Splunk XSS Privilege Escalation via Custom Urls in Dashboard
- source: splunk
- techniques:
Description
This is a composed hunting search for a privilege escalation path that abuses custom URLs in Splunk dashboards (cross-site scripting in the dashboard view). It looks in the splunkd_ui access logs for POST requests to splunk_internal_metrics/data/ui/views (the search matches the views endpoint under any app context, /*/data/ui/views*), then looks in the audit trail for a user account created on the same host within 10 minutes of such a request. A new account with high privileges appearing shortly after a view POST is the indicator that the payload executed and escalated privileges. Note that the search only pairs the two events: it does not inspect the roles granted to the new account, so the analyst must verify the roles of each newUser returned (for example admin) before treating a match as confirmed.
Detection logic
`splunkd_ui` method=POST /*/data/ui/views* ```POST requests to the dashboard views endpoint, in any app context```
| stats values(method) as method by _time, index, sourcetype, host
| eval event="post_request"
| append [
    | search `audittrail` action="edit_user" operation="create" ```audit events for newly created user accounts```
    | rex field=_raw "object=\"(?<newUser>[^\"]*)\"" ```[^\"]* stops at the closing quote; a greedy .* would run on to the last quote in the event and capture more than the user name```
    | stats count values(operation) as operation values(splunk_server) as splunk_server values(user) as user by _time, index, sourcetype, host, newUser
    | eval event="create_user"]
| sort - _time ```transaction expects events in reverse-chronological order, which append does not preserve```
| transaction host startswith=event="post_request" endswith=event="create_user" maxspan=10m ```pair a view POST with a user creation on the same host within 10 minutes```
| table _time, index, sourcetype, host, method, user, splunk_server, operation, event, newUser, eventcount
| `splunk_xss_privilege_escalation_via_custom_urls_in_dashboard_filter`
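The correlation the search performs, re-implemented in Python over constructed sample events so it can be run offline without a Splunk instance. This is an added example and not part of the original rule or of the Splunk security content; the sample events are constructed, their formats only approximate splunkd_access and audittrail, and the host column stands in for Splunk's index-time host metadata. The transaction command is emulated by pairing each user creation with the most recent views POST on the same host that occurred no more than maxspan (10 minutes) earlier.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events as (host, _raw). The host is Splunk index-time metadata;
# the raw formats approximate splunkd_access and audittrail and are not real output.
SPLUNKD_UI_EVENTS = [
    # sh01: dashboard view POST, followed four minutes later by a user creation (see audit below)
    ("sh01", '10.0.0.5 - admin [06/Mar/2023:10:01:12.345 +0000] '
             '"POST /en-US/splunkd/__raw/servicesNS/nobody/search/data/ui/views HTTP/1.1" 201 812 "-" "Mozilla/5.0" - 14ms'),
    # sh01: GET to the same endpoint, must be ignored (method is not POST)
    ("sh01", '10.0.0.5 - admin [06/Mar/2023:10:01:20.000 +0000] '
             '"GET /en-US/splunkd/__raw/servicesNS/nobody/search/data/ui/views HTTP/1.1" 200 4096 "-" "Mozilla/5.0" - 9ms'),
    # sh02: view POST, but the user creation on sh02 comes 30 minutes later (outside maxspan)
    ("sh02", '10.0.0.9 - bob [06/Mar/2023:09:00:00.000 +0000] '
             '"POST /en-US/splunkd/__raw/servicesNS/nobody/search/data/ui/views HTTP/1.1" 201 812 "-" "curl/8.0" - 11ms'),
    # sh02: POST to an unrelated endpoint, must be ignored
    ("sh02", '10.0.0.9 - bob [06/Mar/2023:09:25:00.000 +0000] '
             '"POST /en-US/splunkd/__raw/services/search/jobs HTTP/1.1" 201 100 "-" "curl/8.0" - 20ms'),
]
AUDIT_EVENTS = [
    ("sh01", 'Audit:[timestamp=03-06-2023 10:05:30.123, user=admin, action=edit_user, info=granted, '
             'operation=create, object="svc_backup"][n/a]'),
    ("sh02", 'Audit:[timestamp=03-06-2023 09:30:00.000, user=bob, action=edit_user, info=granted, '
             'operation=create, object="helpdesk2"][n/a]'),
    # sh01: an edit of an existing user, not a create, must be ignored
    ("sh01", 'Audit:[timestamp=03-06-2023 10:06:00.000, user=admin, action=edit_user, info=granted, '
             'operation=edit, object="svc_backup"][n/a]'),
]

# Equivalent of: `splunkd_ui` method=POST /*/data/ui/views*
POST_VIEWS_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "POST (?P<uri>\S*/data/ui/views\S*) ')
# Equivalent of: `audittrail` action="edit_user" operation="create" | rex "object=\"(?<newUser>[^\"]*)\""
CREATE_USER_RE = re.compile(
    r'timestamp=(?P<ts>\d{2}-\d{2}-\d{4} [\d:.]+), user=(?P<user>[^,]+), action=edit_user, '
    r'info=\w+, operation=create, object="(?P<newUser>[^"]*)"')


def find_post_requests(events):
    """Rows tagged event=post_request: one per POST to the dashboard views endpoint."""
    rows = []
    for host, raw in events:
        m = POST_VIEWS_RE.search(raw)
        if m:
            rows.append({"_time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S.%f %z"),
                         "host": host, "method": "POST", "uri": m["uri"], "event": "post_request"})
    return rows


def find_user_creations(events):
    """Rows tagged event=create_user, with the new account name taken from object="..."."""
    rows = []
    for host, raw in events:
        m = CREATE_USER_RE.search(raw)
        if m:
            # audittrail timestamps carry no zone here; assumed UTC for the constructed sample
            ts = datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f").replace(tzinfo=timezone.utc)
            rows.append({"_time": ts, "host": host, "user": m["user"], "newUser": m["newUser"],
                         "operation": "create", "event": "create_user"})
    return rows


def correlate(posts, creates, maxspan=timedelta(minutes=10)):
    """Emulate transaction host startswith=event="post_request" endswith=event="create_user" maxspan=10m:
    each user creation is paired with the most recent views POST on the same host that happened
    no more than maxspan earlier. Returns one row per suspicious pairing."""
    hits = []
    for c in sorted(creates, key=lambda r: r["_time"]):
        candidates = [p for p in posts
                      if p["host"] == c["host"] and timedelta(0) <= c["_time"] - p["_time"] <= maxspan]
        if candidates:
            p = max(candidates, key=lambda r: r["_time"])
            hits.append({"_time": p["_time"], "host": c["host"], "method": p["method"], "uri": p["uri"],
                         "user": c["user"], "newUser": c["newUser"], "operation": c["operation"],
                         "span": c["_time"] - p["_time"], "eventcount": 2})
    return hits


def run_hunt():
    """Run the whole hunt over the constructed sample events."""
    return correlate(find_post_requests(SPLUNKD_UI_EVENTS), find_user_creations(AUDIT_EVENTS))


if __name__ == "__main__":
    for h in run_hunt():
        print(f'{h["_time"].isoformat()} host={h["host"]} {h["user"]} POSTed {h["uri"]} then created '
              f'user {h["newUser"]} {h["span"]} later; verify the roles assigned to {h["newUser"]}')
```

Only the sh01 pair is reported: the sh02 creation is 30 minutes after its view POST and falls outside maxspan, the GET and the search/jobs POST never become post_request rows, and the later operation=edit audit event is not a creation. As with the SPL, the output says nothing about the roles of svc_backup; that check is left to the analyst.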