west-wind/Threat-Hunting-With-Splunk
GitHub: west-wind/Threat-Hunting-With-Splunk
An open-source repository collecting a large number of Splunk SPL detection queries for detecting vulnerability exploitation, malware activity and MITRE ATT&CK TTPs, helping security teams get started with threat hunting quickly.
Stars: 69 | Forks: 10
# Threat Hunting With Splunk

Awesome Splunk SPL queries that can be used to detect the latest vulnerability exploitation attempts and to hunt for MITRE ATT&CK TTPs. I have included queries with regular expressions, so detection works even if your logs are not parsed correctly.
## MITRE ATT&CK TTPs and Detection Analytics

| TTP | MITRE ATT&CK | Detection SPL |
|----------|:-------------:|------:|
| T1053.003 | [Scheduled Task/Job: Cron](https://attack.mitre.org/techniques/T1053/003/) | [T1053.003 Detection SPL](https://github.com/west-wind/Threat-Hunting-With-Splunk/blob/main/MITRE/T1053.003.spl) |
| T1190 | [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190/) | [T1190 Detection SPL](https://github.com/west-wind/Threat-Hunting-With-Splunk/blob/main/MITRE/T1190.spl) |
## Vulnerabilities and Detection Analytics

| Vulnerability | Advisory | Detection SPL |
|----------|:-------------:|------:|
| CVE-2022-42889 | [CVE-2022-42889 Advisory](https://nvd.nist.gov/vuln/detail/CVE-2022-42889) | [Text4Shell Detection SPL](https://github.com/west-wind/CVE-2022-42889#detection-splunk-query) |
| CVE-2022-41082 | [CVE-2022-41082 Advisory](https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/) | [Microsoft Exchange 0day Detection SPL](https://github.com/west-wind/Threat-Hunting-With-Splunk/blob/main/CVE/CVE-2022-41082) |
| CVE-2022-22954 | [CVE-2022-22954 Advisory](https://github.com/advisories/GHSA-q7xc-35g4-g566) | [CVE-2022-22954 Detection SPL](https://github.com/west-wind/Threat-Hunting-With-Splunk/blob/main/CVE/CVE-2022-22954) |
| CVE-2022-22965 | [CVE-2022-22965 Advisory](https://github.com/advisories/GHSA-36p3-wjmg-h94x) | [CVE-2022-22965 Detection SPL](https://github.com/west-wind/Spring4Shell-Detection) |
| CVE-2022-22963 | [CVE-2022-22963 Advisory](https://nvd.nist.gov/vuln/detail/CVE-2022-22963) | [CVE-2022-22963 Detection SPL](https://github.com/west-wind/Spring4Shell-Detection/blob/main/README.md#detection-for-cve-2022-22963-not-spring4shell) |
| CVE-2022-2185 | [CVE-2022-2185 Advisory](https://nvd.nist.gov/vuln/detail/CVE-2022-2185) | [GitLab Malicious Project Upload Detection SPL](https://github.com/west-wind/Threat-Hunting-With-Splunk/blob/main/CVE/CVE-2022-2185) |
| CVE-2022-33891 | [CVE-2022-33891 Advisory](https://nvd.nist.gov/vuln/detail/CVE-2022-33891) | [Apache Spark Command Injection Detection SPL](https://github.com/west-wind/CVE-2022-33891) |
| CVE-2026-12569 | [CVE-2026-12569 Advisory](https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-rce-vulnerability) | [Windchill RCE Detection SPL](https://github.com/west-wind/Threat-Hunting-With-Splunk/blob/main/CVE/CVE-2026-12569.md) |
## Malware Detection Analytics

| Malware | Reference | Detection SPL |
|----------|:-------------:|------:|
| BPFDoor | [BPFDoor ATT&CK Community presentation](https://github.com/CiscoCXSecurity/presentations/blob/master/Auditd%20for%20the%20newly%20threatened.pdf) | [BPFDoor Detection SPL](https://github.com/west-wind/Threat-Hunting-With-Splunk/blob/main/Malware-Backdoors/BPFDoor) |
| VIRTUALPITA & VIRTUALPIE | [Mandiant report - Investigating Novel Malware Persistence Within ESXi Hypervisors](https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence) | [Detection SPL](https://github.com/west-wind/Threat-Hunting-With-Splunk/blob/main/Malware-Backdoors/VirtualPITA%20&%20VirtualPIE) |
| Linux Ransomware/Wiper | [Linux ransomware report from UPTYCS](https://www.uptycs.com/blog/another-ransomware-for-linux-likely-in-development) | [Ransomware Detection SPL](https://github.com/west-wind/Threat-Hunting-With-Splunk/blob/main/Malware-Backdoors/Linux%20Ransomware) |
| RTM Locker for Linux/ESXi | [RTM Locker Ransomware-as-a-Service now on Linux - Uptycs](https://www-uptycs-com.cdn.ampproject.org/c/s/www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux?hs_amp=true) | [RTM Locker/Ransomware Detection SPL](https://github.com/west-wind/Threat-Hunting-With-Splunk/blob/main/Malware-Backdoors/RTM%20Locker%20for%20ESXi) |
| ARCANEDOOR - LINE RUNNER, LINE DANCER, CVE-2024-20353, CVE-2024-20359 | [ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices](https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns) | [ARCANEDOOR - LINE RUNNER & LINE DANCER - CVE-2024-20353 - CVE-2024-20359 Detection SPL](https://github.com/west-wind/Threat-Hunting-With-Splunk/blob/main/Malware-Backdoors/ARCANEDOOR.md) |