LoFP / This is a hunting search and will produce false positives, as it is not possible to view the contents of a request payload. It shows the artifact resulting from a potential exploitation payload (the creation of a user with admin privileges).

Techniques

Sample rules

Splunk XSS in Highlighted JSON Events

Description

This detection provides information about possible exploitation of affected versions of Splunk Enterprise (versions prior to 9.1.2). The ability to view JSON logs in the web GUI may be abused by crafting a specific request, causing JavaScript in script tags to execute in the browser of the user who views the event. This vulnerability can be used to run JavaScript that calls the Splunk REST API at the permission level of the logged-in user. If that user is an admin, it can be used to create an admin user, giving an attacker broad access to the Splunk environment.

Detection logic

`splunkd_ui` "/en-US/splunkd/__raw/servicesNS/nobody/search/authentication/users" status=201 
| stats count min(_time) as firstTime max(_time) as lastTime by clientip, uri_path, method 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `splunk_xss_in_highlighted_json_events_filter`
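The search above, run outside Splunk over a handful of constructed splunkd_ui access-log lines, as an added example (not code from the original page or from Splunk). The log layout, the client IPs and the timestamps are assumptions made for the example; the logic mirrors the SPL: keep only requests to the users endpoint that returned 201, then aggregate count, firstTime and lastTime by clientip, uri_path and method. The `splunkd_ui` macro and the trailing filter macro are not reproduced.

```python
import re
from collections import defaultdict
from datetime import datetime

# Endpoint from the detection's SPL: a 201 on this path means a user object
# was created through the REST API proxied by the Splunk web UI.
USER_CREATE_PATH = "/en-US/splunkd/__raw/servicesNS/nobody/search/authentication/users"

# Constructed sample lines in the general shape of splunkd_ui_access.log entries.
# The exact layout of the real log is an assumption for this example; only the
# fields the detection uses (clientip, timestamp, method, uri_path, status) matter.
SAMPLE_LOG = """\
10.1.2.3 - admin [18/Jan/2024:10:00:01.000 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 5120 "-" "Mozilla/5.0" - 4ms
10.1.2.3 - admin [18/Jan/2024:10:00:09.000 +0000] "POST /en-US/splunkd/__raw/servicesNS/nobody/search/authentication/users HTTP/1.1" 201 812 "-" "Mozilla/5.0" - 31ms
10.1.2.3 - admin [18/Jan/2024:10:00:10.000 +0000] "GET /en-US/splunkd/__raw/servicesNS/nobody/search/authentication/users HTTP/1.1" 200 9100 "-" "Mozilla/5.0" - 8ms
10.1.2.3 - admin [18/Jan/2024:10:00:40.000 +0000] "POST /en-US/splunkd/__raw/servicesNS/nobody/search/authentication/users HTTP/1.1" 201 815 "-" "Mozilla/5.0" - 29ms
10.9.9.9 - admin [18/Jan/2024:11:30:00.000 +0000] "POST /en-US/splunkd/__raw/servicesNS/nobody/search/authentication/users HTTP/1.1" 409 210 "-" "Mozilla/5.0" - 12ms
"""

# Extracts the fields the SPL relies on from one access-log line.
LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri_path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the detection-relevant fields of one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Timestamp format assumed for the constructed sample: dd/Mon/yyyy:HH:MM:SS.fff +zzzz
    rec["_time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S.%f %z")
    return rec


def hunt_user_creation(log_text):
    """Equivalent of: <users endpoint> status=201
    | stats count min(_time) as firstTime max(_time) as lastTime by clientip, uri_path, method"""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Only a 201 on the users endpoint is the artifact the hunt looks for;
        # GET 200 listings and a 409 (request rejected) are not user creations.
        if USER_CREATE_PATH not in rec["uri_path"] or rec["status"] != 201:
            continue
        groups[(rec["clientip"], rec["uri_path"], rec["method"])].append(rec["_time"])

    results = []
    for (clientip, uri_path, method), times in sorted(groups.items()):
        results.append({
            "clientip": clientip,
            "uri_path": uri_path,
            "method": method,
            "count": len(times),
            "firstTime": min(times).isoformat(),
            "lastTime": max(times).isoformat(),
        })
    return results


if __name__ == "__main__":
    for row in hunt_user_creation(SAMPLE_LOG):
        print(row)
```

On the sample input the only row is the two successful POSTs from 10.1.2.3. Nothing in that row says whether the creations came from an admin clicking through Settings or from injected JavaScript running in that admin's browser, which is exactly why the page labels this a hunting search: the analyst still has to correlate the hits with who was logged in, what they were viewing at the time, and whether the new users were expected.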