Detection: Splunk Stored XSS conf-web Settings on Premises

Date: 2024-07-01 ID: ed1209ef-228d-4dab-9856-be9369925a5c Author: Rod Soto, Chase Franklin Type: Hunting Product: Splunk Enterprise Security

Description

This hunting detection provides information on exploitation of stored XSS against /configs/conf-web/settings by an admin level user.

Search

1`splunk_python` *script* *eval* 
2| stats min(_time) as firstTime max(_time) as lastTime by index, sourcetype, host 
3| `security_content_ctime(firstTime)` 
4| `security_content_ctime(lastTime)` 
5| `splunk_stored_xss_conf_web_settings_on_premises_filter`

spl

Data Source

Name	Platform	Sourcetype	Source	Supported App
Splunk	Splunk	`'splunkd_ui_access'`	`'splunkd_ui_access.log'`	N/A

Macros Used

Name	Value
security_content_ctime	`convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)`
splunk_stored_xss_conf_web_settings_on_premises_filter	`search *`

splunk_stored_xss_conf_web_settings_on_premises_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1189	Drive-by Compromise	Initial Access

KillChainPhase.DELIVERY

NistCategory.DE_AE

Cis18Value.CIS_10

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Enabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Risk Based Alerting	False

This configuration file applies to all detections of type hunting.

Implementation

Requires access to internal indexes.

Known False Positives

This is a hunting search and will produce false positives, operator must identify XSS elemetns in the splunk_python log related to the vulnerable endpoint.

Associated Analytic Story

Splunk Vulnerabilities

Risk Based Analytics (RBA)

Risk Message	Risk Score	Impact	Confidence
Possible XSS attack against $host$	20	20	100

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

References

https://advisory.splunk.com/advisories/SVD-2024-0717

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`/opt/splunk/var/log/splunk/python.log`	`splunk_python`
Integration	✅ Passing	Dataset	`/opt/splunk/var/log/splunk/python.log`	`splunk_python`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1