From 4bfd0c12776b4fd1c94aee4d8d983fee82770b70 Mon Sep 17 00:00:00 2001 From: pyth0n1c <87383215+pyth0n1c@users.noreply.github.com> Date: Thu, 1 Jun 2023 08:18:50 -0700 Subject: [PATCH 1/6] content for June2023. --- .../splunk_dos_via_dump_spl_command.yml | 47 +++++++++++++++++ .../splunk_edit_user_privilege_escalation.yml | 49 ++++++++++++++++++ ...esponse_splitting_via_rest_spl_command.yml | 46 +++++++++++++++++ ...e_user_can_view_hashed_splunk_password.yml | 50 +++++++++++++++++++ ...sal_in_splunk_app_for_lookup_file_edit.yml | 50 +++++++++++++++++++ ..._via_url_validation_bypass_w_dashboard.yml | 48 ++++++++++++++++++ ...pass_on_indexing_preview_rest_endpoint.yml | 48 ++++++++++++++++++ macros/splunk_crash_log.yml | 3 ++ 8 files changed, 341 insertions(+) create mode 100644 detections/application/splunk_dos_via_dump_spl_command.yml create mode 100644 detections/application/splunk_edit_user_privilege_escalation.yml create mode 100644 detections/application/splunk_http_response_splitting_via_rest_spl_command.yml create mode 100644 detections/application/splunk_low_privilege_user_can_view_hashed_splunk_password.yml create mode 100644 detections/application/splunk_path_traversal_in_splunk_app_for_lookup_file_edit.yml create mode 100644 detections/application/splunk_persistent_xss_via_url_validation_bypass_w_dashboard.yml create mode 100644 detections/application/splunk_rbac_bypass_on_indexing_preview_rest_endpoint.yml create mode 100644 macros/splunk_crash_log.yml diff --git a/detections/application/splunk_dos_via_dump_spl_command.yml b/detections/application/splunk_dos_via_dump_spl_command.yml new file mode 100644 index 0000000000..883c6eb45d --- /dev/null +++ b/detections/application/splunk_dos_via_dump_spl_command.yml @@ -0,0 +1,47 @@ +name: Splunk DOS Via Dump SPL Command +id: fb0e6823-365f-48ed-b09e-272ac4c1dad6 +version: 1 +date: '2023-05-10' +author: Rod Soto +status: production +type: Hunting +data_source: +- splunkd.log +description: In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an attacker can exploit a vulnerability in the dump SPL command to cause a Denial of Service by crashing the Splunk daemon. +search: '`splunk_crash_log` "*Segmentation fault*" | stats count by host _time | `splunk_dos_via_dump_spl_command_filter`' +how_to_implement: This search does not require additional ingestion of data. Requires the ability to search _internal index and monitor segmentation faults. +known_false_positives: Segmentation faults may occur due to other causes, so this search may produce false positives +references: +- https://advisory.splunk.com/ +tags: + analytic_story: + - Splunk Vulnerabilities + asset_type: endpoint + atomic_guid: [] + confidence: 100 + impact: 100 + message: Possible denial of service attack from $clientip$ + mitre_attack_id: + - T0814 + observable: + - name: clientip + type: IP Address + role: + - Attacker + product: + - Splunk Enterprise + risk_score: 100 + required_fields: + - clientip + - host + - source + - status + - event_message + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T0814/splunk/splunk_dos_via_dump_spl_command.log + source: /opt/splunk/var/log/splunk/splunkd.log + sourcetype: splunkd_crash_log + custom_index: _internal diff --git a/detections/application/splunk_edit_user_privilege_escalation.yml b/detections/application/splunk_edit_user_privilege_escalation.yml new file mode 100644 index 0000000000..489e769609 --- /dev/null +++ b/detections/application/splunk_edit_user_privilege_escalation.yml @@ -0,0 +1,49 @@ +name: Splunk Edit User Privilege Escalation +id: 39e1c326-67d7-4c0d-8584-8056354f6593 +version: 1 +date: '2023-05-23' +author: Rod Soto, Chase Franklin +status: production +type: Hunting +data_source: +- audittrail +description: A low-privilege user who holds a role that has the edit_user capability assigned to it can escalate their privileges to that of the admin user by providing specially crafted web requests. +search: 'index=_audit sourcetype="audittrail" action IN ("change_own_password","password_change","edit_password") AND info="granted" AND NOT user IN (admin, splunk-system-user) | stats earliest(_time) as event_time values(index) as index values(sourcetype) as sourcetype values(action) as action values(info) as info by user | `splunk_edit_user_privilege_escalation_filter`' +how_to_implement: This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover abuse of edit_user privilege. +known_false_positives: This search may produce false positives as password changing actions may be part of normal behavior. Operator will need to investigate these actions in order to discern exploitation attempts. +references: +- https://advisory.splunk.com/ +tags: + analytic_story: + - Splunk Vulnerabilities + asset_type: endpoint + atomic_guid: [] + confidence: 80 + impact: 80 + cve: [] + message: Possible attempt to abuse edit_user function by $User$ + mitre_attack_id: + - T1548 + observable: + - name: User + type: User + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 64 + required_fields: + - user + - action + - info + - _time + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/splunk/splunk_edit_user_privilege_escalation.log + source: audittrail + sourcetype: audittrail + custom_index: _audit diff --git a/detections/application/splunk_http_response_splitting_via_rest_spl_command.yml b/detections/application/splunk_http_response_splitting_via_rest_spl_command.yml new file mode 100644 index 0000000000..185bb31aea --- /dev/null +++ b/detections/application/splunk_http_response_splitting_via_rest_spl_command.yml @@ -0,0 +1,46 @@ +name: Splunk HTTP Response Splitting Via Rest SPL Command +id: e615a0e1-a1b2-4196-9865-8aa646e1708c +version: 1 +date: '2023-05-23' +author: Rod Soto, Chase Franklin +status: production +type: Hunting +data_source: +- audittrail +description: A low-privileged user, using a specially crafted search command, can trigger an HTTP response splitting vulnerability with the rest SPL command that lets them potentially access other REST endpoints in the system arbitrarily, including accessing restricted content such as password files. This is because the user is able to inject the rest SPL command into the q parameter of an HTTP GET web request. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will. +search: '`audit_searches` AND search IN ("*|*rest*POST*","*|*rest*PUT*","*|*rest*PATCH*","*|*rest*DELETE*") AND NOT search="index=_audit" | table user info has_error_msg search _time | `splunk_http_response_splitting_via_rest_spl_command_filter`' +how_to_implement: This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This search may assist in detecting possible http response splitting exploitation attemps. +known_false_positives: This search may have produce false positives as malformed or erroneous requests made to this endpoint may be executed willingly or erroneously by operators. +references: +- https://advisory.splunk.com/ +tags: + analytic_story: + - Splunk Vulnerabilities + asset_type: endpoint + atomic_guid: [] + confidence: 50 + impact: 50 + message: Suspicious access to $testing_endpoint$ + mitre_attack_id: + - T1027.006 + observable: + - name: testing_endpoint + type: URL String + role: + - Victim + product: + - Splunk Enterprise + risk_score: 25 + required_fields: + - search + - testing_endpoint + - info + - has_error_msg + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027.006/splunk/splunk_http_response_splitting_via_rest_spl_command.log + source: audittrail + sourcetype: audittrail + custom_index: _audit diff --git a/detections/application/splunk_low_privilege_user_can_view_hashed_splunk_password.yml b/detections/application/splunk_low_privilege_user_can_view_hashed_splunk_password.yml new file mode 100644 index 0000000000..a93e2a82bf --- /dev/null +++ b/detections/application/splunk_low_privilege_user_can_view_hashed_splunk_password.yml @@ -0,0 +1,50 @@ +name: Splunk Low Privilege User Can View Hashed Splunk Password +id: a1be424d-e59c-4583-b6f9-2dcc23be4875 +version: 1 +date: '2023-05-09' +author: Rod Soto, Eric McGinnis, Chase Franklin +status: production +type: Hunting +data_source: +- splunk_web_access +description: In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user who holds the user role can see the hashed version of the initial user name and password for the Splunk instance by using the rest SPL command against the conf-user-seed REST endpoint. This can lead to a privilege escalation that lets the user take over the admin account on the instance. +search: '`splunkd_web` uri="*/servicesNS/nobody/system/configs/conf-user-seed*" | stats earliest(_time) as event_time values(method) as method values(status) as + status values(clientip) as clientip values(useragent) as useragent values(file) as file by user | convert ctime(*time) | `splunk_low_privilege_user_can_view_hashed_splunk_password_filter`' +how_to_implement: This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover attempts to access con-user-seed file content. +known_false_positives: This search may produce false positives as accounts with high privileges may access this file. Operator will need to investigate these actions in order to discern exploitation attempts. +references: +- https://advisory.splunk.com/ +tags: + analytic_story: + - Splunk Vulnerabilities + asset_type: endpoint + atomic_guid: [] + confidence: 90 + impact: 90 + message: Attempt to access Splunk hashed password file from $clientip$ + mitre_attack_id: + - T1212 + observable: + - name: clientip + type: IP Address + role: + - Attacker + product: + - Splunk Enterprise + risk_score: 81 + required_fields: + - _time + - clientip + - useragent + - file + - user + - method + - status + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1212/splunk/splunk_low_privilege_user_can_view_hashed_splunk_password.log + source: /opt/splunk/var/log/splunk/web_access.log + sourcetype: splunk_web_access + custom_index: _internal diff --git a/detections/application/splunk_path_traversal_in_splunk_app_for_lookup_file_edit.yml b/detections/application/splunk_path_traversal_in_splunk_app_for_lookup_file_edit.yml new file mode 100644 index 0000000000..5e90aec70e --- /dev/null +++ b/detections/application/splunk_path_traversal_in_splunk_app_for_lookup_file_edit.yml @@ -0,0 +1,50 @@ +name: Splunk Path Traversal In Splunk App For Lookup File Edit +id: 8ed58987-738d-4917-9e44-b8ef6ab948a6 +version: 1 +date: '2023-05-11' +author: Rod Soto, Eric McGinnis +status: production +type: Hunting +data_source: +- splunkd_access +description: In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user with access to the Splunk App for Lookup File Editing can, with a specially crafted web request, trigger a path traversal exploit that can then be used to read and write to restricted areas of the Splunk installation directory, including but not limited to the password hash file for the instance. +search: '`splunkda` uri_query=*lookup_file* | table clientip uri_query lookup_file owner namespace version | stats count by clientip namespace lookup_file uri_query | `splunk_path_traversal_in_splunk_app_for_lookup_file_edit_filter`' +how_to_implement: This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection is meant for on premise environments, + and if executed on internet facing servers without a WAF may produce a lot of results. This detection will not work against obfuscated path traversal requests. +known_false_positives: This search may find additional path traversal exploitation attempts or malformed requests. +references: +- https://advisory.splunk.com/ +tags: + analytic_story: + - Splunk Vulnerabilities + asset_type: endpoint + atomic_guid: [] + confidence: 80 + impact: 50 + message: Path traversal exploitation attempt from $clientip$ + mitre_attack_id: + - T1083 + observable: + - name: clientip + type: IP Address + role: + - Attacker + product: + - Splunk Enterprise + risk_score: 40 + required_fields: + - clientip + - uri_query + - event_message + - lookup_file + - owner + - method + - user + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/splunk/splunk_path_traversal_in_splunk_app_for_lookup_file_edit.log + source: splunkd_access + sourcetype: splunkd_access + custom_index: _internal diff --git a/detections/application/splunk_persistent_xss_via_url_validation_bypass_w_dashboard.yml b/detections/application/splunk_persistent_xss_via_url_validation_bypass_w_dashboard.yml new file mode 100644 index 0000000000..1b3926d408 --- /dev/null +++ b/detections/application/splunk_persistent_xss_via_url_validation_bypass_w_dashboard.yml @@ -0,0 +1,48 @@ +name: Splunk Persistent XSS Via URL Validation Bypass W Dashboard +id: 8a43558f-a53c-4ee4-86c1-30b1e8ef3606 +version: 1 +date: '2023-05-09' +author: Rod Soto +status: production +type: Hunting +data_source: +- splunk_web_access +description: In Splunk Enterprise versions below 9.0.4, 8.2.10, and 8.1.13, a low-privileged user can bypass URL validation to perform a path traversal and access restricted and confidential information by targeting other users on the instance, including the admin user. The only affected version of bootstrap which shipped with Splunk was version 2.3.1, so the search is targeted at that version alone. +search: '`splunkd_web` method=GET uri_path="*bootstrap-2.3.1*" file="*.js" | table _time clientip uri_path file status | `splunk_persistent_xss_via_url_validation_bypass_w_dashboard_filter`' +how_to_implement: This search does not require additional data to be ingested. This search requires ability to search _internal index. This search helps discover access to vulnerable bootstrap versions. +known_false_positives: This search will produce numerous false positives as it shows ANY accesses to vulnerable bootstrap Javascript files. Accesses to these files occur during normal Splunk usage. To reduce or eliminate false positives, update the a version of Splunk which has addressed the vulnerability. +references: +- https://advisory.splunk.com/ +tags: + analytic_story: + - Splunk Vulnerabilities + asset_type: endpoint + atomic_guid: [] + confidence: 20 + impact: 80 + cve: + - CVE-2019-8331 + message: Attempted access to vulnerable bootstrap file by $clientip$ + mitre_attack_id: + - T1456 + observable: + - name: clientip + type: IP Address + role: + - Attacker + product: + - Splunk Enterprise + risk_score: 16 + required_fields: + - file + - uri + - clientip + - user + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1456/splunk/splunk_persistent_xss_via_url_validation_bypass_w_dashboard.log + source: /opt/splunk/var/log/splunk/web_access.log + sourcetype: splunk_web_access + custom_index: _internal diff --git a/detections/application/splunk_rbac_bypass_on_indexing_preview_rest_endpoint.yml b/detections/application/splunk_rbac_bypass_on_indexing_preview_rest_endpoint.yml new file mode 100644 index 0000000000..7011fd726d --- /dev/null +++ b/detections/application/splunk_rbac_bypass_on_indexing_preview_rest_endpoint.yml @@ -0,0 +1,48 @@ +name: Splunk RBAC Bypass On Indexing Preview REST Endpoint +id: bbe26f95-1655-471d-8abd-3d32fafa86f8 +version: 1 +date: '2023-05-10' +author: Rod Soto +status: production +type: Hunting +data_source: +- splunkd_access.log +description: An unauthorized user can use the /services/indexing/preview REST endpoint to overwrite search results if they know the search ID (SID) of an existing search job. +search: '`splunkda` method="POST" uri="*/services/indexing/preview*" | table host clientip status useragent user uri_path | `splunk_rbac_bypass_on_indexing_preview_rest_endpoint_filter`' +how_to_implement: This search does not require additional data ingestion. It requires the ability to search _internal index. +known_false_positives: This is a hunting search which provides verbose results against this endpoint. Operator must consider things such as IP address, useragent and user(specially low privelege) and host to investigate possible attack. +references: +- https://advisory.splunk.com/ +tags: + analytic_story: + - Splunk Vulnerabilities + asset_type: endpoint + atomic_guid: [] + confidence: 50 + impact: 30 + message: Review $clientip$ access to indexing preview endpoint from low privilege user + mitre_attack_id: + - T1134 + observable: + - name: clientip + type: IP Address + role: + - Attacker + product: + - Splunk Enterprise + risk_score: 15 + required_fields: + - host + - clientip + - status + - useragent + - user + - uri_path + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134/splunk/splunk_rbac_bypass_on_indexing_preview_rest_endpoint.log + source: splunkd_access.log + sourcetype: splunkd_access + custom_index: _internal diff --git a/macros/splunk_crash_log.yml b/macros/splunk_crash_log.yml new file mode 100644 index 0000000000..540846ea73 --- /dev/null +++ b/macros/splunk_crash_log.yml @@ -0,0 +1,3 @@ +definition: (index=_internal AND sourcetype=splunkd_crash_log) +description: Searches through the Splunk Crash Log for low-level errors and crashes +name: splunk_crash_log \ No newline at end of file From 087a29c857cf523f334556a304b994f4ebc888c5 Mon Sep 17 00:00:00 2001 From: pyth0n1c <87383215+pyth0n1c@users.noreply.github.com> Date: Thu, 1 Jun 2023 09:45:20 -0700 Subject: [PATCH 2/6] fixing mitre ids --- detections/application/splunk_dos_via_dump_spl_command.yml | 4 ++-- ...k_persistent_xss_via_url_validation_bypass_w_dashboard.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/detections/application/splunk_dos_via_dump_spl_command.yml b/detections/application/splunk_dos_via_dump_spl_command.yml index 883c6eb45d..83645566ac 100644 --- a/detections/application/splunk_dos_via_dump_spl_command.yml +++ b/detections/application/splunk_dos_via_dump_spl_command.yml @@ -22,7 +22,7 @@ tags: impact: 100 message: Possible denial of service attack from $clientip$ mitre_attack_id: - - T0814 + - T1499.004 observable: - name: clientip type: IP Address @@ -41,7 +41,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T0814/splunk/splunk_dos_via_dump_spl_command.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1499.004/splunk/splunk_dos_via_dump_spl_command.log source: /opt/splunk/var/log/splunk/splunkd.log sourcetype: splunkd_crash_log custom_index: _internal diff --git a/detections/application/splunk_persistent_xss_via_url_validation_bypass_w_dashboard.yml b/detections/application/splunk_persistent_xss_via_url_validation_bypass_w_dashboard.yml index 1b3926d408..1e756952b7 100644 --- a/detections/application/splunk_persistent_xss_via_url_validation_bypass_w_dashboard.yml +++ b/detections/application/splunk_persistent_xss_via_url_validation_bypass_w_dashboard.yml @@ -24,7 +24,7 @@ tags: - CVE-2019-8331 message: Attempted access to vulnerable bootstrap file by $clientip$ mitre_attack_id: - - T1456 + - T1189 observable: - name: clientip type: IP Address @@ -42,7 +42,7 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1456/splunk/splunk_persistent_xss_via_url_validation_bypass_w_dashboard.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_persistent_xss_via_url_validation_bypass_w_dashboard.log source: /opt/splunk/var/log/splunk/web_access.log sourcetype: splunk_web_access custom_index: _internal From 553ecb9478885b3a7afb176528b2591e54f9429c Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Thu, 1 Jun 2023 09:58:45 -0700 Subject: [PATCH 3/6] Update splunk_dos_via_dump_spl_command.yml --- .../application/splunk_dos_via_dump_spl_command.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/detections/application/splunk_dos_via_dump_spl_command.yml b/detections/application/splunk_dos_via_dump_spl_command.yml index 83645566ac..7f5e7b1f28 100644 --- a/detections/application/splunk_dos_via_dump_spl_command.yml +++ b/detections/application/splunk_dos_via_dump_spl_command.yml @@ -24,19 +24,17 @@ tags: mitre_attack_id: - T1499.004 observable: - - name: clientip + - name: host type: IP Address role: - - Attacker + - Victim product: - Splunk Enterprise risk_score: 100 required_fields: - - clientip - host - source - - status - - event_message + - _time security_domain: endpoint tests: - name: True Positive Test From f7cabb74bbd9168abf8ebf01a1b56e8838f81afc Mon Sep 17 00:00:00 2001 From: patel-bhavin Date: Thu, 1 Jun 2023 10:18:58 -0700 Subject: [PATCH 4/6] update yml --- .../application/splunk_dos_via_dump_spl_command.yml | 11 +++++++---- ...k_http_response_splitting_via_rest_spl_command.yml | 6 +++--- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/detections/application/splunk_dos_via_dump_spl_command.yml b/detections/application/splunk_dos_via_dump_spl_command.yml index 7f5e7b1f28..4236de482f 100644 --- a/detections/application/splunk_dos_via_dump_spl_command.yml +++ b/detections/application/splunk_dos_via_dump_spl_command.yml @@ -8,7 +8,8 @@ type: Hunting data_source: - splunkd.log description: In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an attacker can exploit a vulnerability in the dump SPL command to cause a Denial of Service by crashing the Splunk daemon. -search: '`splunk_crash_log` "*Segmentation fault*" | stats count by host _time | `splunk_dos_via_dump_spl_command_filter`' +search: '`splunk_crash_log` *Segmentation fault* event_message!=NULL status="killed" +| table host source status clientip event_message | `splunk_dos_via_dump_spl_command_filter`' how_to_implement: This search does not require additional ingestion of data. Requires the ability to search _internal index and monitor segmentation faults. known_false_positives: Segmentation faults may occur due to other causes, so this search may produce false positives references: @@ -24,16 +25,18 @@ tags: mitre_attack_id: - T1499.004 observable: - - name: host + - name: clientip type: IP Address role: - - Victim + - Attacker product: - Splunk Enterprise risk_score: 100 required_fields: - host - source + - event_message + - status - _time security_domain: endpoint tests: @@ -42,4 +45,4 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1499.004/splunk/splunk_dos_via_dump_spl_command.log source: /opt/splunk/var/log/splunk/splunkd.log sourcetype: splunkd_crash_log - custom_index: _internal + custom_index: _internal \ No newline at end of file diff --git a/detections/application/splunk_http_response_splitting_via_rest_spl_command.yml b/detections/application/splunk_http_response_splitting_via_rest_spl_command.yml index 185bb31aea..175cd974a4 100644 --- a/detections/application/splunk_http_response_splitting_via_rest_spl_command.yml +++ b/detections/application/splunk_http_response_splitting_via_rest_spl_command.yml @@ -9,7 +9,7 @@ data_source: - audittrail description: A low-privileged user, using a specially crafted search command, can trigger an HTTP response splitting vulnerability with the rest SPL command that lets them potentially access other REST endpoints in the system arbitrarily, including accessing restricted content such as password files. This is because the user is able to inject the rest SPL command into the q parameter of an HTTP GET web request. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will. search: '`audit_searches` AND search IN ("*|*rest*POST*","*|*rest*PUT*","*|*rest*PATCH*","*|*rest*DELETE*") AND NOT search="index=_audit" | table user info has_error_msg search _time | `splunk_http_response_splitting_via_rest_spl_command_filter`' -how_to_implement: This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This search may assist in detecting possible http response splitting exploitation attemps. +how_to_implement: This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This search may assist in detecting possible http response splitting exploitation attemptss. known_false_positives: This search may have produce false positives as malformed or erroneous requests made to this endpoint may be executed willingly or erroneously by operators. references: - https://advisory.splunk.com/ @@ -20,11 +20,11 @@ tags: atomic_guid: [] confidence: 50 impact: 50 - message: Suspicious access to $testing_endpoint$ + message: Suspicious access by $user$ mitre_attack_id: - T1027.006 observable: - - name: testing_endpoint + - name: user type: URL String role: - Victim From 95cc544ca11a62784072e60e44ee12d3d47d2d84 Mon Sep 17 00:00:00 2001 From: patel-bhavin Date: Thu, 1 Jun 2023 10:25:12 -0700 Subject: [PATCH 5/6] audit --- .../application/splunk_edit_user_privilege_escalation.yml | 6 +++--- macros/audittrail.yml | 3 +++ 2 files changed, 6 insertions(+), 3 deletions(-) create mode 100644 macros/audittrail.yml diff --git a/detections/application/splunk_edit_user_privilege_escalation.yml b/detections/application/splunk_edit_user_privilege_escalation.yml index 489e769609..deacb2d17c 100644 --- a/detections/application/splunk_edit_user_privilege_escalation.yml +++ b/detections/application/splunk_edit_user_privilege_escalation.yml @@ -8,7 +8,7 @@ type: Hunting data_source: - audittrail description: A low-privilege user who holds a role that has the edit_user capability assigned to it can escalate their privileges to that of the admin user by providing specially crafted web requests. -search: 'index=_audit sourcetype="audittrail" action IN ("change_own_password","password_change","edit_password") AND info="granted" AND NOT user IN (admin, splunk-system-user) | stats earliest(_time) as event_time values(index) as index values(sourcetype) as sourcetype values(action) as action values(info) as info by user | `splunk_edit_user_privilege_escalation_filter`' +search: '`audittrail` action IN ("change_own_password","password_change","edit_password") AND info="granted" AND NOT user IN (admin, splunk-system-user) | stats earliest(_time) as event_time values(index) as index values(sourcetype) as sourcetype values(action) as action values(info) as info by user | `splunk_edit_user_privilege_escalation_filter`' how_to_implement: This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover abuse of edit_user privilege. known_false_positives: This search may produce false positives as password changing actions may be part of normal behavior. Operator will need to investigate these actions in order to discern exploitation attempts. references: @@ -21,11 +21,11 @@ tags: confidence: 80 impact: 80 cve: [] - message: Possible attempt to abuse edit_user function by $User$ + message: Possible attempt to abuse edit_user function by $user$ mitre_attack_id: - T1548 observable: - - name: User + - name: user type: User role: - Attacker diff --git a/macros/audittrail.yml b/macros/audittrail.yml new file mode 100644 index 0000000000..56844d8e97 --- /dev/null +++ b/macros/audittrail.yml @@ -0,0 +1,3 @@ +definition: index=_audit sourcetype=audittrail +description: Macro to enable easy searching of audittrail logs +name: audittrail From c42c086a0a50f51b4d7e8512b3245f0874fd0754 Mon Sep 17 00:00:00 2001 From: pyth0n1c <87383215+pyth0n1c@users.noreply.github.com> Date: Thu, 1 Jun 2023 11:10:39 -0700 Subject: [PATCH 6/6] Fix detection --- .../application/splunk_dos_via_dump_spl_command.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/detections/application/splunk_dos_via_dump_spl_command.yml b/detections/application/splunk_dos_via_dump_spl_command.yml index 4236de482f..33ff72ef1d 100644 --- a/detections/application/splunk_dos_via_dump_spl_command.yml +++ b/detections/application/splunk_dos_via_dump_spl_command.yml @@ -8,8 +8,7 @@ type: Hunting data_source: - splunkd.log description: In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an attacker can exploit a vulnerability in the dump SPL command to cause a Denial of Service by crashing the Splunk daemon. -search: '`splunk_crash_log` *Segmentation fault* event_message!=NULL status="killed" -| table host source status clientip event_message | `splunk_dos_via_dump_spl_command_filter`' +search: '`splunk_crash_log` "*Segmentation fault*" | stats count by host _time | `splunk_dos_via_dump_spl_command_filter`' how_to_implement: This search does not require additional ingestion of data. Requires the ability to search _internal index and monitor segmentation faults. known_false_positives: Segmentation faults may occur due to other causes, so this search may produce false positives references: @@ -21,14 +20,14 @@ tags: atomic_guid: [] confidence: 100 impact: 100 - message: Possible denial of service attack from $clientip$ + message: Possible denial of service attack with Victim $host$ mitre_attack_id: - T1499.004 observable: - - name: clientip - type: IP Address + - name: host + type: Hostname role: - - Attacker + - Victim product: - Splunk Enterprise risk_score: 100