Dynamic Subdomain C2 Exfil detection - Splunk Query
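```Dynamic-subdomain C2 / exfil detection: flags 2-minute windows in which an unusually high number of DISTINCT subdomains were contacted.```
```Assumes a `domain` field is present on the searched events (e.g. DNS or proxy logs) — confirm against the source data.```
```index=* is kept from the original but searches every index; scope it to the index(es) that carry the domain field to cut cost.```
index=*
```Leftmost label of the domain is treated as the subdomain. SPL has no [0] indexing; mvindex() over the split() multivalue is required.```
| eval subdomain=mvindex(split(domain, "."), 0)
```Bucket events into 2-minute windows (bin options go before the field).```
| bin span=2m _time AS bin_time
```Count DISTINCT subdomains per window: count(subdomain) counts every event, which is not what the threshold below measures.```
```values() keeps the subdomains themselves so an analyst can triage the alert without re-running the search.```
| stats dc(subdomain) AS subdomain_count, values(subdomain) AS subdomains BY bin_time
```Threshold: more than 6 distinct subdomains in one window; tune per environment to control noise.```
| where subdomain_count > 6
```Build the alert payload. streamstats numbers the surviving windows 1..N, so the first window is rated "warning" and every later one "critical".```
| streamstats count AS alert_count
| eval alert_text="More than 6 subdomains contacted in 2 minutes, investigate"
| eval alert_severity=if(alert_count=1,"warning","critical")
| eval alert_title="Subdomain Alert"
| eval trigger_time=now()
| table trigger_time, alert_title, alert_text, alert_severity, bin_time, subdomains
```sendalert requires the alert action name as its first argument (sendalert <alert_action_name>); the original omits it, so supply the action configured for this search before running.```
| sendalert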