Splunk Enterprise Windows Deserialization File Partition
- source: splunk
- techniques:
  - T1190
Description
In Splunk Enterprise for Windows versions below 9.0.8 (9.0.x branch) and 9.1.3 (9.1.x branch), Splunk Enterprise does not correctly sanitize path input data, resulting in the unsafe deserialization of untrusted data. The vulnerability affects only Splunk Enterprise for Windows.
Detection logic
`splunk_python` request_path="/en-US/app/search/C:\\Program" *strings*
| rex "request_path=(?<file_path>[^\"]+)"
| rex field=file_path "[^\"]+/(?<file_name>[^\"\'\s/\\\\]+)"
| stats min(_time) as firstTime max(_time) as lastTime values(file_path) as file_path values(file_name) as file_name by index, sourcetype, host
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `splunk_enterprise_windows_deserialization_file_partition_filter`
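The search above is compact but has a few moving parts worth seeing run end to end: the base search keys on the automatically extracted request_path field, the two rex stages recover the full path and a file name from the raw event, and the stats stage rolls everything up per host. The following Python is an added example that re-implements that pipeline over constructed events; it is not part of the Splunk Security Content project and the events are not real python.log output. It assumes that the `splunk_python` macro expands to index=_internal sourcetype=splunk_python, that Splunk's automatic key=value extraction stops request_path at the first space (so a URL carrying "C:\Program Files\..." auto-extracts as exactly "/en-US/app/search/C:\Program", which is why the base search can use an exact match and why the rex is needed to recover the rest), that `security_content_ctime` renders epoch time as %m/%d/%Y %H:%M:%S (shown here in UTC; Splunk uses the search head's zone), and that the trailing filter macro is a host-based exclusion, modelled as the `excluded_hosts` parameter.

```python
import re
from datetime import datetime, timezone
from typing import Dict, Iterable, Optional, Tuple

# Assumed expansion of the `splunk_python` macro (not taken from the page).
MACRO_INDEX = "_internal"
MACRO_SOURCETYPE = "splunk_python"

# Exact-match value of the auto-extracted request_path field. Automatic key=value
# extraction stops at whitespace, so "C:\Program Files\..." auto-extracts as
# "/en-US/app/search/C:\Program" (assumption about the log format).
TARGET_REQUEST_PATH = r"/en-US/app/search/C:\Program"
AUTO_KV_RE = re.compile(r"request_path=(\S+)")

# | rex "request_path=(?<file_path>[^\"]+)"  -> full path, up to the next double quote
FILE_PATH_RE = re.compile(r'request_path=(?P<file_path>[^"]+)')
# | rex field=file_path "[^\"]+/(?<file_name>[^\"\'\s/\\\\]+)"
# SPL turns the "\\\\" in the quoted string into \\ for the regex engine, i.e. a
# literal backslash, so file_name stops at quotes, whitespace, "/" and "\".
FILE_NAME_RE = re.compile(r'[^"]+/(?P<file_name>[^"\'\s/\\]+)')


def in_search_scope(event: dict) -> bool:
    """Base search: macro scope, exact request_path match, and the *strings* term."""
    if event["index"] != MACRO_INDEX or event["sourcetype"] != MACRO_SOURCETYPE:
        return False
    m = AUTO_KV_RE.search(event["_raw"])
    if not m or m.group(1) != TARGET_REQUEST_PATH:
        return False
    # *strings* is a case-insensitive free-text wildcard term over the whole event.
    return "strings" in event["_raw"].lower()


def extract_fields(raw: str) -> Tuple[Optional[str], Optional[str]]:
    """The two rex stages: full file_path from _raw, then file_name from file_path."""
    m = FILE_PATH_RE.search(raw)
    if not m:
        return None, None
    file_path = m.group("file_path")
    n = FILE_NAME_RE.search(file_path)
    return file_path, (n.group("file_name") if n else None)


def run_detection(events: Iterable[dict],
                  excluded_hosts: frozenset = frozenset()) -> Dict[tuple, dict]:
    """stats min/max(_time), values(file_path), values(file_name) by index, sourcetype, host.

    excluded_hosts stands in for the `..._filter` tuning macro (default: filter nothing).
    """
    groups: Dict[tuple, dict] = {}
    for ev in events:
        if not in_search_scope(ev) or ev["host"] in excluded_hosts:
            continue
        file_path, file_name = extract_fields(ev["_raw"])
        key = (ev["index"], ev["sourcetype"], ev["host"])
        g = groups.setdefault(key, {"firstTime": ev["_time"], "lastTime": ev["_time"],
                                    "file_path": set(), "file_name": set()})
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
        if file_path:
            g["file_path"].add(file_path)
        if file_name:
            g["file_name"].add(file_name)
    for g in groups.values():  # values() yields distinct values in lexicographic order
        g["file_path"] = sorted(g["file_path"])
        g["file_name"] = sorted(g["file_name"])
    return groups


def ctime(epoch: int) -> str:
    """`security_content_ctime` equivalent: epoch -> %m/%d/%Y %H:%M:%S (UTC here)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def _ev(t: int, host: str, raw: str, index: str = MACRO_INDEX,
        sourcetype: str = MACRO_SOURCETYPE) -> dict:
    return {"_time": t, "index": index, "sourcetype": sourcetype, "host": host, "_raw": raw}


# Constructed sample events, not real python.log lines.
SAMPLE_EVENTS = [
    # Backslash path: auto-KV stops at "Program"; rex recovers the full path. file_name
    # becomes "C:" because the backslash after "C:" ends the character class.
    _ev(1705910100, "win-sh01",
        r'ERROR __init__:1077 - unhandled exception user="admin" request_path=/en-US/app/search/C:\Program Files\Splunk\etc\apps\search\strings'),
    # Same host, forward slashes after the drive: file_name is the last path segment.
    _ev(1705910160, "win-sh01",
        r'ERROR __init__:1077 - unhandled exception user="admin" request_path=/en-US/app/search/C:\Program Files/Splunk/var/run/strings'),
    # Benign search that merely mentions "strings": request_path differs, dropped.
    _ev(1705910200, "win-sh01",
        r'INFO request user="alice" request_path=/en-US/app/search/search?q=strings'),
    # C:\Program path but no "strings" term anywhere: dropped by the free-text filter.
    _ev(1705910300, "win-sh02",
        r'ERROR __init__:1077 - unhandled exception user="admin" request_path=/en-US/app/search/C:\Program Files\Splunk\bin\splunk.exe'),
    # Wrong sourcetype: outside the macro's scope.
    _ev(1705910400, "win-sh03",
        r'ERROR request_path=/en-US/app/search/C:\Program Files\Splunk\strings', sourcetype="splunkd"),
]

if __name__ == "__main__":
    for (index, sourcetype, host), g in run_detection(SAMPLE_EVENTS).items():
        print(index, sourcetype, host, ctime(g["firstTime"]), ctime(g["lastTime"]),
              g["file_path"], g["file_name"])
```

Two practical points fall out of running this. First, file_name is only meaningful when the injected path uses forward slashes after the drive letter; with an all-backslash path the rex yields "C:", so triage on the file_path values rather than file_name. Second, the *strings* term is a genuine filter, not decoration: a request carrying a C:\Program path without that term is silently excluded, so if you want broader coverage of path-injection attempts against the search app, that term is the first thing to loosen, at the cost of more noise.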