This detection does not require you to ingest any new data. It does require the ability to search the _internal index. The focus of this search is uri_path=/servicesns/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*, which is the injection point.

Techniques

Sample rules

Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature

Description

This hunting search provides information on possible exploitation attempts against the Mobile Alerts feature of the Splunk Secure Gateway app in Splunk versions 9.0, 8.2.x and 8.1.x. An authenticated user can run arbitrary operating system commands remotely by sending specially crafted requests to the mobile alerts feature of the Splunk Secure Gateway app.

Detection logic

`splunkda` uri_path="/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*" sort="notification.created_at:-1"
| table clientip file host method uri_query sort
| `splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature_filter`
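The same detection logic applied offline to constructed splunkd_access-style lines, as an added example that is not part of the original rule. It assumes `splunkda` expands to the _internal splunkd_access sourcetype and that the log lines have the common access-log shape shown; both are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample events in the shape of _internal splunkd_access lines
# (assumed layout: clientip - user [timestamp] "METHOD uri HTTP/x" status ...).
SAMPLE_LINES = [
    '10.0.0.5 - admin [01/Jan/2024:10:00:00.000 +0000] "GET /servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts?sort=notification.created_at:-1 HTTP/1.1" 200 512 - - - 3ms',
    '10.0.0.5 - admin [01/Jan/2024:10:00:01.000 +0000] "GET /servicesns/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts?sort=notification.created_at:-1 HTTP/1.1" 200 512 - - - 3ms',
    '10.0.0.9 - bob [01/Jan/2024:10:00:02.000 +0000] "GET /servicesNS/nobody/search/storage/collections/data/other?sort=x:-1 HTTP/1.1" 200 12 - - - 1ms',
    '10.0.0.7 - alice [01/Jan/2024:10:00:03.000 +0000] "POST /servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts_meta HTTP/1.1" 201 0 - - - 2ms',
]

ACCESS_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# The uri_path prefix from the rule; the trailing * in SPL becomes a prefix match.
MOBILE_ALERTS_PREFIX = "/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts"

def parse_access_line(line):
    """Split one access-log line into the fields the SPL tables (clientip, method, uri_query ...)."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    parts = urlsplit(ev["uri"])
    ev["uri_path"] = parts.path
    ev["uri_query"] = parts.query
    return ev

def matches_detection(ev):
    """Mirror the rule: mobile_alerts* path AND sort=notification.created_at:-1 in the query."""
    # Splunk field matching is case-insensitive, so compare lower-cased paths.
    if not ev["uri_path"].lower().startswith(MOBILE_ALERTS_PREFIX.lower()):
        return False
    sort_values = parse_qs(ev["uri_query"]).get("sort", [])
    return "notification.created_at:-1" in sort_values

def hunt(lines):
    """Return the tabled fields for every event the rule would surface."""
    hits = []
    for line in lines:
        ev = parse_access_line(line)
        if ev and matches_detection(ev):
            hits.append({k: ev[k] for k in ("clientip", "user", "method", "uri_path", "uri_query")})
    return hits
```

The fourth sample line hits the mobile_alerts* path but carries no sort parameter, so it is not surfaced, which matches the rule's behaviour and shows why the filter macro at the end is where site-specific tuning belongs.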