Splunk Pentesting

admin:changeme

# "main" index stores all the processed data
index="main" earliest=0

index=main example.aspx sourcetype="<SourceType>"

# EventCode 8: CreateRemoteThread in sysmon.
index="main" sourcetype="<SourceType>" EventCode=8

# EventCode 11: FileCreate in sysmon.
index="main" sourcetype="<SourceType>" EventCode=11

index=main SourceIp=172.* AND DestinationIp=192.68.*

index="main" sourcetype="<SourctType>"

# Identify all SourceType
index="main" earliest=0 | stats count by sourcetype | sort -count

index=main AccountName = John AND AccountName != SYSTEM

# Retrieve MD5 hash of the target image
index="main" sourcetype="<SourceType>" Image="c:\\Path\\to\\file.exe" md5

index="main" sourcetype="<SourceType>" CommandLine="*/add*"

index=main | field host, User, SourceIp, DestinationIp

index=main | table User, Hostname

# Display the first N results
index=main | head 5

# Display the last N results.
index=main | tail 5

index=main | reverse

index=main | table EventID Hostname | sort EventID

# Display top N result of frequent
index=main | top limit=10 User

# Display top N result of the least
index=main | rare limit=10 User

index=main | chart count by Image

# time-series chart
index=main | timechart count by Image

index=main | table User, Hostname | dedup User

index=main | fields host, User | rename User as Member

# Retrive file locations and number of files.
index="main" sourcetype="<SourceType>" EventCode=11 | stats count by TargetFilename

# Client-server method "POST" and search by file formats
index="main" sourcetype="iis" cs_method="POST" | search *.php* OR *.asp* OR *.aspx* OR *.jsp*