Known false positives: not all exports and downloads are malicious. In the context of this search, requests to /en-us/splunkd/__raw/services/pdfgen/render also deserve special attention, since that endpoint is the PDF renderer itself and is not selected by the search below.

Techniques

Sample rules

Splunk Code Injection via custom dashboard leading to RCE

Description

The following analytic identifies attempts to exploit a vulnerability in Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, where an authenticated user can execute arbitrary code via the dashboard PDF generation component. It inspects Splunk Web access events in the _internal index (via the `splunkd_ui` macro): the original detection description refers to the file=export parameter, while the search as written selects requests to the dashboard (/data/ui/views/) and saved search (/saved/searches/) endpoints, decodes the request path, extracts the object name, buckets the HTTP status, and summarizes the activity per user. This behavior is significant because it can indicate a code injection attack leading to remote code execution (RCE). If confirmed malicious, an attacker could execute arbitrary commands on the search head and potentially compromise the entire Splunk environment.

Detection logic

`splunkd_ui` uri_path=*/data/ui/views/* OR uri_path=*saved/searches/* 
| dedup uri_path 
| eval URL=urldecode(uri_path) ```decode the uri_path field; the published search had urldecode("uri_path"), which decodes the literal string and makes both rex commands miss```
| rex field=URL "\/saved\/searches\/(?<NAME>[^\/]*)" 
| rex field=URL "\/data\/ui\/views\/(?<NAME1>[^\/]*)" 
| eval NAME=NAME."( Saved Search )",NAME1=NAME1."( Dashboard )" 
| eval NAME=coalesce(NAME,NAME1) 
| eval STATUS=case(match(status,"2\d+"),"SUCCESS",match(status,"3\d+"),"REDIRECTION",match(status,"4\d+") OR match(status,"5\d+"),"ERROR") 
| stats list(NAME) as DASHBOARD_TITLE,list(method) as HTTP_METHOD,list(status) as Status_Code,list(STATUS) as STATUS by user 
| rename user as User 
| `splunk_code_injection_via_custom_dashboard_leading_to_rce_filter`
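To make the search's behaviour concrete, here is an added Python re-implementation of the same pipeline (base search, dedup, URL decode, name extraction, status bucketing, per-user stats) run over constructed sample events. This is example code written for this page, not Splunk's or the detection content's own code; the events are made up and carry only the fields the `splunkd_ui` macro would normally extract (user, method, status, uri_path). It also shows why the `urldecode("uri_path")` literal-string form never yields a name, and separately counts hits on the pdfgen/render path named in the false-positive note, which the base search does not select.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample rows (not real Splunk logs), shaped like the fields the
# `splunkd_ui` macro extracts from splunk_web_access. Splunk returns events
# newest-first, so the first row per uri_path is the one `dedup` keeps.
SAMPLE_EVENTS = [
    {"user": "admin", "method": "POST", "status": "201",
     "uri_path": "/en-US/splunkd/__raw/servicesNS/nobody/search/data/ui/views/evil%20dash"},
    {"user": "admin", "method": "GET", "status": "200",   # same uri_path: dropped by dedup
     "uri_path": "/en-US/splunkd/__raw/servicesNS/nobody/search/data/ui/views/evil%20dash"},
    {"user": "bob", "method": "POST", "status": "409",
     "uri_path": "/en-US/splunkd/__raw/servicesNS/bob/search/saved/searches/my%20report"},
    {"user": "alice", "method": "GET", "status": "303",
     "uri_path": "/en-US/splunkd/__raw/servicesNS/alice/search/saved/searches/weekly"},
    {"user": "carol", "method": "GET", "status": "200",   # PDF renderer: not in the base search
     "uri_path": "/en-US/splunkd/__raw/services/pdfgen/render"},
    {"user": "dave", "method": "GET", "status": "200",
     "uri_path": "/en-US/app/search/search"},
]

SAVED_SEARCH_RE = re.compile(r"/saved/searches/([^/]*)")   # rex for NAME
DASHBOARD_RE = re.compile(r"/data/ui/views/([^/]*)")       # rex for NAME1
PDFGEN_RENDER = "/splunkd/__raw/services/pdfgen/render"    # path from the false-positive note


def matches_base_search(uri_path):
    # uri_path=*/data/ui/views/* OR uri_path=*saved/searches/*  (Splunk wildcards are case-insensitive)
    p = uri_path.lower()
    return "/data/ui/views/" in p or "saved/searches/" in p


def status_bucket(status):
    # Mirrors the case()/match() expression; Splunk match() is unanchored, hence re.search.
    if re.search(r"2\d+", status):
        return "SUCCESS"
    if re.search(r"3\d+", status):
        return "REDIRECTION"
    if re.search(r"4\d+", status) or re.search(r"5\d+", status):
        return "ERROR"
    return None


def name_from_url(url):
    # NAME (saved search) wins over NAME1 (dashboard) because of coalesce(NAME, NAME1).
    m = SAVED_SEARCH_RE.search(url)
    if m:
        return m.group(1) + "( Saved Search )"
    m = DASHBOARD_RE.search(url)
    if m:
        return m.group(1) + "( Dashboard )"
    return None


def run_detection(events):
    """Returns {user: {DASHBOARD_TITLE, HTTP_METHOD, Status_Code, STATUS}} like the stats command."""
    seen = set()
    per_user = defaultdict(lambda: {"DASHBOARD_TITLE": [], "HTTP_METHOD": [],
                                    "Status_Code": [], "STATUS": []})
    for ev in events:
        if not matches_base_search(ev["uri_path"]):
            continue
        if ev["uri_path"] in seen:          # dedup uri_path keeps the first event seen
            continue
        seen.add(ev["uri_path"])
        url = unquote(ev["uri_path"])       # urldecode(uri_path): decode the field value
        row = per_user[ev["user"]]
        name = name_from_url(url)
        if name is not None:                # list() skips null values
            row["DASHBOARD_TITLE"].append(name)
        row["HTTP_METHOD"].append(ev["method"])
        row["Status_Code"].append(ev["status"])
        bucket = status_bucket(ev["status"])
        if bucket is not None:
            row["STATUS"].append(bucket)
    return dict(per_user)


def literal_urldecode_bug():
    """What urldecode("uri_path") computes: the literal string, so no rex ever matches."""
    return name_from_url(unquote("uri_path"))


def pdfgen_render_hits(events):
    # The renderer endpoint from the false-positive note; it is outside the base search's filter.
    return [ev for ev in events if PDFGEN_RENDER.lower() in ev["uri_path"].lower()]


if __name__ == "__main__":
    for user, row in run_detection(SAMPLE_EVENTS).items():
        print(user, row)
    print("urldecode(\"uri_path\") name:", literal_urldecode_bug())
    print("pdfgen/render requests:", len(pdfgen_render_hits(SAMPLE_EVENTS)))
```

Two things the worked run makes visible: `dedup uri_path` runs before the split by user, so if two users touch the same object path only the most recent request survives into the stats, and the renderer path is never in the result set, which is why the false-positive note asks for it to be reviewed separately.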