Detection: Splunk Path Traversal In Splunk App For Lookup File Edit

Updated Date: 2024-05-22 ID: 8ed58987-738d-4917-9e44-b8ef6ab948a6 Author: Rod Soto, Eric McGinnis Type: Hunting Product: Splunk Enterprise Security

Description

The following analytic identifies path traversal attempts in the Splunk App for Lookup File Editing. It detects specially crafted web requests targeting lookup files by analyzing the uri_query field in the _internal index. This activity is significant because it allows low-privilege users to read and write to restricted areas of the Splunk installation directory, potentially accessing sensitive files like password hashes. If confirmed malicious, this could lead to unauthorized access, data breaches, and further exploitation of the Splunk environment.

Search

1`splunkda` uri_query=*lookup_file* 
2| table clientip uri_query lookup_file owner namespace  version 
3| stats count by clientip namespace lookup_file uri_query 
4| `splunk_path_traversal_in_splunk_app_for_lookup_file_edit_filter`

Data Source

Name	Platform	Sourcetype	Source	Supported App
Splunk	Splunk	`'splunkd_ui_access'`	`'splunkd_ui_access.log'`	N/A

Macros Used

Name	Value
splunkda	`index=_internal sourcetype=splunkd_access`
splunk_path_traversal_in_splunk_app_for_lookup_file_edit_filter	`search *`

splunk_path_traversal_in_splunk_app_for_lookup_file_edit_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1083	File and Directory Discovery	Discovery

KillChainPhase.EXPLOITAITON

NistCategory.DE_AE

Cis18Value.CIS_10

APT18

APT28

APT3

APT32

APT38

APT39

APT41

APT5

Aoqin Dragon

BRONZE BUTLER

Chimera

Confucius

Dark Caracal

Darkhotel

Dragonfly

FIN13

Fox Kitten

Gamaredon Group

HAFNIUM

Inception

Ke3chang

Kimsuky

Lazarus Group

Leafminer

LuminousMoth

Magic Hound

MuddyWater

Mustang Panda

Patchwork

Sandworm Team

Scattered Spider

Sidewinder

Sowbug

TeamTNT

ToddyCat

Tropic Trooper

Turla

Windigo

Winnti Group

admin@338

menuPass

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Risk Event	False

This configuration file applies to all detections of type hunting.

Implementation

This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection is meant for on premise environments, and if executed on internet facing servers without a WAF may produce a lot of results. This detection will not work against obfuscated path traversal requests.

Known False Positives

This search may find additional path traversal exploitation attempts or malformed requests.

Associated Analytic Story

Splunk Vulnerabilities

Risk Based Analytics (RBA)

Risk Message	Risk Score	Impact	Confidence
Path traversal exploitation attempt from $clientip$	40	50	80

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

References

https://advisory.splunk.com/

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`splunkd_access`	`splunkd_access`
Integration	✅ Passing	Dataset	`splunkd_access`	`splunkd_access`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 2