Techniques
Sample rules
Splunk Code Injection via custom dashboard leading to RCE
- source: splunk
- techniques:
- T1210
Description
This hunting search surfaces activity related to a vulnerability in Splunk Enterprise versions below 8.2.9, 8.1.12 and 9.0.2, where an authenticated user can execute arbitrary code via the dashboard PDF generation component. It lists, per user, the dashboards and saved searches reached through the data/ui/views and saved/searches endpoints of the web interface, together with the HTTP method and the response status. The PDF export request itself is not part of this search, so to identify the potential targets of exploitation also review events with file=export in the _internal index.
Detection logic
`splunkd_ui` uri_path=*/data/ui/views/* OR uri_path=*saved/searches/*
| dedup uri_path
| eval URL=urldecode(uri_path)
| rex field=URL "\/saved\/searches\/(?<NAME>[^\/]*)"
| rex field=URL "\/data\/ui\/views\/(?<NAME1>[^\/]*)"
| eval NAME=NAME."( Saved Search )",NAME1=NAME1."( Dashboard )"
| eval NAME=coalesce(NAME,NAME1)
| eval STATUS=case(match(status,"^2\d+"),"SUCCESS",match(status,"^3\d+"),"REDIRECTION",match(status,"^4\d+") OR match(status,"^5\d+"),"ERROR")
| stats list(NAME) as DASHBOARD_TITLE,list(method) as HTTP_METHOD,list(status) as Status_Code,list(STATUS) as STATUS by user
| rename user as User
| `splunk_code_injection_via_custom_dashboard_leading_to_rce_filter`
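The same pipeline as an added worked example, re-implemented in Python over constructed splunkd_ui_access-style events so the filter, dedup, URL decoding, name extraction and per-user grouping can be followed step by step. This is not code from the original page or from Splunk's own rule; it assumes the common-log layout shown in the sample, derives uri_path as the request path without its query string and file as the last path segment, and the sample paths and users are made up.

```python
import re
from collections import OrderedDict
from urllib.parse import unquote

# Constructed sample events in the shape of Splunk's splunkd_ui_access log.
# Assumption: "<ip> - <user> [<ts>] \"<method> <uri> HTTP/x\" <status> <bytes>".
# None of this is real traffic; paths and users are invented for the example.
SAMPLE_LOG = """\
10.0.0.5 - admin [20/Oct/2022:12:00:01.000 +0000] "GET /en-US/splunkd/__raw/servicesNS/nobody/search/data/ui/views/ops%20overview?output_mode=json HTTP/1.1" 200 812
10.0.0.5 - admin [20/Oct/2022:12:00:02.000 +0000] "POST /en-US/splunkd/__raw/servicesNS/nobody/search/data/ui/views/ops%20overview HTTP/1.1" 200 91
10.0.0.7 - analyst [20/Oct/2022:12:00:03.000 +0000] "GET /en-US/splunkd/__raw/servicesNS/nobody/search/saved/searches/Errors%20last%20hour HTTP/1.1" 404 51
10.0.0.7 - analyst [20/Oct/2022:12:00:04.000 +0000] "GET /en-US/splunkd/__raw/servicesNS/nobody/search/data/ui/views/ops%20overview/export?output_mode=pdf HTTP/1.1" 302 0
10.0.0.9 - bob [20/Oct/2022:12:00:05.000 +0000] "GET /en-US/app/search/search?q=index%3Dmain HTTP/1.1" 200 2000
"""

LINE_RE = re.compile(
    r'^(?P<clientip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\d+)'
)


def parse_event(line):
    """Extract the fields the SPL relies on: user, method, uri_path, status, file."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["uri_path"] = ev["uri"].split("?", 1)[0]      # assumption: path without the query string
    ev["file"] = ev["uri_path"].rsplit("/", 1)[-1]   # assumption: last path segment
    return ev


def status_class(status):
    """Mirror of the eval STATUS=case(...) clause, anchored to the first digit."""
    if re.match(r"^2\d+", status):
        return "SUCCESS"
    if re.match(r"^3\d+", status):
        return "REDIRECTION"
    if re.match(r"^[45]\d+", status):
        return "ERROR"
    return None


def object_name(url):
    """Mirror of the two rex extractions, the NAME/NAME1 labelling and the coalesce."""
    m = re.search(r"/saved/searches/([^/]*)", url)
    if m:
        return m.group(1) + "( Saved Search )"
    m = re.search(r"/data/ui/views/([^/]*)", url)
    if m:
        return m.group(1) + "( Dashboard )"
    return None


def hunt(log_text):
    """Run the detection logic: filter, dedup uri_path, urldecode, extract, stats by user."""
    seen_paths = set()
    by_user = OrderedDict()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        path = ev["uri_path"]
        # uri_path=*/data/ui/views/* OR uri_path=*saved/searches/*
        if "/data/ui/views/" not in path and "saved/searches/" not in path:
            continue
        if path in seen_paths:          # dedup uri_path: first event per distinct path wins
            continue
        seen_paths.add(path)
        url = unquote(path)             # urldecode(uri_path) on the field, not the literal "uri_path"
        row = by_user.setdefault(ev["user"], {
            "DASHBOARD_TITLE": [], "HTTP_METHOD": [], "Status_Code": [], "STATUS": []})
        row["DASHBOARD_TITLE"].append(object_name(url))
        row["HTTP_METHOD"].append(ev["method"])
        row["Status_Code"].append(ev["status"])
        row["STATUS"].append(status_class(ev["status"]))
    return by_user


def export_requests(log_text):
    """The follow-up the description asks for: events whose file field is 'export'."""
    return [(ev["user"], ev["uri_path"])
            for ev in map(parse_event, log_text.splitlines())
            if ev is not None and ev["file"] == "export"]


if __name__ == "__main__":
    for user, row in hunt(SAMPLE_LOG).items():
        print(user, row)
    print(export_requests(SAMPLE_LOG))
```

Two things the sample makes visible: urldecode must be applied to the field, since a quoted string in eval is a literal and would leave every NAME empty; and because dedup uri_path keeps only the first event per distinct path (the most recent one in Splunk's default ordering), the POST that modified the same dashboard in the sample never appears in HTTP_METHOD. Dedup on uri_path and method instead if edits as well as reads should be visible.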