| ID | Technique | Tactic |
|---|---|---|
| T1567 | Exfiltration Over Web Service | Exfiltration |
Detection: Splunk Data exfiltration from Analytics Workspace using sid query
Description
The following analytic identifies attempts to exfiltrate data by executing a prepositioned malicious search ID in Splunk's Analytic Workspace. It leverages the audit_searches data source to detect suspicious mstats commands indicative of injection attempts. This activity is significant as it may indicate a phishing-based attack where an attacker compels a victim to initiate a malicious request, potentially leading to unauthorized data access. If confirmed malicious, this could result in significant data exfiltration, compromising sensitive information and impacting the organization's security posture.
Search
1`audit_searches` info=granted search NOT ("audit_searches") search NOT ("security_content_summariesonly") AND ((search="*mstats*[*]*" AND provenance="N/A") OR (search="*mstats*\\\"*[*]*\\\"*"))
2| eval warning=if(match(search,"\\\\\""), "POTENTIAL INJECTION STAGING", "POTENTIAL INJECTION EXECUTION")
3| table search, user, warning, timestamp
4| `splunk_data_exfiltration_from_analytics_workspace_using_sid_query_filter`
Data Source
| Name | Platform | Sourcetype | Source | Supported App |
|---|---|---|---|---|
| Splunk |  Splunk |
'splunkd_ui_access' |
'splunkd_ui_access.log' |
N/A |
Macros Used
| Name | Value |
|---|---|
| audit_searches | index=_audit sourcetype=audittrail action=search |
| splunk_data_exfiltration_from_analytics_workspace_using_sid_query_filter | search * |
splunk_data_exfiltration_from_analytics_workspace_using_sid_query_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
KillChainPhase.ACTIONS_ON_OBJECTIVES
NistCategory.DE_AE
Cis18Value.CIS_10
APT28
Magic Hound
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | False |
This configuration file applies to all detections of type hunting.
Implementation
The vulnerability affects only instances with Splunk Web Enabled. After running this search, please run "Splunk Command and Scripting Interpreter Risky SPL MLTK" to gain more insight into potentially risky commands which could lead to data exfiltration.
Known False Positives
This search may produce false positives. This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. Special attention must be paid to "/en-US/app/search/analytics_workspace?sid=[sid]" which is where the malicious code will be inserted to trigger attack at victim.
Associated Analytic Story
Risk Based Analytics (RBA)
| Risk Message | Risk Score | Impact | Confidence |
|---|---|---|---|
| Potential data exfiltration attack using SID query by $user$ | 25 | 50 | 50 |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | audittrail |
audittrail |
| Integration | ✅ Passing | Dataset | audittrail |
audittrail |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 2