Weaponizing Splunk: Attacking The Organization

Splunk allows administrators to perform application updates, configuration changes, and execute scripts on remote systems via its universal forwarders. All of this is controlled by a deployment server.

Universal Forwarders are used to collect logs that cannot otherwise be shipped to Splunk, such as Windows Event Logs or the output of applications that have no syslog support.

“Our successful Splunk server attacks have provided me enough information and access, so I can now move laterally across the victim environment. As an attacker, my aim is to communicate with and control as large a proportion of the victim’s network, without raising any alarms.”
-Ryan, TBG Security’s Director of Security Engineering


Attack Demonstration Lab Setup

Server Config         Victim Client #1                   Victim Client #2
Ubuntu 16.04          Windows 7 Enterprise               Ubuntu Desktop 15.10
Splunk Server 6.5.3   Splunk Universal Forwarder 6.5.3   Splunk Universal Forwarder 6.5.3

Penetration Test System Configuration
Kali Linux


Attack Missions On The Organization (Videos)

Cyberattack Video: Configure Malicious Deployment Applications

Using the Technology Add-ons packaged with the splunk_shells app installed in the previous section, we make some configuration changes so the add-ons match our attack and victim environments.

Cyberattack Video: Deploy Malicious Applications
We deploy the specifically configured applications to every system in the victim organization via the Deployment Server and watch the shells call home almost immediately.
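The mechanism the introduction describes and the two videos above abuse is the deployment server pushing apps, scripted inputs included, to every universal forwarder in a server class. The following is an added, defender-side example and is not code from TBG Security or from the Splunk project: a small Python audit that walks a deployment server's etc/deployment-apps directory, flags any app that would execute code on a forwarder (a [script://...] stanza in an inputs.conf, or any file under the app's bin/ directory), and maps each such app to the server classes in etc/system/local/serverclass.conf, noting whether the push forces a splunkd restart. It assumes the standard Splunk layout under $SPLUNK_HOME/etc; the app and server-class names in the fixture it builds are constructed for the demonstration and are not taken from the videos.

```python
"""Audit a Splunk deployment server for apps that run code on forwarders."""
import configparser
import os
import tempfile


def read_conf(path):
    """Parse a Splunk .conf file (INI-style stanzas, key = value lines)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    with open(path, encoding="utf-8", errors="replace") as fh:
        cp.read_file(fh)
    return cp


def app_code_findings(app_dir):
    """Return the reasons an app can execute code on a forwarder.

    Two indicators: a [script://...] stanza in any inputs.conf (the forwarder
    runs the named program on a schedule) and any file under bin/ (where such
    scripts are normally shipped, regardless of platform or mode bits).
    """
    findings = []
    for root, _dirs, files in os.walk(app_dir):
        for name in files:
            full = os.path.join(root, name)
            if name == "inputs.conf":
                cp = read_conf(full)
                for stanza in cp.sections():
                    if stanza.startswith("script://"):
                        disabled = cp.get(stanza, "disabled", fallback="0").strip().lower()
                        state = "disabled" if disabled in ("1", "true") else "ENABLED"
                        findings.append(f"scripted input {stanza} ({state})")
            elif os.path.basename(root) == "bin":
                findings.append(f"bin payload {name}")
    return findings


def app_targets(serverclass_conf):
    """Map app name -> list of (serverClass, whitelist patterns, restarts splunkd)."""
    cp = read_conf(serverclass_conf)
    global_restart = cp.get("global", "restartSplunkd", fallback="false")
    classes = {}
    for stanza in cp.sections():
        parts = stanza.split(":")
        if len(parts) == 2 and parts[0] == "serverClass":
            whitelist = [v for k, v in cp.items(stanza) if k.startswith("whitelist.")]
            classes[parts[1]] = {
                "whitelist": whitelist,
                "restart": cp.get(stanza, "restartSplunkd", fallback=global_restart),
            }
    targets = {}
    for stanza in cp.sections():
        parts = stanza.split(":")
        if len(parts) == 4 and parts[0] == "serverClass" and parts[2] == "app":
            sc, app = parts[1], parts[3]
            base = classes.get(sc, {"whitelist": [], "restart": global_restart})
            # app-level stanza overrides the class-level setting, which overrides [global]
            restart = cp.get(stanza, "restartSplunkd", fallback=base["restart"])
            targets.setdefault(app, []).append(
                (sc, base["whitelist"], restart.strip().lower() in ("1", "true"))
            )
    return targets


def audit(splunk_etc):
    """List apps that both run code on forwarders and are mapped to a server class."""
    apps_dir = os.path.join(splunk_etc, "deployment-apps")
    targets = app_targets(os.path.join(splunk_etc, "system", "local", "serverclass.conf"))
    report = []
    for app in sorted(os.listdir(apps_dir)):
        findings = app_code_findings(os.path.join(apps_dir, app))
        if findings and app in targets:
            report.append({"app": app, "findings": findings, "targets": targets[app]})
    return report


def build_fixture():
    """Construct a miniature $SPLUNK_HOME/etc in a temp dir (sample data only)."""
    etc = tempfile.mkdtemp(prefix="splunk_etc_")
    files = {
        "system/local/serverclass.conf": (
            "[serverClass:all_hosts]\nwhitelist.0 = *\nrestartSplunkd = true\n\n"
            "[serverClass:all_hosts:app:host_monitor]\n\n"
            "[serverClass:all_hosts:app:forwarder_outputs]\n"
        ),
        "deployment-apps/forwarder_outputs/local/outputs.conf": "[tcpout]\ndefaultGroup = indexers\n",
        "deployment-apps/host_monitor/local/inputs.conf": (
            "[script://./bin/collect.sh]\ninterval = 60\nsourcetype = host_monitor\ndisabled = 0\n"
        ),
        "deployment-apps/host_monitor/bin/collect.sh": "#!/bin/sh\nuname -a\n",
    }
    for rel, body in files.items():
        path = os.path.join(etc, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return etc


if __name__ == "__main__":
    for entry in audit(build_fixture()):
        print(entry["app"])
        for f in entry["findings"]:
            print("  ", f)
        for sc, wl, restart in entry["targets"]:
            print(f"   pushed to serverClass {sc} whitelist={wl} restartSplunkd={restart}")
```

Point `audit()` at a real `$SPLUNK_HOME/etc` instead of the fixture to review a live deployment server; a benign outputs-only app produces no line, while any app that carries a scripted input or a bin/ payload is listed together with the server classes (and host whitelists) it would reach, which is the set of forwarders that would execute it on the next deployment poll.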

