and watch as the shells call home almost immediately.