Techniques
Sample rules
Splunk Unauthenticated Log Injection Web Service Log
- source: splunk
- techniques:
- T1190
Description
An attacker can use a specially crafted web URL in their browser to cause log file injection, in which the attacker inserts American National Standards Institute (ANSI) escape codes into specific files; the codes take effect only when those files are viewed in a terminal program that supports them. The attack requires a terminal program that supports the translation of ANSI escape codes and requires additional user interaction to successfully execute. The following analytic detects potential log injection attempts into the Splunk server.
Detection logic
`splunkd_webx` uri_path IN ("*\x1B*", "*\u001b*", "*\033*", "*\0x9*", "*\0x8*")
| stats count by uri_path method host status clientip
| `splunk_unauthenticated_log_injection_web_service_log_filter`
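The following is an added example, not part of the rule or of Splunk's own code: it replays the search above offline over constructed web-access log lines, applying the same marker list to `uri_path` and then grouping counts the way the `stats` command does. It assumes a combined-log-style line format, a fixed `host` value, and that the query string is split off before matching (so a marker that appears only in the query string is not flagged, which mirrors the rule's focus on `uri_path`).

```python
import re
from collections import Counter

# Constructed sample lines in the combined-log style of Splunk's web service
# access log; made-up traffic, not captured data. The last line is included
# deliberately: its escape marker sits only in the query string.
SAMPLE_LOG = r"""
10.0.0.5 - admin [01/Jan/2024:10:00:00 +0000] "GET /en-US/app/search HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /en-US/\x1B[31mALERT\x1B[0m HTTP/1.1" 404 120
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /en-US/\x1B[31mALERT\x1B[0m HTTP/1.1" 404 120
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /en-US/\u001b[2Jcleared HTTP/1.1" 404 120
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /en-US/\x1B[31mALERT\x1B[0m HTTP/1.1" 404 120
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /en-US/account/login?next=\033[1m HTTP/1.1" 200 900
"""

HOST = "splunk-sh-01"  # assumed value of Splunk's `host` field

# The same literal markers the rule's IN(...) list looks for.
ESCAPE_MARKERS = (r"\x1B", r"\u001b", r"\033", r"\0x9", r"\0x8")

LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields the rule groups by, or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["uri_path"] = ev.pop("uri").split("?", 1)[0]  # drop uri_query, keep uri_path
    ev["host"] = HOST
    return ev

def has_escape_marker(uri_path):
    """Mirror of the rule's wildcard test; case-insensitive like Splunk term matching."""
    lowered = uri_path.lower()
    return any(marker.lower() in lowered for marker in ESCAPE_MARKERS)

def detect(log_text):
    """Emulate `| stats count by uri_path method host status clientip`."""
    counts = Counter()
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        if ev and has_escape_marker(ev["uri_path"]):
            counts[(ev["uri_path"], ev["method"], ev["host"], ev["status"], ev["clientip"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in detect(SAMPLE_LOG).items():
        print(n, *key)
```

Running it flags four requests grouped into three rows; the login request whose marker is only in the query string is not reported, which is the blind spot to keep in mind when tuning the filter macro.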