Beware of Traitorware: Using Splunk for Persistence
ATT&CK techniques detected
T1059.001 PowerShell (confidence: 95%)
"HTML comment tags contain PowerShell commands, and I found that some characters in the PowerShell commands would parse as HTML, which would not return the correct value with Invoke-WebRequest (< and >, for example). To get around that challenge, I just Base64-encoded the cont…"
T1059.001 PowerShell (confidence: 82%)
"…, the Splunk UF runs as NT AUTHORITY\SYSTEM and will execute scripts with the same user context. Why does this work? The Splunk UF configures the SplunkUniversalForwarder service to run as NT AUTHORITY\SYSTEM, and this is because several of the background tasks that Splunk pe…"
T1059.001 PowerShell (confidence: 70%)
"…as a user interface with executable code functionalities. An example is the Splunk Add-on for Windows, which gives Splunk additional functionality for collecting information from Windows hosts. This is a very common Splunk add-on, with over 415,000 downloads (at the time of…"
Summary
This blog illustrates how the Splunk Universal Forwarder (UF) can be used as traitorware for persistence and remote code execution.