LoFP / This is a hunting search; it provides information on upload, edit, and delete activity on lookup tables. Manual investigation is necessary after executing the search. This search will produce false positives because the uploaded payload cannot be directly discerned.

Techniques

Sample rules

Splunk unnecessary file extensions allowed by lookup table uploads

Description

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table upload feature lets a user upload lookup tables with unnecessary filename extensions. Lookup table file extensions may now only be one of .csv, .csv.gz, .kmz, .kml, .mmdb, or .mmdb.gz. This search focuses on user upload activity to help hunt for malicious file uploads.

Detection logic

`splunkda` method IN ("POST", "DELETE") uri_path=/servicesNS/*/ui/views/* 
| eval activity = case( method=="POST" AND like( uri_path , "%/acl" ) , "Permissions Update", method=="POST" AND NOT like( uri_path , "%/acl" ) , "Edited" , method=="DELETE" , "Deleted" ) 
| rex field=uri_path "(?<user_and_app>.*?)\/ui\/views/(?<dashboard_encoded>.*)" 
| eval dashboard = urldecode( dashboard_encoded ) 
| table _time, uri_path, user, dashboard, activity 
| `splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads_filter`
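The same triage logic the search above performs, as an added example that is not part of the rule or of LoFP: it classifies POST/DELETE activity with the rule's case() conditions, extracts and URL-decodes the trailing name with the rule's path pattern, and additionally flags names whose extension is outside the allowed list from the description. The log lines are constructed for the example, and the three-field "user method uri_path" layout is an assumption, not the real splunkd_access format.

```python
import re
from urllib.parse import unquote

# Allowed lookup file extensions per the description (Splunk 8.1.13 / 8.2.10 / 9.0.4 and later).
ALLOWED_EXTENSIONS = (".csv", ".csv.gz", ".kmz", ".kml", ".mmdb", ".mmdb.gz")

# Same capture groups as the rule's rex: <user_and_app>/ui/views/<encoded name>
URI_RE = re.compile(r"(?P<user_and_app>.*?)/ui/views/(?P<dashboard_encoded>.*)")

# Constructed sample events (not real log data); assumed layout: user method uri_path
SAMPLE_LOG = """\
admin POST /servicesNS/admin/search/ui/views/my%20lookup.csv
admin POST /servicesNS/admin/search/ui/views/evil.sh
admin POST /servicesNS/admin/search/ui/views/report/acl
admin DELETE /servicesNS/admin/search/ui/views/old.csv.gz
admin GET /servicesNS/admin/search/ui/views/old.csv.gz
"""

def classify_activity(method, uri_path):
    """Mirror the SPL case(): POST to .../acl, any other POST, or DELETE."""
    if method == "POST" and uri_path.endswith("/acl"):
        return "Permissions Update"
    if method == "POST":
        return "Edited"
    if method == "DELETE":
        return "Deleted"
    return None  # GET and other methods are filtered out by the search

def hunt(log_text):
    """Return one finding per POST/DELETE event under /ui/views/, flagging odd extensions."""
    findings = []
    for line in log_text.splitlines():
        user, method, uri_path = line.split()
        if method not in ("POST", "DELETE"):
            continue
        match = URI_RE.search(uri_path)
        if not match:
            continue
        name = unquote(match.group("dashboard_encoded"))  # same as urldecode() in SPL
        activity = classify_activity(method, uri_path)
        # Permission updates carry no file name, so only check extensions on edits/deletes.
        suspicious = activity != "Permissions Update" and not name.lower().endswith(ALLOWED_EXTENSIONS)
        findings.append({"user": user, "uri_path": uri_path, "name": name,
                         "activity": activity, "suspicious_extension": suspicious})
    return findings
```

Events flagged with suspicious_extension still need the manual review the false-positive note calls for, since the file contents are not visible in the access log.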