Merge pull request #2946 from splunk/gitlab_release_v4.21.0

Gitlab release v4.21.0

.gitlab/merge_request_templates/release_branch.md

@@ -0,0 +1,34 @@
+### Release Branch
+#### ESCU 
+##### New Analytic Story
+- 
+##### Updated Analytic Story
+- 
+##### New Analytics
+* 
+##### Updated Analytics
+
+##### Other Updates
+* 
+
+#### BA Release Notes
+* 
+
+##### New Validation Analytics
+
+* 
+
+##### New Production Analytics (promoting from validation to production)
+
+* 
+
+##### Comments-
+
+* What are the new detections we're adding, including any new validation detections?
+  * 
+
+* What are the existing detections that we're deprecating?
+  * 
+
+* Are there any detections that we're promoting from validation to production in this package? If we're adding new any detections to help understand the over-firing detections, please indicate those as well
+  *

contentctl.yml

@@ -5,8 +5,8 @@ build:
   name: DA-ESS-ContentUpdate
   path_root: dist
   prefix: ESCU
-  build: 004200
-  version: 4.20.0
+  build: 004210
+  version: 4.21.0
   label: ES Content Updates
   author_name: Splunk Threat Research Team
   author_email: [email protected]

detections/application/splunk_enterprise_kv_store_incorrect_authorization.yml

@@ -0,0 +1,53 @@
+name: Splunk Enterprise KV Store Incorrect Authorization
+id: 8f0e8380-a835-4f2b-b749-9ce119364df0
+version: 1
+date: '2024-01-18'
+author: Rod Soto, Eric McGinnis, Chase Franklin
+status: production
+type: Hunting
+data_source: []
+description: In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app key value store KV Store improperly handles permissions for users using the REST application programming interface (API). This can potentially result in the deletion of KV Store collections. 
+search: '`splunkda` uri=/servicesNS/nobody/search/admin/collections-conf/_reload status=2* method="POST" user=* file=_reload
+  | stats count min(_time) as firstTime max(_time) as lastTime values(status) as status by host clientip file method 
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `splunk_enterprise_kv_store_incorrect_authorization_filter`'
+how_to_implement: Requires access to internal indexes and REST API enabled instances. 
+known_false_positives: This is a hunting search and will produce false positives. Operator must follow results into instances where curl requests coming from actual users may indicate intent of exploitation. 
+references:
+- https://advisory.splunk.com/advisories/SVD-2024-0105
+tags:
+  analytic_story:
+  - Splunk Vulnerabilities
+  asset_type: Splunk Server
+  confidence: 50
+  impact: 50
+  message: Possible attempt to access KV Store collections at $host$
+  mitre_attack_id:
+  - T1548
+  cve:
+  - CVE-2024-23675
+  observable:
+  - name: host
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Cloud
+  risk_score: 25
+  required_fields:
+  - uri
+  - status 
+  - method 
+  - file 
+  - clientip 
+  - host 
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/splunk/splunk_enterprise_kv_store_incorrect_authorization_splunkd_access.log
+    source: /opt/splunk/var/log/splunk/splunkd_access.log
+    sourcetype: splunkd_access 
+    custom_index: _internal 

detections/application/splunk_enterprise_windows_deserialization_file_partition.yml

@@ -0,0 +1,52 @@
+name: Splunk Enterprise Windows Deserialization File Partition
+id: 947d4d2e-1b64-41fc-b32a-736ddb88ce97
+version: 1
+date: '2024-01-18'
+author: Rod Soto, Eric McGinnis, Chase Franklin
+status: production
+type: TTP
+data_source: []
+description: In Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3, Splunk Enterprise does not correctly sanitize path input data resulting in the unsafe deserialization of untrusted data. This vulnerability only affects Splunk Enterprise for Windows. 
+search: '`splunk_python` request_path="/en-US/app/search/C:\\Program" *strings* 
+  | rex "request_path=(?<file_path>[^\"]+)" 
+  | rex field=file_path "[^\"]+/(?<file_name>[^\"\''\s/\\\\]+)" 
+  | stats min(_time) as firstTime max(_time) as lastTime values(file_path) as file_path values(file_name) as file_name by index, sourcetype, host 
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `splunk_enterprise_windows_deserialization_file_partition_filter`'
+how_to_implement: Requires access to internal indexes. This detection search will display irregular path file execution, which will display exploit attempts. Only applies to Microsoft Windows Splunk versions. 
+known_false_positives: Irregular path with files that may be purposely called for benign reasons may produce false positives. 
+references:
+- https://advisory.splunk.com/advisories/SVD-2024-0108
+tags:
+  analytic_story:
+  - Splunk Vulnerabilities
+  asset_type: Splunk Server
+  confidence: 90
+  impact: 100
+  message: Possible Windows Deserialization exploitation via irregular path file against $host$
+  mitre_attack_id:
+  - T1190
+  cve:
+  - CVE-2024-23678
+  observable:
+  - name: host
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  risk_score: 90
+  required_fields:
+  - request_path
+  - field 
+  - file_name 
+  - host
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/splunk/splunk_enterprise_windows_deserialization_file_partition_splunk_python.log
+    source: C:\Program File\Splunk\var\log\splunk\python.log 
+    sourcetype: splunk_python 
+    custom_index: _internal 

detections/application/splunk_risky_command_abuse_disclosed_february_2023.yml

@@ -1,7 +1,7 @@
 name: Splunk risky Command Abuse disclosed february 2023
 id: ee69374a-d27e-4136-adac-956a96ff60fd
 version: 2
-date: '2023-08-30'
+date: '2024-01-22'
 author: Chase Franklin, Rod Soto, Eric McGinnis, Splunk
 status: production
 type: Hunting
@@ -25,7 +25,7 @@ references:
 tags:
   analytic_story:
   - Splunk Vulnerabilities
-  asset_type: Endpoint
+  asset_type: Splunk Server
   confidence: 50
   cve:
   - CVE-2023-22931
@@ -37,6 +37,7 @@ tags:
   - CVE-2023-40598
   - CVE-2023-40598
   - CVE-2023-46214
+  - CVE-2024-23676
   impact: 50
   message: Use of risky splunk command $splunk_risky_command$ detected by $user$
   mitre_attack_id:
@@ -79,6 +80,12 @@ tests:
 - name: True Positive Test Additional runshellscript abuse
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1202/splunk/splunk_cmd_injection_using_external_lookups_audittrail.log
+    source: audittrail
+    sourcetype: audittrail
+    custom_index: _audit
+- name: True Positive Test mrollup abuse
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/splunk/splunk_mrollup_abuse_audittrail.log
     source: audittrail
     sourcetype: audittrail
     custom_index: _audit

dist/DA-ESS-ContentUpdate/app.manifest

@@ -5,7 +5,7 @@
     "id": {
       "group": null, 
       "name": "DA-ESS-ContentUpdate", 
-      "version": "4.20.0"
+      "version": "4.21.0"
     }, 
     "author": [
       {

dist/DA-ESS-ContentUpdate/default/analyticstories.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-01-17T18:35:46 UTC
+# On Date: 2024-01-22T23:37:39 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: [email protected]
 #############
@@ -495,6 +495,26 @@ annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives
 known_false_positives = This search may reveal non malicious zip files causing errors as well.
 providing_technologies = null
 
+[savedsearch://ESCU - Splunk Enterprise KV Store Incorrect Authorization - Rule]
+type = detection
+asset_type = Splunk Server
+confidence = medium
+explanation = In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app key value store KV Store improperly handles permissions for users using the REST application programming interface (API). This can potentially result in the deletion of KV Store collections.
+how_to_implement = Requires access to internal indexes and REST API enabled instances.
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.AE"]}
+known_false_positives = This is a hunting search and will produce false positives. Operator must follow results into instances where curl requests coming from actual users may indicate intent of exploitation.
+providing_technologies = null
+
+[savedsearch://ESCU - Splunk Enterprise Windows Deserialization File Partition - Rule]
+type = detection
+asset_type = Splunk Server
+confidence = medium
+explanation = In Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3, Splunk Enterprise does not correctly sanitize path input data resulting in the unsafe deserialization of untrusted data. This vulnerability only affects Splunk Enterprise for Windows.
+how_to_implement = Requires access to internal indexes. This detection search will display irregular path file execution, which will display exploit attempts. Only applies to Microsoft Windows Splunk versions.
+annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+known_false_positives = Irregular path with files that may be purposely called for benign reasons may produce false positives.
+providing_technologies = null
+
 [savedsearch://ESCU - Splunk ES DoS Investigations Manager via Investigation Creation - Rule]
 type = detection
 asset_type = Endpoint
@@ -687,7 +707,7 @@ providing_technologies = null
 
 [savedsearch://ESCU - Splunk risky Command Abuse disclosed february 2023 - Rule]
 type = detection
-asset_type = Endpoint
+asset_type = Splunk Server
 confidence = medium
 explanation = This search looks for a variety of high-risk commands throughout a number of different Splunk Vulnerability Disclosures.  Please refer to the following URL for additional information on these disclosures - https://advisory.splunk.com
 how_to_implement = Requires implementation of Splunk_Audit.Search_Activity datamodel.
@@ -17412,12 +17432,12 @@ This Analytic Story focuses on detecting signs that a malicious payload has been
 
 [analytic_story://Splunk Vulnerabilities]
 category = Best Practices
-last_updated = 2023-11-16
+last_updated = 2024-01-22
 version = 1
 references = ["https://www.splunk.com/en_us/product-security/announcements.html"]
-maintainers = [{"company": "Splunk", "email": "-", "name": "Lou Stella"}]
+maintainers = [{"company": "Rod Soto, Eric McGinnis, Splunk", "email": "-", "name": "Lou Stella"}]
 spec_version = 3
-searches = ["ESCU - Detect Risky SPL using Pretrained ML Model - Rule", "ESCU - Path traversal SPL injection - Rule", "ESCU - Splunk Absolute Path Traversal Using runshellscript - Rule", "ESCU - Splunk Account Discovery Drilldown Dashboard Disclosure - Rule", "ESCU - Splunk App for Lookup File Editing RCE via User XSLT - Rule", "ESCU - Splunk Code Injection via custom dashboard leading to RCE - Rule", "ESCU - Splunk Command and Scripting Interpreter Delete Usage - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky Commands - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK - Rule", "ESCU - Splunk csrf in the ssg kvstore client endpoint - Rule", "ESCU - Splunk Data exfiltration from Analytics Workspace using sid query - Rule", "ESCU - Splunk Digital Certificates Infrastructure Version - Rule", "ESCU - Splunk Digital Certificates Lack of Encryption - Rule", "ESCU - Splunk DoS Using Malformed SAML Request - Rule", "ESCU - Splunk DOS Via Dump SPL Command - Rule", "ESCU - Splunk DoS via Malformed S2S Request - Rule", "ESCU - Splunk DOS via printf search function - Rule", "ESCU - Splunk Edit User Privilege Escalation - Rule", "ESCU - Splunk Endpoint Denial of Service DoS Zip Bomb - Rule", "ESCU - Splunk ES DoS Investigations Manager via Investigation Creation - Rule", "ESCU - Splunk ES DoS Through Investigation Attachments - Rule", "ESCU - Splunk HTTP Response Splitting Via Rest SPL Command - Rule", "ESCU - Splunk Improperly Formatted Parameter Crashes splunkd - Rule", "ESCU - Splunk list all nonstandard admin accounts - Rule", "ESCU - Splunk Low Privilege User Can View Hashed Splunk Password - Rule", "ESCU - Splunk Path Traversal In Splunk App For Lookup File Edit - Rule", "ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule", "ESCU - Splunk Persistent XSS Via URL Validation Bypass W Dashboard - Rule", "ESCU - Splunk Process Injection Forwarder Bundle Downloads - Rule", "ESCU - Splunk Protocol Impersonation Weak Encryption Configuration - Rule", "ESCU - Splunk protocol impersonation weak encryption selfsigned - Rule", "ESCU - Splunk protocol impersonation weak encryption simplerequest - Rule", "ESCU - Splunk RBAC Bypass On Indexing Preview REST Endpoint - Rule", "ESCU - Splunk RCE via Serialized Session Payload - Rule", "ESCU - Splunk RCE via Splunk Secure Gateway  Splunk Mobile alerts feature - Rule", "ESCU - Splunk RCE via User XSLT - Rule", "ESCU - Splunk Reflected XSS in the templates lists radio - Rule", "ESCU - Splunk Reflected XSS on App Search Table Endpoint - Rule", "ESCU - Splunk risky Command Abuse disclosed february 2023 - Rule", "ESCU - Splunk Stored XSS via Data Model objectName field - Rule", "ESCU - Splunk Unauthenticated Log Injection Web Service Log - Rule", "ESCU - Splunk unnecessary file extensions allowed by lookup table uploads - Rule", "ESCU - Splunk User Enumeration Attempt - Rule", "ESCU - Splunk XSS in Highlighted JSON Events - Rule", "ESCU - Splunk XSS in Monitoring Console - Rule", "ESCU - Splunk XSS in Save table dialog header in search page - Rule", "ESCU - Splunk XSS via View - Rule", "ESCU - Open Redirect in Splunk Web - Rule", "ESCU - Splunk Enterprise Information Disclosure - Rule", "ESCU - Splunk Identified SSL TLS Certificates - Rule"]
+searches = ["ESCU - Detect Risky SPL using Pretrained ML Model - Rule", "ESCU - Path traversal SPL injection - Rule", "ESCU - Splunk Absolute Path Traversal Using runshellscript - Rule", "ESCU - Splunk Account Discovery Drilldown Dashboard Disclosure - Rule", "ESCU - Splunk App for Lookup File Editing RCE via User XSLT - Rule", "ESCU - Splunk Code Injection via custom dashboard leading to RCE - Rule", "ESCU - Splunk Command and Scripting Interpreter Delete Usage - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky Commands - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK - Rule", "ESCU - Splunk csrf in the ssg kvstore client endpoint - Rule", "ESCU - Splunk Data exfiltration from Analytics Workspace using sid query - Rule", "ESCU - Splunk Digital Certificates Infrastructure Version - Rule", "ESCU - Splunk Digital Certificates Lack of Encryption - Rule", "ESCU - Splunk DoS Using Malformed SAML Request - Rule", "ESCU - Splunk DOS Via Dump SPL Command - Rule", "ESCU - Splunk DoS via Malformed S2S Request - Rule", "ESCU - Splunk DOS via printf search function - Rule", "ESCU - Splunk Edit User Privilege Escalation - Rule", "ESCU - Splunk Endpoint Denial of Service DoS Zip Bomb - Rule", "ESCU - Splunk Enterprise KV Store Incorrect Authorization - Rule", "ESCU - Splunk Enterprise Windows Deserialization File Partition - Rule", "ESCU - Splunk ES DoS Investigations Manager via Investigation Creation - Rule", "ESCU - Splunk ES DoS Through Investigation Attachments - Rule", "ESCU - Splunk HTTP Response Splitting Via Rest SPL Command - Rule", "ESCU - Splunk Improperly Formatted Parameter Crashes splunkd - Rule", "ESCU - Splunk list all nonstandard admin accounts - Rule", "ESCU - Splunk Low Privilege User Can View Hashed Splunk Password - Rule", "ESCU - Splunk Path Traversal In Splunk App For Lookup File Edit - Rule", "ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule", "ESCU - Splunk Persistent XSS Via URL Validation Bypass W Dashboard - Rule", "ESCU - Splunk Process Injection Forwarder Bundle Downloads - Rule", "ESCU - Splunk Protocol Impersonation Weak Encryption Configuration - Rule", "ESCU - Splunk protocol impersonation weak encryption selfsigned - Rule", "ESCU - Splunk protocol impersonation weak encryption simplerequest - Rule", "ESCU - Splunk RBAC Bypass On Indexing Preview REST Endpoint - Rule", "ESCU - Splunk RCE via Serialized Session Payload - Rule", "ESCU - Splunk RCE via Splunk Secure Gateway  Splunk Mobile alerts feature - Rule", "ESCU - Splunk RCE via User XSLT - Rule", "ESCU - Splunk Reflected XSS in the templates lists radio - Rule", "ESCU - Splunk Reflected XSS on App Search Table Endpoint - Rule", "ESCU - Splunk risky Command Abuse disclosed february 2023 - Rule", "ESCU - Splunk Stored XSS via Data Model objectName field - Rule", "ESCU - Splunk Unauthenticated Log Injection Web Service Log - Rule", "ESCU - Splunk unnecessary file extensions allowed by lookup table uploads - Rule", "ESCU - Splunk User Enumeration Attempt - Rule", "ESCU - Splunk XSS in Highlighted JSON Events - Rule", "ESCU - Splunk XSS in Monitoring Console - Rule", "ESCU - Splunk XSS in Save table dialog header in search page - Rule", "ESCU - Splunk XSS via View - Rule", "ESCU - Open Redirect in Splunk Web - Rule", "ESCU - Splunk Enterprise Information Disclosure - Rule", "ESCU - Splunk Identified SSL TLS Certificates - Rule"]
 description = Keeping your Splunk Enterprise deployment up to date is critical and will help you reduce the risk associated with vulnerabilities in the product.
 narrative = This analytic story includes detections that focus on attacker behavior targeted at your Splunk environment directly.
 

dist/DA-ESS-ContentUpdate/default/app.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-01-17T18:35:46 UTC
+# On Date: 2024-01-22T23:37:39 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: [email protected]
 #############
@@ -10,7 +10,7 @@
 is_configured = false
 state = enabled
 state_change_requires_restart = false
-build = 20240117183348
+build = 20240122233501
 
 [triggers]
 reload.analytic_stories = simple
@@ -26,7 +26,7 @@ reload.es_investigations = simple
 
 [launcher]
 author = Splunk
-version = 4.20.0 
+version = 4.21.0 
 description = Explore the Analytic Stories included with ES Content Updates.
 
 [ui]

dist/DA-ESS-ContentUpdate/default/collections.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-01-17T18:35:46 UTC
+# On Date: 2024-01-22T23:37:39 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: [email protected]
 #############

dist/DA-ESS-ContentUpdate/default/content-version.conf

@@ -1,8 +1,8 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-01-17T18:35:46 UTC
+# On Date: 2024-01-22T23:37:39 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: [email protected]
 #############
 [content-version]
-version = 4.20.0 
+version = 4.21.0 

dist/DA-ESS-ContentUpdate/default/es_investigations.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-01-17T18:35:46 UTC
+# On Date: 2024-01-22T23:37:39 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: [email protected]
 #############

dist/DA-ESS-ContentUpdate/default/macros.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-01-17T18:35:46 UTC
+# On Date: 2024-01-22T23:37:39 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: [email protected]
 #############
@@ -193,6 +193,14 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[splunk_enterprise_kv_store_incorrect_authorization_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[splunk_enterprise_windows_deserialization_file_partition_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [splunk_es_dos_investigations_manager_via_investigation_creation_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.