ID | Technique | Tactic |
---|---|---|
T1210 | Exploitation of Remote Services | Lateral Movement |
Detection: Splunk Code Injection via custom dashboard leading to RCE
EXPERIMENTAL DETECTION
This detection status is set to experimental. The Splunk Threat Research team has not yet fully tested, simulated, or built comprehensive datasets for this detection. As such, this analytic is not officially supported. If you have any questions or concerns, please reach out to us at research@splunk.com.
Description
The following analytic identifies attempts to exploit a vulnerability in Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, where an authenticated user can execute arbitrary code via the dashboard PDF generation component. It detects this activity by analyzing events in the _internal index with the file=export parameter. This behavior is significant because it indicates a potential code injection attack, which could lead to remote code execution (RCE). If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary commands, and potentially compromise the entire Splunk environment.
Search
1`splunkd_ui` uri_path=*/data/ui/views/* OR uri_path=*saved/searches/*
2| dedup uri_path
3| eval URL=urldecode("uri_path")
4| rex field=URL "\/saved\/searches\/(?<NAME>[^\/]*)"
5| rex field=URL "\/data\/ui\/views\/(?<NAME1>[^\/]*)"
6| eval NAME=NAME."( Saved Search )",NAME1=NAME1."( Dashboard )"
7| eval NAME=coalesce(NAME,NAME1)
8| eval STATUS=case(match(status,"2\d+"),"SUCCESS",match(status,"3\d+"),"REDIRECTION",match(status,"4\d+") OR match(status,"5\d+"),"ERROR")
9| stats list(NAME) as DASHBOARD_TITLE,list(method) as HTTP_METHOD,list(status) as Status_Code,list(STATUS) as STATUS by user
10| rename user as User
11| `splunk_code_injection_via_custom_dashboard_leading_to_rce_filter`
Data Source
No data sources specified for this detection.
Macros Used
Name | Value |
---|---|
splunkd_ui | index=_internal sourcetype=splunkd_ui_access |
splunk_code_injection_via_custom_dashboard_leading_to_rce_filter | search * |
splunk_code_injection_via_custom_dashboard_leading_to_rce_filter
is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Disabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Creates Risk Event | False |
Implementation
This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.
Known False Positives
Not all exports and downloads are malicious, special attention must be put as well on /en-US/splunkd/__raw/services/pdfgen/render in the context of this search.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message | Risk Score | Impact | Confidence |
---|---|---|---|
Potential exploitation of Code Injection via Dashboard PDF generation. | 25 | 50 | 50 |
References
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | Not Applicable | N/A | N/A | N/A |
Unit | ✅ Passing | Dataset | /opt/splunk/var/log/splunk/splunkd_ui_access.log |
splunkd_ui_access |
Integration | ✅ Passing | Dataset | /opt/splunk/var/log/splunk/splunkd_ui_access.log |
splunkd_ui_access |
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 3