Techniques
Sample rules
Splunk unnecessary file extensions allowed by lookup table uploads
- source: splunk
- techniques:
  - T1189
Description
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the lookup table upload feature lets a user upload lookup tables with unnecessary filename extensions. As of those versions, lookup table file extensions may only be one of .csv, .csv.gz, .kmz, .kml, .mmdb, or .mmdb.gz. This search focuses on user upload activity and is meant to help hunt for malicious file uploads.
Detection logic
`splunkda` method IN ("POST", "DELETE") uri_path=/servicesNS/*/ui/views/*
| eval activity = case( method=="POST" AND like( uri_path , "%/acl" ) , "Permissions Update", method=="POST" AND NOT like( uri_path , "%/acl" ) , "Edited" , method=="DELETE" , "Deleted" )
| rex field=uri_path "(?<user_and_app>.*?)\/ui\/views/(?<dashboard_encoded>.*)"
| eval dashboard = urldecode( dashboard_encoded )
| table _time, uri_path, user, dashboard, activity
| `splunk_unnecessary_file_extensions_allowed_by_lookup_table_uploads_filter`
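To make the detection logic reproducible outside Splunk, here is an added Python example (not part of the original rule) that applies the same method/uri_path classification as the search above to constructed splunkd_access-style lines and, going beyond the SPL, also checks uploads to the lookup-table-files endpoint against the allowed extension list from the description. The log line shape and the `/data/lookup-table-files/` path are assumptions.

```python
import re
from urllib.parse import unquote

# Extensions the description lists as the only ones accepted after the fix.
ALLOWED_LOOKUP_EXTENSIONS = (".csv", ".csv.gz", ".kmz", ".kml", ".mmdb", ".mmdb.gz")

# Constructed sample lines in the general shape of splunkd_access entries
# (the source the `splunkda` macro selects). Not real log data.
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Mar/2023:09:15:01.000 +0000] "POST /servicesNS/admin/search/ui/views/my%20dashboard HTTP/1.1" 201 512 - - - 12ms
10.0.0.5 - admin [01/Mar/2023:09:16:07.000 +0000] "POST /servicesNS/admin/search/ui/views/my%20dashboard/acl HTTP/1.1" 200 88 - - - 4ms
10.0.0.7 - analyst [01/Mar/2023:09:20:30.000 +0000] "DELETE /servicesNS/analyst/search/ui/views/old_view HTTP/1.1" 200 0 - - - 3ms
10.0.0.7 - analyst [01/Mar/2023:09:21:00.000 +0000] "GET /servicesNS/analyst/search/ui/views/old_view HTTP/1.1" 200 900 - - - 2ms
10.0.0.9 - bob [01/Mar/2023:09:30:00.000 +0000] "POST /servicesNS/bob/search/data/lookup-table-files/payload.bat HTTP/1.1" 201 10 - - - 6ms
"""

# Assumed access-log layout: client, user, timestamp, then the request line.
LINE_RE = re.compile(
    r'^(?P<src>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri_path>\S+) HTTP/[\d.]+"')
# Same split as the SPL rex: everything before /ui/views/ and the encoded name after it.
VIEWS_RE = re.compile(r"(?P<user_and_app>.*?)/ui/views/(?P<dashboard_encoded>.*)")


def classify_view_activity(method, uri_path):
    """Mirror the SPL case() expression; None means the event is not selected."""
    if method == "POST" and uri_path.endswith("/acl"):
        return "Permissions Update"
    if method == "POST":
        return "Edited"
    if method == "DELETE":
        return "Deleted"
    return None


def lookup_extension_allowed(filename):
    """True when the uploaded lookup name ends in one of the allowed extensions."""
    return filename.lower().endswith(ALLOWED_LOOKUP_EXTENSIONS)


def detect(log_text):
    """Return the events the rule would table, plus disallowed lookup uploads."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["uri_path"].startswith("/servicesNS/"):
            continue
        method, uri_path, user = m["method"], m["uri_path"], m["user"]
        views = VIEWS_RE.search(uri_path)
        if views and method in ("POST", "DELETE"):
            events.append({"user": user, "uri_path": uri_path, "dashboard": unquote(views["dashboard_encoded"]),
                           "activity": classify_view_activity(method, uri_path)})
        elif method == "POST" and "/data/lookup-table-files/" in uri_path:
            filename = unquote(uri_path.rsplit("/", 1)[-1])
            if not lookup_extension_allowed(filename):
                events.append({"user": user, "uri_path": uri_path, "dashboard": None,
                               "activity": "Disallowed lookup extension: " + filename})
    return events
```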