LoFP / This is a hunting search: it will not deobfuscate the Base64 payload, but it will show which user added the view artifact and which users opened it. It will require further investigation based on the information presented by this hunting search.

Techniques

Sample rules

Persistent XSS in RapidDiag through User Interface Views

Description

In Splunk Enterprise 9.0 versions before 9.0.4, a View allows for Cross-Site Scripting through the error message in a Base64-encoded image. The vulnerability affects instances with Splunk Web enabled. It does not affect Splunk Enterprise versions below 9.0. This search provides information on which user may have added a malicious payload and which users were exposed to it.

Detection logic

`audit_searches` path=/opt/splunk/etc/users/*/search/local/data/ui/views/* action=*
| table user action roles info path
| dedup user action
| `persistent_xss_in_rapiddiag_through_user_interface_views_filter`
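The following Python is an added example, not part of this rule or of Splunk's own code. It mirrors the hunting search's logic (path wildcard filter, field selection, dedup on user and action) over a constructed set of audit-style records, and then performs the step the search deliberately leaves to the analyst: pulling the Base64 image data out of a retrieved view XML and checking whether the decoded bytes actually carry an image signature. The field names, the sample events, the view XML and the `hunt_view_activity` / `triage_view_xml` helpers are all assumptions made for illustration; SPL's `*` wildcard is approximated with `fnmatch`.

```python
import base64
import fnmatch
import re

# Constructed sample records shaped like the fields the SPL search tables
# (user, action, roles, info, path). These are NOT real Splunk audit events.
SAMPLE_EVENTS = [
    {"user": "alice", "action": "edit_view", "roles": "power", "info": "granted",
     "path": "/opt/splunk/etc/users/alice/search/local/data/ui/views/dash1.xml"},
    {"user": "alice", "action": "edit_view", "roles": "power", "info": "granted",
     "path": "/opt/splunk/etc/users/alice/search/local/data/ui/views/dash1.xml"},
    {"user": "bob", "action": "view", "roles": "user", "info": "granted",
     "path": "/opt/splunk/etc/users/alice/search/local/data/ui/views/dash1.xml"},
    {"user": "carol", "action": "search", "roles": "user", "info": "granted",
     "path": "/opt/splunk/etc/apps/search/local/savedsearches.conf"},
]

# Same wildcard path the SPL search filters on.
PATH_PATTERN = "/opt/splunk/etc/users/*/search/local/data/ui/views/*"
TABLE_FIELDS = ("user", "action", "roles", "info", "path")


def hunt_view_activity(events, path_pattern=PATH_PATTERN):
    """Reproduce the hunting search: keep events whose path matches the
    user-views wildcard, project the tabled fields, and keep only the first
    event per (user, action) pair, as `dedup user action` does."""
    seen = set()
    rows = []
    for ev in events:
        # fnmatch's '*' also crosses '/', which matches SPL wildcard behaviour.
        if not fnmatch.fnmatchcase(ev.get("path", ""), path_pattern):
            continue
        key = (ev.get("user"), ev.get("action"))
        if key in seen:
            continue
        seen.add(key)
        rows.append({field: ev.get(field) for field in TABLE_FIELDS})
    return rows


# Base64 image data URIs embedded in a view; only the payload group is kept.
DATA_URI_RE = re.compile(r"data:image/[\w.+-]+;base64,([A-Za-z0-9+/=]+)")

# Magic bytes of the image formats a legitimate inline image would start with.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def triage_view_xml(xml_text):
    """Decode every Base64 image data URI in a view file and classify it:
    'image' when the bytes carry a known image signature, 'review' when they
    decode to something else (a candidate for the XSS described above), and
    'undecodable' when the payload is not valid Base64 at all."""
    findings = []
    for match in DATA_URI_RE.finditer(xml_text):
        try:
            blob = base64.b64decode(match.group(1), validate=True)
        except ValueError:
            findings.append({"status": "undecodable", "kind": None, "decoded_len": 0})
            continue
        kind = next((name for magic, name in IMAGE_MAGIC.items()
                     if blob.startswith(magic)), None)
        findings.append({"status": "image" if kind else "review",
                         "kind": kind, "decoded_len": len(blob)})
    return findings


# Constructed view XML: one genuine-looking PNG header and one non-image blob.
PNG_STUB = base64.b64encode(b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR").decode()
TEXT_STUB = base64.b64encode(b"<not an image: needs analyst review>").decode()
SAMPLE_VIEW_XML = f"""<dashboard>
  <row><panel><html>
    <img src="data:image/png;base64,{PNG_STUB}"/>
    <img src="data:image/png;base64,{TEXT_STUB}"/>
  </html></panel></row>
</dashboard>"""


if __name__ == "__main__":
    for row in hunt_view_activity(SAMPLE_EVENTS):
        print(row)
    for finding in triage_view_xml(SAMPLE_VIEW_XML):
        print(finding)
```

Run on the constructed data, the first helper returns two rows (alice's duplicate edit is collapsed and carol's non-view path is dropped), and the second flags the text blob for review while passing the PNG stub; on a real investigation the same triage would be applied to the view file named in the `path` column of the hunting search's output.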