LoFP: This hunting search will produce false positives if ANSI escape characters are included in URLs, either voluntarily or by accident. This search will not detect obfuscated ANSI characters.

Techniques

Sample rules

Splunk Unauthenticated Log Injection Web Service Log

Description

An attacker can use a specially crafted web URL in their browser to cause log file injection, in which the attacker inserts American National Standards Institute (ANSI) escape codes into specific log files; the codes take effect when those files are viewed with a terminal program that supports them. The attack requires a terminal program that translates ANSI escape codes and requires additional user interaction to succeed. The following analytic detects potential log injection attempts against the Splunk server.

Detection logic

`splunkd_webx` uri_path IN ("*\x1B*", "*\u001b*", "*\033*", "*\0x9*", "*\0x8*")
| stats count by uri_path method host status clientip
| `splunk_unauthenticated_log_injection_web_service_log_filter`
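As an added illustration (not the rule's own code or anything from Splunk's content), the following Python mirrors the hunt above over constructed, simplified web-service log lines: it applies the same literal escape-code tokens to uri_path and aggregates by the same fields. It also shows the caveat from the false-positive note, since a decode option percent-decodes the path first and so catches an encoded ESC that the literal match misses; the log layout and field order are assumptions for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Tokens the SPL wildcards look for in uri_path (literal spellings, as on the page),
# plus the raw ESC byte itself. Lower-cased because Splunk matches field values
# case-insensitively.
ANSI_TOKENS = ("\x1b", "\\x1b", "\\u001b", "\\033", "\\0x9", "\\0x8")

# Constructed sample lines (assumed layout): clientip method uri_path status host.
# Line 4 carries ESC as %1B, i.e. the obfuscated form the false-positive note mentions.
SAMPLE_LOG = """\
10.0.0.5 GET /en-US/app/search/ 200 splunk01
10.0.0.7 GET /en-US/\\x1B[31mALERT\\x1B[0m 404 splunk01
10.0.0.7 GET /en-US/\\u001b[2J 404 splunk01
10.0.0.9 GET /en-US/%1B%5B2J 404 splunk01
10.0.0.5 GET /services/server/info 200 splunk01
"""

LOG_RE = re.compile(
    r"^(?P<clientip>\S+) (?P<method>\S+) (?P<uri_path>\S+) (?P<status>\d{3}) (?P<host>\S+)$"
)


def parse(line):
    """Split one constructed log line into the fields the stats clause groups by."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def has_ansi(uri_path, decode=False):
    """Literal token match like the SPL search; decode=True also checks the percent-decoded path."""
    candidates = [uri_path.lower()]
    if decode:
        candidates.append(unquote(uri_path).lower())
    return any(tok in c for tok in ANSI_TOKENS for c in candidates)


def hunt(log_text, decode=False):
    """Equivalent of `| stats count by uri_path method host status clientip` over matching lines."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse(line)
        if ev and has_ansi(ev["uri_path"], decode=decode):
            counts[(ev["uri_path"], ev["method"], ev["host"], ev["status"], ev["clientip"])] += 1
    return counts


if __name__ == "__main__":
    for (uri, meth, host, status, ip), n in sorted(hunt(SAMPLE_LOG, decode=True).items()):
        print(f"{n} {ip} {meth} {uri} {status} {host}")
```

With decode left off, the percent-encoded line is not reported, which is exactly the gap the false-positive note describes.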