The command runshellscript can be used for benign purposes. An analyst will have to review the searches and determine maliciousness, especially by looking at the targeted script.

Techniques

Sample rules

Splunk Absolute Path Traversal Using runshellscript

Description

In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can exploit an absolute path traversal to execute arbitrary code that is located on a separate disk.

Detection logic

`splunk_python` *runshellscript*  
| eval log_split=split(_raw, "runshellscript: ") 
| eval array_raw = mvindex(log_split,1) 
| eval data_cleaned=replace(replace(replace(array_raw,"\[",""),"\]",""),"'","") 
| eval array_indices=split(data_cleaned,",") 
| eval runshellscript_args_count=mvcount(array_indices) 
| where runshellscript_args_count = 10 
| eval interpreter=mvindex(array_indices,0) 
| eval targetScript=mvindex(array_indices,1) 
| search targetScript!="*C:*" 
| stats count min(_time) as firstTime max(_time) as lastTime by splunk_server interpreter targetScript 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `splunk_absolute_path_traversal_using_runshellscript_filter`
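As an added example (not code from the rule's author or from the Splunk security content project), the Python below reproduces the eval chain above offline so the parsing can be checked before the search is deployed: it splits on "runshellscript: ", strips the brackets and quotes, requires exactly ten comma-separated arguments, takes the interpreter and target script from positions 0 and 1, and keeps only scripts whose path does not contain a "C:" drive, counting results by interpreter and script as the stats line does. The log lines are constructed to have the shape the search expects and are not real Splunk python.log output; the drive check is case-insensitive, matching how the search command compares a wildcard value.

```python
"""Offline reproduction of the runshellscript parsing used by the SPL above."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample lines shaped like what the search expects from the
# splunk_python source. They are NOT real Splunk python.log output.
SAMPLE_LOGS: List[str] = [
    # benign: target script lives on the C: drive, 10 arguments
    "2023-08-15 10:00:00,000 INFO runshellscript: ['/opt/splunk/bin/python3', "
    "'C:\\Program Files\\Splunk\\etc\\apps\\search\\bin\\cleanup.py', '0', 'index=main', "
    "'index=main error', 'Daily cleanup', 'saved', 'http://splunk.example/results', '', "
    "'/tmp/results.csv.gz']",
    # suspicious: absolute path on a separate disk, 10 arguments
    "2023-08-15 10:05:00,000 INFO runshellscript: ['/opt/splunk/bin/python3', "
    "'D:\\share\\payload.py', '0', 'index=main', 'index=main error', 'Daily cleanup', "
    "'saved', 'http://splunk.example/results', '', '/tmp/results.csv.gz']",
    # wrong argument count: the rule drops it (where runshellscript_args_count = 10)
    "2023-08-15 10:06:00,000 INFO runshellscript: ['/opt/splunk/bin/python3', "
    "'D:\\share\\payload.py', '0', 'index=main']",
    # unrelated line: no 'runshellscript: ' marker at all
    "2023-08-15 10:07:00,000 INFO some other message",
]

EXPECTED_ARG_COUNT = 10  # mirrors: | where runshellscript_args_count = 10


@dataclass(frozen=True)
class RunShellScriptEvent:
    interpreter: str
    target_script: str
    args: Tuple[str, ...]


def parse_runshellscript(line: str) -> Optional[RunShellScriptEvent]:
    """Mirror the eval chain: split on 'runshellscript: ', strip [ ] and quotes,
    split on commas and keep only ten-element argument lists."""
    log_split = line.split("runshellscript: ")
    if len(log_split) < 2:
        return None  # mvindex(log_split, 1) would be null in SPL
    array_raw = log_split[1]
    data_cleaned = array_raw.replace("[", "").replace("]", "").replace("'", "")
    array_indices = [a.strip() for a in data_cleaned.split(",")]
    if len(array_indices) != EXPECTED_ARG_COUNT:
        return None
    return RunShellScriptEvent(
        interpreter=array_indices[0],
        target_script=array_indices[1],
        args=tuple(array_indices),
    )


def is_off_system_drive(target_script: str) -> bool:
    """Intent of `search targetScript!="*C:*"`: keep scripts whose path does not
    reference the C: drive. Case-insensitive, as the search command is."""
    return "c:" not in target_script.lower()


def detect(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Equivalent of `stats count by interpreter targetScript` over the kept events."""
    counts: Counter = Counter()
    for line in lines:
        event = parse_runshellscript(line)
        if event is None or not is_off_system_drive(event.target_script):
            continue
        counts[(event.interpreter, event.target_script)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (interp, script), n in detect(SAMPLE_LOGS).items():
        print(f"{n}x  {interp}  ->  {script}")
```

Two caveats carry over from the SPL: splitting on commas means any argument that itself contains a comma (a search string or saved-search name, for instance) changes the element count and the event is silently dropped, and an empty argument still counts as one element because the quotes are removed before the split, which is why the constructed lines keep the empty `''` field.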