horrorhub.club is one of the many independent Mastodon servers you can use to participate in the fediverse.
A Mastodon server for Horror fans.

#splunk


Happy #PatchTuesday from Splunk:

  • SVD-2024-1201 Information Disclosure in Mobile Alert Responses in Splunk Secure Gateway (CVE-2024-53243, 4.3 medium)
  • SVD-2024-1202 Risky command safeguards bypass in "/en-US/app/search/report" endpoint through "s" parameter (CVE-2024-53244, 5.7 medium)
  • SVD-2024-1203 Information Disclosure due to Username Collision with a Role that has the same Name as the User (CVE-2024-53245, 3.1 low)
  • SVD-2024-1204 Sensitive Information Disclosure through SPL commands (CVE-2024-53246, 5.3 medium)
  • SVD-2024-1205 Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway app (CVE-2024-53247, 8.8 high)
  • SVD-2024-1206 Third-Party Package Updates in Splunk Enterprise - December 2024 (multiple CVEs)
  • SVD-2024-1207 Third-Party Package Updates in Splunk Universal Forwarder - December 2024 (CVE-2024-5535, 9.1 critical)

No verbiage of exploitation.

Splunk Vulnerability Disclosure: Information Disclosure in Mobile Alert Responses in Splunk Secure Gateway. In Splunk Enterprise versions below 9.3.2, 9.2.4, and 9.1.7 and versions below 3.2.462, 3.7.18, and 3.8.5 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the "admin" or "power" Splunk roles could see alert search query responses using Splunk Secure Gateway App Key Value Store (KVstore) collections endpoints due to improper access control.

Information Stealer malware remains one of the most active and dangerous threats in the wild. In this blog, the #Splunk Threat Research Team (#STRT) dives into Braodo Stealer, a Python-based malware designed to steal sensitive information while leveraging a popular developer platform to distribute its payload. We've analyzed its techniques, tactics, and procedures (TTPs) and shared the detection strategies we developed to combat this threat. Additionally, we took a closer look at its batch script loader, which employs layered obfuscation to complicate analysis and reverse engineering. To counter this, we created a custom Python de-obfuscation tool, which we detail in this post. #reverseengineering #blueteam #detectionengineering #incidentresponse #splunk #malwareanalysis 😊

de-obfuscator tool:
lnkd.in/du2n7Gh8

Braodo Stealer Blog:
lnkd.in/d6bZ5AAX

This is my first survey, hopefully it will be answered 😃

Hi Splunk #Admins out there, if you set up an #onpremise Splunk Enterprise server, do you already know that additional #hardening is required?
Especially that you have to create your own `/opt/splunk/etc/system/local/inputs.conf` file with blacklist entries for local files or directories, to protect against local file inclusion attacks?

/etc/passwd
/proc/net/arp (to spy internal network details)
/old splunk version installation directories/etc/passwd 😉
....

Otherwise a very simple #LFI #vulnerability in a default #Splunk installation is possible. Fortunately only with the splunk-system-role or admin role, not a low-privileged user.
Splunk states that if someone has the system or admin role, they can do anything.

Do you know about required hardening with `inputs.conf` (docs.splunk.com/Documentation/)?

Can a Splunk admin/system role edit `inputs.conf` via WebUI or its endpoints?
I did not check in detail and did not find any reference for it.

Have your Splunk users with admin/system roles #SSH access to the OS too, to modify files locally?

Is this an issue for you?

Turn your phone horizontally to read the full entries:

docs.splunk.com: inputs.conf - Splunk Documentation
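As an added example (not part of the post above or Splunk's own tooling), a small audit script that reads a local inputs.conf and reports which of the sensitive paths the post lists still lack a `[blacklist:<path>]` stanza, the stanza form inputs.conf uses to protect files from being read. The sample config, the path list, the old-install path and the `$SPLUNK_HOME` value are constructed assumptions.

```python
import configparser

# Constructed sample of $SPLUNK_HOME/etc/system/local/inputs.conf (not from a
# real server): only two of the paths the post mentions are protected.
SAMPLE_INPUTS_CONF = """\
[blacklist:/etc/passwd]

[blacklist:$SPLUNK_HOME/etc/passwd]

[monitor:///var/log/auth.log]
sourcetype = linux_secure
"""

# Paths the post calls out; the old-install directory is a placeholder value.
SENSITIVE_PATHS = [
    "/etc/passwd",
    "/proc/net/arp",
    "/opt/splunk-old/etc/passwd",   # placeholder for a previous install dir
    "$SPLUNK_HOME/etc/passwd",
    "$SPLUNK_HOME/etc/auth",
]


def blacklisted_paths(conf_text, splunk_home="/opt/splunk"):
    """Return the set of paths protected by [blacklist:<path>] stanzas."""
    parser = configparser.ConfigParser(allow_no_value=True,
                                       interpolation=None, strict=False)
    parser.read_string(conf_text)
    found = set()
    for section in parser.sections():
        if section.startswith("blacklist:"):
            path = section[len("blacklist:"):].strip()
            found.add(path.replace("$SPLUNK_HOME", splunk_home))
    return found


def missing_blacklists(conf_text, required=SENSITIVE_PATHS,
                       splunk_home="/opt/splunk"):
    """List required paths with no stanza; a directory stanza covers its children."""
    protected = blacklisted_paths(conf_text, splunk_home)
    missing = []
    for raw in required:
        path = raw.replace("$SPLUNK_HOME", splunk_home)
        covered = any(path == p or path.startswith(p.rstrip("/") + "/")
                      for p in protected)
        if not covered:
            missing.append(path)
    return missing


if __name__ == "__main__":
    for p in missing_blacklists(SAMPLE_INPUTS_CONF):
        print(f"MISSING [blacklist:{p}]")
```

Point the script at your merged configuration rather than a single file if you layer apps, since any inputs.conf in the precedence chain can contribute stanzas.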

I just wrote a #splunk query that uses two join statements to correlate 3 different kinds of events across two logfiles. It's not pretty but gives me the results I need.

I can't shake the feeling that this could be more efficient.

Any suggestions to replace those joins for event correlation?

👋 Hello Mastodon!

I'm Steven Butterworth, aka UKITGURU. I specialise in InfoSec and SIEM technologies (Splunk, Sentinel, Elastic). As a freelancer, I create and deliver SIEM content, working with gov departments and private sectors. Passionate about Data Science, Data Engineering, and data literacy. Avid triathlon enthusiast—never enough bikes! 🚴‍♂️

Looking forward to connecting!

#InfoSec
#SIEM
#Splunk
#Sentinel
#DataScience
#Triathlon
#Cycling


I am not a #DataScience person, so I need the wisdom of the #LazyWeb to help me out, please.

(I’m running queries on #Splunk, but I don’t think this question applies to Splunk only.)

I have a report running hourly to calculate metrics and store these to a separate index (in Splunk terms, a “summary metrics index”), for faster querying later. It's a data roll-up. (1/4)

I am proud of the infrastructure we created for our Introduction to Security class at CTU in Prague.

It is a challenge to keep services and student containers up in a quite adversarial network where everyone is attacking but we managed to secure a 99% uptime.

In 15-16 weeks of class, our network sees hundreds of millions of network flows. We use #zeek for log collection, a dockerised suite with #grafana for monitoring, and #splunk for threat hunting.

Students are in full control of their containers. Our classes are a well-balanced mix of attack and defence, where students are in charge of protecting their own containers for the duration of the class. The attacking includes a wide variety of attacks and tools, including active exploiting of web applications and services.

Very proud of each of our students who do not stop surprising us each year!

A small PSA/FYI: if #Cisco buys #Splunk for 28b, that’s because they think it will position them to corner a market and then make a profit with it.

The ones they’ll have cornered are Splunk customers current and future, and those orgs are also supposed to make Cisco a multitude of 28b.

Hope every Splunk user’s pockets are deep enough for what is about to hit them. 🫣