LoFP / Not all exports and downloads are malicious; special attention must also be paid to /en-us/splunkd/__raw/services/pdfgen/render in the context of this search, since that endpoint is not matched by the uri_path filters below.

Techniques

Sample rules

Splunk Code Injection via custom dashboard leading to RCE

Description

This hunting search surfaces activity related to a vulnerability in Splunk Enterprise versions below 8.2.9, 8.1.12 and 9.0.2, where an authenticated user can execute arbitrary code through the dashboard PDF generation component. Review events with file=export in the _internal index to identify the dashboards and saved searches that may have been targeted.

Detection logic

`splunkd_ui` uri_path=*/data/ui/views/* OR uri_path=*saved/searches/* 
| dedup uri_path 
| eval URL=urldecode(uri_path)
| rex field=URL "\/saved\/searches\/(?<NAME>[^\/]*)" 
| rex field=URL "\/data\/ui\/views\/(?<NAME1>[^\/]*)" 
| eval NAME=NAME."( Saved Search )",NAME1=NAME1."( Dashboard )" 
| eval NAME=coalesce(NAME,NAME1) 
| eval STATUS=case(match(status,"^2\d+$"),"SUCCESS",match(status,"^3\d+$"),"REDIRECTION",match(status,"^4\d+$") OR match(status,"^5\d+$"),"ERROR") 
| stats list(NAME) as DASHBOARD_TITLE,list(method) as HTTP_METHOD,list(status) as Status_Code,list(STATUS) as STATUS by user 
| rename user as User 
| `splunk_code_injection_via_custom_dashboard_leading_to_rce_filter`
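The same hunt logic, re-implemented in Python over a handful of constructed splunkd_ui_access-style events so it can be tried offline. This is an added example, not part of the LoFP page or of Splunk's own rule: the log line layout, the field extraction regex and the sample users and dashboard names are all assumptions made for the example. It mirrors the scope filter on uri_path, the URL decode, the two rex extractions with their "( Saved Search )"/"( Dashboard )" labels, the status classification and the per-user stats, and it also returns the paths that fall outside the search so the pdfgen/render gap noted at the top of the page is visible.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample events in the shape of splunkd_ui_access.log (the source the
# `splunkd_ui` macro reads from the _internal index). Made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - admin [04/Nov/2022:10:15:32.123 +0000] "POST /en-US/splunkd/__raw/servicesNS/nobody/search/data/ui/views/pdf%20test HTTP/1.1" 201 812 - - - 14ms
10.0.0.5 - admin [04/Nov/2022:10:15:40.001 +0000] "GET /en-US/splunkd/__raw/services/pdfgen/render?input-dashboard=pdf%20test&namespace=search HTTP/1.1" 200 4521 - - - 9ms
10.0.0.7 - analyst [04/Nov/2022:10:16:02.555 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/Errors%20Last%2024h HTTP/1.1" 200 2201 - - - 6ms
10.0.0.7 - analyst [04/Nov/2022:10:16:03.100 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/Errors%20Last%2024h HTTP/1.1" 200 2201 - - - 5ms
10.0.0.9 - guest [04/Nov/2022:10:16:30.010 +0000] "GET /en-US/splunkd/__raw/servicesNS/nobody/search/data/ui/views/missing HTTP/1.1" 404 120 - - - 3ms
10.0.0.9 - guest [04/Nov/2022:10:16:45.010 +0000] "GET /en-US/splunkd/__raw/services/server/info HTTP/1.1" 200 900 - - - 2ms
"""

# Assumed field extraction: clientip, user, timestamp, request line, status.
# In Splunk the sourcetype's own extractions provide user, method, uri_path and status.
LINE_RE = re.compile(
    r'^(?P<clientip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# The two rex extractions from the search, applied to the decoded URL
SAVED_RE = re.compile(r"/saved/searches/(?P<NAME>[^/]*)")
VIEW_RE = re.compile(r"/data/ui/views/(?P<NAME1>[^/]*)")


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["uri_path"] = ev.pop("uri").split("?", 1)[0]  # uri_path carries no query string
    return ev


def in_scope(uri_path):
    # uri_path=*/data/ui/views/* OR uri_path=*saved/searches/* (search terms match case-insensitively)
    p = uri_path.lower()
    return "/data/ui/views/" in p or "saved/searches/" in p


def object_name(uri_path):
    # eval URL=urldecode(uri_path), then the rex extractions and coalesce(NAME, NAME1)
    url = unquote(uri_path)
    m = SAVED_RE.search(url)
    if m:
        return m.group("NAME") + "( Saved Search )"
    m = VIEW_RE.search(url)
    if m:
        return m.group("NAME1") + "( Dashboard )"
    return None


def status_class(status):
    # 2xx -> SUCCESS, 3xx -> REDIRECTION, 4xx/5xx -> ERROR, decided on the leading digit
    if status.startswith("2"):
        return "SUCCESS"
    if status.startswith("3"):
        return "REDIRECTION"
    if status[0] in "45":
        return "ERROR"
    return None


def run_hunt(log_text):
    """Return ({User: {DASHBOARD_TITLE, HTTP_METHOD, Status_Code, STATUS}}, [paths outside the search])."""
    seen = set()
    by_user = defaultdict(lambda: defaultdict(list))
    skipped = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if not in_scope(ev["uri_path"]):
            skipped.append(ev["uri_path"])
            continue
        # dedup per (user, uri_path) instead of the search's plain `dedup uri_path`,
        # so one user's request cannot hide another user's request to the same object
        key = (ev["user"], ev["uri_path"])
        if key in seen:
            continue
        seen.add(key)
        row = by_user[ev["user"]]
        row["DASHBOARD_TITLE"].append(object_name(ev["uri_path"]))
        row["HTTP_METHOD"].append(ev["method"])
        row["Status_Code"].append(ev["status"])
        row["STATUS"].append(status_class(ev["status"]))
    return {u: dict(r) for u, r in by_user.items()}, skipped


if __name__ == "__main__":
    rows, skipped = run_hunt(SAMPLE_LOG)
    for user, row in rows.items():
        print(user, row)
    print("not matched by this search:", skipped)
```

On the sample data the admin POST to the "pdf test" dashboard and the guest 404 on a missing dashboard both surface, the analyst's repeated saved-search fetch collapses to one row, and the admin's call to /services/pdfgen/render is reported only in the skipped list because the search's uri_path filters never match it; that is exactly the endpoint the false-positive note at the top of the page asks you to review separately.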