Techniques
Sample rules
Splunk Path Traversal In Splunk App For Lookup File Edit
- source: splunk
- techniques:
Description
The following analytic identifies path traversal attempts in the Splunk App for Lookup File Editing. It detects specially crafted web requests targeting lookup files by analyzing the uri_query field in the _internal index. This activity is significant because a successful traversal lets low-privilege users read and write to restricted areas of the Splunk installation directory, potentially accessing sensitive files such as password hashes. If confirmed malicious, this could lead to unauthorized access, data breaches, and further exploitation of the Splunk environment.
Detection logic
`splunkda` uri_query=*lookup_file*
| table clientip uri_query lookup_file owner namespace version
| stats count by clientip namespace lookup_file uri_query
| `splunk_path_traversal_in_splunk_app_for_lookup_file_edit_filter`
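The search above returns every request whose uri_query mentions lookup_file, so its results still need triage. The following Python script is an added example, not part of the original rule or of Splunk's code: it decodes the lookup_file parameter from exported uri_query values and keeps only those containing a `..` path segment. The sample events, the (clientip, uri_query) export shape, and all function names are constructed assumptions.

```python
from collections import Counter
from urllib.parse import parse_qs, unquote

# Constructed sample events as (clientip, uri_query) pairs; not real log data.
SAMPLE_EVENTS = [
    ("10.0.0.5", "lookup_file=assets.csv&namespace=search&owner=nobody"),
    ("10.0.0.9", "lookup_file=..%2F..%2Frestricted%2Fexample.txt"
                 "&namespace=lookup_editor&owner=nobody"),
    ("10.0.0.9", "lookup_file=%252e%252e%252fexample.txt"
                 "&namespace=lookup_editor&owner=nobody"),
    ("10.0.0.7", "namespace=search&lookup_file=..\\..\\example.txt"),
]

MAX_DECODE_ROUNDS = 3  # assumption: enough to unwrap double-encoded input


def fully_decode(value):
    """Percent-decode repeatedly so %252e%252e is seen as '..'."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(lookup_file):
    """True when the decoded name contains a '..' path segment."""
    normalized = fully_decode(lookup_file).replace("\\", "/")
    return ".." in normalized.split("/")


def triage(events):
    """Count traversal-looking requests by (clientip, namespace, lookup_file)."""
    hits = Counter()
    for clientip, uri_query in events:
        # parse_qs already percent-decodes each value once.
        params = parse_qs(uri_query.lstrip("?"), keep_blank_values=True)
        namespace = params.get("namespace", [""])[0]
        for lookup_file in params.get("lookup_file", []):
            if is_traversal(lookup_file):
                hits[(clientip, namespace, lookup_file)] += 1
    return hits


if __name__ == "__main__":
    for key, count in sorted(triage(SAMPLE_EVENTS).items()):
        print(count, *key)
```

Grouping by clientip and namespace mirrors the `stats count by` clause of the search, so the output can be compared line for line with the Splunk results.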