Awesome Splunk SPL queries that can be used to detect the latest vulnerability exploitation attempts &, threat hunt for MITRE ATT&CK TTPs. I'm including queries with regular expressions, so detection will be possible even if you haven't parsed the logs properly.
| TTP | MITRE ATT&CK | Detection SPL |
|---|---|---|
| T1053.003 | Scheduled Task/Job: Cron | T1053.003 Detection SPL |
| T1190 | Exploit Public-Facing Application | T1190 Detection SPL |
| Vulnerability | Advisory | Detection SPL |
|---|---|---|
| CVE-2022-42889 | CVE-2022-42889 Advisory | Text4Shell Detection SPL |
| CVE-2022-41082 | CVE-2022-41082 Advisory | Microsoft Exchange 0day Detection SPL |
| CVE-2022-22954 | CVE-2022-22954 Advisory | CVE-2022-22954 Detection SPL |
| CVE-2022-22965 | CVE-2022-22965 Advisory | CVE-2022-22965 Detection SPL |
| CVE-2022-22963 | CVE-2022-22963 Advisory | CVE-2022-22963 Detection SPL |
| CVE-2022-2185 | CVE-2022-2185 Advisory | GitLab Malicious Project Upload Detection SPL |
| CVE-2022-33891 | CVE-2022-33891 Advisory | Apache Spark Command Injection Detection SPL |
| Malware | Reference | Detection SPL |
|---|---|---|
| BPFDoor | BPFDoor ATT&CK Community Presentation | BPFDoor Detection SPL |
| VIRTUALPITA & VIRTUALPIE | Mandiant Report - Investigating Novel Malware Persistence Within ESXi Hypervisors | Detection SPL |
| Linux Ransomware/Wiper | Linux Ransomware Report from UPTYCS | Ransomware Detection SPL |
| RTM Locker for Linux/ESXi | RTM Locker Ransomware as a Service (RaaS) Now on Linux - Uptycs | RTM Locker/Ransomware Detection SPL |
| ARCANEDOOR - LINE RUNNER, LINE DANCER, CVE-2024-20353, CVE-2024-20359 | ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices | ARCANEDOOR - LINE RUNNER & LINE DANCER - CVE-2024-20353 - CVE-2024-20359 Detection SPL |