| ID | Technique | Tactic |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Initial Access |
Detection: Splunk Enterprise Windows Deserialization File Partition
Description
The following analytic identifies attempts to exploit a deserialization vulnerability in Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3. It detects irregular path file executions by analyzing splunk_python logs and extracting file paths and names. This activity is significant because it indicates potential exploitation of a known vulnerability, which could lead to arbitrary code execution. If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary code, and potentially compromise the entire Splunk environment, leading to data breaches and further system exploitation.
Search
1`splunk_python` request_path="/*/app/search/C:\\Program" *strings*
2| rex "request_path=(?<file_path>[^\"]+)"
3| rex field=file_path "[^\"]+/(?<file_name>[^\"\'\s/\\\\]+)"
4| stats min(_time) as firstTime max(_time) as lastTime values(file_path) as file_path values(file_name) as file_name by index, sourcetype, host
5| `security_content_ctime(firstTime)`
6| `security_content_ctime(lastTime)`
7| `splunk_enterprise_windows_deserialization_file_partition_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Splunk |  Splunk |
'splunkd_ui_access' |
'splunkd_ui_access.log' |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| splunk_enterprise_windows_deserialization_file_partition_filter | search * |
splunk_enterprise_windows_deserialization_file_partition_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Delivery
DE.CM
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.
Implementation
Requires access to internal indexes. This detection search will display irregular path file execution, which will display exploit attempts. Only applies to Microsoft Windows Splunk versions.
Known False Positives
Irregular path with files that may be purposely called for benign reasons may produce false positives.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
Possible Windows Deserialization exploitation via irregular path file against $host$
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| host | system | 90 | No Threat Objects |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | C:\Program File\Splunk\var\log\splunk\python.log |
splunk_python |
| Integration | ✅ Passing | Dataset | C:\Program File\Splunk\var\log\splunk\python.log |
splunk_python |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 5