Merge pull request #2698 from splunk/june2023

June2023

detections/application/splunk_dos_via_dump_spl_command.yml

@@ -0,0 +1,47 @@
+name: Splunk DOS Via Dump SPL Command
+id: fb0e6823-365f-48ed-b09e-272ac4c1dad6
+version: 1
+date: '2023-05-10'
+author: Rod Soto
+status: production
+type: Hunting
+data_source:
+- splunkd.log
+description: In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an attacker can exploit a vulnerability in the dump SPL command to cause a Denial of Service by crashing the Splunk daemon.
+search: '`splunk_crash_log` "*Segmentation fault*" | stats count by host _time | `splunk_dos_via_dump_spl_command_filter`'
+how_to_implement: This search does not require additional ingestion of data. Requires the ability to search _internal index and monitor segmentation faults.
+known_false_positives: Segmentation faults may occur due to other causes, so this search may produce false positives 
+references:
+- https://advisory.splunk.com/
+tags:
+  analytic_story:
+  - Splunk Vulnerabilities
+  asset_type: endpoint
+  atomic_guid: []
+  confidence: 100
+  impact: 100
+  message: Possible denial of service attack with Victim $host$
+  mitre_attack_id:
+  - T1499.004
+  observable:
+  - name: host
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  risk_score: 100
+  required_fields:
+  - host 
+  - source 
+  - event_message
+  - status
+  - _time
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1499.004/splunk/splunk_dos_via_dump_spl_command.log
+    source: /opt/splunk/var/log/splunk/splunkd.log
+    sourcetype: splunkd_crash_log
+    custom_index: _internal

detections/application/splunk_edit_user_privilege_escalation.yml

@@ -0,0 +1,49 @@
+name: Splunk Edit User Privilege Escalation
+id: 39e1c326-67d7-4c0d-8584-8056354f6593
+version: 1
+date: '2023-05-23'
+author: Rod Soto, Chase Franklin
+status: production
+type: Hunting
+data_source:
+- audittrail
+description: A low-privilege user who holds a role that has the edit_user capability assigned to it can escalate their privileges to that of the admin user by providing specially crafted web requests.
+search: '`audittrail` action IN ("change_own_password","password_change","edit_password") AND info="granted" AND NOT user IN (admin, splunk-system-user) | stats earliest(_time) as event_time values(index) as index values(sourcetype) as sourcetype values(action) as action values(info) as info by user | `splunk_edit_user_privilege_escalation_filter`'
+how_to_implement: This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover abuse of edit_user privilege. 
+known_false_positives: This search may produce false positives as password changing actions may be part of normal behavior. Operator will need to investigate these actions in order to discern exploitation attempts. 
+references:
+- https://advisory.splunk.com/ 
+tags:
+  analytic_story:
+  - Splunk Vulnerabilities 
+  asset_type: endpoint
+  atomic_guid: []
+  confidence: 80
+  impact: 80
+  cve: []
+  message: Possible attempt to abuse edit_user function by $user$ 
+  mitre_attack_id:
+  - T1548
+  observable:
+  - name: user
+    type: User
+    role:
+    - Attacker
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 64
+  required_fields:
+  - user 
+  - action 
+  - info 
+  - _time 
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/splunk/splunk_edit_user_privilege_escalation.log
+    source: audittrail
+    sourcetype: audittrail
+    custom_index: _audit

detections/application/splunk_http_response_splitting_via_rest_spl_command.yml

@@ -0,0 +1,46 @@
+name: Splunk HTTP Response Splitting Via Rest SPL Command
+id: e615a0e1-a1b2-4196-9865-8aa646e1708c
+version: 1
+date: '2023-05-23'
+author: Rod Soto, Chase Franklin
+status: production
+type: Hunting
+data_source:
+- audittrail
+description: A low-privileged user, using a specially crafted search command, can trigger an HTTP response splitting vulnerability with the rest SPL command that lets them potentially access other REST endpoints in the system arbitrarily, including accessing restricted content such as password files. This is because the user is able to inject the rest SPL command into the q parameter of an HTTP GET web request. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will.
+search: '`audit_searches` AND search IN ("*|*rest*POST*","*|*rest*PUT*","*|*rest*PATCH*","*|*rest*DELETE*") AND NOT search="index=_audit" | table user info has_error_msg search _time  | `splunk_http_response_splitting_via_rest_spl_command_filter`'
+how_to_implement: This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This search may assist in detecting possible http response splitting exploitation attemptss. 
+known_false_positives: This search may have produce false positives as malformed or erroneous requests made to this endpoint may be executed willingly or erroneously by operators. 
+references:
+- https://advisory.splunk.com/
+tags:
+  analytic_story:
+  - Splunk Vulnerabilities 
+  asset_type: endpoint
+  atomic_guid: []
+  confidence: 50
+  impact: 50
+  message: Suspicious access by $user$
+  mitre_attack_id:
+  - T1027.006
+  observable:
+  - name: user
+    type: URL String
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  risk_score: 25
+  required_fields:
+  - search
+  - testing_endpoint 
+  - info 
+  - has_error_msg
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027.006/splunk/splunk_http_response_splitting_via_rest_spl_command.log
+    source: audittrail
+    sourcetype: audittrail
+    custom_index: _audit

detections/application/splunk_low_privilege_user_can_view_hashed_splunk_password.yml

@@ -0,0 +1,50 @@
+name: Splunk Low Privilege User Can View Hashed Splunk Password
+id: a1be424d-e59c-4583-b6f9-2dcc23be4875
+version: 1
+date: '2023-05-09'
+author: Rod Soto, Eric McGinnis, Chase Franklin
+status: production
+type: Hunting
+data_source:
+- splunk_web_access
+description: In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user who holds the user role can see the hashed version of the initial user name and password for the Splunk instance by using the rest SPL command against the conf-user-seed REST endpoint. This can lead to a privilege escalation that lets the user take over the admin account on the instance.
+search: '`splunkd_web` uri="*/servicesNS/nobody/system/configs/conf-user-seed*" | stats earliest(_time) as event_time values(method) as method values(status) as
+  status values(clientip) as clientip values(useragent) as useragent values(file) as file by user | convert ctime(*time) | `splunk_low_privilege_user_can_view_hashed_splunk_password_filter`'
+how_to_implement: This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover attempts to access con-user-seed file content.
+known_false_positives: This search may produce false positives as accounts with high privileges may access this file. Operator will need to investigate these actions in order to discern exploitation attempts.
+references:
+- https://advisory.splunk.com/
+tags:
+  analytic_story:
+  - Splunk Vulnerabilities
+  asset_type: endpoint
+  atomic_guid: []
+  confidence: 90
+  impact: 90
+  message: Attempt to access Splunk hashed password file from $clientip$
+  mitre_attack_id:
+  - T1212
+  observable:
+  - name: clientip
+    type: IP Address
+    role:
+    - Attacker 
+  product:
+  - Splunk Enterprise
+  risk_score: 81
+  required_fields:
+  - _time  
+  - clientip 
+  - useragent 
+  - file 
+  - user 
+  - method 
+  - status 
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1212/splunk/splunk_low_privilege_user_can_view_hashed_splunk_password.log
+    source: /opt/splunk/var/log/splunk/web_access.log
+    sourcetype: splunk_web_access
+    custom_index: _internal

detections/application/splunk_path_traversal_in_splunk_app_for_lookup_file_edit.yml

@@ -0,0 +1,50 @@
+name: Splunk Path Traversal In Splunk App For Lookup File Edit
+id: 8ed58987-738d-4917-9e44-b8ef6ab948a6
+version: 1
+date: '2023-05-11'
+author: Rod Soto, Eric McGinnis
+status: production
+type: Hunting
+data_source:
+- splunkd_access 
+description: In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user with access to the Splunk App for Lookup File Editing can, with a specially crafted web request, trigger a path traversal exploit that can then be used to read and write to restricted areas of the Splunk installation directory, including but not limited to the password hash file for the instance.
+search: '`splunkda` uri_query=*lookup_file* | table clientip uri_query lookup_file owner namespace  version | stats count by clientip namespace lookup_file uri_query | `splunk_path_traversal_in_splunk_app_for_lookup_file_edit_filter`'
+how_to_implement: This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection is meant for on premise environments,
+  and if executed on internet facing servers without a WAF may produce a lot of results. This detection will not work against obfuscated path traversal requests.
+known_false_positives: This search may find additional path traversal exploitation attempts or malformed requests.
+references:
+- https://advisory.splunk.com/
+tags:
+  analytic_story:
+  - Splunk Vulnerabilities
+  asset_type: endpoint 
+  atomic_guid: []
+  confidence: 80
+  impact: 50
+  message: Path traversal exploitation attempt from $clientip$
+  mitre_attack_id:
+  - T1083
+  observable:
+  - name: clientip
+    type: IP Address
+    role:
+    - Attacker
+  product:
+  - Splunk Enterprise
+  risk_score: 40
+  required_fields:
+  - clientip
+  - uri_query 
+  - event_message 
+  - lookup_file 
+  - owner 
+  - method 
+  - user
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/splunk/splunk_path_traversal_in_splunk_app_for_lookup_file_edit.log
+    source: splunkd_access 
+    sourcetype: splunkd_access
+    custom_index: _internal

detections/application/splunk_persistent_xss_via_url_validation_bypass_w_dashboard.yml

@@ -0,0 +1,48 @@
+name: Splunk Persistent XSS Via URL Validation Bypass W Dashboard
+id: 8a43558f-a53c-4ee4-86c1-30b1e8ef3606
+version: 1
+date: '2023-05-09'
+author: Rod Soto
+status: production
+type: Hunting
+data_source:
+- splunk_web_access
+description: In Splunk Enterprise versions below 9.0.4, 8.2.10, and 8.1.13, a low-privileged user can bypass URL validation to perform a path traversal and access restricted and confidential information by targeting other users on the instance, including the admin user.  The only affected version of bootstrap which shipped with Splunk was version 2.3.1, so the search is targeted at that version alone.
+search: '`splunkd_web` method=GET uri_path="*bootstrap-2.3.1*" file="*.js" | table _time clientip uri_path file status | `splunk_persistent_xss_via_url_validation_bypass_w_dashboard_filter`'
+how_to_implement: This search does not require additional data to be ingested. This search requires ability to search _internal index. This search helps discover access to vulnerable bootstrap versions. 
+known_false_positives: This search will produce numerous false positives as it shows ANY accesses to vulnerable bootstrap Javascript files.  Accesses to these files occur during normal Splunk usage. To reduce or eliminate false positives, update the a version of Splunk which has addressed the vulnerability.
+references:
+- https://advisory.splunk.com/
+tags:
+  analytic_story:
+  - Splunk Vulnerabilities
+  asset_type: endpoint
+  atomic_guid: []
+  confidence: 20
+  impact: 80
+  cve: 
+  - CVE-2019-8331
+  message:  Attempted access to vulnerable bootstrap file by $clientip$
+  mitre_attack_id:
+  - T1189
+  observable:
+  - name: clientip
+    type: IP Address
+    role:
+    - Attacker
+  product:
+  - Splunk Enterprise
+  risk_score: 16
+  required_fields:
+  - file 
+  - uri 
+  - clientip 
+  - user 
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_persistent_xss_via_url_validation_bypass_w_dashboard.log
+    source: /opt/splunk/var/log/splunk/web_access.log
+    sourcetype: splunk_web_access
+    custom_index: _internal

detections/application/splunk_rbac_bypass_on_indexing_preview_rest_endpoint.yml

@@ -0,0 +1,48 @@
+name: Splunk RBAC Bypass On Indexing Preview REST Endpoint
+id: bbe26f95-1655-471d-8abd-3d32fafa86f8
+version: 1
+date: '2023-05-10'
+author: Rod Soto
+status: production
+type: Hunting
+data_source:
+- splunkd_access.log
+description: An unauthorized user can use the /services/indexing/preview REST endpoint to overwrite search results if they know the search ID (SID) of an existing search job.
+search: '`splunkda` method="POST" uri="*/services/indexing/preview*" | table host clientip status useragent user uri_path | `splunk_rbac_bypass_on_indexing_preview_rest_endpoint_filter`'
+how_to_implement: This search does not require additional data ingestion. It requires the ability to search _internal index. 
+known_false_positives: This is a hunting search which provides verbose results against this endpoint. Operator must consider things such as IP address, useragent and user(specially low privelege) and host to investigate possible attack. 
+references:
+- https://advisory.splunk.com/
+tags:
+  analytic_story:
+  - Splunk Vulnerabilities 
+  asset_type: endpoint
+  atomic_guid: []
+  confidence: 50
+  impact: 30
+  message: Review $clientip$ access to indexing preview endpoint from low privilege user
+  mitre_attack_id:
+  - T1134
+  observable:
+  - name: clientip
+    type: IP Address
+    role:
+    - Attacker 
+  product:
+  - Splunk Enterprise
+  risk_score: 15
+  required_fields:
+  - host 
+  - clientip 
+  - status 
+  - useragent 
+  - user 
+  - uri_path 
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134/splunk/splunk_rbac_bypass_on_indexing_preview_rest_endpoint.log
+    source: splunkd_access.log
+    sourcetype: splunkd_access
+    custom_index: _internal

macros/audittrail.yml

@@ -0,0 +1,3 @@
+definition: index=_audit sourcetype=audittrail
+description: Macro to enable easy searching of audittrail logs
+name: audittrail

macros/splunk_crash_log.yml

@@ -0,0 +1,3 @@
+definition: (index=_internal AND sourcetype=splunkd_crash_log)
+description: Searches through the Splunk Crash Log for low-level errors and crashes
+name: splunk_crash_log