Techniques
Sample rules
Splunk list all nonstandard admin accounts
- source: splunk
- technicques:
- T1189
Description
This search will enumerate all Splunk Accounts with administrative rights on this instance. It deliberately ignores the default admin account since this is assumed to be present. This search may help in a detection the Cross-Site Scripting Attack listed: In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting in an XML View through the ’layoutPanel’ attribute in the ‘module’ tag. The vulnerability affects instances with Splunk Web enabled.
Detection logic
| rest splunk_server=local /services/authentication/users
|search capabilities=admin* OR imported_capabilities=admin* title!=admin
| table title roles capabilities splunk_server
| `splunk_list_all_nonstandard_admin_accounts_filter`