Splunk Absolute Path Traversal Using runshellscript
- source: splunk
- techniques:
  - T1083
Description
In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can exploit an absolute path traversal to execute arbitrary code that is located on a separate disk.
Detection logic
`splunk_python` *runshellscript*
| eval log_split=split(_raw, "runshellscript: ")
| eval array_raw = mvindex(log_split,1)
| eval data_cleaned=replace(replace(replace(array_raw,"\[",""),"\]",""),"'","")
| eval array_indices=split(data_cleaned,",")
| eval runshellscript_args_count=mvcount(array_indices)
| where runshellscript_args_count = 10
| eval interpreter=mvindex(array_indices,0)
| eval targetScript=mvindex(array_indices,1)
| search NOT targetScript="*C:*"
| stats count min(_time) as firstTime max(_time) as lastTime by splunk_server interpreter targetScript
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `splunk_absolute_path_traversal_using_runshellscript_filter`
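As an added illustration (not part of the rule and not Splunk's own code), the same parsing, filtering and aggregation as the SPL above, applied in Python to constructed python.log events so the two filters (exactly 10 arguments, target script not under C:) can be checked offline; the field names, the sample paths and the argument layout are assumptions.

```python
def make_event(server, ts, interpreter, script, extra_args=8):
    """Constructed python.log event (not real Splunk output) carrying the runshellscript argument list."""
    args = [interpreter, script] + [f"arg{i}" for i in range(extra_args)]
    listing = "[" + ", ".join(f"'{a}'" for a in args) + "]"
    return {"splunk_server": server, "_time": ts, "_raw": f"INFO runshellscript: {listing}"}

def parse_args(raw):
    """Mirror of the SPL eval chain: split on 'runshellscript: ', strip [ ] and quotes, split on commas."""
    pieces = raw.split("runshellscript: ", 1)
    if len(pieces) < 2:  # event does not carry a runshellscript argument list
        return None
    cleaned = pieces[1].replace("[", "").replace("]", "").replace("'", "")
    # SPL's split() keeps the space after each comma; trimming only makes values easier to compare
    return [a.strip() for a in cleaned.split(",")]

def matches_rule(raw):
    """Both filters: exactly 10 arguments, and a target script path without 'C:' (NOT targetScript="*C:*")."""
    args = parse_args(raw)
    if args is None or len(args) != 10:
        return None
    interpreter, target_script = args[0], args[1]
    if "C:" in target_script:
        return None
    return interpreter, target_script

def detect(events):
    """Equivalent of the stats clause: count/firstTime/lastTime by splunk_server, interpreter, targetScript."""
    stats = {}
    for ev in events:
        hit = matches_rule(ev["_raw"])
        if hit is None:
            continue
        key = (ev["splunk_server"],) + hit
        row = stats.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return stats

PY = r"C:\Program Files\Splunk\bin\python3.exe"  # assumed interpreter path
SAMPLE_EVENTS = [  # constructed sample data, not real log lines
    make_event("sh1", 1693560000, PY, r"C:\Program Files\Splunk\bin\scripts\alert.bat"),  # under C: -> excluded
    make_event("sh1", 1693560060, PY, r"D:\staging\script.bat"),  # separate disk -> flagged
    make_event("sh1", 1693560120, PY, r"D:\staging\script.bat"),  # same script again -> count 2
    make_event("sh1", 1693560180, PY, r"D:\staging\other.bat", extra_args=7),  # 9 args -> fails the count gate
]

if __name__ == "__main__":
    for key, row in detect(SAMPLE_EVENTS).items():
        print(key, row)
```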