Identifying KRACK Attack Vulnerable Devices with Splunk

What is KRACK Attack?

Most modern wireless networks use encryption to protect communications. KRACK Attack is a technique against the WPA2 wireless security protocol. By using this technique, an attacker can read information that was supposed to be encrypted. As a consequence, chat messages, photos, credit card numbers and other sensitive information can be stolen without your knowledge.

Why it Matters to Your Organization

Simply put, just about every device that uses WPA2 is at risk—including mobile devices, laptops, and routers. It’s important to highlight that the KRACK Attack technique exploits a flaw in the WPA2 protocol itself. This is not a vendor-specific flaw.

What Should You Do

  • Identify vulnerable devices.
  • Patch your devices as quickly as reasonable.
  • Use additional security controls - SSL for web browsing or a VPN.
  • DO NOT disable WPA2. DO NOT go back to WEP.

Using Splunk for Identifying Vulnerabilities

Splunk has integrations with leading vulnerability scanning technologies, which you can find on Splunkbase.

Before running the scans, please ensure that you update your vulnerability scanner signatures. Otherwise, you might end up missing vulnerable systems.

If you use Splunk Enterprise, you can do string searches against your scan data. In this example, we look for Nessus scan data using ‘sourcetype=nessus:scan’. You can replace this part with the scan sourcetype of your choice. If you use a different scan engine, verify that it provides fields called cve, hostname, and signature.

sourcetype=nessus:scan  (cve = cve-2017-13077 OR cve = cve-2017-13078 OR
cve = cve-2017-13079 OR cve = cve-2017-13080 OR cve = cve-2017-13081 OR
cve = cve-2017-13082 OR cve = cve-2017-13083 OR cve = cve-2017-13084 OR
cve = cve-2017-13085 OR cve = cve-2017-13086 OR cve = cve-2017-13087 OR
cve = cve-2017-13088) | bucket _time span=1d | stats values(cve) as CVEs by hostname, signature

If you are a Splunk Enterprise Security customer, you can use the Vulnerability dashboards. For example, below is a screenshot of the Vulnerability Center—it gives you an overview of all the scans.

If you are looking for a specific vulnerability in ES, you can use the Vulnerability Search dashboard. For example, the screenshot below shows the results for a Windows Task Scheduler vulnerability.

To search for multiple CVE numbers, you can use the search below. Here, we use the Vulnerability datamodel to look for the CVE numbers. Please ensure that the Vulnerability datamodel is populated in your Splunk Enterprise Security Instance.

| tstats `summariesonly` dc(Vulnerabilities.signature) as vuln_count from
datamodel=Vulnerabilities.Vulnerabilities where (Vulnerabilities.cve=cve-2017-13077 OR
Vulnerabilities.cve=cve-2017-13078 OR Vulnerabilities.cve=cve-2017-13079 OR
Vulnerabilities.cve=cve-2017-13080 OR Vulnerabilities.cve=cve-2017-13081 OR
Vulnerabilities.cve=cve-2017-13082 OR Vulnerabilities.cve=cve-2017-13083 OR
Vulnerabilities.cve=cve-2017-13084 OR Vulnerabilities.cve=cve-2017-13085 OR
Vulnerabilities.cve=cve-2017-13086 OR Vulnerabilities.cve=cve-2017-13087 OR
Vulnerabilities.cve=cve-2017-13088) by Vulnerabilities.dest, Vulnerabilities.signature

Once you have identified the vulnerable systems, add them to a watch list (or equivalent) to track the associated activities while your IT team rolls out the patch.
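The two searches above (the string search over sourcetype=nessus:scan and the tstats search over the Vulnerabilities data model) and the watch-list step, modelled offline as an added Python example. This is not Splunk code and not part of the original post: it reproduces what `bucket _time span=1d | stats values(cve) as CVEs by hostname, signature` does over a handful of constructed scan events, checks that the scan source actually carries the cve, hostname and signature fields the search depends on, normalises CVE case (scanners differ in how they capitalise the prefix), and then flattens the result into a watch-list CSV in a lookup-style layout. The sample events, host names and signature strings are all invented.

```python
"""Offline model of the KRACK scan search and watch-list step (added example)."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# The twelve KRACK CVE ids listed in the post (CVE-2017-13077 .. CVE-2017-13088).
KRACK_CVES = frozenset(f"CVE-2017-{n}" for n in range(13077, 13089))

# Fields the search relies on. A scan source missing any of them silently
# returns nothing in Splunk, so check explicitly rather than assume.
REQUIRED_FIELDS = ("_time", "cve", "hostname", "signature")

# Constructed sample scan events (not real scanner output). _time is epoch
# seconds, as Splunk stores it; hosts and signature text are invented.
SAMPLE_SCAN = [
    {"_time": 1508284800, "cve": "CVE-2017-13077", "hostname": "ap-lobby-01", "signature": "WPA2 4-way handshake"},
    {"_time": 1508284860, "cve": "cve-2017-13078", "hostname": "ap-lobby-01", "signature": "WPA2 4-way handshake"},
    {"_time": 1508288400, "cve": "CVE-2017-13082", "hostname": "ap-lobby-01", "signature": "802.11r FT handshake"},
    {"_time": 1508371200, "cve": "CVE-2017-13080", "hostname": "laptop-jdoe", "signature": "WPA2 group key"},
    # Placeholder non-KRACK id, constructed for the example; must be filtered out.
    {"_time": 1508371200, "cve": "CVE-2017-00000", "hostname": "laptop-jdoe", "signature": "unrelated finding"},
    {"_time": 1508371300, "cve": "CVE-2017-13077", "hostname": "ap-lobby-01", "signature": "WPA2 4-way handshake"},
]


def validate_fields(events):
    """Raise if any event lacks a field the search depends on."""
    for ev in events:
        missing = [f for f in REQUIRED_FIELDS if f not in ev]
        if missing:
            raise ValueError(f"scan event missing fields {missing}: {ev}")


def day_bucket(epoch):
    """Equivalent of `bucket _time span=1d`: truncate to a UTC calendar day."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).date().isoformat()


def krack_hosts(events):
    """Equivalent of the post's search: keep only KRACK CVEs, bucket by day,
    and collect the distinct CVEs per (day, hostname, signature)."""
    validate_fields(events)
    groups = defaultdict(set)
    for ev in events:
        cve = ev["cve"].upper()          # normalise scanner capitalisation
        if cve in KRACK_CVES:
            key = (day_bucket(ev["_time"]), ev["hostname"], ev["signature"])
            groups[key].add(cve)
    return {key: sorted(cves) for key, cves in groups.items()}


def build_watchlist(results):
    """Flatten search results into a watch-list CSV: one row per host with
    every KRACK CVE seen on it and the first day it showed up. Returns the
    CSV text so it can be written out as a lookup or fed to another tool."""
    per_host = {}
    for (day, host, _signature), cves in results.items():
        entry = per_host.setdefault(host, {"cves": set(), "first_seen": day})
        entry["cves"].update(cves)
        entry["first_seen"] = min(entry["first_seen"], day)
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["host", "krack_cves", "first_seen"])
    for host in sorted(per_host):
        writer.writerow([host, ";".join(sorted(per_host[host]["cves"])),
                         per_host[host]["first_seen"]])
    return buf.getvalue()


if __name__ == "__main__":
    found = krack_hosts(SAMPLE_SCAN)
    for (day, host, sig), cves in sorted(found.items()):
        print(day, host, sig, cves)
    print(build_watchlist(found))
```

The field check is the part worth keeping when you swap scanners: a search that references a field the sourcetype does not populate returns an empty result set, which looks exactly like "no vulnerable hosts".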

For more information, contact a Splunk security expert.

The original disclosure by Mathy Vanhoef:

Cisco advisory:

Vendor responses to the vulnerability:

Microsoft Advisory:

Thanks to Rico Valdez, Splunk Research and the Splunk team.

Posted by Monzy Merza