LoFP / t1189

t1189

Title / Tags
If the host is vulnerable and XSS script strings are entered, they will show up in the search. Not all POST requests are malicious, since they also appear when users create and save dashboards; this search may return several results from non-malicious POST requests. Only affects instances with Splunk Web enabled.
Internal vulnerability scanners can cause many false positives. If you see a lot of false positives for this reason, consider adding more filters, such as on "User-Agent" strings and on additional response codes.
It is not possible to discern from the user table whether users with admin rights were created intentionally, accidentally, or as a result of exploitation. Each user with these rights should be investigated and, if legitimate, added to the rule's filter macro. If a user is not believed to be legitimate, further investigation should take place.
JavaScript, CSS and PNG files
Legitimate browser install, update and recovery scripts
Some users and applications may use dynamic DNS to reach domains on the internet. Dynamic DNS by itself is not malicious; however, this activity must be verified.
The error this search detects can be generated by a wide variety of improperly formatted XML views. There will be false positives, since the search cannot extract the malicious payload; the view should be investigated manually.
This hunting search only applies to the affected versions and setup mentioned in the description of the search. It does not extract the payload, so manual investigation is required after executing it. This search will produce false positives.
This is a hunting search and will produce false positives, as it is not possible to view the contents of a request payload. It shows the artifact resulting from a potential exploitation payload (the creation of a user with admin privileges).
This is a hunting search; it will not deobfuscate the base64 payload. It does, however, provide which user added the view artifact and which user opened it. Further investigation based on the information this search presents will be required.
This is a hunting search; it provides information on upload, edit, and delete activity on lookup tables. Manual investigation is necessary after executing the search. This search will produce false positives, as the payload cannot be directly discerned.
This search may produce false positives and does not cover exploitation attempts that use code obfuscation. The focus of the search is suspicious requests against "/en-us/splunkd/__raw/servicesns/*/launcher/datamodel/model", which is the injection point.
This search may produce false positives, as it is difficult to pinpoint all possible XSS injection characters in a single search string. Special attention is required for "en-us/list/entities/x/ui/views", which is the vulnerable injection point.
This search will produce false positives. It is also necessary to look at the uri_query parameter to determine the possible malicious intent of inserting makeresults within the URI string.
This search will produce numerous false positives, as it shows any access to the vulnerable Bootstrap JavaScript files. Accesses to these files occur during normal Splunk usage. To reduce or eliminate false positives, update to a version of Splunk that has addressed the vulnerability.
Unknown Flash download locations
Use of the Monitoring Console where the less-than sign (<) is the first character in the description field.
User searches in the search boxes of the respective website
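Several of the notes above describe artifacts that can be checked directly in web access logs: a POST against the datamodel injection point, XSS indicator characters aimed at the entities/x/ui/views path, makeresults inside the URI query, accesses to the Bootstrap JavaScript files, and the advice to filter internal scanner traffic by User-Agent and response code. The following is an added example, not LoFP's or Splunk's own code, that runs that triage over constructed access-log lines. The combined-log layout, the scanner User-Agent fragment list, the 2xx restriction on the datamodel POST and the small XSS indicator set are all assumptions made for illustration, not Splunk telemetry or rule logic.

```python
"""Tag requests against the Splunk Web injection points named in the notes above.

Added example (not LoFP or Splunk code). Log layout, scanner list, status
tuning and XSS indicator set are assumptions for illustration.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in an assumed combined access-log layout:
# src - user [ts] "METHOD URI PROTO" status bytes "referer" "user-agent"
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Mar/2024:10:01:02 +0000] "POST /en-us/splunkd/__raw/servicesNS/nobody/launcher/datamodel/model HTTP/1.1" 201 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:01:05 +0000] "POST /en-us/splunkd/__raw/servicesNS/nobody/launcher/datamodel/model HTTP/1.1" 201 512 "-" "Nessus SOC Integration"
10.0.0.7 - alice [12/Mar/2024:10:02:00 +0000] "GET /en-US/list/entities/x/ui/views?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - alice [12/Mar/2024:10:02:30 +0000] "GET /en-US/app/search/search?q=%7C%20makeresults%20%7C%20eval%20x%3D1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.8 - bob [12/Mar/2024:10:03:00 +0000] "GET /en-US/static/js/contrib/bootstrap.min.js HTTP/1.1" 200 99000 "-" "Mozilla/5.0"
10.0.0.6 - bob [12/Mar/2024:10:04:00 +0000] "POST /en-us/splunkd/__raw/servicesNS/nobody/launcher/datamodel/model HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Injection points from the notes above, matched case-insensitively because
# the locale prefix and the wildcard path segment vary between requests.
DATAMODEL_MODEL = re.compile(r"/en-us/splunkd/__raw/servicesns/[^/]+/launcher/datamodel/model", re.I)
ENTITIES_VIEWS = re.compile(r"/en-us/list/entities/x/ui/views", re.I)
BOOTSTRAP_JS = re.compile(r"/bootstrap[^/]*\.js$", re.I)
# Deliberately small indicator set; the notes warn it cannot be complete.
XSS_INDICATOR = re.compile(r"""[<>"']|javascript:""", re.I)

# Assumed User-Agent fragments of internal vulnerability scanners to suppress.
SCANNER_UA_FRAGMENTS = ("nessus", "qualys", "nikto", "burpsuite", "owasp zap")


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["uri"])
    rec["path"] = parts.path
    rec["query"] = unquote(parts.query)  # decode once so %3C etc. become visible
    return rec


def classify(rec, include_bootstrap=False):
    """Return the list of hunt tags that apply to one parsed request."""
    tags = []
    # Artifact of the datamodel injection point: a successful POST. Requiring
    # a 2xx status is assumed tuning that drops failed attempts (the notes
    # suggest response-code filters to cut scanner noise).
    if rec["method"] == "POST" and DATAMODEL_MODEL.search(rec["path"]) and 200 <= rec["status"] < 300:
        tags.append("datamodel_post")
    if ENTITIES_VIEWS.search(rec["path"]) and XSS_INDICATOR.search(rec["query"]):
        tags.append("views_xss")
    if "makeresults" in rec["query"].lower():
        tags.append("makeresults_in_uri")
    # Off by default: the notes say these accesses occur during normal usage.
    if include_bootstrap and BOOTSTRAP_JS.search(rec["path"]):
        tags.append("bootstrap_js")
    return tags


def hunt(log_text, scanner_ua_fragments=SCANNER_UA_FRAGMENTS, include_bootstrap=False):
    """Parse every line, drop scanner traffic, and return tagged hits in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ua = rec["ua"].lower()
        if any(frag in ua for frag in scanner_ua_fragments):
            continue  # internal scanner noise, per the filtering advice above
        tags = classify(rec, include_bootstrap)
        if tags:
            hits.append({"src": rec["src"], "user": rec["user"], "uri": rec["uri"],
                         "status": rec["status"], "ua": rec["ua"], "tags": tags})
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(h["src"], h["user"], h["status"], h["tags"], h["uri"])
```

Run as written, the script reports three hits: the successful datamodel POST from the browser, the views request carrying a script tag, and the makeresults query. The Nessus POST is dropped by the User-Agent filter and the 404 POST by the status restriction, which is the kind of tuning the notes recommend. Every hit is still only an artifact, not a decoded payload, so each one needs the manual follow-up the notes call for; the Bootstrap tag stays off by default because the lasting fix for that rule is patching rather than hunting.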