
Update dist/escu, dist/ssa, and dist/api folders with the latest content associated with this tag
research bot committed Jun 1, 2023
1 parent 859b1e8 commit a0022ac
Showing 14 changed files with 393 additions and 32 deletions.
2 changes: 1 addition & 1 deletion dist/api/detections.json

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion dist/api/macros.json

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion dist/api/stories.json

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion dist/escu/app.manifest
Expand Up @@ -5,7 +5,7 @@
"id": {
"group": null,
"name": "DA-ESS-ContentUpdate",
"version": "4.3.0"
"version": "4.4.0"
},
"author": [
{
74 changes: 72 additions & 2 deletions dist/escu/default/analyticstories.conf
@@ -1,6 +1,6 @@
#############
# Automatically generated by generator.py in splunk/security_content
# On Date: 2023-05-30T18:06:50 UTC
# On Date: 2023-06-01T18:34:38 UTC
# Author: Splunk Security Research
# Contact: [email protected]
#############
Expand Down Expand Up @@ -375,6 +375,16 @@ annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mit
known_false_positives = None at this time
providing_technologies = null

[savedsearch://ESCU - Splunk DOS Via Dump SPL Command - Rule]
type = detection
asset_type = endpoint
confidence = medium
explanation = In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an attacker can exploit a vulnerability in the dump SPL command to cause a Denial of Service by crashing the Splunk daemon.
how_to_implement = This search does not require additional ingestion of data. Requires the ability to search _internal index and monitor segmentation faults.
annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives"], "mitre_attack": ["T1499.004"], "nist": ["DE.AE"]}
known_false_positives = Segmentation faults may occur due to other causes, so this search may produce false positives
providing_technologies = null

[savedsearch://ESCU - Splunk DoS via Malformed S2S Request - Rule]
type = detection
asset_type = Endpoint
Expand All @@ -385,6 +395,16 @@ annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives
known_false_positives = None.
providing_technologies = null

[savedsearch://ESCU - Splunk Edit User Privilege Escalation - Rule]
type = detection
asset_type = endpoint
confidence = medium
explanation = A low-privilege user who holds a role that has the edit_user capability assigned to it can escalate their privileges to that of the admin user by providing specially crafted web requests.
how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover abuse of edit_user privilege.
annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1548"], "nist": ["DE.AE"]}
known_false_positives = This search may produce false positives as password changing actions may be part of normal behavior. Operator will need to investigate these actions in order to discern exploitation attempts.
providing_technologies = null

[savedsearch://ESCU - Splunk Endpoint Denial of Service DoS Zip Bomb - Rule]
type = detection
asset_type = Endpoint
Expand All @@ -395,6 +415,16 @@ annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Actions on Objectives
known_false_positives = This search may reveal non malicious zip files causing errors as well.
providing_technologies = null

[savedsearch://ESCU - Splunk HTTP Response Splitting Via Rest SPL Command - Rule]
type = detection
asset_type = endpoint
confidence = medium
explanation = A low-privileged user, using a specially crafted search command, can trigger an HTTP response splitting vulnerability with the rest SPL command that lets them potentially access other REST endpoints in the system arbitrarily, including accessing restricted content such as password files. This is because the user is able to inject the rest SPL command into the q parameter of an HTTP GET web request. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will.
how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This search may assist in detecting possible http response splitting exploitation attemptss.
annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1027.006"], "nist": ["DE.AE"]}
known_false_positives = This search may have produce false positives as malformed or erroneous requests made to this endpoint may be executed willingly or erroneously by operators.
providing_technologies = null

[savedsearch://ESCU - Splunk Improperly Formatted Parameter Crashes splunkd - Rule]
type = detection
asset_type = Endpoint
Expand All @@ -415,6 +445,26 @@ annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_at
known_false_positives = It is not possible to discern from the user table whether or not users with admin rights have been created intentionally, accidentally, or as a result of exploitation. Each user with these rights should be investigated and, if legitimate, added to the filter macro above. If a user is not believed to be legitimate, then further investigation should take place.
providing_technologies = null

[savedsearch://ESCU - Splunk Low Privilege User Can View Hashed Splunk Password - Rule]
type = detection
asset_type = endpoint
confidence = medium
explanation = In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user who holds the user role can see the hashed version of the initial user name and password for the Splunk instance by using the rest SPL command against the conf-user-seed REST endpoint. This can lead to a privilege escalation that lets the user take over the admin account on the instance.
how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. This detection may assist in efforts to discover attempts to access con-user-seed file content.
annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1212"], "nist": ["DE.AE"]}
known_false_positives = This search may produce false positives as accounts with high privileges may access this file. Operator will need to investigate these actions in order to discern exploitation attempts.
providing_technologies = null

[savedsearch://ESCU - Splunk Path Traversal In Splunk App For Lookup File Edit - Rule]
type = detection
asset_type = endpoint
confidence = medium
explanation = In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, a low-privilege user with access to the Splunk App for Lookup File Editing can, with a specially crafted web request, trigger a path traversal exploit that can then be used to read and write to restricted areas of the Splunk installation directory, including but not limited to the password hash file for the instance.
how_to_implement = This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection is meant for on premise environments, and if executed on internet facing servers without a WAF may produce a lot of results. This detection will not work against obfuscated path traversal requests.
annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1083"], "nist": ["DE.AE"]}
known_false_positives = This search may find additional path traversal exploitation attempts or malformed requests.
providing_technologies = null

[savedsearch://ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule]
type = detection
asset_type = Endpoint
Expand All @@ -425,6 +475,16 @@ annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_at
known_false_positives = This is a hunting search, it will not deobfuscate base64 payload, it provides however it will provide what user added the view artifact and what user opened it. It will require further investigation based on the information presented by this hunting search.
providing_technologies = null

[savedsearch://ESCU - Splunk Persistent XSS Via URL Validation Bypass W Dashboard - Rule]
type = detection
asset_type = endpoint
confidence = medium
explanation = In Splunk Enterprise versions below 9.0.4, 8.2.10, and 8.1.13, a low-privileged user can bypass URL validation to perform a path traversal and access restricted and confidential information by targeting other users on the instance, including the admin user. The only affected version of bootstrap which shipped with Splunk was version 2.3.1, so the search is targeted at that version alone.
how_to_implement = This search does not require additional data to be ingested. This search requires ability to search _internal index. This search helps discover access to vulnerable bootstrap versions.
annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1189"], "nist": ["DE.AE"]}
known_false_positives = This search will produce numerous false positives as it shows ANY accesses to vulnerable bootstrap Javascript files. Accesses to these files occur during normal Splunk usage. To reduce or eliminate false positives, update the a version of Splunk which has addressed the vulnerability.
providing_technologies = null

[savedsearch://ESCU - Splunk Process Injection Forwarder Bundle Downloads - Rule]
type = detection
asset_type = Endpoint
Expand Down Expand Up @@ -465,6 +525,16 @@ annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Weaponization"], "mit
known_false_positives = This search tries to address validation of server and client certificates within Splunk infrastructure, it might produce results from accidental or unintended requests to port 8089.
providing_technologies = null

[savedsearch://ESCU - Splunk RBAC Bypass On Indexing Preview REST Endpoint - Rule]
type = detection
asset_type = endpoint
confidence = medium
explanation = An unauthorized user can use the /services/indexing/preview REST endpoint to overwrite search results if they know the search ID (SID) of an existing search job.
how_to_implement = This search does not require additional data ingestion. It requires the ability to search _internal index.
annotations = {"cis20": ["CIS 10"], "kill_chain_phases": ["Exploitation"], "mitre_attack": ["T1134"], "nist": ["DE.AE"]}
known_false_positives = This is a hunting search which provides verbose results against this endpoint. Operator must consider things such as IP address, useragent and user(specially low privelege) and host to investigate possible attack.
providing_technologies = null

[savedsearch://ESCU - Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature - Rule]
type = detection
asset_type = Endpoint
Expand Down Expand Up @@ -15096,7 +15166,7 @@ version = 1
references = ["https://www.splunk.com/en_us/product-security/announcements.html"]
maintainers = [{"company": "Splunk", "email": "-", "name": "Lou Stella"}]
spec_version = 3
searches = ["ESCU - Detect Risky SPL using Pretrained ML Model - Rule", "ESCU - Path traversal SPL injection - Rule", "ESCU - Splunk Account Discovery Drilldown Dashboard Disclosure - Rule", "ESCU - Splunk Code Injection via custom dashboard leading to RCE - Rule", "ESCU - Splunk Command and Scripting Interpreter Delete Usage - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky Commands - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK - Rule", "ESCU - Splunk csrf in the ssg kvstore client endpoint - Rule", "ESCU - Splunk Data exfiltration from Analytics Workspace using sid query - Rule", "ESCU - Splunk Digital Certificates Infrastructure Version - Rule", "ESCU - Splunk Digital Certificates Lack of Encryption - Rule", "ESCU - Splunk DoS via Malformed S2S Request - Rule", "ESCU - Splunk Endpoint Denial of Service DoS Zip Bomb - Rule", "ESCU - Splunk Improperly Formatted Parameter Crashes splunkd - Rule", "ESCU - Splunk list all nonstandard admin accounts - Rule", "ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule", "ESCU - Splunk Process Injection Forwarder Bundle Downloads - Rule", "ESCU - Splunk Protocol Impersonation Weak Encryption Configuration - Rule", "ESCU - Splunk protocol impersonation weak encryption selfsigned - Rule", "ESCU - Splunk protocol impersonation weak encryption simplerequest - Rule", "ESCU - Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature - Rule", "ESCU - Splunk Reflected XSS in the templates lists radio - Rule", "ESCU - Splunk risky Command Abuse disclosed february 2023 - Rule", "ESCU - Splunk Stored XSS via Data Model objectName field - Rule", "ESCU - Splunk unnecessary file extensions allowed by lookup table uploads - Rule", "ESCU - Splunk User Enumeration Attempt - Rule", "ESCU - Splunk XSS in Monitoring Console - Rule", "ESCU - Splunk XSS in Save table dialog header in search page - Rule", "ESCU - Splunk XSS via View - Rule", "ESCU - Open Redirect in Splunk Web - 
Rule", "ESCU - Splunk Enterprise Information Disclosure - Rule", "ESCU - Splunk Identified SSL TLS Certificates - Rule"]
searches = ["ESCU - Detect Risky SPL using Pretrained ML Model - Rule", "ESCU - Path traversal SPL injection - Rule", "ESCU - Splunk Account Discovery Drilldown Dashboard Disclosure - Rule", "ESCU - Splunk Code Injection via custom dashboard leading to RCE - Rule", "ESCU - Splunk Command and Scripting Interpreter Delete Usage - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky Commands - Rule", "ESCU - Splunk Command and Scripting Interpreter Risky SPL MLTK - Rule", "ESCU - Splunk csrf in the ssg kvstore client endpoint - Rule", "ESCU - Splunk Data exfiltration from Analytics Workspace using sid query - Rule", "ESCU - Splunk Digital Certificates Infrastructure Version - Rule", "ESCU - Splunk Digital Certificates Lack of Encryption - Rule", "ESCU - Splunk DOS Via Dump SPL Command - Rule", "ESCU - Splunk DoS via Malformed S2S Request - Rule", "ESCU - Splunk Edit User Privilege Escalation - Rule", "ESCU - Splunk Endpoint Denial of Service DoS Zip Bomb - Rule", "ESCU - Splunk HTTP Response Splitting Via Rest SPL Command - Rule", "ESCU - Splunk Improperly Formatted Parameter Crashes splunkd - Rule", "ESCU - Splunk list all nonstandard admin accounts - Rule", "ESCU - Splunk Low Privilege User Can View Hashed Splunk Password - Rule", "ESCU - Splunk Path Traversal In Splunk App For Lookup File Edit - Rule", "ESCU - Persistent XSS in RapidDiag through User Interface Views - Rule", "ESCU - Splunk Persistent XSS Via URL Validation Bypass W Dashboard - Rule", "ESCU - Splunk Process Injection Forwarder Bundle Downloads - Rule", "ESCU - Splunk Protocol Impersonation Weak Encryption Configuration - Rule", "ESCU - Splunk protocol impersonation weak encryption selfsigned - Rule", "ESCU - Splunk protocol impersonation weak encryption simplerequest - Rule", "ESCU - Splunk RBAC Bypass On Indexing Preview REST Endpoint - Rule", "ESCU - Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature - Rule", "ESCU - Splunk Reflected XSS in the templates lists radio - 
Rule", "ESCU - Splunk risky Command Abuse disclosed february 2023 - Rule", "ESCU - Splunk Stored XSS via Data Model objectName field - Rule", "ESCU - Splunk unnecessary file extensions allowed by lookup table uploads - Rule", "ESCU - Splunk User Enumeration Attempt - Rule", "ESCU - Splunk XSS in Monitoring Console - Rule", "ESCU - Splunk XSS in Save table dialog header in search page - Rule", "ESCU - Splunk XSS via View - Rule", "ESCU - Open Redirect in Splunk Web - Rule", "ESCU - Splunk Enterprise Information Disclosure - Rule", "ESCU - Splunk Identified SSL TLS Certificates - Rule"]
description = Keeping your Splunk Enterprise deployment up to date is critical and will help you reduce the risk associated with vulnerabilities in the product.
narrative = This analytic story includes detections that focus on attacker behavior targeted at your Splunk environment directly.

4 changes: 2 additions & 2 deletions dist/escu/default/app.conf
Expand Up @@ -4,7 +4,7 @@
is_configured = false
state = enabled
state_change_requires_restart = false
build = 14375
build = 14461

[triggers]
reload.analytic_stories = simple
Expand All @@ -20,7 +20,7 @@ reload.es_investigations = simple

[launcher]
author = Splunk
version = 4.3.0
version = 4.4.0
description = Explore the Analytic Stories included with ES Content Updates.

[ui]
2 changes: 1 addition & 1 deletion dist/escu/default/collections.conf
@@ -1,6 +1,6 @@
#############
# Automatically generated by generator.py in splunk/security_content
# On Date: 2023-05-30T18:06:50 UTC
# On Date: 2023-06-01T18:34:38 UTC
# Author: Splunk Security Research
# Contact: [email protected]
#############
2 changes: 1 addition & 1 deletion dist/escu/default/content-version.conf
@@ -1,2 +1,2 @@
[content-version]
version = 4.3.0
version = 4.4.0
2 changes: 1 addition & 1 deletion dist/escu/default/es_investigations.conf
@@ -1,6 +1,6 @@
#############
# Automatically generated by generator.py in splunk/security_content
# On Date: 2023-05-30T18:06:50 UTC
# On Date: 2023-06-01T18:34:38 UTC
# Author: Splunk Security Research
# Contact: [email protected]
#############
